Friday, September 20, 2024

The $8 Billion Problem

 

Card-not-present fraud isn’t the only looming threat for payments providers and merchants. Account-takeover losses are also set to take off.

As criminals find it easy and affordable to use the Internet to obtain millions of pieces of personally identifiable information about consumers, the prospects of greater fraud overall are high.

Plus, the advent of EMV chip cards in the United States, combined with greater criminal savvy, makes this a ripe time for more payments fraud.

By 2018, losses from new-account and account-takeover fraud will increase 60% from $5 billion to almost $8 billion, forecasts payments-research firm Javelin Strategy & Research. Account takeover, as defined by the Federal Reserve Bank of Atlanta, is when an unauthorized party gains online access to an existing account and then conducts illegal transactions.

As it gets tougher for criminals to conduct fraud at the point of sale, they’ll turn to other avenues, such as online, to commit their nefarious deeds. And that means payments companies will have to contend with account takeovers.

Indeed, account takeovers in Apple Inc.’s Apple Pay service flared just a few months after the mobile-payments service’s 2014 debut. Criminals used stolen card credentials to create new Apple Pay accounts, which they used to buy then-new iPhone 6 smartphones or other merchandise.

Part of the problem was that some issuers relied too much on static data, such as a birth date or address, to verify a prospective Apple Pay user’s card. Most issuers have since tightened their protocols and little has been heard recently about this type of fraud with the service.

‘A Different Environment’

The debut of EMV chip cards, which make it very difficult to use counterfeit credit and debit cards at the point of sale, means all sorts of card-not-present fraud are predicted to increase. It’s a pattern that’s happened in other nations following their EMV migrations. Many experts look to the United Kingdom’s conversion 10 years ago as the primary example.

While there are similarities to the U.K. case, much is not alike, says Al Pascual, research director and head of fraud and security at Pleasanton, Calif.-based Javelin. “We’re in a different environment than the U.K. in 2006 in a couple of ways,” says Pascual.

One big difference is that digital application forms, where consumers use identity information to complete account-enrollment forms, are much more common today than 10 years ago. Tens of millions of consumers are applying online for accounts. “We have introduced the ability to easily apply for new financial accounts,” Pascual says. “This will make it easier for criminals to get their hands on cards.”

The other massive change since the arrival of EMV in the U.K. is the introduction of marketplaces for stolen identity information. Fraudsters can go online and either buy the data or hire a proxy to complete the application, who will then have the card sent to the fraudster, Pascual says. “We know, based on what’s happened in other markets, that account takeover and application fraud will grow on consumer accounts,” he says.

‘A Serious Threat’

What’s the significance of this for payments companies, and what can they do to counter the potential loss this fraud carries?

It’s a problem not only for issuers, but also for acquirers and merchants. “Account takeover is a serious threat,” says Rich Stuppy, chief operating officer at Kount Inc., a Boise, Idaho-based fraud-prevention specialist. “It’s one of many that are becoming more and more pronounced.”

Devising a plan to counter account-takeover fraud requires understanding how users—be they consumers or merchants—interact with online data-collection sites, he says.

Many merchants use online portals to access their merchant accounts. “If that account gets compromised, then a whole variety of bad things can happen,” he says, such as criminals redirecting funds to other accounts, potentially leaving the acquirer, in this case, on the hook for the loss.

Acquirers, and others that touch merchant-processing accounts, may also find some risk from the consumer side, Stuppy says.

In an effort to make the online checkout process as frictionless as possible, many merchants that require consumers to authenticate to their platforms tend to assign lower risk to them once that authentication is complete. With that in place, fraudsters could take over the account and perhaps be able to make additional fraudulent transactions they otherwise might not be able to, he says.

“That will flow uphill to the payment processor or acquirer because of chargebacks that eventually will be passed on. Elevated risk permeates the whole system,” Stuppy says.

‘Number-One Priority’

The first step to combating account-takeover fraud is to have controls and safeguards in place that are aligned with the company’s business strategy, Stuppy says, to ensure they don’t inadvertently lead to decreased growth or shrinkage.

There are five major elements to this. One involves the creation of new accounts, making sure the underwriting tools can comprehensively assess the risk during the initial signup process, Stuppy says.

That includes collecting data on the type of device used during the enrollment process and asking merchants about the number and locations of their stores. The ability to evaluate this data as it comes in is vital because of the risk associated with it, Stuppy says.

Second, organizations can take advantage of newer technologies that confirm a device’s location and identity, Pascual says. Some services can verify with the wireless carrier to see if the device-owner record it has on file matches the information submitted for a new account or account update.

Third, the provider should have a solid case-management system in place to follow up on suspect accounts.

The fourth tactic is vetting profile changes. Payments providers should routinely monitor their entire portfolio for unusual behavior.

And the last element is to provide the largest, most valuable clients with services that cater to their unique risks. Merchants want more than processing services from their payments providers, Stuppy says.

Most small-business owners are not cybersecurity experts, says Ben Knieff, senior analyst specializing in fraud detection and identity verification at Aite Group LLC, a Boston-based financial-services advisory firm. “They are a little bit vulnerable because they may not have the protection in place like a blue-chip corporation,” Knieff says.

One of the easiest tools to use to counter account-takeover fraud is dual authentication. For example, an employee may place a wire transfer, but before the payment provider can initiate and complete that transaction, a second person needs to authenticate the transfer. “It’s a very simple thing that most financial institutions offer, and it’s incredibly effective,” Knieff says.

Another measure that small businesses may be unaware of is a system called positive pay. A small-business owner compiles a transaction file that discloses authorized payees and the amounts. The financial institution then checks the transactions as they are received against this payment file. If a match is not made, the payment is not authorized. “A lot of small businesses don’t even know it’s available,” Knieff says.
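The positive-pay check described above, shown as an added example in Python; it is not from the article or from any financial institution's system. The class and function names, the payee normalization, and the rule that each authorized item can be matched only once are assumptions made for illustration, and the sample data is constructed.

```python
from collections import Counter
from decimal import Decimal


def normalize_payee(name):
    """Case-fold and collapse whitespace so 'ACME  Supply' matches 'Acme Supply'."""
    return " ".join(name.casefold().split())


class PositivePayFile:
    """Authorized (payee, amount) items supplied by the business owner (hypothetical)."""

    def __init__(self, items):
        # A Counter lets the owner deliberately authorize two identical payments.
        self._open = Counter(
            (normalize_payee(payee), Decimal(amount)) for payee, amount in items
        )

    def check(self, payee, amount):
        """Return (authorized, reason) for one presented transaction."""
        key = (normalize_payee(payee), Decimal(amount))
        if self._open[key] > 0:
            self._open[key] -= 1  # consume the item so a replay cannot match again
            return True, "match"
        # Explain the failure: is the payee known but the amount different?
        open_payees = {p for (p, _), n in self._open.items() if n > 0}
        if key[0] in open_payees:
            return False, "amount mismatch"
        return False, "no open item for payee"


# Constructed sample data, not taken from the article.
AUTHORIZED = [("Acme Supply Co", "1250.00"), ("City Water Dept", "89.10")]
PRESENTED = [
    ("ACME  Supply Co", "1250.00"),  # legitimate payment, different spacing/case
    ("Acme Supply Co", "1250.00"),   # second presentment of the same item
    ("City Water Dept", "890.10"),   # amount altered after authorization
    ("Quick Cash LLC", "500.00"),    # payee never authorized
]


def run(authorized, presented):
    """Check each presented transaction, in order, against the payment file."""
    ppf = PositivePayFile(authorized)
    return [ppf.check(payee, amount) for payee, amount in presented]


if __name__ == "__main__":
    for txn, result in zip(PRESENTED, run(AUTHORIZED, PRESENTED)):
        print(txn, "->", result)
```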

Financial institutions, in particular, are focusing on account-takeover fraud, Knieff says. “It’s generally the number-one priority for mitigating fraud.”

‘Less Than Optimal’

Most industry observers expect account takeover to continue to flourish, in part because of the EMV migration.

“There’s almost a perfect storm to make account-takeover risk higher,” says Stuppy. The advent of EMV, which makes counterfeit card fraud more difficult for criminals, plus the unyielding frequency of data breaches, coupled with the increasing use of mobile devices and new business models with new payment methods, all contribute to the problem, he says.

All of these changes mean organized criminals can make a really good living, Stuppy adds.

Harkening back to Apple Pay’s early identity-verification troubles, Javelin’s Pascual says payments companies offering mobile support or a mobile wallet have to think farther down the road than those that don’t. For example, fraudsters have found ways to circumvent one-time passwords, he says. One-time passwords are sent directly to known users and expire after the first use.

“Right now, it’s not a big deal because there’s not a lot of money in mobile payments,” he says. “When mobile payments become ubiquitous, those one-time passwords will become less than optimal.”

But it’s not just mobile payments that will have to contend with outdated modes of verification, says Knieff. “Account-takeover fraud is here to stay,” he says. “It will be a big issue. It won’t go away until we find a way to replace passwords and harden networks.”
