In the U.K., next-level fraud types — involving technologies such as push payments and P2P — are gaining traction now that EMV has been in place for more than a decade.
And these more seasoned fraudsters could be offering a glimpse of what’s to come to other regions such as the U.S., which is already seeing fraud trends shift after its own EMV migration in recent years.
Research shows that more U.S. consumers are bearing the burden of these complex fraud types. In 2018, 3.3 million U.S. consumers shouldered some fraud liability — nearly three times as many in 2016 — and their out-of-pocket fraud costs more than doubled in two years to $1.7 billion in 2018, according to the 2019 Identity Fraud Study by Javelin Strategy & Research.
“There’s more sophistication to all things digital today than there once were. So all things online is increasingly up for grabs. We’re seeing that everywhere,” said Al Pascual, head of security for Javelin.
Card fraud losses in the U.S. have actually dropped from $8.1 billion in 2017 to $6.4 billion, and the incidence fell from 5.47% to 4.4%, according to the Javelin report. But the incidence of high-intensity fraud types like account takeover and new-account fraud remains extremely common, signaling that fraudsters are actively seeking out new targets.
In other parts of the world, fraudsters with more experience in a post-EMV payments landscape, are a decade and a half ahead of their U.S. counterparts in seeking new fraud opportunities. Of particular concern has been push payments fraud, involving P2P platforms such as Zelle and Venmo, Pascual said.
P2P payments enable users to send money to anyone — regardless of whether the recipient has a formal relationship with the sender's bank, or whether that person is enrolled in the P2P network.
“For criminals, it’s a goldmine,” Pascual said. “You give me a password, and I can download the bank’s mobile app and go to town.”
That's not to say P2P networks are defenseless. Zelle is operated by Early Warning, an anti-fraud venture run by major U.S. banks.
"We do 13 different checks," Lou Anne Alexander, Early Warning's group president of payments, said at SourceMedia's Card Forum in May. "You don't enter a password but we are checking the device information that we have; we have access to the mobile carrier for a variety of information there as well. We have our own database that is longstanding banking information that we have developed over the past 30 years."
Early Warning also works with third parties to determine any risk attached to the email addresses used to identify Zelle users, Alexander said.
Sizing up the problem
Pascual cites the example of push payment losses in the U.K. According to 2019 research by U.K. Finance, the trade association for the U.K. banking and financial services sector, personal losses due to authorized push payment fraud — which relies on P2P networks — reached £228.4 million in 2018. By comparison, P2P losses in the U.S. reached $630 million in 2018, a 14% increase over the previous year, according to Javelin research. Although it might appear that the U.K. experienced a fraction of the losses the U.S. did, the numbers signal a troubling trend, Pascual says.
“You might say that’s bigger than £200 million, even when adjusted for exchange. But our payments market is considerably larger,” he said. “So while we’re seeing year-over-year growth in losses around this kind of fraud, they’re having a relatively much harder time than we are.”
As technologies like EMV and contactless payments become more ingrained in the U.S. card market, Pascual says it’s entirely possible fraudsters in the U.S. could take a cue from their overseas counterparts by making push-payment and P2P fraud the next frontier.
“That happened in a big way in the U.K., and maybe we can expect to see more of that here,” he says.
In the U.S., fraudsters who are turning their attention away from card fraud continue to set their sights on unconventional targets.
Loan products, for example, were a major growth area for fraud in 2018. Fraud rates more than doubled for car loans, mortgages, student loans and home equity lines of credit, according to Javelin. That’s another trend that follows in the footsteps of U.K. fraudsters. Pascual points out that when EMV rolled out in the U.K., there was a significant amount of application fraud. “If you’re a criminal, what’s your next best option? It’s to open new accounts and just use old cards,” he said.
Europe has taken a leadership position in the fight against fraud, in recent years having rolled out EU directives such as PSD2, which mandates strong customer authentication, and the GDPR (General Data Protection Regulation), which protects consumer data and aims to lower the incidence of breaches that are often the source of fraud.
Daniel Kornitzer, chief business development officer for U.K.-based online payments firm Paysafe Group, predicts the introduction of the 3-D Secure 2.0 protocol, combined with PSD2 Strong Customer Authentication requirements, will significantly reduce card-not-present fraud throughout Europe.
“Fraud is an arms race, and threats around the world do not just come from hackers in their basements. Far more important threats originate from organized crime, rogue nations, cause-motivated hacktivists, and from internal fraud within organizations, among other areas,” he said. “Criminals keep changing their MOs. So now, more than ever, it’s essential to use adaptive systems that leverage the latest technologies — such as rules, machine learning, behavioral analysis, and biometry — to identify and protect against changing fraud patterns.”
Daniel Wolfe contributed to this story.
