U.S. EMV chip card adoption, starting in 2015, helped trigger a migration to other fraud types such as identity and card-not-present transaction scams, as well as so-called sleeper fraud and account takeover.
The Global Fraud Index shows a 62% rise in online fraud from third quarter 2015, and 39% between first and second quarter of 2016.
“The prediction the years before was that the fraud would move to digital. There was a precedent for that, it happened in other countries,” Mike Lynch, chief strategy officer of Boston-based device authentication and intelligence firm InAuth, said.
Lynch added, in Canada when EMV migration began in 2011 counterfeit card fraud declined pretty quickly. “But all the fraud moved into application fraud and then that increased 500% in the digital space.” In the U.K., Australia and Canada online fraud increased by 80-100% in a three-year period following EMV; and since EMV launched in the U.S. through the last quarter of 2016 e-commerce fraud moved up 42%.
Some other statistics from LexisNexis studies are just as sobering:
- Debit card fraud accounted for 39% of m-commerce fraud in 2016, up from 24% in 2015.
- Credit card fraud accounted for 45% of m-commerce fraud in 2016, on par with 2015.
- Identity fraud is a factor in 23% of known fraud cases among large e-commerce retailers.
- Fraudulent new credit card account openings increased by 113% last year.
- EMV-heavy issuers are experiencing more application fraud than EMV laggers.
- Synthetic identities are gaining ground. Fraudsters using a true identity stand at 41%; synthetic ID at 31%, and manipulated ID at 27%.
“The shift to EMV has had the unintended consequence of migrating fraud from the production of fake plastic cards to new account and account takeover fraud, requiring an entirely different, not to mention more sophisticated approach to predicting and assessing risk, as well as preventing it from the outset,” Chris Pinion, manager of fraud solution consultants at New York City based LexisNexis Risk Solutions, observed. “I don’t think anyone anticipated the amount of account takeover and new account fraud that would occur in the wake of the EMV changeover.”
Lynch suggested one reason fraudsters target new account opening is the high amount of personally identifiable information circulating on the black market due to a number of breaches. Fraudsters use that data to either steal identities or create synthetic personas.
One of the biggest challenges financial institutions face is trying to distinguish between legitimate and fake identities. Pinion suggested, “Synthetic identities typically have PII data that verifies back to an identity. That means their names, addresses and SSN’s all match together. When this happens, it is hard for a financial institution to tell if the identity applying is a good person or a bad actor.”
Eventually the financial services market has to raise the bar on security. Lynch noted, “You see financial institutions moving into stronger multifactor authentication trying to move away from just IDs and passwords.”
Some organizations are moving to four-factor authentication. These include knowledge factors such as a user name and password; possession factors such as a one-time password token or a smartphone; inherence factors include biometric user data; and user location.
InAuth is working with several credit unions to reinforce their device intelligence, which Lynch considers a critical permanent recognition of the customer’s device, whether it be browser of mobile, helps provide element. “Better real-time risk decisioning.”
Account takeover fraud, what Pinion calls silent risk and sleeper fraud, continues to be a lucrative source of income for fraudsters, Pinion held. “Launching DDoS attacks to credit union websites can flood call centers with members trying to access accounts or process a transaction.” Obtaining PII data as well as user IDs and Passwords from data breaches can make it easy for the fraudsters to get in the door to initiate the account takeover. In an effort to reduce member friction, call center agents may not be as diligent when following policies and procedures during a transaction. “Fraudsters are very aware of this and will sweet talk an unsuspecting agent into doing something they shouldn’t be doing, allowing for account takeover fraud to happen.”
