New fraud headaches emerge with shift to EMV chip cards

Fix aimed at improving security spurs hackers to exploit other channels

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

The orga­nized crime groups that spe­cial­ize in pay­ment card fraud are noth­ing if not adapt­able.

As the Unit­ed States con­tin­ues to reduce the cir­cu­la­tion of mag­net­ic-strip cred­it and deb­it cards that are all too easy to dupli­cate, crim­i­nal rings are hus­tling to squeeze every last drop of prof­its from old coun­ter­feit­ing schemes.

We’re see­ing coun­ter­feit card fraud going up right now because the crim­i­nals are basi­cal­ly hav­ing a fire sale,” says Julie Con­roy, senior ana­lyst at Aite Group, an inde­pen­dent research and advi­so­ry firm focused on finan­cial ser­vices. “They’re burn­ing through as much data as they can in the coun­ter­feit space.”

Research recent­ly released by the Aite Group and spon­sored by iova­tion showed that coun­ter­feit card loss­es in the Unit­ed States will decline from $4 bil­lion in 2015 to an esti­mat­ed $900 mil­lion in 2020, as EMV chip cards come into pre­dom­i­nant use by Amer­i­cans.

But don’t expect pay­ment card scam artists to slink qui­et­ly away. To replace that $4 bil­lion card coun­ter­feit­ing mar­ket they’ve become accus­tomed to, fraud­sters are piv­ot­ing to oth­er fraud chan­nels, Con­roy says.

Cyber crim­i­nals change tac­tics

Crim­i­nals are expect­ed to increas­ing­ly shift to so-called card-not-present (CNP) fraud as well as appli­ca­tion fraud and account takeover schemes. As the larg­er cat­e­go­ry of the three, CNP cred­it-card fraud is expect­ed to more than dou­ble, from $966 mil­lion last year to $2.1 bil­lion in 2020, accord­ing to Aite.

What’s caus­ing some con­cern, how­ev­er, is that even with only 20 per­cent of U.S cred­it card trans­ac­tions and 10 per­cent of deb­it ones being “chip-on-chip” now (mean­ing both the finan­cial insti­tu­tion or issuer and the mer­chant have switched to chip cards), there’s already an increase in the oth­er three types of fraud.

We can’t blame that (uptick) on the EMV migra­tion yet,” Con­roy says. “That means the prob­lem is going to get worse rather than bet­ter.”

CNP fraud already com­pris­es 45 per­cent of card fraud, accord­ing to Aite. But that’s expect­ed to change as cyber crim­i­nals begin turn­ing their atten­tion to oth­er chan­nels, espe­cial­ly e-com­merce.

Oth­er types of fraud start to surge

Jason Tan, CEO of fraud-pro­tec­tion com­pa­ny Sift Sci­ence, says online fraud is more scal­able for fraud­sters because they can auto­mate cer­tain actions. Sift, which uses machine learn­ing to detect fraud in real time, is see­ing more fraud­u­lent activ­i­ty on its cus­tomer sites.

Fraud­sters are attack­ing web­sites that you wouldn’t nor­mal­ly think of,” he says. “They’re hun­gry and look­ing for the most effi­cient avenues to com­mit fraud.”

One ris­ing prob­lem is the crim­i­nals’ use of non­prof­it dona­tion sites to ver­i­fy cred­it card validity—by mak­ing small dona­tions. Those ver­i­fied cards fetch more on the dark mar­ket, and fraud­sters often use them to buy goods and ship them for sales at over­seas store­fronts.

An added chal­lenge, Tan notes, is that law enforce­ment doesn’t typ­i­cal­ly get involved unless the loss­es reach very high amounts—and bad actors know how to stay under the radar.

With the unprece­dent­ed num­ber of data­base breach­es in recent years, cyber crim­i­nals are sit­ting on a ton of stolen data, includ­ing login cre­den­tials. Scott Olson, vice pres­i­dent of prod­uct at fraud-pre­ven­tion and authen­ti­ca­tion com­pa­ny iova­tion, says that account takeover is one of the fastest-grow­ing chal­lenges, albeit not just in the realm of cred­it card fraud.

