The meteoric rise of the use of debit cards in the US masks an increasingly disquieting downside: the more the card numbers grow, the higher the fraud incident rate.
According to the 2007 debit card market study by electronic funds transfer network Pulse EFT Association, debit card fraud losses in 2005 (the latest available data) totalled $662 million, 21 percent up on the $546 million in 2004. In 2005, PIN debit fraud at ATMs was $364 million, up 6 percent from $345 million in 2004, while signature debit losses were up 28 percent to $247 million from $193 million in 2004. While still relatively rare, PIN debit fraud at the point of sale grew 163 percent to $21 million in 2005 from $8 million the previous year.
Debit card fraud is a growing concern for issuers, as payments volume continues to migrate to debit cards. Fuelling the fear is the fact that today’s debit card fraud employs increasingly sophisticated methods, and that the scams are being used on a system level rather than individual cardholder level.
Data breaches and other high-profile incidents continue to focus industry attention on debit card security issues.
The latest massive breach involved TJX, the parent company of T.J. Maxx, Marshalls and other retailers, which revealed in a 30 March regulatory filing with the US Securities and Exchange Commission (SEC) that data on more than 45 million credit and debit card users was stolen and sold to fraudsters. The company has not yet said whether it knows how the breach occurred, but many IT professionals in the trade press suspect that TJX was a victim of ‘wardriving’ – the practice of driving around with a laptop and antenna to detect wireless access points and assess how they are configured.
When a global positioning system receiver is added, a map can be made of the different access points. A telescope antenna lets wireless poachers attack their targets from miles away; they don’t even have to be sitting in the store’s parking lot.
In one of the cases, a ring of thieves was foiled at a Wal-Mart store in Gainesville, Florida when police apprehended them attempting to use gift cards that had been converted from stolen TJX credit card account numbers. It is estimated that up to $8 million was loaded onto gift cards purchased at Wal-Mart and Sam’s Club retail locations in Florida. The full scope of the impact has not been fully determined outside Florida.
Experts said that it’s likely that the cyber attacker or attackers who stole millions of customer records from TJX stumbled across a vulnerable store location while staking out a shopping centre from a car.
A recent study by research company Tower-Group stressed the vulnerability of store-branded gift cards, particularly their anonymous nature, as offering a vulnerable target for criminal activity. A number of US and Canadian agencies have also cited the anonymity of prepaid gift cards as a potential risk for money laundering and tax avoidance.
Meanwhile, the fallout from the breach continues for TJX. The company is now facing investigations by several government agencies, including the Federal Trade Commission, a multi-state group of 30 attorneys general and two Canadian privacy groups. TJX is co-operating with each of these investigations, according to the company’s SEC filing.
The SEC filing also lists 18 lawsuits banks and consumers have brought against TJX.
Banks forced to reissue cards
Hard on the heels of the TJX breach came a second major fraud event, this one in Canada, which resulted in debit cards issued by the Bank of Montreal, Royal Bank of Canada and CIBC being frozen for several days after Winnipeg police apprehended a pair of fraud suspects. Authorities recovered $105,000 in cash and over 100 debit cards.
There is no question that data breaches are taking a toll on debit card issuers. A survey by trade association America’s Community Bankers found that data breaches have forced 91 percent of its more than 1,000 member institutions to reissue cards, the majority of which were debit cards. Seventy-one percent reported that they had to reissue cards three or more times over the past 24 months.
To fight fraud, issuers are implementing neural-network technology to look for unusual transaction activity, and some are beginning to score PIN and signature debit transactions to protect against evolving fraud tactics, Pulse said.
The stakes are huge: according to a recent survey by Javelin Strategy & Research of more than 1,200 consumers, 77 percent said they would discontinue shopping at merchants that suffered major data breaches. Some 85 percent of respondents said they would prefer to reward companies that avoid major incidents by giving them more of their business.
Technology fights back
The answer may well lie with card technology vendors, which already are offering novel ways to combat debit card fraud.
One potential answer could come from payment systems developer Innovative Card Technologies (ICT). It has announced a partnership with Activ-Identity, a security vendor, that will allow issuers to offer customers security tokens embedded within payment cards. The one-time-password token technology generates a numerical pass code that quickly expires, so it cannot be reused if a criminal manages to steal the number. By adding token technology to payment cards, ICT’s solution overcomes the hurdle of external hardware, removing a major obstacle to tokens among consumers.
Despite the growing fraud issue, the Pulse study found that the volume of debit card transactions grew at 18 percent in 2006. That rate is expected to slow to 16.8 percent this year, but still represents heady growth and – if fraud has any relationship to transaction volume – continued headaches for issuers.
Look for US debit issuers to devote significantly more time and money to the fraud problem, which now threatens the viability of debit like never before. Wary consumers are watching closely for signs that the industry will stay ahead of the issue. Consumer activists already are warning consumers about using debit cards at all: the Federation of State Public Interest Research Groups, a consumer advocacy body, has called for shoppers to use credit cards for all purchases until steps are taken to better fight fraud.