France drags its feet on online security

French banks, merchants are not putting in place antifraud technology to catch bad online transactions because of high deployment costs and the reluctance of customers to use it

With Internet fraud on the rise, French banks and merchants are not putting in place antifraud technology to catch bad online transactions, an official from France's central bank said Thursday.

Some banks are reluctant to put into place stronger mechanisms, such as requiring customers to use one-time passwords, because of high deployment costs as well as the reluctance of customers to use them, said Marc Andries, who works in the non-cash means of payment oversight division for the Bank of France.

Paradoxically, the introduction of authentication technology prompts some consumers to question the security of their bank, said Andries, who gave a presentation at Fraud World 2007 in London.

Nonetheless, the rise in online banking fraud and card-not-present (CNP) fraud -- in which someone's credit-card details are used for an online transaction without the need for the physical card -- demands a solution, he said.

As a result, the Bank of France is in an "intensive dialog" with financial institutions to adopt new security technology, Andries said. The Bank of France will not, however, dictate how banks should strengthen their security or what technology they should use, he said.

That is in contrast with the U.S., where the Federal Financial Institutions Examination Council, which supervises U.S. financial institutions, mandated that banks implement two-factor authentication by the end of 2006.

Merchants in France who conduct e-commerce transactions tolerate CNP fraud because e-commerce is soaring, and they can buy insurance to guard against losses, Andries said.

"They accept it because it's part of the business," he said.

CNP fraud has risen as face-to-face transaction fraud has fallen with the widespread deployment of so-called "chip and PIN" technology in Europe, under which consumers must enter a four-digit personal identification number in a terminal before completing a transaction.

As a result, criminals have turned to CNP fraud, where the credit-card details, obtained through phishing or other scams, are used for e-commerce transactions.

But that fraud can be reduced by systems that combine several pieces of data to better authenticate the transaction. Security software can check the card's security code -- the three-digit number on the back of the card -- along with part of the customer's post code or house number.

Consumers aren't putting much pressure on either banks or merchants since they can contest fraudulent CNP transactions, Andries said. But they don't get off that easy, since "in the end, the losses are paid by the client of the merchant through inflation, and that's not good for the central bank," Andries said.