The Green Sheet Online Edition
August 22, 2016 • Issue 16:08:02
CNP fraud: Evolving strategies for an evolving market
There is an old saw that likens payment fraud to a water balloon. As every youngster playing with water balloons quickly learns, when you cut off the flow to any one area of a balloon the water automatically finds someplace else to flow. Just like that water, fraudsters, upon being deterred in the pursuit of ill-gotten gains using one card scam, simply seek a path of lesser resistance.
"The organized crime rings behind so many of the fraud attacks are able to nimbly evolve their strategies," said Julie Conroy, Research Director for Retail Banking at Aite Group LLC. Seattle-based fraud consultant Bob O'Neil added, "There are no constants in fraud detection and prevention. Fraudsters quickly catch on" to any new prevention techniques and devise fresh attacks.
The migration to EMV (Europay, Mastercard and Visa) technologies for authorizing credit and debit card payments at the physical POS, for example, has been accompanied by an uptick in card-not-present (CNP) fraud in the United Kingdom, Australia and Canada. And counterfeit card fraud – an irksome problem that EMV addresses – typically takes time to abate because EMV adoption itself takes time. Aite predicts 81 percent of credit cards and 57 percent of debit cards in Americans' wallets will contain EMV chips by the end of 2016; the 100 percent mark is expected to be reached in 2020.
In Australia, the EMV liability shift (which placed responsibility for fraud prevention squarely onto merchants) is blamed for a 30 percent fraud increase from 2013 to 2014 despite only modest (9 percent) growth in aggregate ecommerce sales during that period, Aite noted in a recent report. A nearly identical shift occurred following the 2011 EMV liability shift in Canada.
Meanwhile, in the U.K., where EMV implementation preceded both Australia and Canada, card fraud losses grew 18 percent in 2015, with a value of 88.5 million British pounds ($114.7 million), according to Fair Isaac Corp. Seventy-five percent of that increase was directly attributable to CNP transactions, the bulk of which ($85 million) were ecommerce transactions, FICO said.
Aite expects CNP fraud will cost U.S. retailers and banks $7.2 billion annually by the end of 2020. "EMV migration represents a big win for straightforward, friction-free transacting, but at what cost?" asked Vanita Pandey, Vice President, Strategy and Product Marketing at ThreatMetrix.
EMV is not the only factor inflating CNP fraud data. Experts are quick to point out that fraudsters are merely following the money. "Ecommerce in the U.K. has nearly quadrupled since 2007, so you see why this is such a target for criminals," said Martin Warwick, a fraud consultant with FICO. FICO publishes a yearly report on card fraud trends across 19 European countries. The latest report reveals that the U.K. accounts for 43 percent of all card fraud in the regions measured.
U.S. merchants and banks may be benefiting from the solutions and processes other countries developed when they encountered increased CNP fraud following EMV implementation. Indeed, the latest CNP fraud report from CyberSource suggests fraud management teams in the United States have been holding online fraudsters at bay. But it's a balancing act, and a costly one. Merchants are manually reviewing and rejecting more orders, CyberSource reported in the Annual Fraud Benchmark Report: A Balancing Act, North America Edition 2016. That report is based on a 2015 survey of more than 300 online, mobile and MO/TO merchants in the United States and Canada.
CNP fraud causes more harm than actual dollars lost and related expenses; it also negatively impacts online shopping habits. A recent survey by Sparks Research and Tender Armor LLC revealed that 55 percent of cardholders reduce online shopping and payment card usage, and/or close out card accounts after facing a fraudulent event.
"Lower card usage, card account attrition and less shopping are the silent revenue killers for FIs and merchants alike," said Madeline Aufseeser, Tender Armor co-founder and Chief Executive Officer and former Senior Analyst with Aite.
Most card fraud today is the result of a seemingly unending barrage of data breaches at financial institutions and other businesses that maintain databases of information on customers, including credit and debit card numbers and other personal financial information. "In a world where billions of consumer identities have been compromised, it is becoming harder for digital businesses to authenticate the good guys, let alone detect the bad ones," Pandey said.
