Card-not-present fraud isn't the only looming threat for payments providers and merchants. Account-takeover losses are also set to take off.
As criminals find it easy and affordable to use the Internet to obtain millions of pieces of personally identifiable information about consumers, the prospects of greater fraud overall are high.
Plus, the advent of EMV chip cards in the United States, combined with greater criminal savvy, makes this a ripe time for more payments fraud.
By 2018, losses from new-account and account-takeover fraud will increase 60% from $5 billion to almost $8 billion, forecasts payments-research firm Javelin Strategy & Research. Account takeover, as defined by the Federal Reserve Bank of Atlanta, is when an unauthorized party gains online access to an existing account and then conducts illegal transactions.
As it gets tougher for criminals to conduct fraud at the point of sale, they'll turn to other avenues, such as online, to commit their nefarious deeds. And that means payments companies will have to contend with account takeovers.
Indeed, account takeovers in Apple Inc.'s Apple Pay service flared just a few months after the mobile-payments service's 2014 debut. Criminals used stolen card credentials to create new Apple Pay accounts they then used to buy then-new iPhone 6 smart phones or other merchandise.
Part of the problem was that some issuers relied too much on static data, such as a birth date or address, to verify a prospective Apple Pay user's card. Most issuers have since tightened their protocols and little has been heard recently about this type of fraud with the service.
'A Different Environment'
The debut of EMV chip cards, which make it very difficult to use counterfeit credit and debit cards at the point of sale, means all sorts of card-not-present fraud are predicted to increase. It's a pattern that's happened in other nations following their EMV migrations. Many experts look to the United Kingdom's conversion 10 years ago as the primary example.
While there are similarities to the U.K. case, much is not alike, says Al Pascual, research director and head of fraud and security at Pleasanton, Calif.-based Javelin. "We're in a different environment than the U.K. in 2006 in a couple of ways," says Pascual.
One big difference is that digital application forms, where consumers use identity information to complete account-enrollment forms, are much more common today than 10 years ago. Tens of millions of consumers are applying online for accounts. "We have introduced the ability to easily apply for new financial accounts," Pascual says. "This will make it easier for criminals to get their hands on cards."
The other massive change since the arrival of EMV in the U.K. is the introduction of marketplaces for stolen identity information. Fraudsters can go online and either buy the data or hire a proxy to complete the application, who will then have the card sent to the fraudster, Pascual says. "We know, based on what's happened in other markets, that account takeover and application fraud will grow on consumer accounts," he says.
'A Serious Threat'
What's the significance of this for payments companies, and what can they do to counter the potential loss this fraud carries?
It's a problem not only for issuers, but also for acquirers and merchants. "Account takeover is a serious threat," says Rich Stuppy, chief operating officer at Kount Inc., a Boise, Idaho-based fraud-prevention specialist. "It's one of many that are becoming more and more pronounced."
Devising a plan to counter account-takeover fraud requires understanding how users, be they consumers or merchants, interact with online data-collection sites, he says.
Many merchants use online portals to access their merchant accounts. "If that account gets compromised, then a whole variety of bad things can happen," he says, such as criminals redirecting funds to other accounts, potentially leaving the acquirer, in this case, on the hook for the loss.
Acquirers, and others that touch merchant-processing accounts, may also find some risk from the consumer side, Stuppy says.
In an effort to make the online checkout process as frictionless as possible, many merchants that require consumers to authenticate to their platforms tend to assign lower risk to them once that authentication is complete. With that in place, fraudsters could take over the account and perhaps be able to make additional fraudulent transactions they otherwise might not be able to, he says.
"That will flow uphill to the payment processor or acquirer because of chargebacks that eventually will be passed on. Elevated risk permeates the whole system," Stuppy says.
'Number-One Priority'
The first step to combating account-takeover fraud is to have controls and safeguards in place that are aligned with the company's business strategy, Stuppy says, to ensure they don't inadvertently lead to decreased growth or shrinkage.
There are five major elements to this. One involves the creation of new accounts, making sure the underwriting tools can comprehensively assess the risk during the initial signup process, Stuppy says.
That includes collecting data on the type of device used during the enrollment process, including asking merchants about the number and locations of their stores. The ability to evaluate this data as it comes in is vital because of the risk associated with it, Stuppy says.
Second, organizations can take advantage of newer technologies that confirm a device's location and identity, Pascual says. Some services can verify with the wireless carrier to see if the device-owner record it has on file matches the information submitted for a new account or account update.
Third, the provider should have a solid case-management system in place to follow up on suspect accounts.
The fourth tactic is vetting profile changes. Payments providers should routinely monitor their entire portfolio for unusual behavior.
And the last element is to provide the largest, most valuable clients with services that cater to their unique risks. Merchants want more than processing services from their payments providers, Stuppy says.
Most small-business owners are not cybersecurity experts, says Ben Knieff, senior analyst specializing in fraud detection and identity verification at Aite Group LLC, a Boston-based financial-services advisor firm. "They are a little bit vulnerable because they may not have the protection in place like a blue-chip corporation," Knieff says.
One of the easiest tools to use to counter account-takeover fraud is dual authentication. In an example, an employee may place a wire transfer, but before the payment provider can initiate and complete that transaction, a second person needs to authenticate the transfer. "It's a very simple thing that most financial institutions offer, and it's incredibly effective," Knieff says.
Another measure that small businesses may be unaware of is a system called positive pay. A small-business owner compiles a transaction file that discloses authorized payees and the amounts. The financial institution then checks the transactions as they are received against this payment file. If a match is not made, the payment is not authorized. "A lot of small businesses don't even know it's available," Knieff says.
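The positive-pay check described above can be sketched in a few lines of Python. This is an added illustration, not code from the article or from any institution named in it; the function names, the sample payees and amounts, and the rule that each authorized item clears only once are assumptions made for the example.

```python
from collections import Counter
from decimal import Decimal


def normalize(payee: str) -> str:
    """Comparison key for a payee name: ignore case and extra whitespace."""
    return " ".join(payee.lower().split())


def load_payment_file(rows):
    """Build a multiset of (payee, amount) items the business authorized."""
    return Counter((normalize(payee), Decimal(amount)) for payee, amount in rows)


def screen(payment_file, presented):
    """Return a decision for each presented transaction, in order.

    Assumption for this example: each authorized item may be paid once,
    so a second presentation of the same payee and amount does not clear.
    """
    remaining = Counter(payment_file)  # work on a copy of the file
    decisions = []
    for payee, amount in presented:
        key = (normalize(payee), Decimal(amount))
        if remaining[key] > 0:
            remaining[key] -= 1
            decisions.append("PAY")
        else:
            decisions.append("NOT_AUTHORIZED")
    return decisions


# Constructed sample data: the file the business owner submitted ...
AUTHORIZED = [("Acme Supply Co", "1250.00"), ("City Utilities", "310.45")]
# ... and the transactions the institution later receives.
PRESENTED = [
    ("ACME  Supply Co", "1250.00"),     # matches after normalization
    ("Acme Supply Co", "1250.00"),      # same item presented a second time
    ("City Utilities", "3100.45"),      # amount differs from the file
    ("Unknown Vendor LLC", "500.00"),   # payee not in the file
]

if __name__ == "__main__":
    results = screen(load_payment_file(AUTHORIZED), PRESENTED)
    for (payee, amount), decision in zip(PRESENTED, results):
        print(f"{payee:20} {amount:>9}  {decision}")
```

Amounts are compared as `Decimal` values rather than floats so that an altered amount is never masked by rounding.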
Financial institutions, in particular, are focusing on account-takeover fraud, Knieff says. "It's generally the number-one priority for mitigating fraud."
'Less Than Optimal'
Most industry observers expect account takeover to continue to flourish, in part because of the EMV migration.
"There's almost a perfect storm to make account-takeover risk higher," says Stuppy. The advent of EMV, which makes counterfeit card fraud more difficult for criminals, plus the unyielding frequency of data breaches, coupled with the increasing use of mobile devices and new business models with new payment methods, all contribute to the problem, he says.
All of these changes mean organized criminals can make a really good living, Stuppy adds.
Harkening back to Apple Pay's early identity-verification troubles, Javelin's Pascual says payments companies offering mobile support or a mobile wallet have to think farther down the road than if they didn't. For example, fraudsters have found ways to circumvent one-time passwords, he says. One-time passwords are sent directly to known users and expire after the first use.
"Right now, it's not a big deal because there's not a lot of money in mobile payments," he says. "When mobile payments become ubiquitous, those one-time passwords will become less than optimal."
But it's not just mobile payments that will have to contend with outdated modes of verification, says Knieff. "Account-takeover fraud is here to stay," he says. "It will be a big issue. It won't go away until we find a way to replace passwords and harden networks."