E-commerce fraud increase looms after EMV switch

With the October deadline for the EMV fraud liability shift from issuers to retailers fast approaching, merchants and financial institutions are focused on making the change happen as soon as possible. However, this does not take into account a potential increase in e-commerce fraud.

The adoption of EMV chip cards will create roadblocks for fraudsters hacking POS systems in-store, but ThreatMetrix predicts online retail fraud and fraudulent account creation for financial institutions in the U.S. will increase drastically following the EMV transition. The precedent has been set in other countries. For example, online fraud increased 21 percent in Europe in 2012, in part due to the introduction of EMV cards.

"Cybercriminals will always exploit the weakest link," Alisdair Faulkner, chief products officer, ThreatMetrix, told FierceRetailIT. "Prior to the adoption of EMV, fraudsters could easily hack POS systems in-store to skim credit card numbers and security codes when customers would swipe their magnetic stripe credit cards. But after the widespread adoption of EMV in the U.S., cybercriminals will have a much harder time obtaining credit card information through compromised POS systems."

As a result, they will focus their efforts on using previously stolen credit card information and other personal data, such as username/password combinations compromised in previous data breaches, to commit fraud online, where exploitable security holes still exist for card-not-present uses, he said.

U.S. retailers lost about $32 billion to fraud in 2014, up from $23 billion the year before. Most of that was due to the weak security of credit and debit cards. But with the EMV transition, U.S. merchants and credit card networks will follow many other countries around the world in abandoning the technology associated with magnetic stripe credit and debit cards. The magnetic stripe technology allows hackers to skim card numbers and security codes to use for stolen credit cards, but EMV chip card technology will prevent this, ThreatMetrix reported in a press release.

EMV will make it more difficult for criminals to copy the account numbers, security codes and magnetic stripes associated with those cards. However, in the countries that preceded the U.S. in adopting EMV, a significant increase in online fraud followed. The same thing is expected to happen here.

"From a consumer perspective, the shift to EMV is good news as it will make it harder for cybercriminals to counterfeit credit cards and conduct fraudulent purchases in stores," said Faulkner. "But from an online merchant perspective, as it becomes more difficult for cybercriminals to monetize on counterfeit cards, their goals are now going to shift to use stolen credit card data through online channels. Right now–ahead of the October deadline–is the time for retailers to start implementing systems that look at cybercrime in context to combat the growing breadth and intelligence of fraud following the widespread adoption of EMV in the U.S."

As of the October deadline, retailers still relying on magnetic stripe card technology will be liable for any fraud losses that result, rather than the issuer paying these costs. However, an increase in online fraud can create liability issues for banks. To ward off this expected growth in fraudulent online account creation, banks also will need to increase security.

Additionally, with the switch to EMV, banks will need to prioritize mobile security. Thirty percent of banks' customer acquisition now comes from some kind of mobile device. This trend is continuing to grow, which creates even more of a challenge for financial institutions, as the mobile channel is easily compromised by cybercriminals.

"The vast majority of financial institutions are using very rudimentary intelligence about user behavior, Internet connections and devices to determine whether the end user is a good customer or a cybercriminal," Faulkner said. "For example, many banks still rely on the geolocation of the user based on IP addresses and cookies for authentication–but those can be easily spoofed through proxies and by bots. With the adoption of EMV, financial institutions must have the capabilities to authenticate users by assessing their digital identities as a whole to prevent cybercriminals from opening new credit cards with a stolen identity."

Merchants and financial institutions need to increase these efforts by using a digital identity network to combat online fraud prior to the widespread adoption of EMV, he said. For example, the ThreatMetrix Global Trust Intelligence Network is a cloud-based digital identity network for companies with large online customer bases. It analyzes over 1 billion transactions monthly.

For more:
-See this ThreatMetrix press release
-See this ThreatMetrix report

Related stories:
55% of retailers not prepared for EMV migration
Retail threats surged during 'the year of the POS breach'
Retailers, banks spar over chip-and-PIN cards
CES: Personal security concerns spur new credit card products
Walmart banks on mobile payments, chip-and-PIN