The Rand Corp. reported in April 2016 that one in four American adults had been notified that their personal information had been compromised in a data breach over the previous year. That information gets sold on the underground web to fraudsters who use the information to apply for new (bogus) accounts, or simply run up charges on innocent consumers' existing card accounts.
"The challenge remains, how do businesses accurately identify genuine attacks from legitimate transactions?" Pandey said.
ThreatMetrix developed a solution it calls Digital Identity Network to help identify potential fraud resulting from malware and data breaches. The company said it verifies 20 billion transactions annually for 30,000 websites globally. It uses data from those transactions for regular cybercrime reports. The latest of those reports, covering the second quarter of 2016, reveals the network detected and stopped 112 million attacks among 5.2 billion transactions processed, representing a 50 percent increase over the same period in 2015.
One attack plan is not enough
It is essential to find the right automated tools, and combinations of tools, that can help merchants more efficiently and effectively identify fraud. CyberSource's data revealed that merchants use combinations of tools when screening customers, including card validation and customer lists. Many also conduct manual reviews: 86 percent of North American businesses, on average, perform manual reviews on 29 percent of orders, according to CyberSource. The cost: 46 percent of those surveyed said manual review staffs are the biggest line items in their fraud management budgets.
CyberSource, which is owned by Visa Inc., is one in a growing army of companies that leverage data and analytics to help CNP merchants accept more good orders, which by extension, is intended to enhance the customer experience. It's a tall order. "We're dealing with teams of fraudsters working in global groups," O'Neil said. "They can leverage vast amounts of computational power, and they are gaining access to huge amounts of data."
Most experts believe the best fraud-fighting strategies demand a combination of solutions implemented by merchants and issuers alike. This also makes for good customer service; 75 percent of consumers surveyed by Tender Armor and Sparks said they wanted more protection for card data when shopping online. "It's a huge worry for consumers," Aufseeser said.
In 2015, Tender Armor introduced a real-time, dual-factor tool for authenticating cardholders in CNP transactions. Aufseeser described the product, CvvPlus, as a "one of a kind solution" that enables issuers to stop all types of CNP fraud (not just online, MO/TO and mobile fraud). Plus there's no need for retrofitting; the solution can be deployed on any and all credit and debit cards, she said.
CvvPlus uses two sources of data to authenticate cardholders: the card number and a unique security code the cardholder retrieves from a mobile text message or email and provides the merchant in lieu of the payment card's CVV2 code. The codes can be changed as often as daily and can be used for multiple cards in a consumer's wallet. Consumers sign up for CvvPlus through card-issuing banks, many of which have shown interest in the concept. "We've got a huge sales pipeline," Aufseeser said.
Unlike CvvPlus, many CNP fraud tools have been developed for and implemented by merchants, and the move to EMV has more merchants looking closely at these and emerging tools. Here's a rundown of the most commonly used CNP tools:
- Address Verification Services and Card Verification Numbers, supported by card companies and issuers.
- Proprietary and shared data on customers, high-risk cards, email and IP addresses, and similar information.
- Tokenization, in which card values are replaced with different values (tokens), so there is no need for merchants to store sensitive data.
- Device authentication, which is critical when customers use mobile devices and confirms that devices are legitimate, as well as users' locations, based on things like IP geolocation information and device fingerprinting.
- 3-D Secure, a secure communications protocol promoted by the card brands, requires consumers to enter unique PINs to verify that customers are who they say they are. Adoption to date has been lackluster, although it may be poised to grow. CyberSource's 2016 benchmark report indicated that 23 percent of merchants use this validation method and that an additional 20 percent plan to use it.
Getting machines to learn
While each of these tools can help keep fraudsters at bay, they are not always practical. Companies selling digital content, for example, complain about high customer abandonment rates when orders take too long to authorize using tools like 3-D Secure. Others are troubled by too many false positives from automated decision tools. "Where I'm seeing a big push today is with machine learning," O'Neil said.
The need is clear. CyberSource data suggests that, on average, 27 percent of orders received by online merchants get routed to fraud analysts for manual reviews; 85 percent of these cases ultimately are deemed valid and accepted.
