Preventive and radical measures to protect against fraud
Despite all the anti-fraud measures taken by participants of the global card market, fraud still poses a serious threat to the stability of the electronic payments industry. The plastic card market in Russia has grown several times over in recent years, and the growing volume of card issuance has been accompanied by a growing number of fraudulent transactions. At the same time, criminals are using ever more sophisticated methods of stealing money: phishing and phone fraud (vishing), interception of cards during shipment and skimming, Internet fraud and fake mail orders (card-not-present fraud). These and other methods of committing crimes are constantly being refined, along with the ways of protecting cards and their holders.
In such conditions, the existing static (offline) models for combating fraud have long since lost their relevance: they detect illegal transactions after the fact and cannot prevent the theft of money. Market participants are therefore increasingly interested in solutions that monitor operations in real time. Such systems are certainly more effective, since they give banks the tools needed to detect and prevent fraudulent transactions during the authorization process, but they are much more complex to implement and operate.
Today, two types of online solutions are most widely used: static and dynamic systems. The logic of the first type is based on a mechanism of filters, or templates, that track suspicious transactions by certain criteria and block them. Despite the obvious advantages of easy configuration and high speed, static systems do not allow a quick response to changing trends in the criminal environment or the timely introduction of filters against new types of fraud. Solutions of this type also require an operator to analyze statistics on completed transactions, which is necessary for developing and implementing new fraud prevention schemes.
Dynamic or intelligent systems build individual behavior profiles of cardholders from the transaction history of a specific card, card group or card product. These systems are self-learning and need a certain amount of time to accumulate statistics. At the same time, they are the most effective in fighting card fraud, because they allow a fine-grained analysis based on the individual behavior of the cardholder. Moreover, as the statistics are updated, the models being built are constantly refreshed, which takes into account both the peculiarities of the client's behavior and changes in the market situation as a whole.
SmartVista Fraud Prevention & Monitoring — a comprehensive solution to the problem of fraud
With the development of the electronic payments industry and the growth in issuance volumes, banks' losses from fraud have become more noticeable. Having assessed these changes in time, BPC offered the market a specialized module for preventing fraudulent transactions, SmartVista Fraud Prevention & Monitoring, which combines the advantages of the two main approaches to building online anti-fraud systems. The solution is part of the SmartVista product line, a single technology platform for processing plastic cards, processing electronic payments and supporting retail business operations.
The SmartVista Fraud Prevention & Monitoring module provides all the tools needed for online monitoring and prevention of fraudulent transactions, both on the basis of predefined rules and using an intelligent self-learning model. This gives the solution both high performance and flexibility, so it can be deployed according to the specifics of the business and the wishes of a wide variety of customers. The SmartVista Fraud Prevention & Monitoring solution is closely integrated with the SmartVista Front-End system, a high-performance transaction management solution, and allows both the issuing bank and the acquiring bank to control transactions.
The models for detecting and blocking suspicious transactions that can be built with the SmartVista Fraud Prevention & Monitoring module are mechanisms of varying complexity that provide a wide range of functions, from simple blocking of suspicious transactions by certain parameters to monitoring operations in accordance with specified rules and fine-grained evaluation using a behavioral model based on artificial neural network technologies.
Mechanism for blocking fraudulent attacks
The mechanism for countering fraudulent attacks implemented in the SmartVista Fraud Prevention & Monitoring module allows transaction restrictions to be set for individual cards, groups of cards or card products, and is designed to automatically block suspicious transactions on the issuing bank's cards during the authorization process. The system also implements an "acquiring" component, which makes it possible to perform a preliminary analysis of a transaction and, if necessary, block it before an authorization request is sent to the issuer, which significantly reduces the number of chargebacks.
To check the restrictions imposed on transactions, transaction schemes are used, which can be flexibly linked to different groups of cards united by a certain attribute. A transaction scheme is a set of positive and negative patterns, each containing a specific rule according to which a transaction is either rejected or accepted.
During authorization, the transaction scheme used for the card is determined, along with the type of verification that will be used to compare the parameters of the authorization message with the patterns and decide whether the transaction may continue.
There are four main types of transaction scheme that define the verification mechanism: positive, negative, positive-negative and negative-positive; the last two involve sequential verification using negative and positive patterns. For some cards or card products, verification may be skipped entirely, which is indicated by a special value in the transaction scheme.
Thus, the mechanism for setting transaction limits allows issuing banks to perform automatic online verification and blocking of transactions in accordance with certain rules, which significantly reduces the risk of losses from fraud. This scheme is particularly effective for repelling mass fraudulent attacks originating from particular points.
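As an added illustration (not SmartVista code), the following Python sketch evaluates an authorization request against a transaction scheme of each of the four types described above, plus the "no verification" value. The field names, the sample patterns and the precedence rule for the two sequential types (the stage checked first wins when it matches; the second stage sets the default) are assumptions, since the text does not spell them out.

```python
"""Transaction-scheme check (added example, not BPC/SmartVista code).
Field names, sample patterns and the precedence rule for the sequential
scheme types are assumptions made for this illustration."""
from dataclasses import dataclass, field
from typing import Optional


def _holds(actual, expected):
    # A condition value may be a single value or a set of allowed values.
    if isinstance(expected, (set, frozenset)):
        return actual in expected
    return actual == expected


@dataclass(frozen=True)
class Pattern:
    """One positive or negative pattern: every condition must hold to match."""
    conditions: dict

    def matches(self, tx):
        return all(_holds(tx.get(k), v) for k, v in self.conditions.items())


@dataclass
class TransactionScheme:
    # "positive", "negative", "positive-negative", "negative-positive",
    # or None: the special value meaning "this card group is not verified".
    kind: Optional[str]
    positive: list = field(default_factory=list)  # patterns that accept
    negative: list = field(default_factory=list)  # patterns that reject


def _any(patterns, tx):
    return any(p.matches(tx) for p in patterns)


def verify(scheme, tx):
    """Return "accept" or "reject" for authorization request `tx`."""
    if scheme.kind is None:
        return "accept"
    if scheme.kind == "positive":      # only explicitly allowed traffic passes
        return "accept" if _any(scheme.positive, tx) else "reject"
    if scheme.kind == "negative":      # everything passes unless blacklisted
        return "reject" if _any(scheme.negative, tx) else "accept"
    if scheme.kind == "positive-negative":
        # Assumed precedence: a matching positive pattern accepts at once;
        # otherwise the negative patterns decide, defaulting to accept.
        if _any(scheme.positive, tx):
            return "accept"
        return "reject" if _any(scheme.negative, tx) else "accept"
    if scheme.kind == "negative-positive":
        # Assumed precedence: a matching negative pattern rejects at once;
        # otherwise the positive patterns decide, defaulting to reject.
        if _any(scheme.negative, tx):
            return "reject"
        return "accept" if _any(scheme.positive, tx) else "reject"
    raise ValueError(f"unknown scheme type: {scheme.kind!r}")


# Constructed sample scheme for an "international debit" card group:
# block card-not-present purchases from two placeholder countries,
# whitelist domestic traffic and the bank's own ATMs, reject the rest.
SAMPLE_SCHEME = TransactionScheme(
    kind="negative-positive",
    negative=[Pattern({"channel": "ecom", "country": {"XX", "YY"}})],
    positive=[Pattern({"country": "RU"}),
              Pattern({"terminal_owner": "own_bank"})],
)

if __name__ == "__main__":
    tx = {"channel": "pos", "country": "RU", "terminal_owner": "other"}
    print(verify(SAMPLE_SCHEME, tx))
```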
Business rules-based model
The business rules-based model monitors transactions online during authorization. The rules used for checking can be simple (for example, Single Alert) or based on assessing changes in transaction parameters compared with previous transactions on the same card, data about which is collected while the system operates. The length of the transaction history used for verification can be configured individually for each organization.
Transaction verification is based on groups of rules that are set by the security officer and characterize certain types of fraud that pose a threat to the bank. Rule groups are linked to cards, groups of cards united by a specific attribute, or card products, which makes it possible to flexibly configure transaction processing conditions and verify each transaction against different groups. To create rules, the system provides a web user interface that includes a number of special forms.
The probability of a fraud attempt is determined by adding up the weights assigned to each rule in the group. For each verification group, a limit on the acceptable value is set. If the sum of the weight coefficients exceeds the allowed threshold, the transaction is considered fraudulent and verification against the remaining groups is not performed. The algorithm also allows exceptions from verification groups to be set, so that individual cards or groups of cards are not evaluated.
When an online transaction is processed, the list of rule groups to be used for checking it is determined, and then the list of rules is selected from the information about those groups. Risk assessment according to a selected rule is performed by comparing the transaction parameters with information about previous operations on this card and assigning the appropriate weight coefficient. Based on the total obtained for the group, the transaction is either allowed or not allowed to proceed to authorization.
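The weighted rule-group procedure described in the two paragraphs above, as an added example that is not BPC/SmartVista code: rules compare the transaction with the card's stored history, the weights of the rules that fire are summed per group, the first group whose total exceeds its threshold stops verification, and cards listed as exceptions skip a group. Rule names, weights, thresholds and the sample history are constructed for the illustration.

```python
"""Weighted rule-group check (added example, not BPC/SmartVista code).
Rule names, weights, thresholds and the sample history are constructed."""
from dataclasses import dataclass, field
from typing import Callable, List, Set


@dataclass
class Rule:
    name: str
    weight: int
    # Predicate over the transaction and this card's stored history.
    check: Callable[[dict, list], bool]


@dataclass
class RuleGroup:
    name: str                 # the type of fraud this group characterizes
    threshold: int            # allowed sum of weights for the group
    rules: List[Rule]
    exceptions: Set[str] = field(default_factory=set)  # cards not evaluated


# --- sample rules: one simple "Single Alert" and three history-based ---
def single_alert(tx, history, ceiling=100_000):
    return tx["amount"] > ceiling


def amount_spike(tx, history, factor=3.0):
    if not history:
        return False
    mean = sum(h["amount"] for h in history) / len(history)
    return tx["amount"] > factor * mean


def new_country_fast(tx, history, window_s=2 * 3600):
    # Country differs from the previous operation and little time has passed.
    if not history:
        return False
    last = max(history, key=lambda h: h["ts"])
    return tx["country"] != last["country"] and tx["ts"] - last["ts"] < window_s


def velocity(tx, history, n=3, window_s=3600):
    return sum(1 for h in history if tx["ts"] - h["ts"] < window_s) >= n


def score_group(group, tx, history):
    """Sum the weights of the rules in the group that fire."""
    fired = [r.name for r in group.rules if r.check(tx, history)]
    total = sum(r.weight for r in group.rules if r.name in fired)
    return total, fired


def evaluate(groups, tx, history):
    """Check the groups linked to the card in order. The first group whose
    total exceeds its threshold marks the transaction fraudulent and stops
    further checks; cards listed in a group's exceptions skip that group."""
    report = []
    for g in groups:
        if tx["card"] in g.exceptions:
            report.append((g.name, "skipped", []))
            continue
        total, fired = score_group(g, tx, history)
        report.append((g.name, total, fired))
        if total > g.threshold:
            return "deny", report
    return "allow", report


# Constructed sample configuration and card history (epoch seconds).
GROUPS = [
    RuleGroup("counterfeit/stolen card", 50, [
        Rule("amount_spike", 30, amount_spike),
        Rule("new_country_fast", 40, new_country_fast),
        Rule("velocity", 30, velocity),
    ]),
    RuleGroup("cash-out", 50, [Rule("single_alert", 60, single_alert)]),
]
T = 1_700_000_000
HISTORY = [
    {"amount": 1500, "country": "RU", "ts": T - 3 * 86400},
    {"amount": 2200, "country": "RU", "ts": T - 2 * 86400},
    {"amount": 1800, "country": "RU", "ts": T - 1800},
]
```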
Depending on the system settings, the decision to allow or deny authorization is made automatically or with the participation of an operator. If this function is performed by an operator, a notification is sent to the operator when a suspicious transaction is detected. SmartVista Fraud Prevention & Monitoring provides mechanisms for notifying the operator by email and SMS.
Statistical model
The SmartVista Fraud Prevention & Monitoring statistical model is implemented on the basis of two components, the first of which is designed to collect and analyze information about the parameters of transactions for each card, and the second — to classify transactions in online mode based on previously built models of cardholder behavior. The implementation of this model requires a positive transaction history on the card, which is the basis for creating behavioral models that are used in subsequent risk assessment.
The analytical, or offline, component of the model regularly collects statistics on the transaction parameter values for each of the cards served by the SmartVista processing system. These statistics are used to build cluster centers for the transaction parameter values most characteristic of a particular card and to determine the acceptable deviations from them. By comparing the parameters of transactions being verified with these values, the online component detects suspicious transactions whose parameters are "not typical" of transactions previously made with this card.
Each transaction is evaluated in terms of how "characteristic" its parameters are of a "normal" (not fraudulent) transaction on the same card. The evaluation is based on the weight coefficients assigned to each transaction parameter. If the values of the transaction parameters are recognized as "typical of a normal transaction", it is allowed to proceed to authorization; otherwise the transaction is considered fraudulent.
The offline component of the SmartVista Fraud Prevention & Monitoring statistical model is a self-learning system that operates automatically. The online component, in turn, can function either fully automatically or with the involvement of an operator who decides whether to block transactions. The blocking method can be configured individually for individual cards, groups of cards or card products.
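A compact version of the two-component statistical model described above, as an added example that is not BPC/SmartVista code: the offline part derives a behavioral profile from a card's positive history, the online part scores a new transaction against it. Parameter weights, the deviation factor, the threshold and the sample history are constructed, and each numeric parameter is summarized by a single center (the mean) with an acceptable deviation of k standard deviations, which simplifies the clustering the text refers to.

```python
"""Statistical model sketch (added example, not BPC/SmartVista code).
Weights, deviation factor, threshold and history are constructed; one
center per numeric parameter stands in for the text's cluster centers."""
from collections import Counter
from statistics import mean, pstdev

# parameter -> weight coefficient (assumed); weights sum to 100
NUMERIC = {"amount": 50, "hour": 20}
CATEGORICAL = {"country": 20, "mcc": 10}


def build_profile(history, k=2.0):
    """Offline component: center and acceptable deviation per numeric
    parameter, share of each observed value per categorical parameter."""
    profile = {"numeric": {}, "categorical": {}}
    for p in NUMERIC:
        values = [h[p] for h in history]
        profile["numeric"][p] = (mean(values), k * pstdev(values))
    for p in CATEGORICAL:
        counts = Counter(h[p] for h in history)
        profile["categorical"][p] = {v: n / len(history)
                                     for v, n in counts.items()}
    return profile


def atypicality(tx, profile, min_share=0.05):
    """Online component: weighted sum over parameters whose value is not
    typical for this card; returns (score, list of atypical parameters)."""
    score, flagged = 0, []
    for p, w in NUMERIC.items():
        center, dev = profile["numeric"][p]
        if abs(tx[p] - center) > dev:
            score += w
            flagged.append(p)
    for p, w in CATEGORICAL.items():
        # A value never (or almost never) seen on this card is atypical.
        if profile["categorical"][p].get(tx[p], 0.0) < min_share:
            score += w
            flagged.append(p)
    return score, flagged


def classify(tx, profile, threshold=50):
    """Allow authorization when the transaction looks typical, else deny."""
    score, flagged = atypicality(tx, profile)
    return ("allow" if score <= threshold else "deny"), score, flagged


# Constructed positive history for one card: domestic daytime purchases
# at two merchant categories (grocery 5411 and restaurants 5812).
HISTORY = [
    {"amount": 1500, "hour": 12, "country": "RU", "mcc": "5411"},
    {"amount": 2200, "hour": 13, "country": "RU", "mcc": "5411"},
    {"amount": 1800, "hour": 18, "country": "RU", "mcc": "5812"},
    {"amount": 2500, "hour": 12, "country": "RU", "mcc": "5411"},
    {"amount": 1900, "hour": 19, "country": "RU", "mcc": "5812"},
    {"amount": 2100, "hour": 13, "country": "RU", "mcc": "5411"},
    {"amount": 1700, "hour": 18, "country": "RU", "mcc": "5812"},
    {"amount": 2300, "hour": 12, "country": "RU", "mcc": "5411"},
]
PROFILE = build_profile(HISTORY)

if __name__ == "__main__":
    print(classify({"amount": 9000, "hour": 3, "country": "DE", "mcc": "7995"},
                   PROFILE))
```

The hour of day is treated as a plain number, so the profile does not handle the midnight wrap-around; a real deployment would use a circular distance or cluster raw timestamps.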
Flexibility + versatility
The fraud prevention models implemented in the SmartVista Fraud Prevention & Monitoring module can be implemented and operated separately or as part of an integrated solution. As card issuance grows, the product portfolio diversifies and the geography of operations expands, the bank can move from the simplest schemes for blocking fraudulent attacks to complex models for fine-grained analysis of cardholder behavior, all built on a single technology platform.
The SmartVista Fraud Prevention & Monitoring module is a full-featured solution for fighting card fraud. It gives card market participants a full set of tools for quickly detecting and blocking suspicious transactions, responding quickly to the appearance of new types of fraud, and analyzing statistical information to build various risk assessment models. Thanks to a convenient web-based user interface, bank employees can easily create and change transaction verification rules without involving technical specialists.
Thus, the combination of business and functional advantages of the SmartVista Fraud Prevention & Monitoring solution allows banks to significantly reduce financial and reputational losses from fraud, and also to solve a number of related tasks in optimizing the work of the security service through partially or fully automated transaction monitoring.
About standards for microprocessor cards
ISO 7816 "Identification cards — cards with chips and contacts" is undoubtedly the most well-known and respected standard for general-purpose microprocessor cards. Based on it, standards have been developed for the use of smart cards in particular areas of human activity, such as healthcare, transport, banking and object identification.
There are also standards that define communication protocols for contactless cards.
In turn, standards for smart cards are based on a wide range of standards related to information processing. These include standards that define the list and encoding of symbols, encoding of national monetary currencies, cryptographic algorithms, and so on.
Finally, since many applications of smart cards are in demand by government agencies, such as maintaining national payment systems, creating a national “electronic” passport, etc., national and regional standards have been developed for smart cards in addition to international standards.
Due to the slow adoption of international standards, there has been an increase in the number of smart card specifications issued by various laboratories, professional communities, trade associations, academic institutions, and private firms that are not associated with standardization bodies. Such specifications play a useful role in stimulating discussion and developing common ideas that will then form the basis of future international standards.
Smart cards are used in many areas of human activity. Cell phones, access control systems, information security systems, pay TV and the Internet are just a few examples of their uses. We can expect that for each area of human activity, industry standards will be developed that define the requirements for the smart cards used in it.
ISO 7816-1 defines the physical characteristics of cards with a built-in chip. It sets the permissible limits of external influences on the card, such as X-rays, ultraviolet radiation, electromagnetic fields, static electric fields and ambient temperature.
Bending and torsion tests emulate the conditions of normal mechanical stress on the card, for example when it is carried in a wallet. When a microprocessor card is tested, the possibility of damage or breakage of the chip itself, or of a break in the connections between the chip and the contact pad, is investigated. Practical test results have shown that the area of a square chip should not exceed 25 mm² for the card to comply with the bending and torsion resistance limits.
The ISO 7816-1 standard sets relatively strict requirements for the mechanical characteristics of a smart card. The purpose of these requirements is to ensure reliable contact between the reader and the card. In particular, the card's contacts must not protrude more than 0.1 mm above the surface. The card must be strong enough to withstand prolonged deformation when bent, after which, under pressure on its surface, it must return to a flat state.
The ISO 7816-1 standard specifies that the chip has eight electrical contacts located in standard positions on the front surface of the card. Some of these contacts are electrically connected to the chip embedded in the card; others are not connected to the chip and are not currently used. (For the purpose of the contacts, see Chapter 2.) The ISO 7816-1 standard also defines the permissible values of the electrical resistance of the card contacts.
The position of the contacts and their dimensions are defined in ISO 7816-2. Contacts are almost always placed on the front surface of the card (i.e. the side opposite the magnetic stripe). However, ISO 7816-2 does not require the contacts to be on the front side: they may also be on the back of the card, provided they do not fall within the embossing zone or the magnetic stripe area.
The EMV standard removes this uncertainty by fixing the placement of the contacts.
Figure: dimensions of the contacts and their placement on the card in accordance with EMV.
Figure: appearance of the microprocessor card.
The ISO 7816-3 standard begins with the description of the logical architecture of the smart card. This standard defines asynchronous data exchange protocols between the card and the reader.
The ISO 7816-4 standard defines the file structure of a microprocessor card and the set of commands used for interaction between the terminal or issuer and the card.
The ISO 7816-5 standard specifies the structure of the card application identifier, as well as the procedure for registering this identifier and the application provider.
We will refer to the ISO 7816 standard again and again in this book.
EMV specifications appeared in 1996 as a product created jointly by Europay, MasterCard and VISA (the standard was named after the first letters of the names of the companies that created it). The EMV standard is an industry standard that regulates the operation of a microprocessor card used for non-cash payments. EMV is based on the ISO 7816 standard.
Since 1999, the EMV standard has been developed and maintained by a specially created company, EMVCo, LLC. Initially, the founders of this company were the payment systems Europay, MasterCard and VISA. Today, the company is managed equally by four payment systems: MasterCard, VISA, JCB and American Express. JCB became a founding member of EMVCo in 2004, and American Express in 2009.
EMVCo's functions include not only developing the EMV standard but also ensuring compatibility between the card applications and devices of various banks. EMVCo certifies POS terminals for compliance with the EMV specifications (Level 1 & Level 2 Type Approval), and certifies CCD cards for compliance with the CPA and EMV standards.
In addition, EMVCo is the holder of the Common Payment Application (CPA), EMV Card Personalization Specification, EMV Contactless Communication Protocol Specification and EMV Entry Point Specification standards. Finally, the company evaluates the security of the chip and its operating environment in accordance with its own EMVCo Security Evaluation Process.
The latest version of the standard (EMV 4.2) appeared in June 2008 and consists of four books:
Book 1. Application Independent ICC to Terminal Interface Requirements. Describes the minimum set of requirements for microprocessor cards (ICC, Integrated Circuit Card) and terminals whose fulfilment ensures interaction between the terminal and the card regardless of which card application is used.
The book defines requirements for the electromechanical characteristics of the card (size and location of the contacts, height of the module above the surface of the card, power supply, clock frequency, the card reset signal, the resistance between a pair of card and terminal contacts, etc.). It describes the stages a chip card goes through during a session, from activation to deactivation. It also describes the asynchronous data transfer protocols T=0 and T=1 between the card and the terminal.
A separate section of the book is devoted to the card's file structure, data elements and commands. In particular, it describes the data elements and objects used, the command structure, how application files are accessed, and the procedure for selecting the card application (Application Selection).
Book 2. Security and Key Management. Describes the minimum set of requirements for the logical security functions of a microprocessor card and of the electronic terminal used to perform operations. Book 2 describes the procedures for static and dynamic authentication of the card application, PIN encryption, ensuring the integrity and confidentiality of data exchange between the card and the issuer, and the principles and policies of key management for the card application.
In addition, the book describes the cryptographic algorithms used for signing data, verifying a signature and recovering data from a signature, encrypting data, calculating data integrity control codes (Message Authentication Code), and deriving card keys and session keys.
Book 3. Application Specification. Describes the data elements, files and commands associated with executing a transaction. It lists the functions of the payment application, describes the data elements and commands used to perform these functions, and describes the sequence of events and commands that occur during transaction processing.
Book 4. Cardholder, Attendant, and Acquirer Interface Requirements. Describes the types of terminals and their capabilities, the functional requirements for terminals that are necessary to perform operations with EMV-compatible cards, and the requirements for the physical characteristics of terminals. Book 4 describes the architecture of the terminal software, including the principles of data management and the requirements for the "terminal-cardholder" and "terminal-acquiring bank" interfaces.
The specifications given in the book contain requirements that make it possible to accept magnetic stripe cards and microprocessor cards on the same terminal.
Based on the EMV standard, the major payment systems VISA and MasterCard have released specifications for their own microprocessor card applications. At the end of 2009, the latest versions of these specifications are known by the acronyms M/Chip 4 (MasterCard) and VIS 1.4 (VISA). However, both payment systems have developed new versions of their applications, VIS 1.5 and M/Chip 4 R2 (the VIS 1.5 release has already been approved, and M/Chip 4 R2 should be approved by the end of 2009). The first cards supporting these releases will probably appear in 2010. In addition, the VISA payment system offers its banks specifications for Java applets of its applications that are compatible with the GlobalPlatform/Java Card operating environment. VSDC applet releases 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6 and 2.7 are known on the market.
It should be noted that the differences between the applications of the leading payment systems are quite noticeable (see Chapter 8 for details). They primarily concern:
formats and semantics of key data elements (for example, Issuer Application Data, Card Verification Results, Issuer Authentication Data, Application Control, and card risk management parameters) used in applications;
formats of responses to commands. For example, in M/Chip 4 the data in the responses to the GENERATE AC, GET PROCESSING OPTIONS and INTERNAL AUTHENTICATE commands is presented in format 2, whereas in VIS 1.4 the responses to the last two commands must use format 1, and the response to GENERATE AC uses format 1 for SDA and DDA cards and format 2 for CDA cards;
card functionality (for example, M/Chip 4 uses a mechanism that lets the issuer check the result of offline authentication of the card application by the terminal, a special additional check of the GENERATE AC command data as part of the card risk management procedure, and an alternative to the Issuer Script Processing procedure for changing risk management parameters);
and even the set of commands used (for example, the EXTERNAL AUTHENTICATE command is used in VIS 1.4 but not in M/Chip 4), as well as the way the issuer's commands are applied (in VISA cards, the issuer's commands are transmitted to the card only after it executes the GENERATE AC command).
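As an added, self-contained example (not code from either payment system or from EMVCo), the following Python parser accepts a GENERATE AC response in either of the two formats mentioned in the list above. The layouts follow EMV Book 3: format 1 is a primitive template '80' carrying the Cryptogram Information Data (1 byte), the Application Transaction Counter (2 bytes), the Application Cryptogram (8 bytes) and optional Issuer Application Data concatenated without tags; format 2 is a constructed template '77' whose contents are BER-TLV data objects (9F27, 9F36, 9F26, 9F10). The two sample responses are constructed, with dummy cryptogram and IAD bytes.

```python
"""GENERATE AC response parser for EMV formats 1 and 2 (added example,
not code from VISA, MasterCard or EMVCo). Sample responses are constructed."""


def parse_tlv(data):
    """Minimal one-level BER-TLV parser: list of (tag_hex, value_bytes).
    Handles multi-byte tags (e.g. 9F27) and lengths in short or long form."""
    items, i = [], 0
    while i < len(data):
        start = i
        i += 1
        if data[start] & 0x1F == 0x1F:      # more tag bytes follow
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        if i >= len(data):
            raise ValueError(f"truncated TLV after tag {tag}")
        length = data[i]
        i += 1
        if length & 0x80:                   # long form: next n bytes hold it
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError(f"length of tag {tag} exceeds the data")
        items.append((tag, bytes(data[i:i + length])))
        i += length
    return items


def cryptogram_type(cid):
    """Bits 8-7 of the Cryptogram Information Data name the cryptogram."""
    return {0: "AAC", 1: "TC", 2: "ARQC", 3: "RFU"}[cid >> 6]


def parse_generate_ac_response(resp):
    """Return the CID, ATC, AC and IAD from a format 1 or format 2 response."""
    items = parse_tlv(resp)
    if len(items) != 1:
        raise ValueError("expected exactly one response template")
    tag, value = items[0]
    if tag == "80":                         # format 1: values without tags
        if len(value) < 11:
            raise ValueError("format 1 response shorter than CID+ATC+AC")
        cid, atc, ac, iad = value[0], value[1:3], value[3:11], value[11:]
    elif tag == "77":                       # format 2: BER-TLV data objects
        fields = dict(parse_tlv(value))
        missing = [t for t in ("9F27", "9F36", "9F26") if t not in fields]
        if missing:
            raise ValueError(f"format 2 response lacks {missing}")
        cid, atc, ac = fields["9F27"][0], fields["9F36"], fields["9F26"]
        iad = fields.get("9F10", b"")
    else:
        raise ValueError(f"unexpected response template tag {tag}")
    return {
        "format": 1 if tag == "80" else 2,
        "CID": cid,
        "cryptogram": cryptogram_type(cid),
        "ATC": int.from_bytes(atc, "big"),
        "AC": ac.hex().upper(),
        "IAD": iad.hex().upper(),
    }


# Constructed responses carrying the same data (ARQC, ATC 31, dummy AC/IAD).
FORMAT1_RESPONSE = bytes.fromhex("8012" "80" "001F"
                                 "0102030405060708" "06010A03600000")
FORMAT2_RESPONSE = bytes.fromhex("771E" "9F270180" "9F3602001F"
                                 "9F26080102030405060708"
                                 "9F100706010A03600000")

if __name__ == "__main__":
    print(parse_generate_ac_response(FORMAT1_RESPONSE))
    print(parse_generate_ac_response(FORMAT2_RESPONSE))
```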
In December 2005, EMVCo approved the Common Payment Application (CPA) specification, supported by the leading payment systems as an alternative to their M/Chip and VSDC applications. A bank that chooses CPA as a universal payment application extends the functionality of the M/Chip 4 and VSDC applications and also simplifies risk management and the personalization of microprocessor cards.
Among the standards related to microprocessor cards, it is worth noting the PC/SC Workgroup Specifications, which describe the interaction of a personal computer application with a microprocessor card. Today, the microprocessor card is regarded as a universal secure mobile computing platform for general purposes, so the need for interaction between the card and the computer is obvious.
In September 1996, computer, software and smart card manufacturers created the PC/SC Workgroup, which developed the open PC/SC Workgroup Specifications defining the model of interaction between a computer program and a microprocessor card. According to this model, multiple card readers can be connected to a computer using various physical interfaces (for example, RS-232C, PS/2, PCMCIA, etc.). The model defines a computer software module that controls access to card and reader resources (ICC Resource Manager), as well as modules that provide services to computer applications (ICC Service Provider). These services include performing cryptographic operations, implementing file access methods, authentication, and so on.
Today, the PC/SC specifications are widely used in the field of information technology. However, the trend towards microprocessor cards using the USB protocol for high-speed data exchange with an external computer indicates that in the future the PC/SC specifications will be replaced by direct interaction between the card and the computer, for example over TCP/IP.
In conclusion, we give a brief overview of the state of affairs in the field of biometric identification and authentication, which should eventually find its application as a means of authenticating the holder of a microprocessor card.
The development of technologies for identifying and authenticating a person by their biometric characteristics began long ago, in the early 1960s. However, the main practical results have been obtained only recently. The power of modern computers and improved algorithms for processing biometric information have made it possible to create products that are interesting and accessible to a wide range of users thanks to their technical characteristics and prices.
To date, the following technologies are most often used for biometric identification of a person (object); they differ in the type of biometric information used:
fingerprints;
hand geometry;
facial features (based on optical and infrared images);
retina of the eye;
iris of the eye;
voice;
signature.