As Big Banks Prep for EMV, Fraud Relief Remains Far Off
Retailers will no longer be easy pickings for cybercriminals once chip-and-PIN technology is widely adopted. All well and good, but bankers fear hackers will redirect their energies to infiltrating banks.
Decisions about when and how to implement EMV technology in credit and debit cards are difficult. Many banks have decided to slowly phase it in, despite the fact the delay will open them up to greater potential liability.
Large banks and card issuers are ready for the U.S. shift to chip-and-PIN technology, according to a report issued Wednesday. But the drop in fraud that is expected to result is unlikely to come any time soon.
The use of EMV-style chip cards is supposed to make retailers like Target less appealing targets for hackers because they will be storing less card data. However, the way the U.S. is implementing EMV leaves plenty of room for the continued use of fake cards. And there is a plethora of ways hackers can use stolen card information without using a physical card.
"EMV's impact on fraud in 2015 could be pretty much a toss-up," said Steve Mott, CEO of BetterBuyDesign, a consultancy based in Stamford, Conn.
According to a study released Wednesday by CardHub, all 10 of the largest credit card issuers are in the process of issuing chip-based credit and debit cards and expect the majority of their portfolios to be updated by the end of 2015. All the major banks are issuing chip-and-signature cards, with 40% also supporting PIN capabilities. About 65% of retailers plan to accept chip-and-PIN cards as well.
This means the major banks are in good shape to handle the October 2015 "liability shift" deadlines Visa, MasterCard and Discover have set to encourage U.S. issuers and merchants to migrate from magnetic stripe cards to EMV.
"Right now, issuers incur the cost of card-present counterfeit fraud in stores," said Martin Ferenczi, president for North America at Oberthur Technologies, a manufacturer of chip cards. "After October 2015, the institution with the lesser technology will be liable for fraudulent charges."
The CardHub study also shows that the major card issuers are all putting magnetic stripes on their chip cards. This provides convenience all around the new cards consumers get in the mail will be usable on older point-of-sale terminals that are not yet EMV-ready as well as new devices. It also waters down the security promised by EMV.
As long as there are dual or hybrid payment terminals and ATMs that accept magnetic stripe cards, hackers will be able to use fake cards created with stolen credit and debit card data.
"Visa is projecting 29% of POS transactions to be chip-on-chip, but everyone I know believes the right number is more like 5% or less," Mott said. "If it's wildly successful, EMV chip-on-chip volume might hit a running rate of 10% by year-end, but only at the 200 top retailers."
Mott expects merchants probably will have 30% to 40% of locations equipped with EMV-ready terminals by year end, but most of them will not have the software installed and certified to make them work.
"Many will choose to turn them off until they can figure out how to get around the user 'gotchas,' such as leaving cards in the dip slots and not dipping them long enough," he said.
In some near-term scenarios, Mott said, EMV could actually increase fraud. For instance, EMV credentials sent "in the clear," or unencrypted, could be intercepted and used online on websites that don't require security codes.
Eventually, as the U.S. gradually shifts to EMV-only mode, fraudsters' ability to use fake credit and debit cards on physical machines (this is also known as "card present" fraud) will fade, as it has in other countries like the U.K. and Canada. They will then take their stolen card data and inclination toward thievery elsewhere.
EMV stands for Europay, MasterCard and Visa, a standard for chip-and-PIN cards that are considered far more secure than the magnetic stripe cards we use in the U.S. today. Card credentials will be tokenized, such that retailers will not receive the actual card number, but a temporary token generated by a card network. Hackers who break into a retailer's network the way thieves compromised Target more than a year ago would find a stash of useless numbers. On top of that, EMV chip credit and debit cards are almost impossible to duplicate, which means counterfeit card fraud should decrease.
Many industry observers expect the migration to EMV will increase fraud in all the places where credit cards are used but not physically presented, such as on shopping websites, over the phone, over the mail, and over fax machines. This is called card-not-present fraud. Some experts include mobile app payments, such as Uber and Apple Pay transactions, in this category. Card-not-present fraud already accounted for 45% of U.S. card fraud in 2014, according to Aite Group.
When the U.K. shifted to EMV cards, counterfeit card fraud fell 56%, according to Aite, but card-not-present fraud rose 79% in the first three years after the country switched to chip cards. It more than doubled in Australia and Canada.
"The experience in the U.K. is very indicative of what we'll see here," said Joram Borenstein, vice president of marketing at Nice Actimize, a provider of fraud analytics. "Understanding how card-not-present fraud is likely to spike, we need to retrain fraud investigators."
What would that fraud look like?
"If you're a criminal and you somehow steal five card credentials or you buy them on one of these [online] dark rooms, instead of walking into an electronics store and buying a flat-screen TV by swiping a card, because you need to use a chip card and you don't know the PIN, you can still use it on a computer and buy the same flat-screen TV online," Borenstein said. "It's more complicated because the fraudster has to have it shipped to an address that could be linked to him." But it's not unduly difficult to come up with an address to which items can be delivered. For instance, they can be sent to the home of someone who the thief knows is at work.
More brute-force attacks where only the user name is known and software goes through millions of guesses to stumble on the right password may also be launched against retailers this year.
One place criminals could redirect their energy is the setting up of fake new online banking accounts. The hundreds of millions of personal records and credit card data sets stolen over the past few years give fraudsters plenty of information with which to set up new accounts. In the early months of Apple Pay, for instance, criminals set up new accounts that they used to conduct fraudulent transactions representing about 6% of the total volume.
"There are going to be smart fraudsters all the time, and the modes of fraud continue to evolve," said Stephen Coggeshall, chief scientist at LifeLock. "We'll see that continue as we go to EMV chip and PIN. Identity fraud will tend to morph from the existing account fraud and more toward new account origination fraud."
What banks need to do to prevent this, Mott said, is get account credentials out of the clear and avoid setting up new accounts with credentials from other accounts that have ever been in the clear.
"Banks would love to support online and mobile account opening, and customers clearly want them, but we need to move to a new risk management paradigm, such as biometrics," he said. "Otherwise, we have the specter of Eastern European hackers mixing-and-matching 80 million Anthem accounts, with full PII, and 83 million Chase accounts with email and contact info with 600 million stolen credit and debit cards, and having a heyday getting new accounts and Apple Pay tokens."
EMV Card Fraud
Another possibility is that fraudsters will find new ways to perpetrate EMV card fraud. It was revealed a few weeks ago that U.S. and British spy agencies have had access to Gemalto's SIM card data since 2010, enabling them to listen in on phone calls without warrants or consent. This had some worried that the back door that let the agencies in could give cybercriminals access to the near-field communication payment features on SIM cards, or even to the EMV chip card data.
The latter possibility is remote, said Maarten Bron, director of innovations for transaction security at UL, a safety science company based in Northbrook, Ill. "From the government's point of view, getting access to the root keys of EMV chips is far less useful than having access to the root keys of the phone cards," he said.
Bron said he takes Gemalto's word for it when it says it's done everything it can to secure its chip card data. "For sure, they've taken all the reasonable measures to protect their customers and their business," he said. "This proves more the boldness of government than the alleged insecurity of Gemalto," he said.
In another, possibly far-fetched scenario, the EMV standard would fail to prevent a fraudster opening up a POS device and doctoring it to eavesdrop on data, Bron noted. Then the criminal could use that data to commit fraud on the Internet.
But "the payment industry knows this [is a possibility]. They're not going to sit back and relax," he said.