- CyberCrime Center
May 15, 2014
People migrate all the time to earn an easier, better living. To escape the Dust Bowl of the 1930s Okies migrated to California. To escape the lowering profit margins in personal computers, Apple migrated to iPhones and iPads. Okay, so you own a MacBook Pro. We didn’t say everything and everybody migrated. In fact, the last time we checked there were still 3.815 million people living in Oklahoma.
The point is it’s only natural that, when it becomes tougher to make a living in one place, people pick up and go to another. And that’s what projections show some cybercriminals will do if, as is likely, the EMV standard (the “E” stands for Europay and the “M” and “V” stand for MasterCard and Visa, the companies that first backed the idea of a chip to replace magnetic stripes on credit and debit cards) comes to pass.
In their piece on paymentssource.com, Nicole Reyes, a senior fraud prevention analyst and Brandon Kuehl, a senior product manager, look at the possible impact of EMV and other technologies.
Card-not-present (CNP) fraud is generating quite a bit of chatter in financial and payments circles today. Much of the talk centers on the link between greater global use of the EMV standard and rising CNP fraud.
The connection is legitimate, as counterfeiting artists have a much more difficult time duplicating chip cards than they do cards with a magnetic stripe. In the face of this new adversity, criminals in areas of the world where EMV has taken a firm hold are following the path of least resistance—namely online, mail order and telephone fraud. It’s certainly happening in Europe, where CNP fraud surged more than 21 percent in 2012.
Of course, fraudulent online, mail order and telephone transactions posed a significant and growing threat long before the EMV standard began to take hold around the developed world. Today’s CNP fraudsters aren’t exactly on the cusp of a new trend; their tactics have been effective for decades.
CNP fraud makes up 16% of the entire U.S. card fraud picture today, which resulted in more than $5.3 billion in losses in 2013. Much of the CNP fraud growth is fueled by consumer comfort with online transactions.
As well, the development of several new payments tools has made electronic transactions so simple they become almost carefree. By 2017, U.S. consumers are expected to spend more than $430 billion on e-commerce transactions. With CNP fraud running at about 1% of e-commerce revenue, we can expect to see losses [soar] over the next three years—unless the industry pulls together an effective CNP fraud loss solution.
For many years, issuers were able to shrug their shoulders when it came to CNP fraud. That’s because most losses from fraudulent e-commerce transactions could be charged back to the merchant. Today, however, with increased merchant enrollment in 3D Secure protocol programs, such as Verified by Visa and MasterCard Secure Code, CNP chargebacks have been virtually wiped out. If a merchant participates in either of these programs and a fraudulent transaction gets through, the issuer no longer has chargeback rights.
However, not all merchants are on board with the 3D Secure protocol. In fact, some have coined the innovation a “conversion killer,” mainly because it can disrupt an otherwise seamless online checkout experience for consumers. Yet for every naysayer, there is a supporter. Most recently, a Dutch e-commerce processor conducted a survey to support the idea that 3D Secure can actually enhance the conversion rate among online shoppers.
Issuers are, understandably, a bit stand-offish on programs that threaten their chargeback rights. Beyond the potential to damage the bottom line of card-issuing credit unions and banks, 3D Secure programs also have a long way to go before they are as secure as they hope to be one day. Both Visa and MasterCard have made commitments to continue to improve the program’s security and to also develop strategies that allow the protocol to offer merchant and issuers “equal rights.”
Still, the fraud risk from online transactions has become problematic for merchants and issuers. Fortunately, the industry has hardly thrown up its hands. On the contrary, innovation in authentication methods is alive and well.
Among the new technologies being bandied about the industry, the use of payment tokens, or tokenization as it’s commonly called, offers the greatest potential to slow the growth of CNP fraud in the U.S. That’s because the process replaces all of that coveted card account data with a single, secure token. The token has zero value for a fraudster because it would have to be decrypted, and the only entities capable of doing so are the major card networks.
Today, card data, such as the Primary Account Number (PAN), is static. As soon as a fraudster has obtained it, the data can be used multiple times for a variety of nefarious purposes. Worse, merchants are storing this vulnerable data in what we have seen to be insecure ways. Tokenization, on the other hand, replaces that PAN data with a unique token, and storage of cardholder data is limited to the tokenization system. This removes a hefty burden from the world’s merchants, who are increasingly under attack from data-hungry hackers.
Tokenization and EMV are similar in that they both use dynamic data to prevent duplication. Unlike EMV, however, tokenization is a technology that is nearly invisible to the cardholder. Think of it like fraud-prevention strategies in the background of a portfolio – it’s another layer of security running completely behind-the-scenes. Cardholders only become aware of the security measures when they have been victimized or when a suspicious transaction has been flagged. Otherwise, it’s a non-intrusive way to keep an eye on consumers’ accounts with minimal involvement from the cardholder.
Although tokenization is mostly theoretical today, the development of standards is underway. EMVco, for instance, released its technical document for implementing tokenization in online or mobile environments in March 2014. MasterCard, Visa and American Express have also announced a joint collaboration to move the standard forward.
The most important change an issuer can make is to hone its fraud-detection strategies to identify and prioritize accounts where a transaction has been declined by a 3D Secure module; those accounts should be queued for review by a human fraud analyst.
Card issuers may want to take their fraud-prevention measures further by writing strategies that analyze other risky attributes, such as dollar amount region or risk scores. In the event the 3D Secure validation for a fraudulent transaction is authenticated, allowing a fraudster or account takeover artist to move forward with the transaction, those strategies would fill in behind 3D Secure, acting as a second layer of protection.
The new state of the CNP chargeback, in combination with the predicted increase in e-commerce and online fraud in the wake of EMV, has forced card issuing financial institutions to pay more attention to their CNP fraud strategies. As fraudsters acclimate to the new world of payments, issuers, too, must adjust their strategies to keep fighting the good fight.
ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.
ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.
The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.
For more information, visit www.threatmetrix.com or call 1-408-200-5755.
Posted by Dan Rampe
Tags: Account Takeover, Account Takeover Fraud, Bank Fraud, Building Trust on the Internet, CNP fraud, Context-Based Authentication, Cookieless Device Identification, Cookies, Credit Card Fraud, Cyber attacks, Data Breach, Device Detection, Device Fingerprint, Device Fingerprinting, Device ID, Device Identification, Fraud Prevention, Hacking, Identity Spoofing, Identity theft, Malware, Malware Detection, Malware Protection, Man-in-the-Browser Detection, MitB, Mobile fraud, Online Fraud, Phishing, Phishing Detection, PII, ThreatMetrix, ThreatMetrix Cybercrime Index, ThreatMetrix Global Trust Intelligence Network, ThreatMetrix Web Fraud Map, Trust Tags, TrustDefender Cybercrime Protection Platform, Web Fraud