Experts: Why CNP Fraud is Up 30%EMV, Credential Compromises Fuel Ecommerce Fraud
Card-not-present fraud is increasing, and now outpaces card-present fraud in the U.S. by a ratio of 3:1, says Aite analyst Julie Conroy.
See Also: IoT is Happening Now: Are You Prepared?
"Merchants are seeing a substantial uptick in account takeover, thanks to all of the credential compromises," says Conroy, a financial fraud expert and research director at Aite. "A large issuer I spoke with said they are now seeing the CNP fraud rate in the U.S. outpacing card-present fraud by 3:1."
Conroy's findings are not isolated. According to a new study from electronic payments provider ACI Worldwide, global fraud rates by volume in the CNP space increased 30 percent during the first half of 2015 when compared with the same period a year earlier.
In fact, one of out of every 86 CNP transactions conducted between January 2015 and July 2015 was fraudulent, ACI finds, versus one out of every 114 CNP transactions conducted during the same period in 2014.
Fraud attempt rates based on the purchase amount also increased by 33 percent year-over-year, ACI notes.
"I think we have a perfect storm brewing, in which there is a vast amount of data at criminals' disposal, thanks to all of the data breaches," Conroy says. "CNP commerce is growing at a much more rapid pace than card-present commerce, and there's little in the way of disincentive to their attacks."
Experts say the uptick in CNP fraud means that online authentication practices have to improve, and that ecommerce retailers, like all merchants, must move toward payment-card tokenization (see Payment Security: What Factors Are Essential?).
Online retailers also need to invest in real-time fraud monitoring and behavioral analytics so that they can review buying trends and patterns across all channels, whether online or in-store, experts say.
But are merchants willing to invest more in fraud prevention for online transactions? Just coming off huge investments in the U.S. to prepare for the EMV fraud liability shift, many merchants may be reluctant to make additional investments to curb CNP fraud.
Gray Taylor, executive director of Conexxus, a convenience store and petroleum industry technology association, says most top ecommerce merchants are already investing in technologies to curb CNP fraud.
"The big online retailers are using machine learning and neural technology to tighten down risk, to the point where some are saying that they may authorize a customer even if [3-D Secure] tells them it is too risky."
While 3-D Secure, an XML-based protocol, adds an additional authentication step for online purchases, Gray says larger online retailers are investing in more sophisticated technology layers to help them reduce false risk ratings that could encourage them to push good customers away.
"We are looking into better risk scoring," he says. "And the World Wide Web Consortium (W3C) is working on Web-based authentication that approximates 'in-app' authentication security as another means to reduce CNP. Conexxus is co-chair of this initiative."
EMV Not Entirely to Blame
ACI, which analyzed transaction data year-over-year from leading U.S. and European retailers, attributes the CNP fraud shift, in part, to fraudsters' anticipation that the U.S.'s migration to EMV will close security gaps at the physical point of sale.
ACI notes that fraud rates in buy-online/pick-up-at-the-store scenarios are expected to increase 28 percent between November and December this year, namely because of EMV deployment at the physical point of sale.
Other experts have made similar predictions, noting that CNP fraud has historically increased in markets once EMV is deployed (see Bracing for Uptick in CNP Fraud).
But Conroy says EMV isn't to blame for these most recent upticks in U.S. CNP fraud.
"Most of the people I spoke with said that the fraud has been steadily rising throughout 2015, so I think it's actually too early to pin this one on EMV, especially given the fact that less than 20 percent of U.S. transactions are chip-on-chip at this point."
Manuel Da Silva, global product line manager of the financial crime risk management unit at core processor and technology provider Fiserv, also notes that increases in CNP fraud have been evident for some time and shouldn't be blamed solely on the U.S.'s move to EMV (see EMV Shift: Preparing for a Fraud Migration).
"This is why it's critical for financial institutions to monitor the different lines of business," Da Silva says in an August interview with Information Security Media Group. "When we look at fraud patterns from markets that have deployed EMV, we actually see an uptick in other types of frauds."
ACI touches on this, too, in its new findings about upticks in CNP fraud.
According to its latest research, ACI finds that CNP ecommerce fraud also is rising because more consumers shop online, either with mobile devices or PCs. What's more, ACI says compromised cards have longer shelf-lives today than they did a year ago, because card issuers are now slower to shut down accounts and reissue cards after fraudulent activity.
One executive with a leading card issuer, who asked not to be named, tells ISMG that CNP has increased since last year. But this executive says the percentages are not as high as ACI suggests. "We have seen a steady year-over-year increase, but not the 30 percent and 33 percent figures identified in the report. Our increases in CNP are relatively in line with portfolio growth."
Al Pascual, director of fraud and security at Javelin Strategy & Research, says CNP fraud trends in the U.S. will be somewhat unique, despite global increases in CNP fraud.
"Fraud as a proportion of overall e-commerce volume shrunk in the U.K. between 2002 and 2013, with only a slight increase immediately after the EMV transition," Pascual says. "Our transition is on track to take longer than what occurred in that market. We have the most mature e-commerce environment, where fraud is well entrenched and more consistent."