
Fraud mitigation has never been treated as a cardholder issue: the banks assumed responsibility for it and then, with Chip & PIN, shifted the liability onto the consumer. The cardholder has had little or no involvement in preventing fraud, even though most cardholders would be keen to take part in a process that fights it effectively. The shortfalls and strengths of every card type in use today, and in the future, can be seen in the following transaction scenarios:
A signature is not a shared secret: it is visible before, during and after the exchange of information takes place. It also lacks credibility and authenticity, as it can easily be forged. We therefore need to look at solutions that are both technically available today and acceptable to the general public. As both the Internet and the mobile phone are used by the majority of people worldwide, an end-to-end security solution must build on these channels.
Mobile phones – the common denominator
The mobile phone is the common denominator through which a shared secret can be exchanged in each of the card transaction scenarios mentioned above. It is also important to recognise that in Card-Not-Present transactions the mobile phone is not the weakest link. Quite the reverse: provided the channel to it is itself secured, it becomes the strongest link, because it is the cardholder’s treasured possession and is rarely out of their hands.
Cardholder Delegated Services
The vast majority of cardholders only become aware of fraudulent transactions when they view their statement. Can cardholders contribute to mitigating fraudulent transactions, as they already do with Chip & PIN, before it is too late?
If there is a secure two-way communication channel between the cardholder and the bank on which either side can initiate a message, the cardholder could naturally alert the bank about their card, for instance to turn it on or off. Similarly, the bank could notify the cardholder of a transaction that has not been verified by PIN and ask for the PIN to be entered on the mobile phone while the card is physically present. Better still, the bank could notify the cardholder of a transaction the cardholder knows nothing about; the cardholder would simply decline it, wherever they may be.
The services described are easy to design and operate provided we have a method of verifying “who we are talking to”. We do have it: the shared secret, the PIN. The same platform can also secure online banking access, saving the banking industry tens of millions of pounds.
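The exchange described above, worked through as an added example (this is not code from the page or from SecurePay, and the names, card number and PIN in it are made up). One assumed design choice, not taken from the text: the PIN is never sent over the air. Both sides derive a MAC key from the PIN plus a per-device secret provisioned at enrolment, and each reply is an HMAC over the bank’s one-time challenge and the cardholder’s decision, so the bank learns that the reply came from someone holding both the PIN and the enrolled phone. The same mechanism serves the cardholder-initiated “card on/off” command, and the bank rejects replays, expired challenges and tampered decisions, and locks the card after repeated bad replies.

```python
"""Out-of-band transaction confirmation between a card issuer and the
cardholder's phone.  Added example, not code from the page or from SecurePay.
Assumed design (not from the page): the PIN never travels over the air; both
sides derive a MAC key from the PIN plus a per-device secret provisioned at
enrolment, and every reply is an HMAC over the bank's one-time challenge and
the cardholder's decision.  All names are hypothetical."""
import hashlib
import hmac
import json
import secrets
import time


def derive_key(pin: str, device_secret: bytes) -> bytes:
    """PBKDF2 over the PIN, salted with the device secret.  The device secret
    means a captured reply cannot be brute-forced across a 4-digit PIN space;
    the iteration count slows guessing even if the device secret leaks."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 50_000)


def canonical(challenge: dict, decision: str) -> bytes:
    """Deterministic byte encoding of exactly what the cardholder vouches for."""
    return json.dumps({"challenge": challenge, "decision": decision},
                      sort_keys=True).encode()


class CardholderPhone:
    """The phone holds only the device secret; the PIN is typed in per reply."""

    def __init__(self, device_secret: bytes):
        self.device_secret = device_secret

    def respond(self, challenge: dict, decision: str, pin_entered: str) -> dict:
        key = derive_key(pin_entered, self.device_secret)
        mac = hmac.new(key, canonical(challenge, decision), hashlib.sha256).hexdigest()
        return {"id": challenge["id"], "decision": decision, "mac": mac}


class IssuerBank:
    MAX_FAILURES = 3      # lock the card after this many bad replies
    CHALLENGE_TTL = 120   # seconds a challenge stays answerable

    def __init__(self):
        self.cards = {}     # card number -> {"key", "enabled", "failures"}
        self.pending = {}   # challenge id -> challenge awaiting a reply

    def enrol(self, card: str, pin: str, device_secret: bytes) -> None:
        # The bank keeps the derived key only, not the PIN or the device secret.
        self.cards[card] = {"key": derive_key(pin, device_secret),
                            "enabled": True, "failures": 0}

    def challenge(self, card: str, kind: str, **details) -> dict:
        """Issue a one-time challenge: nonce, timestamp and what is being asked."""
        ch = {"id": secrets.token_hex(8), "card": card, "kind": kind,
              "issued": time.time(), **details}
        self.pending[ch["id"]] = ch
        return ch

    def authorise(self, card: str, amount: float, merchant: str):
        """Merchant-side request.  A switched-off card is declined outright;
        otherwise the bank pushes a challenge to the phone and waits."""
        if not self.cards[card]["enabled"]:
            return "DECLINED: card switched off", None
        return "PENDING", self.challenge(card, "transaction",
                                         amount=amount, merchant=merchant)

    def verify(self, response: dict) -> str:
        ch = self.pending.pop(response["id"], None)   # pop: a challenge answers once
        if ch is None:
            return "REJECTED: unknown or already used challenge"
        state = self.cards[ch["card"]]
        if state["failures"] >= self.MAX_FAILURES:
            return "REJECTED: card locked"
        if time.time() - ch["issued"] > self.CHALLENGE_TTL:
            return "REJECTED: challenge expired"
        expected = hmac.new(state["key"], canonical(ch, response["decision"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["mac"]):
            state["failures"] += 1        # wrong PIN, wrong phone, or tampered reply
            return "REJECTED: bad PIN or wrong device"
        state["failures"] = 0
        if ch["kind"] == "card_switch":   # cardholder-initiated on/off command
            state["enabled"] = response["decision"] == "on"
            return "CARD ON" if state["enabled"] else "CARD OFF"
        return "APPROVED" if response["decision"] == "approve" else "DECLINED"


if __name__ == "__main__":
    # Constructed sample run: card number, PIN and device secret are made up.
    bank, secret = IssuerBank(), secrets.token_bytes(32)
    phone, card = CardholderPhone(secret), "4000000000000002"
    bank.enrol(card, "2468", secret)
    status, ch = bank.authorise(card, 49.99, "Example Shop")
    reply = phone.respond(ch, "approve", "2468")
    print(status, "->", bank.verify(reply))     # PENDING -> APPROVED
    print("replay ->", bank.verify(reply))      # REJECTED: unknown or already used challenge
```

The check that matters is in verify: the decision is bound into the MAC together with the bank’s nonce, so a fraudster who intercepts a “decline” cannot flip it to “approve”, and popping the challenge before any other check means a captured reply cannot be played back. A real deployment would carry the challenge over a channel authenticated to the bank (not plain SMS, which an attacker can spoof) and would tie the device secret to hardware on the phone.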
The current shared secret implementation
In the current Chip & PIN implementation the PIN (a shared secret) is entered on a card reader and presented to the chip on the card (recognition of a personal artefact) for verification over a single channel. If the secret matches, the exchange of information (in this case a card transaction) is sent on through the entire value chain (multiple points of integration). The Chip & PIN solution meets some of the requirements mentioned, but falls short of satisfying today’s convergent technologies, and even more so those of the future. We also believe that as mobile payments converge, the card reader and the plastic card will become less desirable in tomorrow’s high street.
To separate the card from the verification of the card information, we need two components: the card itself and a separate device that can verify the shared secret.
SecurePay and mobile phones
SecurePay is fundamentally an infrastructure that recognises the importance of the convergent technologies and communication methods used globally by the majority of people. It has the capability for mobile interaction to exchange a shared secret between the card issuer and the cardholder.
Hence, given the global status of mobile technology and the multitude of cards issued by banks, one can characterise a cardholder as a person who carries a mobile phone and a wallet or purse full of cards. It is therefore logical to build on this “human behaviour” to exchange a secret, or secrets, between cardholder and bank over all available communication channels (e.g. SMS, WAP and voice), and so provide a range of layered security services that prevent fraudulent transactions even where the fraudster has acquired the card details.
About Rashid Qajar
He is the founder and Chief Executive of both Fortunatus and Telsecure. He is also Managing Partner and owner of CMAX and Anglo Dutch Finance. Anglo Dutch Finance has provided a wide range of investment banking services including, but not limited to raising capital, restructuring debt and designing and analysing business models. Clients have included banks, trusts, wealthy individuals, private and public companies and institutional funds. Back in the 1980s, Qajar studied Law, Business Management and Marketing in Glasgow, Scotland, and after completing his studies managed several family businesses. Qajar, who has been involved with technology since 1995, only represents a few special clients today because of his commitment to Telsecure.