Peter Dorrington: The introduction of chip-and-PIN technology to the high street is bound to have an impact on fraud. The experience elsewhere in the world has been that although it is good at reducing opportunistic fraud it causes migration to other frauds. We expect to see an increase in card-not-present fraud [online], as cards will be of no use to criminals in the physical world.
How can online traders protect themselves from this threat?
The problem is that there is no one solution. We might see the introduction of single-sign-on authentication, randomly generated passwords or the use of card readers in the home.
What other problems will arise?
Firms should expect to see an increase in identity theft, as criminals will still want to use cards in stores, and to do this they will need their own. It will not be possible to commit fraud in their own name, so they need to get a card issued to them using false details - which have to come from somewhere. Then the challenge to businesses will be: how do you tell who is a real customer and who is not? An enabler to ID theft is data harvesting, where you have people within a company using its systems for sourcing personal information about customers. A person working in a bank's call centre can pass that information on to criminal gangs. If you are within that organisation you might not be aware of this fraud, but it is your systems that are enabling it and you are duty bound to protect that information.
So how can you tell if your employees are stealing data?
Well, it can be quite difficult, but the basic components are there. You can monitor the use of peer-to-peer messaging and internet logs, and apply administration controls to certain applications. We have done a lot of work on how you gather that data, but the question is: how do you decide what is inappropriate use?
Can monitoring be automated?
Analytics software is very good at identifying comparative behaviours. Firms can create and set up baseline usage models for certain applications and performance that they can then compare individuals' usage against. For example, you might find that a certain person is using a certain application at a very unusual part of the day. People put a lot of trust in data, and once it is compromised you are facing a nightmare situation. Internal [data theft] is growing and is the most effective way criminals have to gather information - plus, it's very difficult to trace the information back to where it came from.
This kind of illegal information harvesting is not limited to internal systems and employees though, is it?
No, a lot of harvesting is done through "phishing" scams where users inadvertently divulge information needed to access bank accounts, or other information. The challenge here for firms is that the criminals are bypassing them, to get access to the data without having to go through company systems. It is almost impossible to stop people from setting up spoof sites and email addresses so here it is all about the firm educating its customers.
The phishing problem is mostly associated with finance companies. Have banks responded well to this threat?
Yes, they have; it's very rare not to see information on a banking splash page. But this problem is not confined to banks. We are seeing internet service providers and other companies having their customer accounts targeted. All companies in this situation should look closely at their customers' behaviour to see if any are behaving abnormally. Any unusual behaviour [should] trigger an alarm that will lead to the situation being investigated.
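The interview describes baseline usage models that an individual's application usage is compared against, with use at an unusual time of day as the example trigger. The following is an added illustration of that idea, not code from SAS or from the interviewee: it builds per-user and per-application hour-of-day baselines from constructed access-log lines, flags a user whose event falls in an hour they have never worked, falls back to the application's population baseline when the user has too little history, and separately flags an hourly volume spike against the user's own past peak. The log format, the users and application name, and the thresholds (MIN_HISTORY, RARE_SHARE, VOLUME_FACTOR) are assumptions chosen for the example.

```python
"""Baseline-and-deviation check over application usage logs (added example).

Log line format (constructed for this example): "<ISO timestamp> <user> <application>"
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MIN_HISTORY = 50      # events needed before a user's own baseline is trusted (assumed)
RARE_SHARE = 0.01     # hour-of-day seen in <1% of past events counts as unusual (assumed)
VOLUME_FACTOR = 3     # hourly volume above 3x the user's busiest past hour is a spike (assumed)


def parse_line(line):
    ts, user, app = line.split()
    return datetime.fromisoformat(ts), user, app


def build_baselines(history):
    """Summarise past activity: hour histograms per user/app and per app, plus per-user hourly peak."""
    user_hours = defaultdict(Counter)   # (user, app) -> Counter{hour: events}
    app_hours = defaultdict(Counter)    # app -> Counter{hour: events} across all users
    window_counts = Counter()           # (user, app, date, hour) -> events in that hour
    for line in history:
        ts, user, app = parse_line(line)
        user_hours[(user, app)][ts.hour] += 1
        app_hours[app][ts.hour] += 1
        window_counts[(user, app, ts.date(), ts.hour)] += 1
    peak = defaultdict(int)
    for (user, app, _day, _hour), n in window_counts.items():
        peak[(user, app)] = max(peak[(user, app)], n)
    return {"user_hours": user_hours, "app_hours": app_hours, "peak": peak}


def find_anomalies(history, recent):
    """Return (kind, user, app, detail) tuples for recent events that deviate from the baselines."""
    b = build_baselines(history)
    alerts = []
    recent_windows = Counter()
    for line in recent:
        ts, user, app = parse_line(line)
        recent_windows[(user, app, ts.date(), ts.hour)] += 1
        own = b["user_hours"].get((user, app), Counter())
        total = sum(own.values())
        if total >= MIN_HISTORY:
            # Enough history: judge the event against this user's own hour-of-day profile.
            if own[ts.hour] / total < RARE_SHARE:
                alerts.append(("unusual-hour-for-user", user, app, ts.isoformat()))
        else:
            # Thin history (e.g. a new joiner): fall back to how the application is used overall.
            pop = b["app_hours"].get(app, Counter())
            pop_total = sum(pop.values())
            if pop_total and pop[ts.hour] / pop_total < RARE_SHARE:
                alerts.append(("unusual-hour-for-application", user, app, ts.isoformat()))
    # Volume check: many lookups in one hour relative to the user's busiest past hour.
    for (user, app, day, hour), n in recent_windows.items():
        past_peak = b["peak"].get((user, app))
        if past_peak and n > VOLUME_FACTOR * past_peak:
            detail = f"{day}T{hour:02d}:00 {n} events (past peak {past_peak})"
            alerts.append(("volume-spike", user, app, detail))
    return alerts


def constructed_history():
    """Twenty days of office-hours CRM lookups by two users (constructed sample data)."""
    lines = []
    start = datetime(2005, 1, 3)
    for day in range(20):
        for hour in range(9, 17):
            for user in ("alice", "bob"):
                for minute in (5, 35):
                    ts = start + timedelta(days=day, hours=hour, minutes=minute)
                    lines.append(f"{ts.isoformat()} {user} crm_lookup")
    return lines


# Constructed recent events to score against the baselines.
RECENT = [
    "2005-01-24T11:05:00 alice crm_lookup",   # normal hour, normal volume: no alert
    "2005-01-24T03:10:00 alice crm_lookup",   # alice has never used the app at 03:00
    "2005-01-24T03:15:00 carol crm_lookup",   # no history for carol; nobody uses the app at 03:00
    "2005-01-24T14:05:00 carol crm_lookup",   # new user at a normal hour: no alert
] + [f"2005-01-24T15:{m:02d}:00 bob crm_lookup" for m in range(0, 30, 3)]  # 10 lookups in one hour


if __name__ == "__main__":
    for alert in find_anomalies(constructed_history(), RECENT):
        print(alert)
```

The three checks correspond to the questions a reviewer would ask of an alert: is this unusual for this person, is it unusual for anyone using this application, and is the quantity out of line with their past. Each alert is a lead for investigation rather than a verdict, which is the same distinction the interview draws between gathering the data and deciding what counts as inappropriate use.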
ABOUT PETER DORRINGTON
Peter Dorrington is head of fraud solutions at software firm SAS UK.
He works with a wide variety of clients and partners on technologies for detecting and preventing fraud and money laundering.
Before joining SAS, Dorrington worked as a systems designer for the Science & Engineering Research Council, and as a principal consultant with an IT services consultancy.