When more U.S. issuers and merchants start using EMV-chip cards to improve security at the point of sale, fraud will likely surge online.
This is what happened in the U.K., which adopted EMV technology in 2005 and saw card-not-present rise 54% from 2006 to 2008, reaching £328.4 million before finally going down as banks and merchants addressed the fraud occurring online, says Julie Conroy, an Aite Group researcher and fraud expert. In 2013, the U.K. dealt with e-commerce fraud losses of £301 million.
EMV cards improve security by deterring the counterfeiting of physical cards, but they do not improve security online. Fraudsters thus move their efforts to e-commerce after being thwarted at the point of sale.
"The bad guys come up with new ways to attack, so then the fraud rate goes back up," Conroy says.
Conroy and Adam Dolby, vice president of business development at Boston-based Encap Security, shared their views on post-EMV fraud threats during a May 7 online presentation.
When determining the best way to thwart fraud, banks and merchants should think of EMV as a flu shot, Dolby says.
"The flu vaccine doesn't eradicate the flu, but if you get the flu it will go away faster and there won't be as much pain," Dolby says. "The same holds true for card security and the customer. If you get hit with a breach, it is imperative to make the data unusable and limit the use of the card, or in some cases take it away all together."
Encap provides in-app authentication software across channels, emphasizing ease of use for consumers, Dolby says.
Banks and retailers should rely on authentication that confirms a consumer's identity and intention, Dolby says.
Financial institutions and businesses deploying strong security will be ready for any attack, Dolby adds.
"You have the opportunity to eliminate fraud across channels, not just [card not present], and generate new products and services if you have good security," Dolby says. "I believe very strongly that if you can increase convenience and security, and do it with a solution that addresses both of those, you have a winner."
If security comes at the expense of the customer experience "somebody is going to be unhappy," Dolby says.
Conroy discussed the performance of the EMV CAP device, which consumers had to plug into a home computer to make a secure transaction online. It added a number of steps to the online shopping process, and consumers hated it, she says.
"That device is a non-starter in the U.S.," Conroy says.
Consumers don't like complicating the payment process, in part because they are not held liable for fraudulent transactions, Conroy says. "Consumers have no skin in the fraud game."
Hackers are also targeting alternative payment methods by developing new strands of malware.
"There will be 82 million new strands by the end of the year," which equates to 180,000 unique new strands per day, Conroy says. A year ago, she mentioned that 95,000 new strands were developed a day.
E-commerce sites are an appealing target for hackers, who can test stolen passwords across multiple websites, Conroy says.
"The good news is that counterfeit card fraud significantly drops when EMV technology takes hold," Conroy says. "But the crime rings will attack other vectors."
Even though the Target breach received the most publicity, the Adobe breach was the most dangerous incident of 2013. The Adobe breach resulted in the compromise of 3 million credit card accounts and 150 million username and password combinations, Conroy says.
In addition, hackers obtained the source code for Adobe's ColdFusion, used for building Web and mobile applications, and other popular Adobe web codings, Conroy adds.
"In the wake of that breach, we have seen two separate merchants get compromised who were relying on ColdFusion for their Web building," Conroy says. "It shows there are many different ways for the bad guys to get in. They are nothing if not creative."