Card use, abuse spiral upward
Year-over-year growth in payment card usage has provided revenue streams to merchants, service providers and cybercriminals, according to new analysis by the Nilson Report, Arkose Labs and Bluefin. Analysts at all three firms expect these trends to continue into the new year.
Issue 1187 of the Nilson Report newsletter, published December 2020, reported $42.274 trillion in global credit, debit and prepaid card activity in 2019, a 4.2 percent increase over the previous year. Global losses during 2019 involving payment card issuers, acquirers and merchants rose to $28.65 billion, a 2.9 percent increase compared to the same period in 2018.
"Dollars lost to fraud rise every year in the U.S. and worldwide," Nilson analysts wrote, while noting that losses to fraud detailed in the report exclude expenses incurred by issuers, merchants and acquirers when investigating and responding to fraudulent transactions, costs that increased nearly 10 percent in 2019, they stated.
New milestones ahead
Nilson predicts total payment card volumes will reach $56.182 trillion by 2025, with gross card fraud expected to reach $35.31 billion across the following categories:
- Synthetic fraud: Criminals mix valid and false cardholder information to open accounts or transact fraudulently. "Synthetic fraud looks like bad debt to credit managers," Nilson researchers wrote. "It is not counted in any fraud category. However, 20% of chargeoffs are linked to synthetic identity fraud."
- Friendly fraud: Cardholders and family members dispute legitimate purchases, resulting in costly chargebacks. "Friendly fraud is another growing problem without an official category to count losses," Nilson researchers wrote. "Card issuers have dispute rights with friendly fraud but also bear high operational costs."
- Counterfeit cards: While researchers noted that losses to counterfeited cards in retail stores and at ATMs dropped in 2019, magnetic stripe counterfeit card losses frequently occurred at fuel pumps that were not EMV-compliant.
- CNP fraud: Card-not-present purchase fraud was tied to 65 percent of all fraud losses, Nilson researchers noted, and rose globally in 2019 with the growth of online sales.
- ATM fraud: Fraud at ATMs in 2019 included skimming, PIN compromise, dispenser jackpotting, cash trapping, malware and network packet switching, according to Nilson. These fraudulent transactions were largely driven by professional criminal gangs from North Korea, Brazil, India, Nigeria, the Caribbean and Russian-speaking countries, which used sophisticated attack vectors to inject malicious code into terminals and reverse engineer fraud detection systems, researchers found.
- Social engineering: Attacks designed to obtain personally identifiable information (PII) increased in 2019, researchers found. These attacks included criminals posing as bank representatives and phoning cardholders, which is commonly known as "vishing."
- Credential stuffing: Automated botnets deployed by criminals in 2019 tested payment card issuers and merchant environments for vulnerabilities. Programmed with some valid information such as a 16-digit primary account number, the botnets look for full data sets to perpetrate account takeovers or access lines of credit. They then sell the full data set on the dark web.
Stay aware and compliant
A December 30 blog post by Bluefin titled, "Securing Omnichannel Payments and Data in 2021," noted that 2021 will be a crucial year for cybersecurity, stating, "Experts predict there will be a marked increase in ransomware, malware and other threat vectors targeting payment and data intake points, from in-store purchases and e-commerce payments, to healthcare forms, to online financial applications."
Bluefin recommends taking these four critical steps to protect credit card data and PII in 2021:
- PCI DSS compliance: The Payment Card Industry Data Security Standard (PCI DSS) and related standards provide cybersecurity guidelines that help reduce credit card fraud. Maintaining PCI compliance can help protect data, Bluefin researchers noted.
- PCI-validated P2PE: Point-to-point encryption (P2PE) protects payment card information across multiple channels by immediately encrypting credit and debit card information using a P2PE validated payment device, whether a transaction is card-present, mobile, or even made through a call center, Bluefin stated.
- Tokenization: Tokenization masks clear-text credit card data with a token or random set of characters and passes the data to a tokenization provider, where it is decrypted and used to process a payment, Bluefin noted.
- Contactless Payments: P2PE certified contactless solutions protect cardholder data while minimizing physical contact at the point of interaction. These solutions became popular during COVID-19 and are likely here to stay, Bluefin noted.
Devalue, disincentivize fraud
All four of Bluefin's cybersecurity tips involve devaluing cardholder data to make it meaningless to cybercriminals, Bluefin noted, across mobile, digital and in-store commerce channels.
Kevin Gosschalk, founder and CEO at Arkose Labs, pointed out that removing a criminal's financial incentive can be a highly effective fraud prevention strategy. Arkose Labs achieves this by posing ecommerce challenges that are simple for legitimate consumers to solve but difficult for fraudsters, he stated, adding that this method enabled his company to detect and prevent over 500 million fraud attacks in 2019.
"Most cybercriminals are like the rest of us who go to work every day to do a job and get paid," Gosschalk said. "Arkose Labs makes it cost more to break into a merchant's website or a bank. When you take away the ROI, you take away the incentive."