October was a big month for fraud. The US finally adopted the liability shift for EMV, bringing its security measures more in line with those Europe adopted over 10 years ago. The US has been a target of unnecessary card fraud for far too long. Martin Warwick, FICO’s fraud chief for Europe, comments
According to the July 2015 Nilson Report, US card issuers lost £2.5bn ($3.8bn) to counterfeit fraud alone in 2014, which accounts for 24% of total global fraud losses.
Go deeper with GlobalData
Earlier this year, FICO reported worrying stats about fraud on UK debit cards: cross-border fraud rose 25% in 2014 over 2013 – but, more to the point, 47% of the cross-border counterfeit transactions were taking place in the US. Clearly, this added layer of security on US cards and payment terminals will help cut some of this cross-border fraud. The real question is how will the shift to EMV impact the UK, and where will this fraud migrate to?
Prior to 2005, card issuers in Europe suffered the loss for counterfeit fraud. The liability shift in 2005 meant that if a chip card met a mag stripe POS device and resulted in mag stripe counterfeit fraud, the merchant had to write off the loss.
This basic policy change meant that, within Europe, counterfeit became a thing of the past as merchants were incentivised to update their technology and properly authenticate payments. However, cross-border counterfeit fraud still exists in Europe, particularly in the UK where half of cross-border debit card fraud takes place in the US. The introduction of EMV in the US is expected to significantly reduce this, although not entirely.
The critical difference
When Europe implemented EMV we brought in chip and PIN, which not only protects against counterfeit, but also against lost & stolen and intercept fraud thanks to the PIN.
US Tariffs are shifting - will you react or anticipate?
Don’t let policy changes catch you off guard. Stay proactive with real-time data and expert analysis.
By GlobalDataUnfortunately, the US is moving to chip & signature only. This leaves criminals the opportunity use stolen cards in the US and further afield. Theft of US cards, even with a chip, will grow as criminals seize the chance to steal cards and still use signature at POS as they were able to pre-EMV.
The whole European market saw the benefits of a reduction in counterfeit fraud after the rollout of chip & PIN. In the UK, losses due to face-to-face fraud were virtually wiped out in the two years following the rollout. However, these benefits are expected to be less significant in the US, partly due to the lack of PIN security and partly because only 20% to 30% of merchants are estimated to have purchased and deployed EMV-capable point-of-sale terminals and the software they will need to handle chip cards. So, all consumers travelling to the US need to remain alert and remember that it is still not as secure as Europe.
Delays in effectiveness
Another major area of concern is that the US has delayed the liability shift by two years for ATMs and UPTs (Unmanned Petrol Terminals). These two areas have been a chronic source of skimming globally.
For the US to delay this shift means that customers using compromised ATMs or UPTs could be subjected to card skimming. Indeed, the US has already seen a spike in skimming attacks. From January to April 2015, the number of attacks on debit cards at ATMs reached the highest level in at least 20 years. In addition to this, specific holiday destinations in Mexico have reported criminals bribing ATMs engineers to allow them to place sophisticated skimming devices in the ATM. These limitations to the US’s already late adoption of EMV will impact fraud in Europe.
We expect to see an increase in account takeover, first-party fraud, application fraud, and in particular card-not-present (CNP) fraud as a result of the US adopting EMV. Fraud always migrates to the weakest link, or technology in this case. EMV is very strong as it is backed by cryptograms, so CNP is the easiest target.
Criminals are safer if they remain the ‘grey man’ in the crowd, and compromising cards by using them in the CNP environment through e-commerce is the least risky path. E-commerce spending has doubled in the last few years, so hiding fraudulent transactions in the most dominant environment is still the best way to go, and will be only more so as the US fully transitions to EMV.
It is important to note that while counterfeit dropped in Europe after the roll out of EMV, CNP fraud, which includes online purchases, rocketed. It is likely that the US market will have the same experience as Europe, but with perhaps more complexity as we expect to see fraud migrate and increase over the next couple of years as everyone tries to grapple with fraud in the digital age.
We are still fighting basic CNP fraud in Europe as more and more people shop online. As the US enters this post-EMV landscape, it will be interesting to see how global CNP losses are impacted.
That said, while Germany and the UK reported 70% CNP fraud losses in 2014, evidence suggests that we are slowly winning the battle. E-commerce spending in the UK more than doubled between 2008 and 2014, going from £41bn to more than £91bn, but CNP fraud losses grew by just one percent in the same period.
We are already at that tipping point where stronger authentication has to be adopted for digital transactions to ensure that customers can spend when and where they want to. The next wave of fraud protection around the world will involve authentication of both customers and their devices.
Two-factor authentication using crytograms, as already exists in online banking, will play a part, as will proximity correlation technology that can identify whether a cardholder’s mobile device is in the same location as the card being used and thus automatically flag if it is a higher risk transaction.
However, when stronger authentication has been adopted, that will inevitably push criminals back to basics. They will look at ways to obtain a good card and PIN together or resort to identity theft, and unfortunately that means that originations will have to become more robust. CIFAS is already reporting increases in identity theft attacks, so this shift has already started.
The key is to maintain the fight against CNP and ID fraud as new challenges crop up. While EMV strengthens protection in the US, criminals will be looking for the next lucrative opportunity. Fraud that once migrated to the US is likely return to the UK and other countries.
UK card issuers will need to maintain their vigilance to counter fraud activity during this transition and prepare for a rise in lost and stolen fraud from the US in particular.