Reusing  pass­words weak­ens secu­ri­ty

The aver­age user, Olson says, has about 25 accounts, but only about half a dozen pass­words.

They’re reusing the same pass­word over and over again,” he says.

Which means that when a major breach hap­pens at a com­pa­ny like Adobe—or the recent Google breach—cyber crim­i­nals can test the same login data at var­i­ous oth­er web­sites.

Appli­ca­tion fraud, while cur­rent­ly only com­pris­ing 2 per­cent of cred­it card fraud, also is being viewed by some finan­cial ser­vices experts as one of the most press­ing issues for the indus­try in the near future.

Although iden­ti­ty theft is noth­ing new, the mag­ni­tude of data avail­able to fraud­sters is at an all-time high. A web­site secu­ri­ty threat report recent­ly released by Syman­tec shows that the top three types of records exposed in 2015 were names, home address­es and birth dates.

Julie Conroy, Aite Group senior analyst
Julie Con­roy, Aite Group senior ana­lyst

Con­roy agrees that there’s a cor­re­la­tion between those num­bers and the increase in activ­i­ties like appli­ca­tion fraud. The breach­es of health care orga­ni­za­tions were espe­cial­ly dam­ag­ing because of the type of per­son­al­ly iden­ti­fi­able infor­ma­tion avail­able in those records.

That’s the keys to the king­dom from the appli­ca­tion fraud per­spec­tive,” she says.

Olson believes that one trend that will result from these chal­lenges is a move­ment from account noti­fi­ca­tions to account autho­riza­tions, putting more con­trol into the hands of the con­sumers.

That’s going to pro­tect both con­sumers and busi­ness­es,” he says. “It would be a more sophis­ti­cat­ed tech­nol­o­gy so there would need to be a lev­el of invest­ment around that channel—but it’s going to be in accor­dance with risk.”

Con­sumers hold the cards

Rach­na Ahlawat, co-founder of mobile-card-ser­vices com­pa­ny Ondot, says empow­er­ing con­sumers against fraud­sters is a win-win sit­u­a­tion for mer­chants and banks because alone those com­pa­nies can’t fight fraud.

Her com­pa­ny, which offers finan­cial insti­tu­tions an app giv­ing card­hold­ers con­trol over trans­ac­tion autho­riza­tion, has been grow­ing rapidly—proof, she says, that the idea of putting more con­trol into the con­sumers’ hands is tak­ing hold.

Fraud is not a prob­lem that can be eas­i­ly solved just by banks keep­ing track of your behav­ior,” she says.

In the past, crim­i­nals could move geo­graph­i­cal­ly from the oth­er EMV coun­tries to per­pe­trate fraud in the Unit­ed States. But with the U.S. being the last of the G-20 economies to tran­si­tion, that leaves no new geog­ra­phy for the bad actors to piv­ot to.

The U.S. was still a big out­let for coun­ter­feit activ­i­ty,” Con­roy says. “As we go, there’s no oth­er mar­ket that will be of a size to absorb that.”

So as coun­ter­feit card fraud dras­ti­cal­ly declines, the oth­er fraud chan­nels will see increased pres­sure. In ear­li­er reports, the Aite Group esti­mat­ed that over­all card fraud will grow from $6.7 bil­lion in 2014 to $9.1 bil­lion in 2018.

As the EMV tran­si­tion plays out, Con­roy says it’s the small­er finan­cial insti­tu­tions that will be increas­ing­ly in the bad actors cross-hairs, because they’re lag­ging behind in the con­ver­sion. Crim­i­nals at the same time are doing their home­work and hit­ting those tar­gets that are more vul­ner­a­ble.

As the ‘big guys’ become more for­ti­fied, we do see that the fraud­sters move on to the small­er finan­cial insti­tu­tions,” she says. “It’s real­ly impor­tant for them to be on top of this because they have the poten­tial of being hit from both sides.”

More sto­ries relat­ed to EMV tech­nol­o­gy:
As U.S. adopts EMV tech­nol­o­gy, will hack­ers revamp tac­tics?
As U.S. switch­es to EMV pay­ment cards, fraud­sters exploit still-open loop­holes
Human fac­tors could under­mine chip-and-PIN secu­ri­ty