-
Bank of America is the second major issuer to buck a recent trend by using a PIN when it offers U.S. commercial customers cards that incorporate the EMV chip-card standard that is prevalent in Europe.
November 8 -
Banks are increasingly using mobile devices as an added layer of authentication for online banking, but messages sent to a phone can be intercepted. A security method developed in South Africa may close that security hole.
September 21
The U.S. is increasingly
Cards that incorporate the EMV standard use a secure chip that can support encryption and dynamic data, both of which are a strong improvement over the plain magnetic stripe, which is easy to copy and reuse. But once there is stronger security on cards, the fraud doesn't go away. It just moves.
Standard Bank of South Africa learned this the hard way. It saw credit card fraud shift to other products and devices as it began issuing cards with EMV chips.
"What we saw was our credit card fraud dropped significantly at an industry level. What the fraudsters had to do is they would migrate to the next … easy target, and that was mag stripe debit," says Carolina Reddy, global head of Standard Bank's financial crime control unit for its personal and business bank.
"And now we've started rolling out EMV debit and so we just see that it migrates to what is the next point of vulnerability," e-commerce and mobile, she says. "We've seen in the last two and a half years that online banking fraud has become quite prevalent and I don't think we were ready for it."
As many other countries have adopted the EMV standard to improve card security, the U.S. has largely resisted the move. However, that has begun to change, as many of the top banks this year announced plans to issue chip cards for travelers. The card networks also announced incentive plans to get U.S. merchants and automated teller machine owners to accept the secure card format within the next few years.
The credit-to-debit-to-Web path that Reddy described could easily be repeated in the U.S.
Banks need to be aware of this fraud migration path "to counteract what is commonly called the 'squishy balloon' of fraud: You squish in one area and it pops up somewhere else," says Adam Davies, director of global fraud consulting at Fair Isaac Corp.
If banks are aware of this, they can prepare for each fraud shift before it occurs, he says. Shoring up fraud companywide may be an overwhelming process, but it does not need to be done all at once.
"It's like trying to eat an elephant in the room … you have to bite in small chunks otherwise it's going to be difficult," Davies says.
Banks can use the savings they get from stopping fraud in one channel or product to fund their antifraud investment in another area, he says.
Standard Bank recently underwent an 18-month process to unify its antifraud personnel and processes across the company. By standardizing its approach to fraud, the bank can more quickly adapt to new fraud trends, Reddy says.
"You can't manage fraud in isolation at a product level," she says. "Your EMV journey has to look at the whole picture … not just plastic."
This updated approach also helps it from a customer service level, Reddy says. Under Standard Bank's new system, a customer who spots fraud on more than one account would not have to go through a group of distinctly different processes to get each incident resolved.
U.S. banks face another issue with the shift to EMV: This country is already considered the low-hanging fruit to fraudsters who were thwarted by chip cards in other countries.
"The EMV world is closing in … the U.S. has been the last frontier where all the bad guys are going," says Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner Inc.
Bank executives are aware of the potential for fraud to migrate to other channels, but they have not been proactive in shoring up their defenses, she says.
"The risk managers know this is coming but they aren't getting the budget to pay for this," Litan says.
However, the U.S. typically has better fraud detection than other countries because the U.S. has a stronger communications infrastructure, she says. And although banks have so far been selective about which card products get the EMV upgrade, as the format builds momentum banks will likely boost security across the board.
"If the banks decide to move, I think credit and debit will get equal priority" from a security standpoint, Litan says.
