 

FAQs


Home chip & PIN


 What is Home Chip & PIN ?


Card fraud


 What is the difference between card-present and card-not-present?


In a "card-present" transaction, the cardholder is present at the time of the payment (a face-to-face transaction).
A "card-not-present" (CNP) transaction is a non-face-to-face transaction (Internet, phone, mail order, etc.).

 What does card not present fraud mean ?


Card-not-present (CNP) fraud involves the use of stolen card details in non face-to-face transactions either on the Internet, by phone or by mail order. The legitimate cardholder may not be aware of this fraud until they check their statement. It has been the largest type of card fraud in the UK for the past three years. The rate of increase, however, decreased last year for the first time since 2003. (figures available at www.apacs.uk)

 What is "phishing" ?


Phishing is the name given to the practice of sending e-mails at random purporting to come from a genuine company operating on the Internet, in an attempt to trick customers of that company into disclosing information at a bogus website operated by fraudsters. These e-mails usually claim that it is necessary to "update" or "verify" your customer account information and they urge people to click on a link from the e-mail which takes them to the bogus website.
Any information entered on the bogus website will be captured by the criminals for their own fraudulent purposes.

 What are Trojans?


Trojans take their name from the term 'Trojan Horse' and are a type of computer virus which can be installed on your computer without you realising. Trojans can be capable of installing a "keystroke logger", which captures all of the keystrokes entered into a computer keyboard. Some specifically seek to capture passwords entered at certain web sites, by capturing keystrokes or taking screen shots of sites you visit. This information is then sent to the fraudsters over the Internet.
Typically the fraudsters send out emails at random to get people to click on a link from the email and visit a malicious web site where vulnerabilities in the web browser are exploited to install the Trojan. The emails are not normally related to Internet banking and use a variety of excuses to dupe people into clicking on the link to the malicious web site.

 What are the most common card present frauds ?


Card fraud occurs ‘face-to-face’ when the cardholder is present at the time of the payment :
- Card ID theft:
Card ID theft occurs when a criminal uses a fraudulently obtained card or card details, along with stolen personal information, to open or take over a card account in someone else’s name. Card ID theft has fallen by 17% in the past year and currently accounts for less than 7% of overall card fraud losses.
- Lost and stolen card:
Fraud on cards that have been reported by the cardholder as lost or stolen. Most fraud in this category takes place in shops without chip and PIN equipment, before the cardholder has reported the loss.
Since the introduction of chip and PIN this type of card fraud is now at its lowest level since 1999.
As well as the proven security benefits of chip and PIN, the banking industry has a number of other initiatives in place to tackle this type of fraud (more information: www.apacs.uk).
- Counterfeit card:
Counterfeit card fraud occurs when an illegal copy of a genuine credit or debit card is made. Most cases of counterfeit fraud involve skimming, whereby the data on a genuine card’s magnetic stripe is electronically copied onto the magnetic stripe of another card, without the legitimate cardholder’s knowledge.
Often cardholders are unaware of the fraud until a statement arrives showing purchases they did not make.
Since the introduction of chip and PIN in the UK, counterfeit card fraud losses are now at their lowest level since 1999.


 What does 'money mule' mean?


As most of the fraudsters behind these scams are located overseas and it is not possible to make cross-border transfers out of UK online bank accounts, a money mule or money transfer agent is required to launder the funds obtained as a result of phishing and Trojan scams.
After being recruited by the fraudsters, money mules receive funds into their accounts and they then withdraw the money and send it overseas using a wire transfer service, minus a percentage commission payment. Money mules are recruited by a variety of methods, including spam e-mails, adverts on genuine recruitment websites, approaches to people with their CVs available online, instant messaging and adverts in newspapers.

Fighting card fraud


 What is Chip and PIN ?


Chip and PIN has been the biggest change to the way we pay and is part of a global programme to tackle plastic card fraud. It combines two effective security features.
The first, the chip or microchip on the card stores card data more securely than the magnetic stripe, making chip and PIN cards much harder to counterfeit. The second is the four-digit PIN (personal identification number), which is used to prove you are the genuine cardholder. It is a much safer way to prove you are the genuine cardholder as a PIN, unlike a signature, is not written on the back of the card.

The final phase of the national UK roll-out was achieved on Valentine’s Day 2006. Since this date cardholders with a chip and PIN card have needed to know the PIN on their chip and PIN card to be sure that they can use that card. If they do not know the PIN, the card may be declined and they should not expect to be able to sign.

There has been a significant reduction in card fraud losses on face-to-face transactions in UK shops and businesses, down 38% to £135.9 million. Much of this is down to the introduction of chip and PIN.

 How to fight CNP fraud ?


A number of initiatives are in place to counter this type of fraud:
An automated cardholder address verification and card security code (AVS/CSC) system is available for businesses that accept card-not-present transactions. The system allows them to verify the billing address of a cardholder and cross-check the security code on the signature strip of the card. These data checks provide additional information to help businesses assess fraud risks and decide whether to proceed with the transaction.

Visa and MasterCard have introduced secure payment systems (Verified by Visa and MasterCard SecureCode) for safer online transactions (more details: www.visaeurope.com and www.mastercard.co.uk).

Retailers are also encouraged to make use of various card-not-present fraud prevention tools, such as intelligent fraud detection software, available from third-party providers.

APACS’ Spot & Stop Card-not-Present Fraud provides comprehensive fraud prevention training for card-not-present businesses. An e-learning version is available at www.cardwatch.org.uk.


Using chip and PIN to make non face-to-face transactions safer:
The next stage in the development of making card-not-present payments safer is to build on the security benefits of chip and PIN through the use of a token-based authentication system.

A token-based system uses something you have (your card) and something you know (such as your four-digit PIN).
The system works via a hand-held card reader, into which a chip and PIN card is inserted. The user then enters their PIN and a one-time passcode is generated, which the customer provides to the merchant, when prompted, to authorise the transaction.
More information on remote card authentication devices: www.xiring.com

 How can I protect myself from phishing ?


The key thing is to be suspicious of any unsolicited emails you receive, even if they appear to originate from a trusted source.

Banks will never contact you by email to ask you to enter your password or any other sensitive information by clicking on a link and visiting a web site. The emails are sent out completely at random in the hope of reaching a live email address of a customer with an account at the bank being targeted.

If you receive a suspicious email, please inform your bank as directed on their web site. More information on www.banksafeonline.org.uk

 How can I protect myself from a trojan ?


Most Trojans take advantage of vulnerabilities in standard web browsers.

To protect against these vulnerabilities it is essential that you protect your computer by using up-to-date anti-virus software, doing regular scans of your computer to check for viruses, installing a personal firewall and also the latest security updates for your web browser and operating system.

Treat all unsolicited emails (especially those from unknown senders) with caution and never click on links from such emails to visit unknown web sites.

Safe online ?


 Is it safe to shop online and use online banking ?


Yes, banking online is a safe and convenient way to manage your money and there is no reason why the Internet cannot be used with confidence. 

Banks are committed to keeping their customers' money safe and will protect customers from Internet fraud as long as they have acted with reasonable care.

Customers must take sensible precautions however so that they are not vulnerable to the criminal. Banking online is very safe providing you use a fully protected PC and remain wary of unsolicited emails.   The banking industry works alongside a number of online partners to tackle CNP fraud. A number of initiatives are already in place including hand-held card readers that are used to create a one-off passcode during the login process to help identify the person as the genuine account holder.
 
Alongside these initiatives the industry has launched a website at www.banksafeonline.org.uk to help online banking users stay safe online. There are links on the site that enable consumers to report scams to the APACS team of online banking experts and a link that allows consumers to get help and advice from APACS about any industry-wide online banking queries.  

What is RCA ?


 What does RCA mean ?


RCA stands for "Remote Card Authentication".
It is the next generation of fraud prevention solutions to help tackle fraud in non face-to-face transactions (i.e. e-banking and internet and telephone shopping). There is a range of RCA devices available, in the form of smart card readers.

 How does RCA work?


Remote Card Authentication works with devices (smart card readers) that generate one-time passwords (OTP) combined with a banking smart card.

Pocket-sized EMV-compliant smart card readers incorporating a challenge/response capability appear to offer the most promising long-term answer to online authentication problems. Not only do the readers leverage the considerable investment by the banking industry in EMV chip card migration, but they can also be extended in scope to cover other forms of CNP fraud.
 
As for the process itself, banks provide their customers with a hand-held card reader, which does not require any connection to a personal computer, and is equipped with an LCD display and a keypad.

Step 1: The customer inserts their EMV card into the reader and enters their PIN code.

Step 2: A cryptographic key contained within the card's chip creates a one-time digital passcode, usually in the form of an 8-digit number.

Step 3: The customer can then authenticate themselves by relaying this OTP back to the bank via the web bank form.
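
The three steps above, sketched as an added example (not XIRING's or any bank's code) that shows both the card side and the bank side, including why a captured passcode cannot be reused. HMAC-SHA256, the explicit transaction counter, the look-ahead window and all names are assumptions standing in for the chip's actual cryptogram, which this page does not specify; the key and challenge are constructed test values.

```python
import hashlib
import hmac

DIGITS = 8  # the page says the passcode is usually an 8-digit number


def card_passcode(card_key: bytes, counter: int, challenge: str = "") -> str:
    """Passcode the reader displays once the chip has accepted the PIN.

    A MAC over the card's transaction counter (plus an optional bank
    challenge) is reduced to 8 decimal digits. HMAC-SHA256 is an assumed
    stand-in for the chip's own cryptogram.
    """
    msg = counter.to_bytes(4, "big") + challenge.encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % 10**DIGITS
    return f"{value:0{DIGITS}d}"


class BankVerifier:
    """Bank side: knows the card key and the last counter it accepted."""

    def __init__(self, card_key: bytes, window: int = 5):
        self.card_key = card_key
        self.last_counter = 0
        self.window = window  # tolerates passcodes generated but never sent

    def verify(self, passcode: str, challenge: str = "") -> bool:
        # Only counters newer than the last accepted one are candidates,
        # so a passcode that was already used can never match again.
        start = self.last_counter + 1
        for counter in range(start, start + self.window):
            expected = card_passcode(self.card_key, counter, challenge)
            if hmac.compare_digest(expected, passcode):
                self.last_counter = counter
                return True
        return False


def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    bank = BankVerifier(key)
    otp = card_passcode(key, 1)
    first = bank.verify(otp)                       # fresh passcode
    replay = bank.verify(otp)                      # same passcode again
    skipped = bank.verify(card_passcode(key, 4))   # counters 2-3 never sent
    response = card_passcode(key, 5, "73920461")   # challenge/response mode
    wrong = bank.verify(response, "00000000")      # bound to another challenge
    right = bank.verify(response, "73920461")
    return first, replay, skipped, wrong, right
```

Binding the passcode to a bank-issued challenge means a code phished for one session is rejected when presented against a different challenge.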


What is Faster Payments ?


 What is UKFP ?


Faster Payments is a key initiative being driven by the Office of Fair Trading Payments Systems Task Force in conjunction with APACS in the UK.

The Faster Payments service will significantly increase the speed of credit transfer from one account to another:
for internet banking transfers and telephone transfers between banks the movement will be near real time, with standing orders being processed on a same day basis. Currently, it takes 3 working days from the initiation of the payment to the recipient getting the funds for these interbank transfers.

Faster Payments will be introduced into the UK market by the end of November 2007.


 Who is involved in Faster Payments ?


In December 2005 the Office of Fair Trading (OFT) and the banking industry agreed to create a new payments capability for the UK by the end of 2007.

APACS set up an implementation group which has been developing the specification for Faster Payments in response to the Office of Fair Trading (OFT) Payments Systems Task Force.

Voca (which processes all BACS payments) and LINK (the ATM network company) have formed a joint venture company (Immediate Payments Ltd) to provide the IT Infrastructure for this new service.

The scheme management for this new service will be provided by CHAPS under the auspices of The Payments Council and supported by BACS.

 Faster Payments and SEPA


Faster Payments and SEPA are completely different projects and schemes:

- Faster Payments is a UK sterling only payments scheme, essentially for real time credit transfers ;
- SEPA is a scheme covering payments in euros only in 25 countries, including credit transfers and direct debits.

SEPA is an initiative of the European Commission (EC) that seeks to remove the barriers to the movement of funds across borders and reduce the cost of euro payments to the level of domestic transfers.

The deadline for the introduction of SEPA-compliant cross-border schemes is 1 January 2008 and for these to be fully operative for cross-border and local payments by 31 December 2010.

 Faster Payments and RCA


As UK Faster Payments is clearly going ahead (implementation at the end of 2007), banking institutions must focus on their payment business organization and infrastructure, as well as related issues such as increased security.

Remote card authentication solutions offer the most promising answer to online authentication problems.

© XIRING