EMV: Countdown to the Fraud ShiftSummit Speakers Warn of First-Party Fraud, More Social Engineering
The fraud shift as a result of the migration to EMV chip payments in the U.S. will extend beyond card-not-present payments, experts said last week at Information Security Media Group's Fraud Summit San Francisco.
See Also: Defining and Refining Next-Gen AML
First-party or new account fraud and business email compromise attacks are likely to increase, too, as EMV shores up the security of card transactions at the point of sale.
"The personally identifiable information that has been compromised in massive data breaches over the last three years has given fraudsters all they need to steal identities or create synthetic identities."
In addition, one cybersecurity guru who participated in ISMG's Data Breach and Prevention Response Summit, which also took place in San Francisco last week, told me that banks should be bracing for more distributed denial-of-service attacks as well (see DDoS Attacks Against Banks Increasing).
While many hot fraud topics were discussed last week, the hottest topic, without question, was EMV's impact on the future of payments security.
Eduardo Perez, Visa's senior vice president of payment risk, noted during his opening keynote at the Fraud Summit that EMV is a step in the right direction, but that retailers and banking institutions have to brace for shifts in fraud.
Perez' comments were echoed by closing keynoter Barbara Pacheco, senior vice president and a member of the management committee at the Federal Reserve Bank of Kansas City, who said this anticipated migration of fraud is an area the Fed has been closely watching.
Ultimately, she said, the need for more secure payments options, as well as more cross-border payments interoperability, has spurred the Fed's push for faster payments in the U.S.
Pacheco said the convergence of legacy payments, such as ACH, credit and debit, with emerging payments, such as mobile wallets and crypto-currencies, including Bitcoin, will pose additional opportunities as well as risks.
Gray Taylor, executive director of Conexxus, a convenience and petroleum industry technology association, predicted that first-party fraud will skyrocket as EMV begins to take root in the U.S. The personally identifiable information that has been compromised in massive data breaches over the last three years has given fraudsters all they need to steal identities or create synthetic identities that they can use to open new accounts that can't be traced back to a legitimate source, he said.
Taylor called for the use of stronger authentication and identity management techniques to help fight first-party, or new account fraud.
Just as we saw with Apple Pay - where fraudsters were stealing phone numbers from unsuspecting consumers and using them to open new Apple Pay accounts under false or stolen names - fraudsters will exploit the ability to open a new account for an EMV card in the same way, Taylor said (see Apple Pay: Fraudsters Exploit Authentication).
One of the best ways to shore up authentication, Taylor said, is by incorporating mobile devices into payments. "Sitting in your hand is the greatest authentication device ever," he said.
And Perez said moving card payments to mobile is Visa's ultimate goal. "In 2011, Visa launched its EMV roadmap; and we did that to kick-start mobile adoption," he said.
Financial fraud expert Shirley Inscoe, an analyst at consultancy Aite who spoke at the Fraud Summit, also acknowledged that new-account fraud, whether it's linked to opening a new payment card account, an e-commerce account or checking account, is poised to increase significantly in the wake of EMV. She said banking institutions and businesses are already seeing upticks in socially engineered schemes, such as call-center scams, that ultimately exploit staff members' willingness to provide fraudsters with all of the information they need to perpetrate fraud.
Charles Gunther, program coordinator of complex financial crimes for the Federal Bureau of Investigation, said social engineering is a grave worry for law enforcement globally. Wire fraud perpetrated through business email compromise attacks has exploded in the last year (see FBI Alert: Business Email Scam Losses Exceed $1.2 Billion).
Since July, more than 7,000 U.S. businesses have reported being targeted by a business email compromise attack, also known as "masquerading," Gunther said. The attacks involve sending spoofed emails to accounting depart,ent employees that appear to be coming from executives within the organization. The emails request that emergency wire transfers be sent to overseas accounts, asking staff to bypass the normal verification protocols.
The estimated amount defrauded from those 7,000 companies since July is $750 million, Gunther said.
DDoS Threat Continues
One cybersecurity expert told me last week that U.S. banks are still the primary focus of DDoS attacks. What's more, the expert contended that the majority of these attacks are backed by nation states, and these attacks have been ongoing for the last three years.
The expert claimed the self-proclaimed hacktivist group known as Izz ad-Din al-Qassam Cyber Fighters, which attacked leading U.S. institutions from September 2012 through 2013, remains alive and well in the cyber-realm. Many in the industry believe al-Qassam was backed by Iran.
We know that DDoS attacks are on an upswing, as the extortionist group known as DD4BC - DDoS for Bitcoin - has been targeting banking institutions for the last year, threatening to take their sites down if they don't pay ransoms. But experts tell me it's not clear who is involved in this group.
A Look Ahead to Toronto
If you couldn't make it to last week's shows, be sure to check out next week's Fraud Summit in Toronto, which takes place Sept. 29.
Executives from Visa, TD Bank and Deloitte will be among the featured presenters, addressing such topics as emerging payments fraud, the use of big data for fraud prevention and the convergence of cybersecurity and fraud.
You can find out more on the Summit's registration page. I hope to see you there.