Online fraud may surge after EMV chip card rollout
By Tony Mecia | Published: November 19, 2014
Sophisticated online fraud rings are expected to flourish in the next few years, even as the U.S. switches to credit cards embedded with anti-fraud computer chips.
Following the lead of most other developed countries, card issuers in the United States have begun phasing out credit cards with only the traditional magnetic stripe and replacing them with cards that also contain a newer technology known as an EMV chip, which makes the cards nearly impossible to counterfeit.
However, as the ability to use counterfeit cards in stores dries up, fraudsters are expected to turn to other forms of fraud that prey on different vulnerabilities. At the top of the list, payment security experts say, is using stolen card numbers to buy stuff from the Internet.
And that might be only the beginning. "As long as we innovate and develop new financial services, there will always be some exploit that will be created and someone seeking to take advantage of a poorly executed or nonexistent control," says Seth Ruden, senior fraud consultant with ACI Worldwide.
In every country that has switched to EMV cards -- and the United States is the last developed country to do so -- online fraud has jumped, says online fraud expert Brian Krebs. "Fraud doesn't go away, it just goes somewhere else, and that somewhere else is always online," he says. "The thieves can still steal the card number and expiration date, which still can be used online. So that's generally what will happen. We'll see a pretty big uptick in card-not-present fraud."
EMV is coming
In October 2015, retailers and card issuers will face an important deadline. At that time, they could become liable for credit card fraud losses if they have failed to adopt EMV technology.
Getting poll results. Please wait...
Because of that, retailers are upgrading their terminals to accept EMV cards, and banks are steadily issuing cards containing EMV chips. About 70 percent of U.S. cards are expected to have EMV chips by the end of 2015.
The effect on consumers will be slight. You're likely to receive a new EMV card in the mail, and when you use it at a store equipped with EMV payment terminals, you won't swipe the card as you do now. Instead, the terminal will tell you to insert it into the card reader.
If you shop at a retailer that hasn't made the switch to EMV, you'll still swipe the card's magnetic stripe as you always have.
Most consumers will sign, not enter a PIN for their transactions. PINs would be more secure, since it's harder for a thief to fake a PIN number than a signature, but card issuers fear that PINs would discourage people from using their cards.
The main advantage to EMV cards is that they will cut down on counterfeiting, which accounts for 37 percent of all U.S. credit card fraud, according to a 2014 report by Aite Group. Now, when fraudsters obtain stolen credit card numbers from major retail data breaches such as those at Target or Home Depot, or from less sophisticated skimming operations, they can produce fake magnetic stripe cards easily, using equipment available for just a few hundred dollars on Amazon or eBay.
For instance, in one of Georgia's biggest fraudulent card busts ever, authorities in November arrested a man after discovering more than 1,000 fake or blank cards and card-writing equipment in an office outside Atlanta. Those schemes are now common.
However, they're expected to diminish with the spread of EMV technology in the U.S. While magnetic stripes contain sensitive data that doesn't change, every time an EMV card is used, the chip creates a unique one-time code. Because the transaction number is not usable again, if someone tries to use information duplicated from the chip, the transaction would be denied. Producing fake EMV chip cards will be almost impossible, and creating counterfeit cards is expected to largely disappear.
Other countries have seen a benefit in adopting EMV technology. In the U.K., counterfeit fraud has fallen 56 percent since the country rolled out EMV cards in 2005, the Aite Group report says. In Australia, counterfeit fraud is down 38 percent. In Canada, the figure is 49 percent.
Much of the remaining counterfeit fraud in those countries is what's known as "cross-border" counterfeiting, in which criminals use cards from, say, Australia in non-EMV countries, where consumers have to swipe the card's magnetic stripe; or they use fake U.S. magnetic stripe cards for purchases in the U.K. or Canada. As long as magnetic stripe cards are accepted -- and they will be for some time -- counterfeit fraud will continue.
"It's going to be difficult to completely eliminate fraud and high-risk transactions, so long as that magnetic stripe is still outstanding and circulating in the wild," Ruden says.
Although the transition to EMV is expected to lead to less counterfeiting of cards, it will also encourage fraudsters to move to new areas of vulnerability.
If counterfeiting physical cards is more trouble, criminals will naturally turn to buying items online with stolen credit card numbers. That's been the pattern elsewhere, says Justin McDonald of The Fraud Practice, an anti-fraud consulting company.
"There is a little bit more sophistication that is needed to commit fraud online, but people went ahead and learned it," he says. "When it comes to committing online credit card fraud, you can buy the card details on the black market and go use them."
As long as we innovate and develop new financial services, there will always be some exploit that will be created and someone seeking to take advantage of a poorly executed or nonexistent control.
In the United Kingdom, online fraud -- known in the industry as "card not present," or CNP, fraud -- rose 79 percent in the first three years after the country switched to chip cards, and it more than doubled in Australia and Canada, according to Aite Group.
The most attractive purchases to criminals are high-value items that can quickly be converted to cash or resold, such as gift cards, jewelry and electronics.
For U.S. retailers, the coming wave of online fraud means they will need to improve controls to ensure that they know that their customers are authentic. This often involves new risk-management technologies and additional security questions or passwords, says Julie Conroy, research director with Aite Group.
For consumers, the best advice is to pay closer attention to credit card bills to detect suspicious charges, and to review your credit reports periodically to ensure they're accurate.
Other kinds of fraud seem poised to increase, too. With chip cards tougher to counterfeit, criminals could start applying for more real cards by using fake identities.
"Application fraud will absolutely be a channel that will start to explode, where somebody fills out an application and the issuer thinks it's you and it's not," says Patrick Davie, general manager of card services risk solutions with the financial services technology company Fiserv.
In other countries, security experts say they've seen elaborate and creative ways to commit fraud, even involving chip cards. In 2008, for instance, gangs in China and Pakistan were reported to have tampered with hundreds of chip-and-PIN card readers before they were shipped to Europe. The readers siphoned card information and relayed it to criminals, who then made purchases and withdrew cash.
Surely other schemes will also emerge that try to beat the system, experts say. "It's like a balloon: When you push on one end, the bottom will puff out," Davie says. "They're always looking for new vulnerabilities. There's too much money in it."
|Other countries have seen decreases in some kinds of fraud and increases in others following the introduction of chip cards. The major types of credit card fraud and their outlook, post-EMV:|
|Counterfeit card fraud. Chip cards are much more difficult to forge than cards with only magnetic stripes, so cases involving criminals duplicating a card using stolen card information should drop significantly once mag-stripe cards are taken out of circulation. Outlook: decrease
|Lost and stolen card fraud. Because most U.S. issuers will not require use of a PIN, new chip cards will have little effect if someone steals or finds your card and uses it before you can report it lost or stolen. Outlook: neutral|
|Online, or card-not-present (CNP), fraud.
With chip technology making in-store purchases safer, fraudsters are expected to ramp up attempts to make online purchases with stolen card data. Outlook: increase
- You may soon be able to buy lottery tickets at grocery checkout – States have to approve shoppers using smartphones linked to credit or debit cards to purchase Powerball and Mega Millions chances ...
- EMV chip card torture test – We put EMV chip credit cards through a series of tests to see how they stand up to common threats such as extreme temperatures, water and corrosive liquids ...
- Abolish the password? Card issuers are working on that – Credit card issuers and banks aim to phase out passwords over the next few years with the help of biometric authentication ...