Thursday, September 30, 2010
A new study from payment security firm Retail Decisions Inc. (ReD) indicates card-not-present (CNP) fraud levels are rising in the United States but declining in the United Kingdom – trends that might be correlated.
Based on fraud data gathered from the first six months of 2010, ReD projects CNP fraud (which includes Internet and MO/TO purchases) will reach $2.83 billion in the United States by the end of 2010. That would be a 32 percent increase over the $2.14 billion such fraud totaled in 2009, according to the firm's report. Conversely, the report projects a 9 percent drop in CNP fraud in the U.K.
A number of possible explanations exist for rising fraud levels in the United States, according to ReD Chief Executive Officer Carl Clump. One is the use of sophisticated malware that's evolving ahead of the defenses employed against it.
"They are using automated attacks which clamp malware into people's laptops and are activated at some point," Clump said. "[Victims] receive an innocuous looking email [with the virus attached] that's sent out sometimes to hundreds of computers. … The virus is executed and turns these infected machines into web robots under the control of the fraudster. It's very, very clever."
Clump said high unemployment is another driver of fraud, noting that fraud tends to go up during periods of economic distress. Yet whether unemployment is affecting fraud levels – and to what degree – remains a point of contention. "I think there's probably some correlation, but I'm not sure it's really that strong, and I also think it's very hard to read those signals," said Tim Cranny, President and CEO of Panoptic Security Inc.
What is certain is that a thriving online black market for stolen card numbers has made it easier for the average person to enter the fraud game. Clump noted that most fraudsters are not hackers; relatively few numbers of computer whizzes, online scam artists and skimmers do the dirty work of extracting card numbers for use among a much larger pool of buyers.
One more possible reason for rising fraud rates in the United States is the adoption of Europay MasterCard and Visa (EMV) chip and PIN technology outside of the United States, which may be pushing fraudsters into countries with less stalwart defenses. ReD's discovery of opposing fraud trends in the United States and the U.K. seems to support this theory.
"It is a bit more difficult to perpetrate credit card fraud in the U.K. because of EMV, but you might as well try it in the U.S.," Clump said. "Also, Canada has stated it is going to EMV as well, so, again, fraud will migrate south of the border. … Fraud gravitates toward those countries that don't have quite the same level of control."
However, the ReD report focuses on an area – CNP transactions – in which the EMV system is vulnerable. Under EMV, only in-person transactions make use of the chip and PIN, while CNP transactions do not. So why would CNP fraud be any lower in countries that use EMV than in ones that don't?
Indeed, experts are debating whether the use of EMV has a significant impact on CNP fraud. To the extent that it does, the reason may be that different kinds of fraud, such as in-store, online and MO/TO, tend to migrate together, according to Clump.
Because the mag stripe system makes it easier, through card cloning, to perpetrate in-store fraud (preferred by many fraudsters because the payoff is immediate and avoids the hassles and risks of shipping purchases), markets for stolen card numbers in countries that use the mag stripe are more likely to flourish. And the more buyers there are for stolen numbers, the likelier it is that fraud rates of all kinds will be high, Clump said.
Cranny said that, while the morphing and migration of fraud causes fluctuations in the fraud rate from one country to the next, the overarching global trend is that fraud is increasing.
"Fraud, and cybercrime in general, where there's long-term trends – the number of viruses, the number of attacks, the amount of spam – all of these things tend to just inevitably ratchet up," he said. "You might get wiggles in the curve, but if you step back even a foot, you see a pretty strong upwards trend."
ReD noted that, in addition to developing more sophisticated attack methods, fraudsters have grown smarter about what they buy. According to the company's fraud report, the average transaction value for attempted fraud was 34 percent higher ($149, up from $111) in the first six months of 2010 than during the same period in 2009.
Clump said fraudsters' favorite items to purchase by far are gift cards, which are the closest thing to cash on retail shelves. For the first half of 2010, the second most popular purchase in the United States was the video game Halo: Reach for the Xbox 360.
Cranny said the tendency for fraud to migrate between countries is mirrored by myriad smaller migrations from one type of target to the next, be it a different player on the electronic payment chain or a different category of merchant or vertical. The most significant trend right now is toward targeting smaller merchants, he said.
"We've seen a lot of focus recently on trying to get the big guys – the processors, the high-volume visible players – to clean house," he said. "They're making real progress there … but if one part of the ecosystem tightens up, that just shifts the focus elsewhere, and we're already seeing increased emphasis on attacking and trying to exploit the lack of expertise" of small and midsize merchants.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.