Laura Hymes, CFE
Managing Editor, Association of Certified Fraud Examiners
The U.S. credit card system is undergoing big changes that will affect how financial institutions, retailers and consumers conduct transactions and try to prevent fraud well into the next decade. Financial institutions in the United States traditionally issued credit and debit cards with magnetic stripes that store customer account information, and retailers used point-of-sale systems designed to read the magnetic stripes. Unfortunately, these cards are highly susceptible to hacking and are often used in fraudulent purchases. In an effort to reduce these schemes, financial institutions are issuing new cards with chip technology (in which data is stored on a circuit chip in the card rather than in the magnetic stripe) to replace magnetic-stripe cards. Credit companies are also shifting the responsibility for fraudulent transactions to retailers who did not implement new card readers by their 2015 deadline (ATMs have until 2016 and gas stations until 2017).
The new chip cards, also called EMV cards, make hacking and identity theft more difficult and are expected to decrease fraud in the long term. However, as the use of magnetic-stripe technology dwindles, criminals are making a last-ditch effort to get all the spoils they can before the stream of fraudulent opportunity dries up. In addition, experts are anticipating an increase in other fraud schemes after the transition is complete, based on trends experienced in countries that already made the change to EMV cards.
What’s Happening Now?
According to a recent study conducted by the Aite Group and sponsored by Iovation, only 20 percent of credit card transactions and 10 percent of debit transactions in the United States used chip technology as of 2015. This leaves a massive window for fraudsters to exploit before it closes.
Currently, criminals can purchase stolen credit card data online and create their own magnetic-stripe cards loaded with the stolen data. They can also steal physical cards and replace the data stored on the magnetic stripe with stolen information. Fraudsters use these cards to purchase billions of dollars’ worth of goods and services every year. Because these types of crimes have a finite lifespan, fraudsters are going to commit more of them until all point-of-sale systems have been replaced with chip readers. The Aite study predicts such fraudulent purchases will reach $4 billion in 2016, and the retailers who have not upgraded their sales terminals will be hit the hardest.
What Will Happen Next?
After the United States completes the transition to chip technology, we can expect to see increases in certain types of credit card fraud, based on what other countries experienced after their transitions. In particular, we should expect more card-not-present fraud, application fraud and account takeovers. These three schemes are all enabled by massive data breaches in recent years that have given criminals access to the personally identifiable information (PII) of U.S. citizens. Experts cite similar patterns in countries that migrated to EMV technology before the United States.
To skirt the protections of EMV technology, criminals use stolen cards or data to make online purchases rather than in-store transactions. In the UK, online fraud rose 79 percent in the first three years after EMV became the new standard. Canada and Australia also saw increases in online fraud after they transitioned to EMV cards.
Currently, fraudsters can purchase stolen PII and create magnetic-stripe cards with the data. Although EMV cards will eliminate this scheme, fraudsters can use that same stolen PII to open new credit accounts in someone else’s name. They’ll have a brand-new EMV card delivered right to their door (or P.O. Box, more likely), but in someone else’s name. According to Aite, the UK and Canada saw big spikes in application fraud after they switched to EMV.
The last scheme likely to increase in the wake of EMV technology is account takeover. In these frauds, criminals use stolen data to log in to accounts (or directly hack into them) and empty all the funds. They do not need to worry about what type of card is associated with the account; they simply transfer the funds directly out of the account.
What Should We Do?
Anti-fraud professionals are constantly trying to stay one step ahead of the criminals. Every time we implement new protections, the fraudsters adapt. But knowing where the trends are leading us can help retailers and financial institutions brace for what’s coming. Some of the best prevention and detection methods for these frauds are:
- Implement additional technologies to verify customer identity, such as biometrics and second-source verification.
- Increase controls over online purchases and banking.
- Consider implementing transaction signing, which requires the customer to provide a digital signature before completing each online transaction.
- Install malware detection software.
- Encourage customers to check accounts frequently for unauthorized transactions.
- Run automated data analyses on transactions to look for trending fraud schemes.
Even if organizations have anti-fraud measures in place for such schemes, they might not be able to withstand the sudden increase in occurrence. Heightened diligence is essential to spot the changing approaches of fraudsters, along with staying abreast of the latest trends.
For more information, contact Sarah Hofmann, Public Information Officer, at (512) 478-9000 ext. 324 or