Cybercriminals Not Waiting for October EMV Chip Deadline to Increase Attacks on Online Targets
Posted April 2, 2015
ThreatMetrix Warns Merchants of a Hike in Online Fraud and Banks about an Upsurge in Fraudulent Account Creation
Just months away (October 2015), Europay-MasterCard-Visa (EMV) will become the new standard for credit cards in the USA. To criminals, the adoption of EMV means two things. One is that it’s going to be harder to hack in-store point-of-sale (PoS) systems. The second is that they’re going to be looking for “softer” targets and shifting their focus to online retail fraud and the creation of fraudulent accounts at online financial institutions.
Losses to the economy as a result of fraud
In 2014, U.S. retailers lost about $32 billion to fraud, up from $23 billion just a year earlier – much of it due to the weak security of credit and debit cards.
Countries that have adopted EMV suffered a significant increase in online fraud
For countries adopting the more secure EMV chips, the end of magnetic stripe technology that let hackers skim card numbers and security codes has meant the beginning of new attacks online. When EMV cards were introduced in Europe in 2012, not coincidentally online fraud increased 21 percent.
Alisdair Faulkner, ThreatMetrix chief products officer, says now is the time to implement systems to stop the expected increase in online cybercrime
“From a consumer perspective, the shift to EMV is good news as it will make it harder for cybercriminals to counterfeit credit cards and conduct fraudulent purchases in stores. But from an online merchant perspective, as it becomes more difficult for cybercriminals to monetize on counterfeit cards, their goals are now going to shift to use of stolen credit card data through online channels. Right now – ahead of the October deadline – is the time for retailers to start implementing systems that look at cybercrime in context to combat the growing breadth and intelligence of fraud following the widespread adoption of EMV in the U.S.”
Merchants and banks face new fraud liabilities requiring more security
Following the October deadline, retailers still supporting magnetic stripe card technology will be liable for any resultant fraud losses. While merchants will be held liable for any in-store fraud, the increase in online fraud can also create liability issues for banks– specifically as cybercriminals turn their attention to applying for new EMV chip credit cards online with stolen information. To combat the expected growth in fraudulent account creation online, banks will also need to increase security.
Facing the challenges of mobile devices to online bank security
Thirty percent of banks’ customer acquisitions come via some type of mobile device. With the mobile channel easily compromised by cybercriminals, this creates a major security challenge for financial institutions.
Faulkner on financial institutions’ intelligence regarding user behavior
“The vast majority of financial institutions are using very rudimentary intelligence about user behavior, Internet connections and devices to determine whether the end user is a good customer or a cybercriminal. For example, many banks still rely on the geolocation of the user based on IP addresses and cookies for authentication – but those can be easily spoofed through proxies and by bots. With the adoption of EMV, financial institutions must have the capabilities to authenticate users by assessing their digital identities as a whole to prevent cybercriminals from opening new credit cards with a stolen identity.”