As EMV spreads, will e-commerce fraud finally balloon?

Register now

Counterfeit card fraud remains a fairly lucrative activity for criminals, mainly because the EMV chip migration the U.S. still has many gaps. As such, there was never a clear spike in card-not-present fraud since the anti-counterfeiting design arrived in the country, according to the card brands.

But that may change, and soon.

"Right now, it is pretty easy to tell who has EMV and who doesn't, because the signs are right there at the point of sale," said Thad Peterson, senior analyst with Boston-based Aite Group. "That makes it easier for fraudsters."

When those signs all say that chip cards are accepted, fraudsters will finally shift their attention en masse to card-not-present scenarios, Peterson said during the Internet Retail Conference in Chicago.

The card brands attribute any rise in e-commerce or card-not-present fraud to trends that are unaffected by the EMV deployment. Indeed, the EMV migration may have made it easier for fraudsters to target vulnerable brick-and-mortar stores.

But it's not as if fraud activity has been quiet on the web.

"Since about 2010, it is safe to say that every person who has visited your websites has been compromised in some fashion," Peterson said. "The Yahoo breach of a couple years ago was initially a 500-million person breach, and that is now up to a 2-billion person breach."

Recent Aite research indicates dollars lost to card-not-present fraud increased only slightly in 2016 at $3.3 billion, compared to $3.2 billion in 2015. But as EMV takes hold at the physical point of sale, Aite predicts those dollars to increase to $4 billion this year, $4.9 billion in 2018, $5.5 billion in 2019 and $5.9 billion in 2020.

At the same time, Aite predicts digital commerce dollar volume will rise from $404 billion in 2016 to as much as $770 billion by 2020.

To focus solely on protecting payment card data will be a mistake, Peterson said.

Account takeover is more profitable for hackers, who get about 22 cents for stolen payment cards on the black market, compared to $3.78 for a stolen Uber account, $6.43 for a PayPal account and $3.02 for a Facebook account, according to Aite research.

Potentially more troubling, Peterson said, is that fraudsters are now concentrating on taking over merchant accounts so as to imitate a retailer site and begin collecting payment card data and other personal credentials in the process.

One of the weakest links remains the use of passwords, or more specifically use of the same weak password for several accounts.

"Passwords remain a frustrating problem," Peterson said. "Most people have less than five passwords they use for all accounts and hardly anyone on the planet has a different password for every single one of their accounts."

Authentication efforts through the work of organizations like the Faster Identity Online Alliance [FIDO] focus on eliminating passwords in favor of biometrics and other methods.

Ultimately, the security industry may move toward a single number that is tokenized and embedded securely within the organization managing it, Peterson added.

"A good example is the USAA customer number, which drives everything that happens at USAA," Peterson said. "It's reasonably unhackable and has two-factor authentication behind it. The secret to proliferation of numbers, is few numbers."

USAA has nurtured a reputation for adopting security technologies to complement its client number system.

David Liu, director of information technology for Azalea Boutique, encouragea merchants to go for a full verification of transactions by establishing "a chain of truth." Liu's company is a client of ClearSale fraud prevention.

"The next best thing is to be able to prove, through a link, that a transaction is being initiated by a bad actor," Liu said. "That could come for an IP address list, or credit card list or customer addresses. It could also be as simple as an issuer response, saying the card is no longer valid."

Whether it is more human interaction or using new tools such as automated machine learning, the goal remains trying to recognize patterns and correlations into demonstrating something that is known to be false, he added.

For reprint and licensing requests for this article, click here.
EMV CNP Device security Data security