Machine learning has existed for years, with recent applications popularized by Internet search engines and social media. Essentially, machine learning enables computer programs to adapt and change in response to new information about cardholders and transactions. It uses statistical analysis and predictive analytics to identify patterns and make adjustments.
Such analytics can reduce the number of legitimate card transactions that get declined, identify more real fraud attempts and improve operational efficiencies, said Jonathan Crossfield, a partner at Oakhall Ltd., a London-based analysis firm. "Incumbent systems can block 10 legitimate transactions for every fraudulent one identified," Crossfield noted.
A recent analysis by Oakhall suggested that financial services firms worldwide could generate $12 billion in annual savings by employing machine learning techniques to combat card fraud. The actual breakdown: $4 billion in reduced fraud and $8 billion in savings on fraud management costs and lost revenue.
"Having genuine transactions decline is extremely frustrating for consumers and damages their relationships with their card issuer or bank," said Martina King, CEO at Featurespace Ltd. Based in the UK, Featurespace is a pioneer in using machine learning to support card fraud prevention, one customer and one transaction at a time, in real time.
In May, Total System Services Inc. signed on to use the Featurespace platform. "We will incorporate these capabilities across the credit risk lifecycle, enabling our [issuer clients] to catch more fraudulent transactions while dramatically reducing false-positive alerts for genuine transactions," Andrew Mathieson, Group Executive for Issuer Products at TSYS, said at the time.
San Francisco-based Sift Science Inc. is another technology startup deploying machine learning to support better card fraud detection. Founded by former Google Inc. engineers, Sift developed a cloud-based machine-learning platform that uses over 16,000 fraud signals that get updated in real-time from a global network of 6,000-plus client websites, including those of OpenTable Inc., Dwolla Inc., Airbnb Inc., Wayfair LLC and Kickstarter PBC. The platform – which is constantly learning from transactions and interactions between consumers and merchants – looks for all manner of fraud, identifying fraud by different patterns and signals, and calculates scores for every transaction reviewed.
CyberSource also employs machine learning to help online merchants analyze and adjust their fraud management strategies. Decision Manager Replay is the latest enhancement to what CyberSource calls its Decision Manager tool set. It allows merchants to perform what-if fraud strategy analyses, back-testing prior transactions to determine what would have happened with different rules and adjusting systems accordingly.
"Merchants create rules and parameters in their fraud management system that determine whether a transaction is accepted or denied, based on risk levels," said Andre Machicao, CyberSource Senior Vice President. "In some cases, the parameters they set might be overly cautious, causing them to lose legitimate, safe business unnecessarily." Now, with enhanced features, they can revise rules quickly and easily.
SIDE NOTE: To PIN or not to PIN
While many experts agree widespread adoption of EMV technology combats fraud, there has been significant disagreement on how best to implement EMV: as a chip-and-PIN or a chip-and-signature solution. In most countries where EMV has taken hold, PIN is the dominant authorization method; not so in the U.S., where many retailers remain frustrated.
Retailing giant Wal-Mart Stores Inc. has gone so far as to sue Visa over Visa's insistence that cardholders be given the option of authorizing transactions with PINs or signatures. Wal-Mart wants to mandate PIN authorization.
A new report from Aite raises questions about the value of PIN authorization, however. Aite found that although the cost for merchants with PIN pads is minimal, the economic impact would be huge – in excess of $4 billion – because there are so many merchants without PIN pads. Issuer costs would exceed $2.6 billion, and include card re-issuance, establishing and maintaining PIN management systems, customer education and platform modification.
The end result, by Aite's estimates, would be a five-year fraud-avoidance benefit of about $850 million. What's more, the most effective use of PINs is to counteract lost and stolen card fraud, which only accounts for about 9 percent of total card fraud losses, Aite reported in Chip Cards in the United States: The PIN, PINless, Debit, Credit Conundrum.
"With very little incremental risk for merchants and significant expense and implementation challenges for the payments ecosystem, it is difficult to justify a mandate to implement PIN as a credit card verification method," said Aite Senior Analyst Thad Peterson.