Can Australia's Credit Card Fraud Boom Be Stopped With More Security?

Having to get your credit card reissued after it has been used fraudulently is a major nuisance. According to Visa, that's becoming more common in Australia, in part because relatively few sites require additional authentication for credit card transactions online.

Picture by Christian Petersen/Getty Images

Speaking at the CA World Expo event in Sydney yesterday, Visa AP director of e-commerce Justin Roche said that Australia had an unusually high level of fraudulent transactions. "Australia, uniquely in the Asia-Pacific, did suffer over the last 12-18 months the predicament of being targeted by quite a few international fraud rings. Australia is becoming a target for a lot of fraud rings because we have high levels of online merchant capability, high levels of credit but only a low level of merchants picking up 3-D Secure."

Visa's solution to this problem is its 3-D Secure authentication protocol, which requires card users to go through an additional security process, typically involving a password or other unique information. 3-D Secure is used for both Visa's Verified By Visa and MasterCard's SecureCode protection schemes.

My own past experience of both Verified by Visa and SecureCode was that they were terrible systems which ask you to sign up mid-transaction, often stuff up once you've done that and are often impossible to distinguish from phishing. My reaction to any site that requires their use is to see if I can find an alternative provider that's offering the same goods. If other consumers feel the way I do, there's potentially a big problem brewing.

Roche said that Visa's own research showed that the use of pop-ups in the initial implementations of 3-D Secure has been off-putting. "Merchants were a little annoyed or frustrated when banks were asking people to enrol at the point of purchase. At that point in time, it really was inappropriate." It now recommends banks adopt a more nuanced approach, enabling the service by default for new sign-ups but only requiring it for existing accounts if there's a demonstrable security risk. Systems such as one-time passwords sent by SMS also make the approach more consumer-friendly, he said.

Do you feel safer when sites ask for additional authentication, or is it a nuisance? Share your thoughts in the comments.


    Isn't this what the CVV number on the back of cards was supposed to fix? Years ago, you never got asked for them, but now every online site requires you to enter it, as well as over the phone purchases. I've even seen it printed on receipts before!

    To me the only way forward is SMS-based two-factor authentication. The only time this fails is when you have your mobile and your cards stolen together. It wouldn't take you long to get either one or both of them deactivated however.

    I'm already used to SMS auth, as I use it on PayPal, Facebook and Gmail already. For credit cards it just makes sense.

    What's funny though, is that at the same time as pushing this type of additional security, VISA is also pushing pay-wave. I've happily paid for purchases up to $100 with it before, and it doesn't even require a signature or PIN. (imagine how many packets of cigarettes a criminal could fraudulently purchase with that)

    Convenient? Yes, but every time I use it I'm instantly reminded of how important it is to keep my card safe.

      They already use SMS verification/Notification in Lebanon and other places in Europe.... I totally agree that you should receive an SMS every time a transaction is processed. You will be aware of any fraud as soon as it happens and can notify the Card company and SAVE them Thousands/Millions of dollars as they are the ones that will cover any losses (or their insurance companies).... Which makes me think that the insurance companies should be pressuring the card companies

      The local maccers had a policy of not requiring pin or signature for credit cards at drive through. That didn't last the first month.

      The simple fact that the CCV is being printed on receipts pretty much invalidates any extra security it might bring.

    My bank used to send me an SMS whenever I needed to authorise a transaction. It changed over to SecureCode recently and I've had to call up to reset my password multiple times (largely my own fault but still an irritation).

    When I first had to set up my password, I was incredibly wary. I had to restart the transaction because it timed out while I was looking this up on my bank's website.

    Now that you mention it, I'm tempted to see if I can revert to the SMS system.

      Which bank sends an SMS each time to verify?

    Banks need to change.

    Here's how it currently works.

    1) Person uses a fake credit card to buy something
    2) Item is shipped via courier, they sign for delivery
    3) Banks take back the money

    Why do banks take back the money? Because there was no signature AT THE TIME OF PURCHASE (which is impossible online obviously....)

    No, never mind that there was a signature (see #2). If it wasn't at the time of delivery, that signature doesn't matter.


