British banks and payment-industry players spent more than £1 billion (US$1.97 billion) to roll out more-secure credit and debit cards and terminals and to educate their customers on how to use them.
So it may have been a bit disappointing for card issuers in the United Kingdom when UK payments association APACS released its most-recent fraud statistics showing they got fleeced for a record £532.2 million (US$1.1 billion) last year. That is more than the previous high point in 2004, the year banks began their chip-and-PIN rollout, the largest implementation of EMV technology to date. (See fraud data.)
But APACS and other card-industry observers are quick to point out that chip-and-PIN has done what it was designed to do: cut fraud from counterfeit and lost or stolen cards when both cards and terminals support the technology. And losses within the UK have plunged since 2004. (British banks actually began issuing chip cards a few years earlier, but these did not support PIN codes.)
Fraudsters, however, have more than made up for this crimp in their business by going around the chip technology and targeting the magnetic stripe that UK issuers still must place on their cards. Fraud from Internet and other card-not-present transactions grew by 37% last year, and it represents by far the biggest category of issuers' card-fraud losses.
But the sales volume of e-commerce is growing much faster, up nearly nine-fold between 2000 and 2007 for Web shopping alone (from £3.5 billion to £34 billion), compared with a tripling of Internet, telephone and mail-order fraud to £290.5 million in 2007.
More troubling for British banks is the soaring fraud on their payment cards used abroad, which has increased by nearly four times since 2004. This type of counterfeit fraud more than doubled in 2007 to £113.2 million from £23.8 million in 2004.
"We became aware of it two years ago, the mass compromise of data," Graham Goodwin, detective inspector from the Dedicated Cheque and Plastic Crime Unit of the Metropolitan Police, tells Cards&Payments. "The thing of concern to us, and the thing we're concentrating on, is the mag-stripe and PIN compromise at cash machines."
ATMs: A Fraud Hotspot
Nearly all of the international fraud from cards issued by UK banks that crooks counterfeit is occurring at ATMs, says Goodwin, a four-year veteran of the police unit, which is funded by British banks.
And UK banks are by no means the only ones in Europe affected by ATM fraud. The European ATM Security Team reported in April that cash-machine losses for banks throughout Europe approached 440 million euros (US$648 million) last year, up 43% from 306.5 million euros in 2006. Cross-border fraud accounted for nearly 90% of the losses last year.
"People involved in that type of crime are getting wise to the (security) gaps," says Lachlan Gunn, coordinator of the ATM group. "(There are) improvements in technology. Data obtained from one card skimmed in one country can be transmitted instantly to another country."
Graham McKay, head of the European branch of the ATM Industry Association, believes the European ATM Security Team has vastly underestimated the extent of fraud in Europe. Banks or bankcard brands in some countries, such as those in the UK, report full details on losses. Others hold back, perhaps worried about undermining consumer confidence in their brands, McKay tells Cards&Payments.
"You'd probably end up with four times as much for the actual cost of (ATM) fraud," he says. "I believe if you extrapolate the problem, it is a lot bigger, and it's being masked."
Gunn, of the European ATM Security Team, rejects that, noting his group's fraud estimates include figures from Europe's five big commercial markets: Germany, the UK, France, Italy and Spain. He acknowledges some losses in these countries may be understated and that his group does not make estimates to account for this or for losses in nonreporting countries.
"I have no idea how much they could be underestimated," he says. "I have an idea that [the four-fold underestimation is] well off the mark. We're much closer than that."
The biggest gap in EMV security is the mag-stripe, which still exists on all the cards banks or card companies issue with chips. Criminals easily can lift the data off the mag-stripe by planting rogue card-skimming devices at ATMs or by attaching them to point-of-sale terminals.
They also have been able to capture mag-stripe data stored on the chip itself by eavesdropping on the transaction data. Fraudsters capture cardholder PINs either by installing small cameras above the PIN pads to record cardholders entering their codes; by "shoulder surfing," which involves watching cardholders tap in their PINs; or by replacing or modifying the PIN pads to record the key strokes.
Once fraudsters have the data, they often send the information immediately via mobile phones or other electronic means to confederates in countries where mag-stripe, instead of chip-and-PIN, is the predominant card format. Criminals then produce counterfeit cards, which they use with increasingly profitable results, especially at ATMs.
A Prime Target
Petrol stations have been favorite haunts for criminal gangs in Britain to steal card data, including at least one that experts believe is connected with Sri Lankan rebels. APACS reported last year that nearly two-thirds of fraud hotspots in the UK in 2006 were at petrol, or gasoline, stations. That improved somewhat last year but still accounted for more than half of card breaches in 2007, says APACS. "(Gas stations are open) 24 hours and are quiet during times of the night, and [that] enables gangs to get in there and do their skullduggery," says Goodwin.
In May 2006, executives from Royal Dutch Shell's UK arm shut down 600 stations after discovering crooks had compromised some of its terminals and had drained customer accounts to the tune of more than £1 million (US$1.8 million). The high-profile fraud called into question the value of EMV because it occurred just a few months after the banking industry made chip-and-PIN transactions mandatory in cases when both cards and terminals are equipped to handle the technology.
But the Shell breach did not compromise the chip technology, says APACS. The thieves copied the mag-stripe data and tampered with PIN pads to record PINs as motorists entered them, according to reports. They either skimmed the mag-stripe itself or seized the same track-2 data stored on the chip via the transaction message.
A few consumers, including one customer who has filed a lawsuit against Halifax PLC bank, which is part of the UK's largest savings bank group, HBOS PLC, say they lost a couple thousand pounds each when thieves pilfered their accounts from ATMs in the UK. All cash machines there support EMV, but investigators have not established the chip technology was to blame, says an APACS spokesperson.
In fact, cloning a chip card for an ATM transaction would be very difficult because issuers always authorize the transactions online, and fraudsters would have to crack the encryption key on the chip that verifies the card is genuine, say experts. That is in addition to stealing the PIN from the chip or recording the cardholder entering it.
Though not nearly as easy as skimming a mag-stripe, it would be more practical for fraudsters to clone chips on UK cards and use them at point-of-sale terminals that do not secure authorizations online.
A large majority of the more than 100 million chip-and-PIN cards British banks have issued support the least secure, and least expensive, option within the EMV standard, called static data authentication. The card holds a static signature, which fraudsters theoretically could copy along with the rest of the data on the chip. They also could fool the card into accepting any PIN code. APACS contends no known cases of this type of fraud have occurred, however.
More-secure options are available in the standard, such as dynamic data authentication or combined data authentication, which create a unique signature for each transaction. Some banks on the Continent are issuing the more-secure cards. And until British banks adopt this for all of their EMV cards, they will require nearly all of their POS transactions to be authenticated online, just as all ATM transactions are.
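To make the difference between static and dynamic data authentication concrete, here is an added illustration in Python; it is not code from the article or from any EMV implementation. It replaces EMV's RSA certificates with an HMAC keyed by a secret that only the genuine chip holds (so the toy verifier shares that secret, whereas a real terminal checks with a public key), and the card data, secret and challenges are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in: real EMV uses RSA certificates, so the terminal verifies with a
# public key and only the genuine chip holds the private key. HMAC with a secret known
# only to the genuine chip (and, for this toy, the verifier) models that asymmetry.
CHIP_SECRET = b"constructed-genuine-chip-secret"


def _sign(message: bytes) -> bytes:
    return hmac.new(CHIP_SECRET, message, hashlib.sha256).digest()


def personalise_sda(card_data: bytes) -> bytes:
    """Issuer computes one static signature over fixed card data when the card is made."""
    return _sign(card_data)


def terminal_verify_sda(card_data: bytes, static_sig: bytes) -> bool:
    """SDA: the terminal only checks that the stored signature matches the stored data.
    Anything that can read the chip (data plus signature) passes this check."""
    return hmac.compare_digest(_sign(card_data), static_sig)


def genuine_chip_sign(card_data: bytes, challenge: bytes) -> bytes:
    """DDA: the chip signs its data together with a fresh challenge from the terminal."""
    return _sign(card_data + challenge)


def terminal_verify_dda(card_data: bytes, challenge: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(_sign(card_data + challenge), sig)


def compare_sda_dda() -> dict:
    """Run both checks against the genuine chip and against a copy of everything a
    reader of the chip could capture: static data, static signature and one earlier
    challenge/response pair. Returns which checks the copy passes."""
    card_data = b"PAN=4000000000000002;EXP=0912;NAME=CONSTRUCTED"  # constructed sample
    static_sig = personalise_sda(card_data)
    old_challenge = os.urandom(8)                     # one earlier transaction, observed
    old_sig = genuine_chip_sign(card_data, old_challenge)
    new_challenge = os.urandom(8)                     # the terminal draws its own challenge
    return {
        "sda_accepts_copy": terminal_verify_sda(card_data, static_sig),
        "dda_accepts_genuine": terminal_verify_dda(
            card_data, new_challenge, genuine_chip_sign(card_data, new_challenge)),
        # The copy has no secret; replaying the old response fails the new challenge.
        "dda_accepts_copy": terminal_verify_dda(card_data, new_challenge, old_sig),
    }
```

Because SDA accepts the copy, an SDA issuer has to rely on online authorization to catch a cloned chip, which is exactly the compensating control the paragraph above describes.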
In any case, why would crooks mess with tackling the chip when the mag-stripe is readily available to be copied? APACS acknowledges this is by far the card's weakest link.
"It is an old-style scam," says the APACS spokesperson. "It's unfortunately as simple as taking information off a magnetic stripe. The technology is widely available."
The fraudsters are using the skimmed data to shop at stores with counterfeit cards or to do card-not-present transactions with Web merchants and mail-order houses using the card data. In-person transactions require them to produce convincing mock-ups of banking cards.
But with either face-to-face or card-not-present fraud for purchases, criminals end up with merchandise they would need to sell, usually at a big discount, to secure cash. That is one reason they usually target ATMs instead.
"It's a much better business case for them to go to ATMs and get cash than get jewelry or electronics that they go and resell," says David Worthington, head of consulting for UK-based Aconite, which counsels banks on the move to EMV.
This requires fraudsters to find cash machines not equipped to read chips or that revert to reading the mag-stripe if the fraudsters disable the chip.
Finding such machines is not too difficult. The European ATM Security group estimates 22% of the more than 360,000 ATMs in Europe did not comply with EMV at the end of last year. That is a substantial improvement from 2005, when just more than half of ATMs could accept EMV cards.
But it still leaves large numbers of cash machines vulnerable in fraud magnets such as Italy, where an estimated 53% of ATMs did not take EMV chip cards as of the end of last year. Rates in some Eastern European countries are worse still, and about 40% of cash machines in Germany are vulnerable to mag-stripe fraud.
Still, Europe progressively is closing the window of opportunity for ATM fraud, with 14 countries having converted 100% or nearly all of their cash machines to EMV. Those countries include France, the Netherlands and, of course, the UK, according to the European ATM Security Team. Spain, another favorite destination for fraudsters, had equipped more than 80% of its ATMs to read chip cards as of last year.
Mandates from the European Union for a Single Euro Payments Area will put even more pressure on banks in Europe to move all of their mag-stripe-based ATMs to EMV. The banks face a December 2010 deadline to also convert their POS terminals to EMV.
Some banks will not hit that deadline, especially at the point of sale, but the international card companies will be placing pressure on them to do so, observers say.
For example, starting in July 2008, banks and other ATM owners throughout Europe will face the prospect of covering the costs of fraud if their terminals do not accept EMV cards. That is part of an expanded liability-shift agreement between Visa Inc.'s Central and Eastern Europe, Middle East and Africa region and the autonomous Visa Europe region, which covers Western Europe.
Under that shift, if fraud occurs at an ATM in either of the two regions, and one of the parties in the transaction (the card issuer or the acquiring bank) is not equipped to support EMV, it will be liable for the money stolen from the machine. The two regions already had a mutual liability pact for card purchases at shops, which took effect in 2006.
Visa in November also decided to add its Asia-Pacific region to the European mutual liability pact, starting in October 2010. The pact also includes Canadian banks.
But the agreement will not cover fraudulent ATM transactions involving Asia-Pacific cards or terminals initially.
Asia-Pacific has had its own ATM-fraud problems, which is why regulators in Malaysia, Taiwan and South Korea mandated the move to more-secure cash machines with chip technology years ago.
In cash-toting Japan, which has been subject to high-profile ATM attacks in recent years, a number of banks are rolling out sophisticated biometric-based cards and ATMs.
In addition, the international card schemes have put rules in place in at least some of their EMV regions mandating banks to issue cards that no longer store the same track-2 data on the chip as the card's magnetic stripe carries. This is designed to prevent thieves from stealing this data after it leaves the chip during a transaction and using it to produce counterfeit mag-stripe cards. British banks began issuing these more-secure cards in January.
But even with the blanket of EMV protection spreading across Europe and extending into surrounding regions and later to Asia, one gaping security hole will remain.
In the United States, banks have no plans to move to EMV, which is why it has become an increasingly popular destination for fraudsters and their counterfeited European payment cards.
APACS reported fraud losses on British cards in the United States shot up by nearly 120% between 2005 and 2007, to £24.6 million (US$49.1 million) from £11.3 million, and it has supplanted France as the top overseas hotspot for British card fraud.
But neither Visa nor MasterCard Worldwide has extended its EMV-liability shift to the United States. Banks there are willing to absorb what they consider an acceptable level of fraud on their own cards instead of undertaking the massive expense of rolling out EMV.
"The political things have to be understood," says Aconite's Worthington. "On the U.S. side, for MasterCard and Visa, they've got some of their largest member banks there. They're not really in a position to tell Bank of America or Citigroup, 'You will do this.'"
The giant U.S. market is a major reason European and other foreign banks keep the vulnerable mag-stripe on their chip cards. Otherwise, their customers could not use their cards when traveling there, or to other countries that have yet to roll out EMV.
Besides advising their cardholders to take commonsense precautions, such as covering the PIN pad when they enter their codes, banks are left to rely on countermeasures, such as fraud-detection software that analyzes cardholders' buying patterns and predicts fraudulent activity, say Worthington and other experts.
Banks are beefing up these neural-network systems. Among the hottest options are those that triangulate on the suspected "points of compromise" of the defrauded cards, says David Divitt, risk solutions consultant in the UK for U.S.-based payments software company ACI Worldwide.
Once it has zeroed in on the merchant location or ATM where criminals have skimmed cards that they subsequently have used to commit fraud, the issuer can identify all their cardholders who have patronized the shop or cash machine.
European banks are split over whether to then block these accounts and replace the cards, which could cause their cardholders significant inconvenience, or keep the cards in circulation, Divitt says. But one thing, he says, is clear: Once fraudsters begin to withdraw money with counterfeit cards, banks do not have much time to make up their minds.
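The point-of-compromise analysis Divitt describes, as an added illustration in Python; this is not ACI's or any bank's code. The transactions, terminal ids and fraud timestamps are constructed, and the coverage/precision scoring is a simple choice made for the example, not a vendor method.

```python
from collections import defaultdict
from datetime import datetime


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample data (not from the article): card-present transactions as
# (card_id, terminal_id, time) and the time each card's first confirmed fraud was seen.
TRANSACTIONS = [
    ("card01", "PETROL-17", "2007-03-01 08:10"),
    ("card02", "PETROL-17", "2007-03-01 18:42"),
    ("card03", "PETROL-17", "2007-03-02 07:55"),
    ("card04", "PETROL-17", "2007-03-02 19:20"),
    ("card01", "SUPERMKT-3", "2007-03-01 12:00"),
    ("card02", "SUPERMKT-3", "2007-03-01 12:30"),
    ("card03", "SUPERMKT-3", "2007-03-03 12:05"),
    ("card05", "SUPERMKT-3", "2007-03-03 13:00"),
    ("card06", "SUPERMKT-3", "2007-03-04 09:00"),
    ("card07", "SUPERMKT-3", "2007-03-04 10:00"),
    ("card01", "ATM-555", "2007-03-06 03:30"),   # after card01's fraud: not an exposure
]
FRAUD_SEEN = {"card01": "2007-03-06 02:00", "card02": "2007-03-06 02:15",
              "card03": "2007-03-06 02:40"}


def rank_points_of_compromise(transactions, fraud_seen):
    """Rank terminals by how well they explain the fraud set.
    coverage:  share of defrauded cards that used the terminal before their fraud.
    precision: share of all cards seen at the terminal that were later defrauded.
    A busy supermarket gets high coverage but low precision; a skimmed pump gets both."""
    fraud_times = {c: _t(t) for c, t in fraud_seen.items()}
    all_cards = defaultdict(set)     # terminal -> every card seen there
    fraud_cards = defaultdict(set)   # terminal -> defrauded cards seen there before the fraud
    for card, term, when in transactions:
        all_cards[term].add(card)
        if card in fraud_times and _t(when) < fraud_times[card]:
            fraud_cards[term].add(card)
    ranked = []
    for term, hits in fraud_cards.items():
        coverage = len(hits) / len(fraud_times)
        precision = len(hits) / len(all_cards[term])
        ranked.append((term, len(hits), len(all_cards[term]), round(coverage * precision, 3)))
    return sorted(ranked, key=lambda r: r[3], reverse=True)


def exposed_cards(transactions, terminal, fraud_seen):
    """Cards that used the suspect terminal but show no fraud yet: the set the issuer
    must decide to block and reissue, or keep in circulation under closer monitoring."""
    return sorted({c for c, t, _ in transactions if t == terminal and c not in fraud_seen})
```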
"Within two to three hours of the exploitation of these (skimmed) cards, over 80% of the [account funds] are gone," Divitt says.
With cross-border card fraud showing few signs of letting up this year and much of the world's payment card infrastructure unable to handle EMV, UK and other European banks could be called upon to make these hurried decisions for some time to come.