Worldwide, cards payments are safer now than they ever have been before, but new types of fraud are creating fresh concerns for the industry. Traditional types of fraud have been declining in recent years. Visa reported in late 2006 that its global fraud levels had fallen by 50 percent since 2001 to record lows of only $0.07 per $100 transacted worldwide, and just $0.03 per $100 transacted in the Asia-Pacific region.
However, certain types of fraud are growing at a rapid pace. Card not present (CNP) transactions have become particularly troublesome, as people use the anonymity of the internet and telephone to commit fraud. Advances in technology have become something of a double-edged sword – just as payment networks and issuers are utilising new technology to combat fraud, the fraudsters themselves are also employing evolving technology to devise new ways to beat the systems.
Phishing has become an increasingly significant area of growth for card and identity fraud. According to APACS, the UK payments association, between the first six months of 2005 and the first six months of 2006, the number of phishing incidents in the UK increased by 1,471 percent (see Figures 1 and 3). Other markets such as the US, India and Canada have seen comparable recent increases in the prevalence of phishing attacks.
Pharming is another growing scam. Like phishing, pharming attacks trick cardholders into entering data into a fraudulent website that looks like a legitimate banking website. However, unlike phishing, which requires victims to click on an e-mail link to get to the fake site, pharming automatically redirects a customer’s web browser to the site, making it harder to detect as a scam.
Other types of scams include increasingly complex skimming operations that use smaller and harder-to-detect cameras, as well as computer viruses, Trojans and spyware that invade a cardholder’s computer and search for private information, including card data.
Types of fraud
Card fraud is increasingly moving from the physical world to the virtual world. Fraud from CNP transactions was almost non-existent ten years ago. However, the growing popularity of the internet and telephone commerce has given fraudsters a new medium for card crime, and CNP transactions are becoming a major source of card fraud worldwide.
In Australia, CNP fraud is the second-largest source of fraud, and in the UK it is the first (see Figure 2). The magnitude of the growth in CNP transaction fraud is alarming: in 2005, the value of CNP fraud in the UK was nearly twice the total value of all types of card fraud in 1996.
In the US, credit card fraud accounts for 26 percent of all types of identity theft fraud, according to a 2006 report by the Federal Trade Commission. However, a study by US research consultancy Javelin Strategy and Research, published in February 2007, reported that identity theft in the US fell by 12 percent in 2006, its third consecutive year in decline.
In a survey made as part of the study, only 4 percent of respondents indicated they had been a victim of identity theft in the past 12 months, down from 4.7 percent in 2003.
As debit card payment becomes increasingly popular in the US, fraudsters are doubling their efforts to obtain cardholder details through a variety of methods. According to the latest study commissioned by the Pulse EFT Association, the US debit network, US debit card-issuing financial institutions experienced debit card transaction growth of 18 percent in 2006 and expect continued strong growth in 2007.
Issuers also reported fraud-related information from 2005, and it appears that debit fraud is shifting from the cardholder level to the system level, and predominantly from signature debit to both signature and PIN debit.
Based on fraud losses reported by study participants, the study estimates that issuers in the US lost a total of $662 million to debit card fraud in 2005, a 21 percent increase over 2004. Of these losses, 60 percent resulted from ATM transactions, 37 percent from signature debit transactions and 3 percent from PIN point of sale transactions. Signature-based losses grew 28 percent in 2005, while PIN-based losses (including ATM and PIN POS losses) rose 17 percent.
In response, US debit issuers are using more advanced fraud detection tools to combat evolving fraud tactics, such as the use of card verification value or card verification code (CVV/CVC) checking, neural networks and international transaction blocks. CVV/CVC checking is expected to significantly reduce phishing-related PIN-based losses in 2006.
Probably the most important change in the fight against fraud has been a shift in many markets towards EMV-compliant chip and PIN technology. Many markets that have introduced chip and PIN cards, such as Malaysia, the UK and Australia, have seen a significant reduction of fraud from counterfeit cards.
In December 2006, the Australian Payments Clearing Association (APCA) released data for cheque, debit card, credit card and charge card fraud across all financial institutions in Australia. At A$0.03 in every A$100, Australia’s total plastic card rate of fraud is about one-third of that in the UK, which is £0.09 for every £100. The credit card rate for signature-based transactions globally is currently around $0.07 for every $100 transacted as against every A$0.04 for every A$100 in Australia. The Australian PIN-based debit card system fraud rate is less than A$0.01 for every A$100 transacted. Between July 2005 and June 2006, the most common type of card fraud in Australia was that of lost and stolen fraud, which comprised 44 percent of debit card fraud incidents and 32 percent of credit and charge card fraud incidents.
Malaysia was the first country to complete a national EMV chip card adoption programme, converting all credit cards to EMV chip by December 2004 and all card terminals by December 2005. As a result, in the first quarter of 2005, total card fraud in Malaysia fell to its lowest level in five years, according to Visa Asia-Pacific. Visa announced that total fraud at merchant outlets in the country fell to 0.12 percent of sales in the first three months of 2005 compared with 0.74 percent over the same period in 2000. Counterfeit fraud dropped by 87 percent from 0.6 percent to 0.08 percent of sales over the same five-year period.
Another industry innovation in the fight against fraud has been the improvement and standardisation of security protocols. In 2006, MasterCard, Visa, JCB, American Express and Discover joined forces to create the PCI Security Standards Council – an independent organisation to manage the ongoing evolution of the Payment Card Industry Data Security Standard.
Networks are also actively promoting internet security. MasterCard’s Secure Code and Visa’s Verified by Visa programmes are helping to prevent internet fraud by providing cardholders with an extra security code they can use to authenticate internet card payments.
More than 110,000 merchants have adopted Verified by Visa and 10,000 banks have made the service available to over 395 million consumers globally. In early 2006, MasterCard announced that merchants who support MasterCard Secure Code would be eligible for lower rates than those for face-to-face transactions.
The networks have recently launched additional security measures. In October 2006, MasterCard introduced its Online Fraud Monitor service, which uses data analytics and risk scoring models to try to spot fraudulent debit card transactions as they occur.