While security in the banking world constantly improves, as it should, people tend to forget that fraudsters are developing their methods at a similar speed. In the words of John Marsden, identity and fraud expert at Equifax, ‘fraudsters always think of a way’. Patrick Brusnahan writes
Fraud is a disturbingly frequent topic for discussion, especially as the holiday season draws nearer. Research by ACI Worldwide stated that attempts to steal payment card information to commit online fraud are set to increase.
Go deeper with GlobalData
Fraud attempt rates in the US by volume for transactions that do not involve physically swiping a card increased in 2015, from one out of every 114 transactions in 2014 to one out of every 86.
This is expected to increase by 28% during the holiday season as a result of chip-cards being deployed within stores and as retailers do not require consumers to re-run cards when they pick up products ordered online in store.
This situation is slightly different in the UK, but not hugely. While EMV was implemented in the US in October of this year, it has been rolled out in the UK for close to a decade now.
On the differences between the nations, Marsden said: “There’s some key difference between our approach in the UK and the US approach. Obviously, EMV for us is Chip-and-Pin and the US only have pin, so God only knows what they’re going to get with that. Even fundamentally, that system is designed to be broken.
US Tariffs are shifting - will you react or anticipate?
Don’t let policy changes catch you off guard. Stay proactive with real-time data and expert analysis.
By GlobalData“The trust is laid down on the chip itself. That chip is gold dust. Point-of-sale (POS) isn’t really where [fraud’s] at, everything has migrated to online. You’ll still get the migration online in the US, which we’ve already had over here.”
Migration
With EMV finally taking root in the US, some claim that fraudsters will shift their focus back to the UK. According to a recent report from analytics company FICO stated that 47% of UK fraud actually takes place in the US.
Marsden added: “Will [fraud] migrate back? Well, we still have enough fraud over here and we still have to manage fraud losses anyway and I think it’s being managed really well. We’re still losing a load, but card issuers are now footing that bill, so the merchants are largely insured. The large merchants really have this locked down and I think the reason the US fraudsters won’t come back over here is because those defences are in place.
“There’s nobody craftier than a fraudster, but then again, I’m seeing the card issuers improve because they’re holding a lot of liability now. They are a lot faster now at intervening. They will allow the first, test transaction and deny all the rest. They’ve caught it at real time at the point of application. That was never the case before. The use of technology has helped them spot that faster.”
The risks behind contactless
A report from Which? stated that using contactless cards could be opening up consumers’ bank accounts to fraudsters. After testing 10 different credit and debit cards and were able to read crucial data that was meant to be hidden. They researchers grabbed enough details to allow them to go on an ‘internet shopping spree’.
This can become a real risk considering the rate of growth in contactless payments in the UK. Barclaycard stated that contactless spending amongst its customer triple in the twelve months up to August.
The UK Cards Association claimed that more contactless transactions took place during 2014 than in the previous six years combined. In addition, more than £2.5bn was spent using contactless cards in the first half of this year.
Marsden commented: “I love my contactless card, I love paying with it. I don’t see any security on it at all. It’s a license for fraud, but what the card schemes are trying to do is replace cash. You have to have a lot of freedom to replace cash.”
One possible solution is adding the biometric factor. Apple Pay requires a fingerprint scan to use it as a payment option and MasterCard, in collaboration with Zwipe, is planning a launch of the world’s first contactless payment card with an integrated fingerprint sensor.
On this concept, Marsden said: “Biometrics adds that extra security factor. But then, you’ve stored your card details in the cloud. Is that secure enough? I don’t know.
“Biometrics is good but false positives are an issue. Fingerprints get a lot of false positives and probably at the weaker end with iris identification at the top end. Facial recognition is somewhere in the middle, but difficult. Some voice recognition is fraught with false positives and hasn’t really been deployed in earnest. What has been deployed and has been useful is blacklisting fraudsters’ voices. That has been really effective.”
Making security foolproof
While technology can be updated, improved or replaced, this cannot be achieved with consumers. Often referred to as the weakest link in the security chain, a key struggle is making consumers aware of the dangers of fraud and how to prevent them.
Marsden said: “What can you do if the consumer does something stupid? What can we do to help those consumers? There’s very little you can do overall. The ones that take precautions are the ones that are savvy in the first place, they’re not the risk.
“What do you do? You’ve got all the Cyber Streetwise (a UK education campaign set up to educate consumers of cyber security) stuff going on, but the people who read it are the ones who are already cyber streetwise. How do you get the message through?”
A possible solution is making customers more culpable for their errors. With a liability shift, Marsden believed consumers would take better care. If the banks feel the client is at fault for the fraud, they would not reimburse their customer and, therefore, he or she would be more careful in the future.
He concluded: “I don’t know what the answer is because the consumer is the weakest link. I think the liability shift is the biggest thing banks can do. It’s a reputational risk, but you’re seeing it happen.”
