The Green Sheet Online Edition
May 09, 2016 • Issue 16:05:01
Are CNP fraud warnings on target?
Six months after the October 2015 U.S. EMV (Europay, MasterCard and Visa) deadline, consumer chip card distribution is sluggish and merchant adoption is even slower. And based on other countries' experiences, fraud experts predict the United States will see an onslaught of card-not-present (CNP) fraud.
The Green Sheet recently interviewed Tim Critchley, Chief Executive Officer of global voice security company Semafone Inc., to learn more about the similarities and differences between the U.S. and other countries' post-EMV fraud experiences.
What has your company seen after the first six months of EMV transactions in the United States?
We definitely see an increasing concern among our merchants here in the United States around issues of card-not-present security. I suspect that is in response to concerns that the EMV implementation is shifting fraud to these channels. We saw it in the U.K. when chip-and-PIN was introduced there, and though it is still a little early to see data trends, the industry believes these are valid concerns.
Are the U.S. statistics expected to parallel what occurred internationally following EMV adoption?
There's no denying that in the U.K., there was almost a 180-degree shift. However, the industry 10 years ago was different from today. There are more transactions now, and merchants can take payments in many different environments. There is also a significant difference between chip-and-PIN and the chip-and-signature systems being implemented in the United States.
There has also been rapid adoption of frictionless ways for consumers to pay, and the industry is also investing considerable resources in prevention. This creates a different measuring landscape, so it is going to be hard to compare.
Nevertheless, what we saw in the U.K. with EMV shifting the fraudsters away from the physical retail target, as well as later in Canada, suggests the fraud shifting to CNP channels in the United States is very likely to occur.
Are call centers particularly vulnerable to fraud?
There are three main risk areas in the call center:
- Customer service representatives (CSRs) may unwittingly open up a back door. You also get the criminal agents that are hacking for their own benefit or may have been coerced by criminal gangs to help them extract data.
- The basic network is also a target, and big organizations with lots of systems often have card data floating around. The network is always open to cyber attacks, so the infrastructure is a big area of risk.
- Specialist systems, such as agent customer relationship management, call recording and voice over Internet protocol systems, also present fraud possibilities.
How does social engineering factor into payment card fraud?
In the call center, in particular, fraudsters are using stealthy social engineering methods to hack systems, and their tactics for getting CSRs to open up networks are becoming more sophisticated. They often come in through emails that pose as people in the company to get someone to divulge information that helps them capture the data they're after.
We've also seen examples of USB drives being left around in public areas where certain agents would go. It's very easy to mistakenly pick that up and plug it into a network, triggering an attack.
Is there a greater need for social engineering in the United States to prepare for post-EMV fraud?
Social engineering is a vital part of any company's security strategy and approach. A training and education program for employees on how to be wise on this type of fraud to protect the company is always smart. We naturally like to trust and believe people's intentions are good. Unless we are conscious of the potential risks, it can be easy to innocently open a door to a fraudster.
Both merchants and the payments industry have responsibilities for how to grapple with fraud. The numbers are big - $5 billion is lost annually in the United States to fraud. Everyone should take it very seriously.
In the U.K., there are lots of ways companies can protect themselves, including third-party storage vaults. The overriding philosophy is you can't be hacked for data that you don't hold, so if you don't need to store or keep it, hand it off to a company who can protect it.