The use of card payments grew in 2018 yet again. As you might expect, as the volumes of card payments have risen, so have the related fraud losses. For this reason, it's more important than ever for financial institutions to have the proper policies and procedures in place to detect and eliminate card fraud, stay in constant communication with their customers and members, and educate them on how they can join in the fight against fraud.
Card Fraud Trends and Schemes
In the world of plastic card fraud, the only constant is change. As payment cards continue to gain market share in the payments space, fraudsters are responding by growing increasingly creative. These criminals will go to great lengths to steal assets from your financial institution and its cardholders. In the past couple of years, there's been an evolution in card fraud. Here are the top 3 card fraud trends and schemes:
- Application Fraud
- Transaction Fraud
- New channels of point-of-sale fraud
- Credit and Debit Card Chip Replacement
- Credit and Debit Card Skimmers
- Credit and Debit Card Cracking
By now, most of us have used, or at least become aware of, contactless cards. In 2018, the United States market was gradually introduced to credit and debit cards that you can just "tap-and-pay." Due to the extreme convenience factor of these new cards, they are growing quickly as a preferred method of payment. In fact, according to a recent statement, Visa expects to issue more than 100 million contactless cards by the end of 2019. If these predictions come true, contactless cards will represent about 12% of Visa's overall portfolio. While these contactless cards may make things easier on the consumer at the point-of-sale, they also expose new avenues for fraudsters to exploit.
Contactless card payments fraud happens frequently, as criminals devise more and more ways to take advantage of this method. In response, the contactless cards have been equipped with improved security features with several layers of protection to minimize the risks. The first layer of protection is EMV. The EMV standard was created to make forging cards very difficult. The second layer of protection is having unique, dynamic transaction data - each transaction generates a unique code. These codes are only good for one transaction, and contain no sensitive information. The next layer of protection is authentication protocols. In combination with the unique transaction data, the card issuers have a powerful fraud detection system which will reject any other transaction attempt made using the same code. Yet another advantage of these dynamic codes is that they obscure confidential cardholder information. By enabling this tokenization, your primary account number will be replaced by an encrypted number, which means when you are making transactions, the true details of the card are not sent. Instead, a token is sent consisting of 13 to 19 characters that act as a proxy for real account information.
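The one-time code and token described above can be modelled in a few lines. This is an added example, not code from the original article or from any card network: HMAC-SHA256 with a per-card counter stands in for the real EMV cryptogram, and the `Card` and `Issuer` classes, the token format and the test card number are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Simplified model (assumption): HMAC-SHA256 stands in for the EMV cryptogram.
def _code(key: bytes, req: dict) -> str:
    msg = f'{req["token"]}|{req["counter"]}|{req["amount_cents"]}|{req["merchant"]}'
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()[:16]

class Card:
    """Card side: holds a token (never the real number), a key and a counter."""
    def __init__(self, token: str, key: bytes):
        self.token, self.key, self.counter = token, key, 0

    def authorize_request(self, amount_cents: int, merchant: str) -> dict:
        self.counter += 1  # every transaction gets a fresh counter value
        req = {"token": self.token, "counter": self.counter,
               "amount_cents": amount_cents, "merchant": merchant}
        req["code"] = _code(self.key, req)
        return req

class Issuer:
    def __init__(self):
        self.vault = {}         # token -> (real account number, card key)
        self.last_counter = {}  # token -> highest counter already accepted

    def issue(self, pan: str) -> Card:
        # Constructed token format: 16 digits, inside the 13 to 19 range.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self.vault[token] = (pan, key)
        self.last_counter[token] = 0
        return Card(token, key)

    def verify(self, req: dict) -> str:
        entry = self.vault.get(req["token"])
        if entry is None:
            return "DECLINE: unknown token"
        _pan, key = entry
        if not hmac.compare_digest(_code(key, req), req["code"]):
            return "DECLINE: bad code"          # data was altered or forged
        if req["counter"] <= self.last_counter[req["token"]]:
            return "DECLINE: code already used"  # replay of a captured code
        self.last_counter[req["token"]] = req["counter"]
        return "APPROVE"
```

A captured request is useless a second time because the issuer has already advanced past its counter, and changing any field invalidates the code.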
Reducing Card Fraud at Financial Institutions
All financial institutions strive to keep fraud losses low. In order to accomplish this goal, financial institutions should keep in constant communication with their account holders, continually educate them on all things fraud, and have the proper fraud prevention tools in place.
Stay Connected and Educated
Communication with your customers and members is key. Having the proper fraud policies and procedures in place will help reduce and eliminate overall losses. Some best practices to reduce card fraud are:
- Email/call/text alerts
- Stop, block, and reissue as quickly as possible
- Have a fraud hotline
- Strong Customer Identification Process
It is also important for financial institutions to keep their customers and members educated and updated on current fraud schemes, trends, tactics, etc. Most consumers rely on their financial institution to provide them with peace of mind when it comes to their finances. Keep your consumers informed by providing free, accessible financial literacy either by email or on your website, and encourage consumers to take the proper steps to protect their identity and card credentials.
Debit and Credit Card Fraud in Action
Stealing card information using skimmers at gas pumps and ATMs may still be a problem, but fraudsters have become more sophisticated. Before, fraudsters would place a card skimmer over the card reader on ATMs and gas pumps, which would then read the data from the card's magnetic stripe and transmit it wirelessly. These criminals have come up with a new card fraud tool called "shimmers," a tiny type of skimmer that is capable of reading the data from chip-based debit and credit cards. A shimmer sits between the chip on the card and the chip reader in an ATM or point-of-sale (POS) device and records the data on the chip as it is read by the underlying machine. Fraudsters can print this data onto fraudulent magstripe cards, and use these cards at those points-of-sale which are not yet EMV enabled, or at which they can force what's called a "fallback" transaction. Fallback transactions refer to those purchases made at an EMV-enabled merchant, using a fraudulent card that tricks the POS device into believing the card's chip to be bad, thus "falling back" onto the data from the magstripe.
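On the issuer side, use of shimmed card data shows up in authorization records, and a simple rule can queue it for review. This is an added example, not part of the original article: the record fields, entry-mode labels and sample authorizations are constructed, and it assumes the first digit of the magstripe service code (2 or 6) identifies a card that carries a chip.

```python
from collections import Counter

# Constructed authorization records; field names are assumptions of this example.
SAMPLE_AUTHS = [
    {"card": "tok-A", "terminal": "T1", "entry": "chip",      "service_code": "201", "term_chip": True},
    {"card": "tok-B", "terminal": "T1", "entry": "fallback",  "service_code": "201", "term_chip": True},
    {"card": "tok-B", "terminal": "T2", "entry": "magstripe", "service_code": "201", "term_chip": True},
    {"card": "tok-C", "terminal": "T3", "entry": "magstripe", "service_code": "201", "term_chip": False},
    {"card": "tok-D", "terminal": "T3", "entry": "magstripe", "service_code": "101", "term_chip": False},
    {"card": "tok-B", "terminal": "T2", "entry": "fallback",  "service_code": "201", "term_chip": True},
]

def card_has_chip(service_code: str) -> bool:
    # Assumption: first service-code digit 2 or 6 marks a chip card.
    return service_code[:1] in ("2", "6")

def classify(auth: dict) -> str:
    """Label one authorization by how the card data reached the terminal."""
    if auth["entry"] in ("chip", "contactless"):
        return "ok"
    if auth["entry"] == "fallback":
        return "fallback"              # terminal reported the chip as unreadable
    if auth["entry"] == "magstripe" and card_has_chip(auth["service_code"]):
        # A chip card read from its stripe: either an undeclared fallback at a
        # chip terminal, or use at a terminal that is not yet EMV enabled.
        return "chip-card-swiped" if auth["term_chip"] else "non-emv-terminal"
    return "ok"                        # magstripe-only card read from its stripe

def review_queue(auths: list) -> list:
    """Return (card, terminal, reason) for every authorization worth a look."""
    return [(a["card"], a["terminal"], r) for a in auths
            if (r := classify(a)) != "ok"]

def cards_with_repeat_fallback(auths: list, threshold: int = 2) -> list:
    """Cards whose chip was bypassed at chip terminals at least `threshold` times."""
    hits = Counter(a["card"] for a in auths
                   if classify(a) in ("fallback", "chip-card-swiped"))
    return sorted(c for c, n in hits.items() if n >= threshold)
```

A single fallback is often just a worn chip; the repeat count across terminals is what separates a damaged card from a cloned stripe.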
Another problem we face is the rising number of data breaches. A data breach occurs when a cybercriminal successfully gains access and infiltrates a data source to extract sensitive information. While these breaches can take many forms and target a number of different types of information, plastic card numbers are one of the "usual suspects." These breaches can occur either through the criminal physically breaching a machine or networking room, or through the fraudster bypassing network security remotely in order to gain access to valuable information. Cybercriminals will then take the stolen data and use it to make money by duplicating credit and debit cards, using any stolen personal information for fraud, identity theft, and even blackmail, and/or simply putting the information up for sale in bulk on Deep Web marketplaces. These breaches have harmful effects for consumers and their financial institutions alike. When a data breach occurs, credit and debit cards are compromised, which means that financial institutions have to swallow significant cost to stop, block, and re-issue thousands of cards each year to their customers and members. Here are some of the most recent data breaches:
- Quora breach
- Marriott Starwood breach
- Facebook breach
In this day and age, the internet is used for anything and everything. Whether it be paying bills, making purchases, or simply browsing the web to do research or pass the time, the internet is our playground. What consumers may not realize is that cybercriminals are lurking under the surface to steal their personal information while they conduct these daily tasks. Websites may be secure, but these criminals will go to great lengths to compromise these security features in order to steal any morsel of information from which they can derive financial gain. These criminals will then take the stolen information and put it on the Dark Web and Deep Web for other cybercriminals to buy and use.
The Deep Web is a subset of the internet that is not recorded or tracked by major search engines. The Dark Web is a subset of the Deep Web, which represents a major hub of identity theft, malware, and payments fraud activity. Cybercriminals frequent these sites, which are anonymous and inaccessible via normal web browsers, to buy and sell stolen identities, card numbers, and online banking credentials. If your institution is experiencing losses due to payment card fraud, wire fraud, or new account opening fraud, it is likely that many of those schemes originated on the Dark Web.
Card Fraud in the Digital Underground
We all have private information that we think is kept to ourselves, but unfortunately that is not always the case. The scary reality is that consumers' private information can easily be accessed by cybercriminals via the "Digital Underground," which includes the Dark Web and Deep Web. We recently partnered with Q6 Cyber, a leading provider of cyber threat and anti-fraud intelligence software, to integrate their data feeds directly into our TrueCards® fraud prevention software platform. In partnering with Q6, there is greater potential for reducing fraud losses by giving your institution the ability to detect stolen data before any dollars go out the door. This integration between Q6 and TrueCards® helps your fraud prevention become both proactive and dynamic. To learn more about the partnership and integration, check out the Fighting Card Fraud In The Digital Underground blog.