The chip and PIN initiative celebrated its first anniversary earlier this month, but experts have warned that its success in combating card fraud on the high street is driving criminals to commit more online fraud and even attack retailers’ and banks’ back-end systems.
According to payments association Apacs, chip and PIN helped to reduce total card fraud by five percent in the first six months of 2006. But during the same period card-not-present fraud, including online, increased by five percent, and online banking fraud rose by 55 percent year-on-year.
To combat the threat of online fraud, Apacs is looking to oversee the rollout of two-factor authentication devices later this year, with financial institutions likely to lead the way. These devices will combine chip and PIN with 3-D Secure, an XML-based authentication protocol that underpins the Verified by Visa and MasterCard SecureCode secure e-payment services.
Once a card is inserted into the device, and the relevant PIN entered, a one-time passcode is generated that can be typed into the Verified by Visa or SecureCode pop-up at the time of transaction.
An Apacs spokesman said the new scheme could encourage the take-up of the Verified by Visa initiative, which has attracted little interest from retailers even though it protects them from financial liability in the case of online fraud.
“The banks will be the ones to send the devices out but whether it’s something the retailers join in on in terms of distribution [remains to be seen],” he added.
Others were less optimistic about the success of a scheme relying on 3-D Secure. “Historically, customers have largely not been liable for fraudulent transactions, and as such, there is little incentive for them to participate [in 3-D Secure],” explained Nathan Jackson, managing director of fraud detection specialist CyberSource. “It’s a vicious circle – because of the low level of uptake, many merchants are not yet using these tools, and until this happens banks are unlikely to encourage customers to register.”
Ian White of data security specialist Cybertrust argued that although retailers should support mechanisms like Verified by Visa, the cost of rolling out two-factor devices could be prohibitive, and such a scheme would be unlikely to get buy-in from all retailers.
“I’m not sure how much mileage there is in putting a two-factor authentication system in the home; you can’t have a one-size-fits-all [approach] if you’re dealing with e-commerce,” he explained.
CyberSource’s Jackson added that technologies like 3-D Secure should not be used in isolation. “To combat fraudsters’ [increasing sophistication], retailers should take a layered approach to managing fraud,” he said. “It is less likely that criminals will be able to beat three or four different tools.”
Risk management tools, which monitor purchasing behaviour and detect and flag any anomalies, could be used in combination with 3-D Secure and card verification number authentication, he explained.
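As an added illustration of the layered approach Jackson describes (this is example code, not from any vendor quoted here), the following Python sketch scores a constructed transaction on several independent signals; the field names, weights and thresholds are assumptions chosen to show that no single check decides the outcome.

```python
from statistics import mean, pstdev

# Constructed purchase history per card: amounts of past approved orders.
HISTORY = {
    "card-A": [24.99, 31.50, 19.00, 45.20, 27.75],
    "card-B": [310.00, 295.00, 320.00],
}

def score_transaction(tx, history=HISTORY):
    """Return (decision, score, reasons). Each layer adds or removes
    evidence independently; a single failed layer never declines a sale."""
    score, reasons = 0, []
    # Layer 1: 3-D Secure outcome (hypothetical values: authenticated,
    # attempted, failed). A full authentication lowers the risk score.
    if tx["three_ds"] == "authenticated":
        score -= 2
    elif tx["three_ds"] != "attempted":
        score += 2
        reasons.append("3-D Secure not completed")
    # Layer 2: card verification number (CVN) result from the acquirer.
    if not tx["cvn_match"]:
        score += 3
        reasons.append("CVN mismatch")
    # Layer 3: behavioural anomaly - is the amount far outside this
    # cardholder's usual spend? (z-score against constructed history)
    past = history.get(tx["card"], [])
    if len(past) >= 3:
        mu, sd = mean(past), pstdev(past) or 1.0
        z = (tx["amount"] - mu) / sd
        if z > 3:
            score += 3
            reasons.append(f"amount {z:.1f} sd above usual spend")
    else:
        score += 1
        reasons.append("little purchase history")
    # Layer 4: velocity - number of orders on this card in the last hour.
    if tx["orders_last_hour"] >= 5:
        score += 3
        reasons.append("high order velocity")
    decision = "decline" if score >= 6 else "review" if score >= 2 else "accept"
    return decision, score, reasons
```

The weights mean a 3-D Secure failure on its own only sends an order to review, while a failed CVN plus an anomalous amount plus high velocity is declined even if the customer authenticated.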
David Porter of risk management consultancy Detica agreed, adding that, “You should never oversell any single fraud countermeasure, otherwise people will assume that it’s the final answer and they don’t need to bother doing anything else.”
Any plans for the rollout of two-factor authentication devices should also include backup mechanisms in the event of devices running out of power or getting lost or broken, he added.
Other experts warned that even with extra security at the point of transaction, firms must be increasingly vigilant about the security of their back-end systems, which contain customer transaction data. International Payment Card Industry (PCI) data security standards have been introduced that require any firm handling payment card data to ensure it is secured.
However, many organisations have yet to implement the most recent version of the PCI standard, which requires them to test their applications to ensure compliance.
“The merchants are getting a grip on the PCI standard but few firms own all their IT systems; there are always third parties involved who may not be aware of their responsibilities,” said CA’s Steven Cox.
But firms could actually benefit from third-party help with data storage, according to CyberSource’s Jackson. “Merchants are at less risk of their data being compromised if they have limited or no contact with it, and as a result we are increasingly speaking to merchants that wish to outsource data storage,” he explained. “We offer a secure storage solution, which removes sensitive payment data from the merchant’s network and stores it securely in our PCI-certified datacentres.”
Meanwhile, hackers are increasingly trying to access corporate data via home workers’ systems. The Serious and Organised Crime Agency (Soca) is currently investigating a series of suspicious emails that were sent to senior managers at the Royal Bank of Scotland as part of an alleged attempt to gather network passwords by installing keyloggers on their home PCs.
“Firms have to decide whether they should use higher levels of authentication and/or full disk encryption for their mobile workforce,” argued CA’s Cox. “The answer depends on the classification of the information that the mobile worker is holding and using.”
According to anti-malware vendor Sana Security, recent advances in botnets and malware-writing techniques mean that many firms’ defences are now no longer adequate. Polymorphic malware, for example, can change its signature every time it replicates, to avoid detection by traditional signature-based antivirus engines. Sana said that over 30 percent of botnets and Trojans were now polymorphic.