Financial institutions have always found themselves one
step behind fraudsters, who are finding ever more ways to penetrate
defences. Although traditional methods of payment fraud are
subsiding, in the online world it appears that new threats are
appearing with increasing regularity, as Victoria Conroy
reports.
Go deeper with GlobalData
Fraud is a multi-billion
dollar industry which inflicts damaging losses on financial
institutions and shatters the confidence of their customers, but it
seems that just as financial institutions shore up their defences,
the fraudsters find a new way to attack.
In the UK, chip and PIN was hailed
as the Holy Grail that would slash card fraud levels and to some
extent it has succeeded, although not in the card-not-present area.
Figures released in March by the UK Payments Association show that
total fraud losses on UK cards fell by 28% between 2008 and 2009 to
£440.3m ($653m) – the first time card fraud has decreased since
2006.
According to the association, fraud
on lost and stolen cards is now at its lowest level for two decades
and counterfeit card fraud losses have also fallen and are at their
lowest level since 1999. Losses at UK retailers have fallen by 67%
since 2004; lost and stolen card fraud fell by 58% between 2004 and
2009; and mail non-receipt fraud has fallen by 91% since 2004.
Although chip and PIN is
defenceless against card-not-present fraud, online authentication
solutions such as MasterCard SecureCode and Verified by Visa have
helped to drive losses down in this area by 19%, the first time
this kind of fraud has shown a year-on-year decrease.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Thank you!
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form
By GlobalDataHowever, EPI understands
that 25-30% of all online fraud was committed through transactions
which had gone through these Visa and MasterCard online security
systems.
The accounts can be taken over in a
similar way that criminals take over customer bank accounts,
according to a payments industry source.
Also, cheque fraud losses decreased
from £41.9m in 2008 to £29.8m in 2009, although the trend of
declining cheque usage is a major factor in this.
ATM losses on the
decline
In Europe, ATM-related fraud losses
fell from €485m ($616m) in 2008 to €312m in 2009, a drop of 36%,
even though there was a rise in attacks, according to industry
group European ATM Security Team (EAST).
International losses due to
skimming attacks fell by 43% from €393m to €226m, and EAST claimed
that this is a further indication that the EMV roll-out across
Europe (with 94% of ATMs now EMV-compliant) is helping to reduce
skimming losses.
Despite the drop in losses, overall
ATM-related fraud attacks rose eight%, with a total of 13,269
incidents reported, up from 12,278 in 2008. This rise has been led
by a 209% increase in the number of cases of card trapping, up to
2,166 incidents from 701 in 2008.
But what about the markets which
haven’t adopted chip and PIN, such as the US? Card fraud costs the
US card payments industry an estimated $8.6bn per year. Though it
comprises only 0.4% of the $2.1trn in total yearly US card volume,
this area remains troubling for the industry.
Elsewhere in the US financial
services industry, the American Bankers’ Association 2009 Deposit
Account Fraud Survey Report found that industry cheque-related
losses amounted to an estimated $1.024bn in 2008, up slightly from
the $969m in 2006.
The number of fraud cases also
increased, with eight in 10 banks (80%) reporting having cheque
fraud losses in 2008. Industry losses from debit card fraud—POS
signature, POS PIN, and ATM transactions combined—reached an
estimated $788m in 2008.
According to US payment research
consultancy Aite Group, end-to-end encryption (E2EE) qualifies as
the most suitable technological means to fight against current card
fraud. E2EE is the most appropriate technological route to address
current card fraud threats in the US because of the entrenched
nature of magnetic card infrastructure.
While E2EE does not prevent the use
of counterfeit or lost and stolen cards, it prevents criminals from
accessing the raw materials for card crime: the card data itself.
It also appeals to merchants, helping remove them from the scope of
Payments Card Industry Data Security Standards (PCI DSS). In fact,
vendors perceive merchants to be as likely to purchase E2EE
solutions to offload PCI DDS requirements as they are to secure
card data.
Aite adds that card technologies in
the US are unlikely to be universally upgraded anytime soon due to
prohibitively high implementation costs and the loss of signature
interchange, leaving the way open for E2EE to stake its claim.
