Online Fraud in the U.S. Grew Dramatically Post-EMV
1.3.2017 securityweek CyberCrime
The introduction of EMV (Europay, MasterCard, Visa) cards, also known as chip-and-PIN cards, into the U.S. has had the expected effect: with card present fraud more difficult, fraudsters have moved to on-line card-not-present fraud. Domestic online fraud became 79% riskier in 2016 than it had been in 2015, according to figures come from the Forter/MRC Fraud Attack Index (PDF).
Forter, which provides a fraud detection system for merchants, teamed with the Merchant Risk Council (which currently has almost 450 member companies in more than 20 countries) to develop a Fraud Attack Index. This is defined as the 'dollars at risk per $100 of sales'. The 'dollars at risk' combines detected and prevented fraud with actual fraud.
The relative simplicity of cloning non-EMV cards made domestic (ie, US) off-line card-present fraud attractive. This is no longer easy. The introduction of more secure EMV cards has driven fraudsters from card-present to card-not-present fraud -- EMV was never going to eliminate fraud, it was merely going to change its nature. This is shown in the fraud attack index for 2016, rising from $2.7 in Q4 2015 to $4.98 in Q4 2016.
Related: EMV Payment Cards - Salvation or Failure?
"Domestic order fraud," explains Forter's CEO Michael Reitblat, "has increased following the adoption of EMV (microchip cards) in the US. The fraudsters who used to steal and copy or counterfeit cards in the US now find that much harder, since card present transactions are increasingly protected by EMV -- and so have moved online instead." He adds that this has been further fueled by an increase in 'friendly fraud' or 'liar-buyer' fraud (where a person might buy an item and then report it undelivered in order to obtain a refund). "That's always been a trend," he said, "but it's increasingly moving from an occasional thing to a serious, serial problem for many retailers."
The greater part of international fraud against US merchants has always been on-line; and is always a higher risk than domestic fraud. In absolute terms, it decreased by 13% compared to 2015 but is still 62.4% riskier than domestic fraud, despite the domestic switch from off-line to on-line fraud within the US. Forter puts the international decrease to a growth in genuine international orders rather than a decrease in fraud.
For online fraud, the criminals need to obtain the victims' payment credentials. Forter notes a shift in account takeover (ATO) against merchant sites to ATO against online payment accounts. "A growing recent trend in the realm of account takeover (ATO)," says the report, "is the use of hacked online payment accounts such as PayPal, ApplePay, AndroidPay etc. In these attacks the fraudster breaks into the victim's account and uses the details there, including payment details, to make purchases and take actions as if they were the victim."
ATO on merchant websites is down 16% on the previous year; ATO on online payment accounts is up 131%.
Forter puts this shift down to improvements in merchants' cyber security combined with the 'unprecedented data breaches of the last few years.' These "included account and password information and this, combined with the fact that many consumers continue to reuse passwords across multiple accounts, has made this form of attack easier to carry out."
"It's an example of the speed at which fraudsters adapt to moves made to stop their attempts," explained Reitblat. "Merchants realized that ATO was a problem, and started guarding against it -- so fraudsters shifted, using similar tactics against online payment accounts, which is far harder for merchants to spot, and which in any event gives them greater scope for theft."
The big target in this shift to online fraud has been clothing -- apparel. Attacks against apparel rose 69.9% over 2016. "This is partly due to fraudsters who are moving online post-EMV continuing to operate in an industry with which they are comfortable," explains Reitblat. With card-present fraud, it is easy to walk into a shop, conduct the fraudulent transaction, and walk out with the clothes.
However, he added that it is also "partly because fraudsters who have been focusing on luxury goods for years (due to the high ROI they represent) are trying a new tactic. Rather than go for the low end of luxury goods (which retailers are now aware that they need to protect and scrutinize, as well as the high-end ones), they're getting equivalent products from apparel sites which are often less careful since they have not traditionally been major targets in the same ways that luxury sites have been."