Counterfeit card fraud is finally on the way down as EMV creeps into the U.S. marketplace, but card-not-present (CNP) fraud through online channels is skyrocketing.
It's too soon, however, to blame the EMV shift for much of the new fraud spike, new data from Aite Group suggests.
If present trends continue, U.S. CNP fraud caused by multiple factors will rise 80% over the next four years, to $7.2 billion from $4.5 billion, while counterfeit card fraud—the kind EMV primarily thwarts—will fall 77% to $1 billion from $4.5 billion, Aite forecasts.
In discussions with 16 large U.S. card issuers this year, Aite aimed to sort out exactly what role the EMV shift is playing so far in the rise of CNP card fraud. Aite determined EMV isn't a big factor yet in the rise of CNP fraud, but it turned up a variety of interesting nuggets about the patchy progress of EMV and the future course of online fraud leveraging data stolen from the widespread breaches that took place over the last few years.
"Fraud is rising on all fronts, but the waters are muddy, making it hard to measure the effect of each type of fraud," said Julie Conroy, research director for Boston-based Aite Group.
The U.S. migration to EMV, which began in earnest with the October 2015 liability shift for counterfeit card fraud, is definitely part of what's driving fraudsters to commit CNP fraud, but its effect so far is slight, Conroy said.
Because of the wide variations in EMV readiness it saw, Aite forecasts that only 81% of all credit cards and 57% of debit cards will be chip-enabled by the end of this year. And because the vast majority of merchants also are not yet EMV-enabled, that snuffs out the case for EMV directly sparking a significant spike in CNP fraud.
"With only 20% of credit card transactions chip-on-chip, it's too early to put the blame on EMV for the sharp rise we're seeing in CNP fraud," Conroy said.
Nor is there any sign counterfeit card fraud has gone away.
"The skimmers have not packed up shop and gone home yet," Conroy said, noting that counterfeit card fraud is set to peak this year at $4.5 billion, up 12.5% from last year.
Merchants can attest to the ongoing effects of counterfeit card fraud, as they pick up the tab for those losses following the liability shift. Many merchants have questioned whether the tsunami of chargebacks they've received in the months since the liability shift is legitimately due to counterfeit card fraud.
In separate research conducted recently among U.S. issuers and merchants, Conroy said some of the concerns about chargebacks are justified.
"The processes many issuers set up to report counterfeit card fraud are not fully baked yet," Conroy said, noting that some issuers are using inconsistent criteria in documenting "reason codes" for counterfeit and other questionable transactions, which is leading to some incorrect assumptions about counterfeit fraud's role in the recent spike in chargebacks.
Those processes should stabilize in coming months, Conroy said.
And by early next year, with the expansion of EMV-enabled cards and terminals, counterfeit card fraud will begin to deflate, falling 33% to $3 billion on its march down to less than $1 billion over the next four years, Aite predicts.
By that time, it will be fair to expect criminals to abandon the point-of-sale channel for counterfeit card fraud, potentially driving up CNP losses further, Conroy said.
"As we start to see EMV really gain steam toward the end of this year and going into next year, it's going to put more pressure on CNP fraud, which is a pattern we saw in the U.K. and Australia during the first year EMV was fully in place," Conroy said.
So if it's not the first wave of EMV cards in the U.S., what's behind the fresh surge in CNP fraud?
Conroy points to two factors. One is the overall increase in e-commerce, which is pulling routine fraud levels up as volume rises. The other is new types of fraud using millions of packets of personally identifiable information from massive breaches such as the one Anthem suffered last year, affecting more than 37.5 million consumer accounts.
Issuers also are getting blindsided by a sharp rise in CNP fraud from two fast-rising scams—account takeover and application fraud—where fraudsters use stolen personal information to hack into consumers' bank accounts and open up bogus credit accounts, Conroy said.
Last year CNP fraud started its climb, increasing 14% to $3.2 billion, and it's on track to rise another 25% this year to $4 billion, data suggests. The trajectory is only going to get steeper, Conroy said, based on the breadth of compromised data and the many ways it can be monetized by criminals.
Issuers and merchants are working to battle CNP fraud through fast-evolving methods, Conroy said, but there is no single solution that will work across the board.
"Fraudsters are exploiting multiple avenues, so the best practice is to deploy multiple technologies in a layered manner," Conroy advised, noting that the challenge is finding a suitable balance between protection and maintaining consumer convenience.
Examples of fraud-fighting approaches in the CNP channel include biometrics, device fingerprinting and authentication, digital identity assessment, and technology to instantly analyze consumer behavior, including detecting unusual patterns in using devices or navigating websites, Conroy said.
Tools to detect malware are also key for fighting CNP fraud, along with out-of-band authentication and other methods for verifying a user's identity.
To conduct its research, Aite Group interviewed 16 large U.S. issuers, four issuing processors and two payment networks, between February and April 2016.
Portland, Ore.-based Iovation, which sponsored Aite's survey, is one of many suppliers of technologies to battle CNP fraud through device authentication. ThreatMetrix and Kount also provide these services.
Iovation keeps tabs on 3 billion devices globally, accounting for 86% of devices used in 4 billion transactions each year, and 60% of its clients are financial institutions using its services to ward off CNP fraud, among other threats. Twenty percent are retailers, and the rest are other types of enterprises such as gaming companies. Iovation's services work by spotting clues that transactions aren't legitimate and flagging them for stepped-up authentication, said Michael Thelander, a product manager at Iovation.
Iovation's goal is to catch CNP fraud without interfering with consumers' activity or generating "false negatives" that tend to annoy end users, Thelander said.
With a large database of information about devices ranging from desktops to laptops, tablets and mobile phones, Iovation's global network automatically tracks routine device movements and flags those indicating potential CNP fraud, such as transactions occurring at an illogical place and time, Thelander said.
To avoid incorrectly flagging legitimate transactions when a device's circumstances look suspicious, Iovation compares such transactions with another global database covering broad spheres of likely "exceptions," including travel, operating system upgrades and other easily explained variables.
"We call this our 'fuzzy matching algorithm,' because it corroborates and overlaps with the actual device data, giving us a much clearer picture of whether or not the device and transaction are legitimate," Thelander said. "We are constantly refining and enriching our database so we catch more fraud sooner, but it's a challenge as fraud keeps evolving."