U.S. ATM Fraud Losses JumpFraud Migrating to Non-EMV Markets
ATM-related fraud losses are increasing in the U.S., and experts say that trend will continue until all U.S. debit cards make the conversion from magnetic-stripe to EMV chip and PIN.
See Also: 2016 State of Threat Intelligence Study
ATM-related fraud losses are migrating away from regions where the Europay, MasterCard, Visa standard has been adopted and are shifting to markets, such as the U.S., where magnetic-stripe transactions remain the standard, according to the European ATM Security Team's biannual fraud update, which was issued July 25.
In fact, from January to May, ATM-related fraud losses were reported in 34 countries and territories outside the Single Euro Payments Area, where EMV is the accepted standard. The U.S. ranks No.1 among those countries and territories for ATM-related losses, EAST reports.
"I'm not surprised that fraud is moving to non-EMV countries," says Avivah Litan, a financial fraud expert who's an analyst at the consultancy Gartner. "But banks don't want to spend money on EMV. ... [U.S.] banks are under a lot of financial pressure, and the security risks are just not high enough."
And when it comes to ATM-related fraud, Litan says it's less expensive for banks to invest in fraud detection systems than the EMV infrastructure.
EMV cards, unlike magnetic-stripe cards still common in the U.S., process payment transactions with a micro-computer chip. Card data stored on these chips is encrypted and cannot be skimmed or copied, unlike data saved to mag-stripes.
But because card-related fraud losses, at least until recently, have been absorbable, U.S. banking institutions have been reluctant to migrate payment cards to EMV because of the high cost associated with issuing cards embedded with chips, as well as the fact that the EMV infrastructure in the U.S. has not been built out. Most U.S. merchants and many U.S. ATMs are still not equipped to accept chip-card transactions.
Visa and MasterCard did set targets and liability-shift dates for migration to EMV, in hopes of spurring movement among U.S. card issuers. Visa had targeted April 2013 for transaction acquirers to have their processing systems upgraded to support chip and dynamic authentication. EMV card issuance was expected to follow a similar timeline, although experts said from the beginning that date was not realistic for most banking institutions and merchants (see Visa on EMV in the U.S.).
Visa also set an Oct. 1, 2017, liability shift date for all cross-border and counterfeit cards used at U.S. ATMs and pay-at-the-pump gas terminals on its network that result in fraud. The same liability shift for merchant POS systems is Oct. 1, 2015.
Visa notes that none of those dates, however, are mandates, and that card issuers are not required to issue EMV-compliant cards, nor are ATM providers and merchants required to upgrade their systems for EMV acceptance.
MasterCard also set April 2013 targets. The first April milestone was for acquirers to update their infrastructure and enable their core systems to support EMV transactions, says MasterCard spokesman Seth Eisen. The second April milestone, announced in 2011 as part of MasterCard's global Maestro EMV, which is used in Europe, was for shifting liability onto ATM owners and operators, he says. Fraud that results from transactions conducted in the U.S. with counterfeit cards created from internationally issued Maestro cards is now the responsibility of the ATM owner or operator.
In 2016, fraud liability for domestic transactions conducted at ATMs linked to MasterCard in the U.S. will shift to all ATM owners and operators, Eisen notes.
Both Visa and MasterCard have issued EMV roadmaps for the U.S. as well as guidelines to help issuers and merchants successfully launch and complete their EMV migrations.
Migration of Fraud
According to EAST, only five countries or territories within SEPA where EMV is the standard card technology reported over the last six months losses linked to ATM crimes, says Lachlan Gunn, who heads up EAST in London. That's proof, he says, that ATM fraud is migrating.
"This is just reinforcement of a trend first reported at the beginning of this year," Gunn says.
ATM fraud also ranked among the top five fraud loss areas reported by U.S. banking institutions in Information Security Media Group's 2013 Faces of Fraud Survey. Within the last year, 31 percent of the survey's respondents said they have suffered losses linked to ATM-related crimes.
Financial fraud expert Al Pascaul, an analyst for consultancy Javelin Strategy & Research, says the trend is alarming, but not surprising.
"What we're seeing here is a fraud ripple effect, where actions in one part of the industry will drive fraud to the path of least resistance," Pascual says. "Personally speaking, EMV can't come soon enough."
John Buzzard, who heads up FICO's Card Alert Service, says card fraud will continue to increase until the U.S. adopts chip authentication technology, such as EMV, at retailers' points of sale as well as ATMs.
"I think it's also important to note that U.S. card issuers today are continually exposed to payment card fraud within U.S. borders, as more and more retailers are experiencing data intrusions and malware attacks, in addition to the classic, physical POS and ATM skimming attacks that only seem to increase year after year," he adds. "Everyone is feeling the bite of fraud these days."
ATM Cash-Out Schemes
According to Javelin's 2013 Identity Fraud Report, Citibank is the only top 25 U.S. banking institution that has rolled out EMV debit. But Pascual notes that the rollout is primarily for card portfolios that cater to high net-worth international travelers, not cardholders who use the cards domestically.
"This does not bode well, given how pervasive ATM cash-out scheme fraud has become," he says.
An international $45 million cyberheist and ATM cash-out scheme revealed in May highlights how fraudsters are exploiting ATM transactions that continue to rely on mag-stripes, experts say.
On May 9, federal prosecutors charged eight alleged hackers for the roles they played in a massive cybercrime operation that involved hacking into card processors' networks, manipulating prepaid debit-card limits and then withdrawing millions from ATMs worldwide with so-called white cards - fake ATM/debit cards that had been encoded with mag-stripe data compromised during the attacks.
"The U.S. will remain a haven for such schemes until EMV becomes widely deployed," Pascual says.
More Woes for U.S. Cardholders
To reduce fraud losses, countries where EMV is the standard are increasingly blocking mag-stripe transactions, EAST's Gunn says.
Within the last six to 12 months, ATM-related card-skimming losses have migrated away from Europe toward the U.S., Latin America and parts of Asia-Pacific where EMV is not the standard, he notes. "As a result, an increasing number of European cards are now being blocked for usage outside of designated EMV-liability shift areas," Gunn says. "In many European countries, chip-only payment terminals are becoming more common. At such terminals it is only possible to use a chip or EMV card for payment, and therefore non-EMV-compliant, stripe-only, like those used in the U.S., will not work."