For many years, credit card fraud has been the favored method for fraudsters seeking to profit from stolen identity information. The ease with which a criminal could use a victim’s card information and the generally widespread availability of stolen card data made credit card fraud the simplest and lowest-risk option for the average criminal.
But things have been changing. The U.S. was the last of the major markets to switch to the EMV credit card security protocols. Much of the world, including Europe and the Asia-Pacific, had already been using the European Mastercard-Visa (EMV) system for years. This means that much of the innovation and adaptation necessary for criminals to address the new EMV environment in the U.S. has already been in development and in use around the globe for years.
One very obvious change in fraud behavior has been a steady increase in account takeover and account application fraud, two types of what has been termed “remote fraud” because the crime is often conducted online and/or over the phone.
The first half of 2015 saw a rush in fraudulent account creation, evidenced by the nearly 100% increase in such events just within the first two quarters of the year. From April through June of 2015, out of more than one billion created financial accounts, nearly 50% were flagged as fraudulent. This is a huge jump from the 28% witnessed in the first quarter of 2015. It is believed that this remarkable increase resulted from the desire of fraudsters to take advantage of the end of the pre-chip-enabled debit and credit card window before the EMV switchover.
However, despite the October 1, 2015 EMV compliance deadline in the U.S., the “old fashioned” fraud method of simply using an existing (stolen) credit card has continued to thrive. This is the result of a staggered and uneven implementation of EMV-compliant technology across the U.S. transaction environment. While the deadline for the switch was October of this year, not all merchants have upgraded, and there is widespread misunderstanding of how the new technology works and why the conversion is taking place.
Because newly issued EMV credit cards in the U.S. are still compatible with old magnetic-swipe systems, merchants that continue to use the old systems continue to be exposed to the same fraud as they were before the switch. However, merchants’ liability for this fraud has significantly increased as the result of new regulations associated with the EMV deadline. Compounding the confusion, some card issuers are deciding to phase in PIN compliance, as it was not part of the October 2015 deadline. Without the PIN, these EMV cards require the far less secure signature to authorize the transaction, stripping the card of its two-factor authentication protection.
Although the U.S. market had the advantage of being able to observe its European counterparts as they made the changeover in the past five to ten years, it may be too soon to think that, because the American merchant market is mature, it will not see the same correlated increase in account takeover fraud and fraudulent account creation that occurred in other markets that made the EMV transition. The pattern has borne out in every market that has previously made the switch to chip-enabled cards.
Remote identity fraud has many faces
Remote identity fraud can take many different forms.
- Account takeover fraud — If a fraudster can’t utilize stolen credit card data, he may instead choose to leverage someone’s identity credentials. He can do this by assembling Personally Identifying Information (PII) on fraud victims to mimic them. He might then use the data to guess passwords or to request a password reset, and gain access to the victim’s online account data or transactional capabilities.
- Application fraud — This happens when a fraudster uses another’s identity or an artificial identity to open a new or replacement account. Once they have a victim’s PII, criminals can impersonate their victim and request shutdown of existing accounts, transfer of assets to new accounts, or open brand new banking or credit accounts, sometimes without the victim being aware for as long as 5 or 6 months. In one particularly clever case, fraudsters hired a “professional impersonator” to manage all of the interactions which required a fluent English speaker to act like the victim.
- Card-Not-Present (CNP) fraud — Here, the criminal uses another's card data in remote transactions that don't need a physical swipe of the credit card. Data from Europe and Australia would suggest that CNP fraud should see a substantial spike after the adoption of EMV becomes more widespread.
The conflict between client convenience and security
Remote fraud is becoming increasingly problematic as payment forms evolve and businesses enter a grey area. Companies that previously were “pure retail” operations are evolving. After all, what constitutes a financial organization in today’s world? And, how should regulators determine what corporations ought to be responsible for maintaining the same standards as banks and credit unions?
For example, today’s shoppers demand convenience and regularly conduct purchases on non-traditional platforms. Many shoppers feel safer utilizing mobile wallets like PayPal, Android Pay, and Apple Pay for online shopping because doing so doesn’t require them to share their PII credentials with the vendor. However, if the payment service’s enrollment, authentication, and information protection practices are faulty, then the mobile wallet is not secure. What if an identity thief is able to set up a digital wallet by successfully emulating the individual whose data they have stolen? That thief now has a payment method available that requires no presentation of identity at all, regardless of where he uses it.
Remote fraud can also become problematic on popular social sites like Pinterest and Instagram that provide ads with “click to buy” promotions. The use of these features by consumers leads to their credentials being shared, transferred, and used among multiple vendors, merchants, and beyond, to marketing platforms and other affiliate sites.
Are retailers catering to consumers’ ever-growing need for convenience? Absolutely.
However, merchants and vendors operating these types of schemes should, more than likely, be thinking of their businesses not as pure retailers but rather as some new form of hybrid retailer-financial institution. As such, these firms ought to be thinking about their “know your customer” (KYC) and alternative identity theft detection processes. These processes should seek to affirmatively identify their customer, not only to determine “who are they?” but also “are they connected to the account?” If merchants fail to effectively answer these questions, they leave themselves and their customers exposed to dangerous security breaches and costly fraud, and regulators can potentially hold them financially (or criminally) responsible.
The Key to Transaction Fraud Prevention
Ultimately, complying with guidelines intended for banks and financial institutions will become a reasonable standard, even for organizations that are not financial institutions, simply because the concept of ensuring that you “know your customer” makes sense. By authenticating client credentials (identity documents) during the transaction, the anonymity which protects criminals is stripped away. At the same time, most consumers these days are highly aware of the massive data breaches that have occurred in recent years and the vulnerability of individuals to identity theft. Thus, instituting ID authentication practices into the transaction process can now be marketed as a forward-thinking and industry-leading practice that any modern organization ought to pursue.