Ironically, two current U.S. payment security initiatives the EMV chip-card migration and the faster payments project will prompt hackers to find new ways to compromise banking networks.
Though it is oft-repeated as common knowledge that e-commerce retail fraud rises as EMV technology improves security at the point of sale, many banks in Europe, Asia and Canada were caught unprepared for the trend to also affect online and mobile banking, said Hakan Nordfjell, senior vice president of eBanking for digital security provider Gemalto.
"The banks in Europe are still fighting [online fraud] several years after EMV," Nordfjell said.
Many U.S. banks have acknowledged a likely shift in fraudsters' attack methods, but a significant number of banks still need to prepare, Nordfjell said.
Amsterdam-based Gemalto provides its clients with online banking fraud management along with tokenization, encryption and multi-factor authentication. Gemalto has a reseller agreement with NCR to include NCR's Fractals risk management software as part of Gemalto's Ezio Dynamic Fraud Manager, which monitors transactions in the online and mobile channels.
Fraud management has to be as frictionless as possible, Nordjfell said. Interruptions in the payment process must occur only as needed if a transaction raises red flags after the first layer of security, whether it is a password, PIN or biometrics.
"The idea for us is to be always active in the end-user experience, but far less active on the front end and more active on the back end," Nordjfell said.
The U.S. push for faster payments, including same-day processing of Automated Clearing House transactions, potentially opens another door for hackers.
"With the other global initiatives in combination with the U.S. desire for faster payments, customers are moving money across multiple devices," said Mary Ann Miller, senior director and fraud executive advisor for New York-based NICE Actimize.
"I call it a need for new vaccines because it is a new epidemic in fraud," Miller said. "We will need actionable fraud scores in an increasing digital and faster payments environment."
Banks are best prepared to protect their legacy systems and cards, but are not equally prepared to screen fraud in a network in which ACH payments are moving in a couple of hours rather than two days, Miller added.
A new approach to real-time fraud protection would start with prevention and detection "hubs" in which all of the data regarding malware, biometrics, navigation tools, customer enrollments, customer service information and money-movement technology is available at the same time, Miller said.
As the Federal Reserve banks and other key players formulate a faster payments system in the U.S. over the next four to six years, the financial industry could start with "mini hubs" designed to establish security procedures, skills and strategies, Miller said.
"The opportunity is there to bring all of it together and connect the dots that could result in better customer treatment," Miller said. "You can make fraud detection a more flexible strategy when you understand all of the events end-to-end."
Already banks and payment providers are advancing the use of real-time alerts and fraud remediation programs to minimize damage.
Other markets migrating to EMV have also seen application fraud and account takeovers, mostly motivated by the need of plastic-card fraudsters to find new accounts, said Al Pascual, senior fraud analyst for Javelin Strategy & Research.
"Eventually, POS fraud will become less popular because of the amount of work necessary to source new cards," Pascual said.
Fraudsters will chase other schemes where data can be stolen and misused online, Pascual added.
"The long and short of it is there are billions of dollars in fraud being perpetrated at the POS that will need somewhere to go, and the financial industry would be well served preparing now for what is undoubtedly around the corner."