Fraud innovation and
migration
But as fraud decreases in some
areas, it migrates to others, as evidenced by a 14% rise in UK
online banking losses to £59.7m in 2009, largely due to criminals
using more sophisticated methods to target online banking customers
through malware (malicious software), which targets vulnerabilities
in customers’ PCs, rather than the banks’ own systems.
Phishing – where fake emails invite
customers to input their account details – rose by 16% to 51,000 in
the same year, despite efforts by banks and industry stakeholders
to raise awareness of this type of fraud.
As more and more consumers
worldwide use the internet to engage in e-commerce, fraud is
increasingly moving into the online world and, according to US
software solution provider Symantec, it is malware that poses the
greatest threat.
The latest Symantec Global
Internet Security Threat Report, published in April, indicates
that the number of worldwide malware samples increased by 71% in
2009 compared to 2008. Another example was that the%age of threats
to confidential information that incorporate remote access
capabilities increased to 98% in 2009 from 83% in 2008.
According to Symantec, the
popularity of this type of attack is the increasing number of
people worldwide using online banking. In the UK and France, more
than 50% of internet users engage in online banking, while in
Canada the number rises to 60%, and in the US, 80% of online
households conduct online banking, showing that there is no
shortage of potential victims.
As developed payment markets
bolster their lines of defence against fraud, a shift in malicious
activity to emerging countries is becoming more pronounced.
For example, for the first time
since 2006, a country other than the US, China or Germany has
ranked in the top three, with Brazil ranking third in malicious
activity in 2009, behind the US and China. Brazil became more
prominent in all of Symantec’s specific category measurements in
2009, except for spam, where it was already the top-ranked country.
Brazil’s significant increases across all categories are related to
its growing internet infrastructure and broadband usage.
India also saw a surge in malicious
activity, moving from 11th in 2008 to fifth in 2009. India
accounted for 15% of all malicious activity in the
Asia-Pacific/Japan region in 2009, an increase of 10% from the year
before. India increased its rank in malware, spam and phishing, and
was the third-highest country of spam origin globally. According to
Symantec, malicious activity tends to increase in countries
experiencing rapid growth in broadband infrastructure and
connectivity.
The scale of the fraud problem is
evidenced with the report stating that 75% of enterprises surveyed
experienced some form of cyber attack in 2009, showing this problem
is not limited to larger enterprises. Also, the financial sector
remained the sector most heavily targeted by phishing attacks,
accounting for 74% of the brands used in phishing campaigns.
A recent trend that has emerged
following the recent recessions in several countries, and strain on
consumer finances, was that more spam messages were advertising
refinancing of debts and mortgages along with offers of loans,
showing that attackers are rapidly adapting their social
engineering techniques to take advantage of current events.
A separate March report from
digital security specialist RSA found that, after nine consecutive
months of regional bank brands being the most targeted among the US
financial sector, nationwide brands were the most targeted brands.
The number of attacks targeting nationwide brands climbed 29% in
March while attacks against regional banks fell 21% and credit
unions fell 8%.
Renewed focus on
prevention
Unsurprisingly, payment networks
and banks are making the fight against fraud a key priority for
investment, highlighted by the news in April 2010 that CyberSource,
a US provider of electronic payment and security services for
online merchants, had agreed to be acquired for $2bn by Visa
Inc.
The deal will enable Visa to offer
new and enhanced online fraud prevention services to merchants,
financial institutions and consumers as well as to expand its
online payment, fraud and security management capabilities.
Via CyberSource’s fraud prevention
technology, Visa hopes to increase the online use of its credit,
debit and prepaid cards.
The acquisition of CyberSource
follows Visa’s March 2010 announcement that it is planning to
introduce an online shopping tool’ ‘Rightcliq by Visa’, which
enables consumers to store card details and shipping addresses for
online purchases at various merchants.
CyberSource’s solutions enable electronic payment processing for
web, call centre, and point of sale environments. CyberSource also
offers risk management solutions for merchants accepting
card-not-present transactions, and also provides support for the
Verified by Visa and MasterCard SecureCode authentication
systems.
