New fraud headaches emerge with shift to EMV chip cards
Fix aimed at improving security spurs hackers to exploit other channels
By Rodika Tollefson, ThirdCertainty
The organized crime groups that specialize in payment card fraud are nothing if not adaptable.
As the United States continues to reduce the circulation of magnetic-strip credit and debit cards that are all too easy to duplicate, criminal rings are hustling to squeeze every last drop of profits from old counterfeiting schemes.
“We’re seeing counterfeit card fraud going up right now because the criminals are basically having a fire sale,” says Julie Conroy, senior analyst at Aite Group, an independent research and advisory firm focused on financial services. “They’re burning through as much data as they can in the counterfeit space.”
Research recently released by the Aite Group and sponsored by iovation showed that counterfeit card losses in the United States will decline from $4 billion in 2015 to an estimated $900 million in 2020, as EMV chip cards come into predominant use by Americans.
But don’t expect payment card scam artists to slink quietly away. To replace that $4 billion card counterfeiting market they’ve become accustomed to, fraudsters are pivoting to other fraud channels, Conroy says.
Cyber criminals change tactics
Criminals are expected to increasingly shift to so-called card-not-present (CNP) fraud as well as application fraud and account takeover schemes. As the larger category of the three, CNP credit-card fraud is expected to more than double, from $966 million last year to $2.1 billion in 2020, according to Aite.
What’s causing some concern, however, is that even with only 20 percent of U.S credit card transactions and 10 percent of debit ones being “chip-on-chip” now (meaning both the financial institution or issuer and the merchant have switched to chip cards), there’s already an increase in the other three types of fraud.
“We can’t blame that (uptick) on the EMV migration yet,” Conroy says. “That means the problem is going to get worse rather than better.”
CNP fraud already comprises 45 percent of card fraud, according to Aite. But that’s expected to change as cyber criminals begin turning their attention to other channels, especially e-commerce.
Other types of fraud start to surge
Jason Tan, CEO of fraud-protection company Sift Science, says online fraud is more scalable for fraudsters because they can automate certain actions. Sift, which uses machine learning to detect fraud in real time, is seeing more fraudulent activity on its customer sites.
“Fraudsters are attacking websites that you wouldn’t normally think of,” he says. “They’re hungry and looking for the most efficient avenues to commit fraud.”
One rising problem is the criminals’ use of nonprofit donation sites to verify credit card validity—by making small donations. Those verified cards fetch more on the dark market, and fraudsters often use them to buy goods and ship them for sales at overseas storefronts.
An added challenge, Tan notes, is that law enforcement doesn’t typically get involved unless the losses reach very high amounts—and bad actors know how to stay under the radar.
With the unprecedented number of database breaches in recent years, cyber criminals are sitting on a ton of stolen data, including login credentials. Scott Olson, vice president of product at fraud-prevention and authentication company iovation, says that account takeover is one of the fastest-growing challenges, albeit not just in the realm of credit card fraud.
Reusing passwords weakens security
The average user, Olson says, has about 25 accounts, but only about half a dozen passwords.
“They’re reusing the same password over and over again,” he says.
Which means that when a major breach happens at a company like Adobe—or the recent Google breach—cyber criminals can test the same login data at various other websites.
Application fraud, while currently only comprising 2 percent of credit card fraud, also is being viewed by some financial services experts as one of the most pressing issues for the industry in the near future.
Although identity theft is nothing new, the magnitude of data available to fraudsters is at an all-time high. A website security threat report recently released by Symantec shows that the top three types of records exposed in 2015 were names, home addresses and birth dates.
Conroy agrees that there’s a correlation between those numbers and the increase in activities like application fraud. The breaches of health care organizations were especially damaging because of the type of personally identifiable information available in those records.
“That’s the keys to the kingdom from the application fraud perspective,” she says.
Olson believes that one trend that will result from these challenges is a movement from account notifications to account authorizations, putting more control into the hands of the consumers.
“That’s going to protect both consumers and businesses,” he says. “It would be a more sophisticated technology so there would need to be a level of investment around that channel—but it’s going to be in accordance with risk.”
Consumers hold the cards
Rachna Ahlawat, co-founder of mobile-card-services company Ondot, says empowering consumers against fraudsters is a win-win situation for merchants and banks because alone those companies can’t fight fraud.
Her company, which offers financial institutions an app giving cardholders control over transaction authorization, has been growing rapidly—proof, she says, that the idea of putting more control into the consumers’ hands is taking hold.
“Fraud is not a problem that can be easily solved just by banks keeping track of your behavior,” she says.
In the past, criminals could move geographically from the other EMV countries to perpetrate fraud in the United States. But with the U.S. being the last of the G-20 economies to transition, that leaves no new geography for the bad actors to pivot to.
“The U.S. was still a big outlet for counterfeit activity,” Conroy says. “As we go, there’s no other market that will be of a size to absorb that.”
So as counterfeit card fraud drastically declines, the other fraud channels will see increased pressure. In earlier reports, the Aite Group estimated that overall card fraud will grow from $6.7 billion in 2014 to $9.1 billion in 2018.
As the EMV transition plays out, Conroy says it’s the smaller financial institutions that will be increasingly in the bad actors cross-hairs, because they’re lagging behind in the conversion. Criminals at the same time are doing their homework and hitting those targets that are more vulnerable.
“As the ‘big guys’ become more fortified, we do see that the fraudsters move on to the smaller financial institutions,” she says. “It’s really important for them to be on top of this because they have the potential of being hit from both sides.”
More stories related to EMV technology:
As U.S. adopts EMV technology, will hackers revamp tactics?
As U.S. switches to EMV payment cards, fraudsters exploit still-open loopholes
Human factors could undermine chip-and-PIN security