The nature of fraud in the U.S. is about to change radically, as fraudsters adapt to EMV security at the point of sale by shifting their attention to e-commerce channels. Accompanying this shift are changes to the consumer's role in spotting fraud, but this could be as much a burden as it is a benefit if banks and merchants are not careful.
Although some banks are planning to use mobile device data or to deputize the consumer to aid in account protection, these approaches are tricky to properly implement. Thus, the value of new technology in fighting fraud could lag the consumer adoption of that technology, providing a window of opportunity to scammers.
"People have been trying to understand what the best way to use mobile is," said Mark Nelsen, the senior vice president of risk products and business intelligence for Visa Inc. "The initial focus has been 'What is the best way to use mobile?' Security is often an afterthought."
One emerging trend is to put the consumers in control over how their cards can be used in different spending categories and channels. Some mobile apps allow consumers to set these controls on the fly, or to deactivate a card entirely if it is lost or stolen.
Although this may be a good way to involve the consumer in securing his or her own accounts, consumers may make bad assumptions that actually work against them. For example, fraudsters respond very quickly to incidents that enable them to capitalize on the fear consumers have of becoming victims. In the case of the breach of 80 million health care records this year from Anthem Blue Cross, fraudsters began impersonating Anthem in phishing emails, urging consumers to click an infected link to receive free credit monitoring.
"The thieves took advantage of the worry," said Al Pascual, director of fraud and security at Javelin Strategy and Research. Thus, the consumers who thought they were being most proactive about their security were actually the most at risk. "Hapless victims who clicked the link received precisely the opposite of what they were hoping for," he said.
But it's still a good idea to empower the consumer to engage in mobile account management. The more commerce that takes place in e-commerce and through mobile devices, the more data that banks and merchants have at their disposal to properly determine when a transaction might be fraudulent.
Mobile devices add data points including various forms of biometrics as well as geolocation, but so far few processors, issuers and retailers have seriously been using these data points to authenticate e-commerce shoppers. That may start to change, though, as in-app purchases from Apple Pay and Android Pay start to leverage fingerprint authentication.
Banks and merchants must find a way to update their authentication tactics to make the most of new technology, particularly since fraudsters are already adapting their own strategies, Pascual said.
"There's going to be an evolution" in cyber-fraud tactics and the methods retailers use to defend themselves, he said. "We need to find a way to tie in that biometric authentication for any kind of m-commerce" ideally by "using a card on file that is 3D-Secure enabled," he said.
But it isn't going to be easy, even in a mobile environment with more data to work with, Pascual said.
Merchants are best served by working with the tools that Visa, MasterCard and other financial companies provide, he said.
"Trying to remove them from the current payments ecosystem is much easier said than done," Pascual said. "PayPal has learned that it's better to play nice with payment [brands] than to try and replace them."
In a recent report that Pascual co-authored, Javelin advocates giving consumers the tools to set limits on their accounts, but also warns about the mistakes consumers will make in using these tools. This may place too much of a burden on shoppers; at some point it becomes more convenient for the consumer to simply have a compromised card reissued.
In the near future, reissuance might get even more convenient for consumers. Banks are likely to try to automate the process of updating payment details with billers that deduct payments automatically. When a card is reissued, the consumer could be brought to a page listing transactions that appear to be automated, and the consumer could then authorize the communication of the new account details to those billers.
Another big change in fraud tactics is how thieves are zeroing in on the smallest of merchants. The Javelin report argues that mom-and-pops and mid-level merchants are not merely being targeted because they have weaker security, although that is often the case. Other factors include: tiny or non-existent IT staffs; the use of consumer-grade remote access software or low-security POS systems; and the fact that breaches at small merchants typically receive little to no media coverage, which in turn reduces awareness of the incident and so reduces the number of consumer victims who contact their bank to flag related fraud quickly enough.
But an even more dangerous factor is that thieves are using geography and other tactics to fool card-brand fraud detection systems into thinking the attack is something else.
For example, a major attack might yield card numbers from across the country, but the thieves may choose to use only cards from carefully chosen ZIP codes to make the attack appear to be regional. This, coupled with the relatively tiny number of transactions seen by the smallest of merchants, delays the brands from correctly identifying the common point of purchase. That works in the thieves' favor: it extends the value of the stolen card data and may even let them continue stealing data from the initial victim.
"You need a pretty significant number of cards to have certainty that it's the common point of purchase," Pascual said.
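The two passages above describe the mechanics of common-point-of-purchase (CPP) analysis and why a small merchant, or a cash-out restricted to a few ZIP codes, delays it. The following is an added example (not code from the article, from Javelin, or from any card brand) that runs a minimal CPP ranking over a constructed transaction history. Every merchant name, card token and ZIP code in it is invented; the thresholds `min_cards` and `min_share` are assumptions chosen for illustration, not published brand parameters.

```python
"""Common-point-of-purchase (CPP) analysis over a constructed transaction
history. Added example; not code from the article, Javelin, or any card
brand. All merchants, card tokens and ZIP codes below are invented."""
from collections import Counter, defaultdict
from typing import NamedTuple


class Txn(NamedTuple):
    card: str        # tokenised card identifier (constructed)
    merchant: str
    zip_code: str    # cardholder billing ZIP (constructed)


def build_history() -> list:
    """Construct three merchants: BIGBOX (1000 cards spread over 10 ZIPs),
    CORNER (20 cards, all from one ZIP) and GROCER, a popular merchant that
    sees every card above plus 3000 more and so appears in any sample."""
    zips = [f"{60600 + i:05d}" for i in range(10)]
    txns = [Txn(f"c{i:04d}", "BIGBOX", zips[i % 10]) for i in range(1000)]
    txns += [Txn(f"c{5000 + i:04d}", "CORNER", "60614") for i in range(20)]
    txns += [Txn(t.card, "GROCER", t.zip_code) for t in txns]
    txns += [Txn(f"c{9000 + i:04d}", "GROCER", zips[i % 10]) for i in range(3000)]
    return txns


def merchant_card_sets(txns):
    """Distinct cards seen at each merchant."""
    sets = defaultdict(set)
    for t in txns:
        sets[t.merchant].add(t.card)
    return sets


def cpp_candidates(txns, fraud_cards, min_cards=10, min_share=0.02):
    """Rank merchants by the share of their card base that appears in the
    fraud-reported set. A merchant is flagged only if it clears both an
    absolute count (certainty that it is not coincidence) and a share
    threshold (which rules out popular merchants that contain almost every
    card in any sample). Returns (all rows, list of flagged merchants)."""
    fraud = set(fraud_cards)
    rows = []
    for m, cards in merchant_card_sets(txns).items():
        hits = len(cards & fraud)
        rows.append((m, hits, len(cards), hits / len(cards)))
    rows.sort(key=lambda r: (-r[3], -r[1]))
    flagged = [r[0] for r in rows if r[1] >= min_cards and r[3] >= min_share]
    return rows, flagged


def top_zip_share(txns, fraud_cards):
    """Fraction of fraud-reported cards whose billing ZIP is the single most
    common one. A value near 1.0 makes the incident look regional even when
    the cards were hand-picked from a nationwide breach."""
    zips = {t.card: t.zip_code for t in txns}
    counts = Counter(zips[c] for c in fraud_cards if c in zips)
    return max(counts.values()) / sum(counts.values()) if counts else 0.0


def scenario():
    """Two constructed fraud-report sets from the same BIGBOX breach:
    'wide' cashes out 40 cards from all ZIPs; 'regional' uses only 15 cards
    from ZIP 60603 plus 4 cards skimmed at the tiny CORNER merchant."""
    txns = build_history()
    wide = [f"c{i:04d}" for i in range(0, 1000, 25)]            # 40 cards
    regional = [f"c{i:04d}" for i in range(3, 1000, 10)][:15]   # ZIP 60603 only
    corner = [f"c{5000 + i:04d}" for i in range(4)]
    return txns, wide, regional + corner


if __name__ == "__main__":
    txns, wide, regional = scenario()
    for name, reported in (("wide cash-out", wide), ("regional cash-out", regional)):
        rows, flagged = cpp_candidates(txns, reported)
        print(name, "flagged:", flagged, "top ZIP share: %.2f" % top_zip_share(txns, reported))
        for m, hits, total, share in rows:
            print(f"  {m:7s} {hits:3d}/{total:<5d} share={share:.3f}")
```

In the wide cash-out, BIGBOX clears both thresholds and is identified immediately. In the regional cash-out, CORNER has by far the highest share (4 of its 20 cards) but sits below the absolute count needed for certainty, BIGBOX's share drops below the threshold because so few of its cards were used, and roughly four fifths of the reported cards come from one ZIP, so nothing is flagged and the pattern reads as a local skimming spree. That is the delay the report describes, reproduced on constructed data.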
The report also pointed out a baffling statistical disconnect: the number of ripped-off consumers isn't rising as quickly as the volume of stolen card data would suggest. There are a few reasons for this. First, better fraud detection methods are shortening the window of opportunity for using the stolen cards.
"The lifespan of a breached card account has been dramatically shortened, putting a virtual expiration date on black-market data dumps," the report said. "This (has) forced underground markets to hold 'fire sales' to offload stolen credentials while they are still valid."
The second reason, though, speaks to the increasing sophistication and effectiveness of cyberthieves. Bluntly, they are stealing far more names than they have the ability to use. "Simply put, when over a quarter of the American populace is breached, criminals simply cannot target all of them," the report said.