    I was equally annoyed when I had to set this up initially... but haven't had any problems since the initial process.

    I have a much bigger problem with the lack of notifications about transactions happening on my account. Before arriving in Australia, my bank would do the following checks before authorising a transaction:

    1) Called me every time I tried to use my credit card with a NEW online merchant to verify that I had initiated the transaction.
    2) Called me when I did an unusually large transaction.
    3) Sent SMS notifications of every transaction being deducted from my credit card (you could set minimum spend amounts etc if you didn't want to know about every little transaction) (the text usually arrived before I'd even left the till point)

    That way it was easy to immediately check if an unauthorised transaction was going through, or that the $$ amount had been deducted correctly (very handy when travelling abroad).
    Having that information made it much easier to do something about fraudulent transactions rather than checking my online statement every 2nd or 3rd day....

    I don't get the deal with NFC as well...
    it should be hardware-enabled... as in, if I go to pay for something with an NFC enabled smartphone, it should be button-enabled (hold a button down, whilst holding the phone on the receiver). that would stop unauthorized receivers... simple fix to a stupid problem.

    PayPal and Google Wallet. If I can't use them I shop elsewhere.

      Yeah I use PayPal on the more suss websites.

    A note to all users of SMS as an authentication mechanism:,2817,2408609,00.asp

    Could be used in a sophisticated scam.

    "often impossible to distinguish from phishing"

    This is why at least MasterCard SecureCode has a message that gets displayed whenever you try to use the card so you know it's actually from them. You set this message up when signing up for the service. I have a rather unique message that when displayed, I know it is the correct site.

      I used SecureCode once in the middle of buying a flight on Tiger, I have no idea what phrases or codes or even what email address I used to set it up, I was in a hurry to get the flight booked, not to mention it was a real PITA and didn't work properly the first time so I was very annoyed while setting it up.

    Here's the rub. At the moment if your card is compromised the card holder is not liable however if your 3D secure password/phrase is compromised (which is easy to phish BTW) then the consumer is liable. There is no way I would voluntarily enroll for Verified by Visa/MasterCard SecureCode.

    It would be good if Com Bank made their customer passwords fkn case sensitive!

    An Australian Company, currently in Stealth mode, is about to release a revolutionary payment system that is a world first and delivers "real" security.

    These ridiculous Wave and Pay cards are blatantly insecure and Banks do not care. They just want more transaction fees. The cards can be easily cloned and used because transactions are batched up at the terminals. So a stolen card can be used many times by the criminal to pay for items over several hours before it is spotted.

    Apparently this new innovation ties the owner to the transaction, eliminates card fraud and transaction fraud, including eliminating identity fraud.

    The real question is will the Banks and others embrace this or continue to let the poor old consumer suffer.

      I am quite interested in this (mostly because the software I develop allows internet based payments via credit card), I look forward to seeing more when they come out.

    I've run ecommerce businesses in Australia, the UK and the US. Australia is BY FAR the worst place to operate when it comes to protecting your business against credit card fraud. The ridiculous privacy laws mean that I can't confirm that a cardholder is who they say they are, even though I've gone through all the loops to become an authorised merchant.

    If we receive a payment by BPAY that's fraudulent, we receive phone calls within hours to tell us not to ship the goods; we don't hear until sometimes months after if it's a credit card transaction.

    What's the difference? The banks are liable if it's a BPAY transaction - the merchant is liable if it's a card not present (CNP) credit card transaction. What's more, the banks charge a $30+ fee for informing you they're going to take the money back! I have thought on more than one occasion that chargebacks are a nice earner for the banks.

    We looked at Verified by Visa (VbV) and Mastercard SecureCode (MSC), but the original implementation in Australia meant that if your customers could provide the details required, you couldn't take the order. As virtually no-one in Australia uses VbV or MSC, that would mean losing most of our customers. In other countries, we can still take the order, but without the 3DSecure benefits.

    I am very interested in the new system Mark mentioned above, but it's three months since that post and I haven't seen anything. I would be surprised if anyone can improve the situation without a change to the privacy laws.

      Sorry...I meant " if your customers can't provide the details required" in the paragraph about 3DSecure.
