Credit and debit card fraud at the point of sale is declining precipitously two years after the payment card networks’ EMV chip card liability shifts took effect, but identity, online, and so-called fallback fraud all have risen, according to an analysis of card issuers’ experiences from Auriemma Consulting Group.
New York City-based Auriemma recently posted a summary of its findings in a report titled “EMV Two Years Later: Six Key Trends to Watch,” on its Web site. The summary is based on a second-quarter survey of approximately 34 issuers representing about 90% of U.S. credit card accounts.
“It’s clear that chip technology is having the desired effect: reducing fraud at the physical point of sale,” the report says. “Counterfeit fraud claims have declined for five consecutive quarters, and are down 34% from their peak in early 2016. Counterfeit card use will only continue to decline as the EMV acceptance market grows.”
Unlike the magnetic-stripe cards they’re replacing, EMV chips are difficult to counterfeit—good news for both issuers and merchants. But, in a predicted and well-documented shift, more security at the point of sale has caused fraudsters to turn their attention to online channels, and given them incentives to create so-called synthetic identities from stolen consumer credentials in order to carry out payment card fraud. On a positive note, some recent reports indicate that after a big jump, online fraud is beginning to abate.
Synthetic identity fraud, however, was responsible for up to 20% of issuers’ credit losses in 2016 and shows no signs of slowing down, according to Auriemma. “That’s where major dollars are at stake here,” Ira Goldman, a senior director who manages Auriemma’s fraud roundtables with issuers, tells Digital Transactions News.
The hack of credit-reporting agency Equifax Inc. compromised more than 145 million consumer records, including many Social Security numbers, and seemed to give fraudsters a huge amount of new raw material for carrying out identity fraud. But how much of that data really is actually new to the hacker underground is unknown. “The general consensus is that much of the data [was] out there prior to the breach; Equifax gave it a headline,” Goldman says, adding that issuers will be watching carefully for the potential effects of the breach in the coming months.
In any case, fraudsters often take the long view with synthetic ID fraud, making payments on time under their false identities for two or even three years in order to raise their credit scores and credit limits, says Louis Buccheri, senior manager at Auriemma. Then, boom—a huge balance that suddenly goes unpaid.
“The key thing is they’re trying to build up that credit limit … before they’re actually busting out,” says Buccheri. The average loss on such accounts is $15,000, he says.
One new form of fraud, also predicted because it happened in countries such as the United Kingdom that converted to EMV cards years before the United States did, is fallback fraud. That’s when the POS terminal can’t read the chip, causing the terminal to “fall back” to the card’s back-up mag stripe in order to complete the transaction. Criminals initiate fallback fraud by deliberately damaging the chip, or inserting the card the wrong way into the terminal. Then, old-fashioned counterfeit fraud can happen if the fraudsters have encoded the mag stripe with fake or stolen data.
Fallbacks occur in less than 2% of chip credit card transactions, according to Auriemma. Fallback fraud, however, was involved in 24.4% of counterfeit card transactions and 43.3% of lost-and-stolen transactions in the second quarter, the firm’s research shows.
Identifying and thwarting fallback fraud isn’t always easy. “Sometimes it’s very difficult for the issuer to determine what is a legitimate fallback transaction and what is fraudulent,” says Goldman, noting that issuers don’t want to cause “friction at the point of sale.”
“Card issuers want to find a balance,” he says.
So-called velocity checks are one defense. Too many fallback transactions in a given time period on the same card account can be a red flag for fraud, says Buccheri.