It's naive to think EMV would get crooks to retire

Time flies when you’re fighting fraud. In the three-plus years since the October 2015 liability shift to EMV chip-secured credit cards, we’ve collectively made tremendous, demonstrable progress toward stomping out card cloning and POS fraud.

Upwards of 67 percent of U.S. storefront locations now accept chip, and merchants that have enabled their EMV terminals have enjoyed a 75 percent decline in counterfeit fraud dollars. (Furthermore, the drop in POS fraud dollars has been 46 percent for all merchants, regardless of EMV compliance.) Even so-called fallback fraud, a loophole exploited to work around EMV chips at POS terminals, is quickly being quelled.

It would be be naive to think fraudsters were just going to hang it up, call it a day and retire. Rather, they’ve evolved their strategies to focus on other flavors of fraud. It’s actually encouraging to see that retailers are still treating payment fraud as a top-of-mind concern as that evolution happens, according to the National Retail Federation and Forrester, but the multimillion-dollar question is where to remain most vigilant.

Let’s be clear: The post-EMV expectation was always for fraud to transition to online. Some of the exact forms of fraud were perhaps unanticipated, but all have roots that can be traced back to those former card fraudsters.

First, there’s a growing amount of new account origination fraud occurring as a result of synthetic identity theft, where a criminal leverages a blend of fictional and stolen (real but unreliable) personal information like a Social Security number to formulate an entirely new digital identity. With that identity established, fraudsters can freely move around online, opening false accounts, applying for credit cards and running up the maximums and becoming authorized users of bank accounts to make fraudulent purchases before dumping the identity and working up another to incur the next wave of account opening, card losses and untraceable financial damage.

Account takeover (ATO), where cybercriminals steal login credentials through phishing, social engineering and breaches and then gain control of bank, e-commerce or other accounts, has been on the rise. A stout 49 percent of respondents to a recent survey think that ATO is prevalent in their industry, but actually understanding, detecting and addressing its impact goes well beyond awareness. Instead of making just one fraudulent purchase before a card is replaced and becomes moot, ATO can many times go undiscovered and result in sustained fraud over time.

Just as historically difficult to detect is advanced malware that interrupts a consumer in the midst of a legitimate online transaction. The fraudster hijacks the session via a “man in the middle” or “man in the browser” attack without the customer or business seeing it, leaving the business believing that it was the real customer who made the transaction while the customer thinks they completed a transaction that never was. It’s a one-by-one approach to fraud, but it can be catastrophic when it comes to big-ticket purchases or emptying accounts.

Speaking of purchases, the most obvious progression for fraudsters was always straight card- not-present (CNP) fraud, where a stolen card number and accompanying PII — most often skimmed (sometimes online through malware), phished or ransacked during a data breach — is used to make an unauthorized, frequently high-value purchase from an online retailer or service provider with very little verification that the proper cardholder was behind it. Chances are, average Americans have experienced this type of fraud before. It’s most often the impetus for those fraud detection courtesy calls from a bank or the automatic, unrequested off-cycle replacement of a credit card.

Those emerging online fraud vectors represent the worst of the news. The better half is that there are already a number of technologies, tools and means that consumers and businesses alike can employ to mitigate them. A combination of silent authentication — including device profiling, IP geolocation and behavioral biometrics such as keystroke patterns — plus a step-up to two-factor authentication (2FA) when flags are raised can empower banks and retailers to better know their customers and thus prevent fraudulent purchases or account opening in real time. Encouraging dynamic passwords, eliminating password reuse and applying 2FA that includes a physical biometric feature like fingerprint or face ID as verification for a login or purchase can help combat ATO and, to some extent, CNP fraud. And malware prevention tools are getting ever more effective and intelligent at detecting exposed devices, thanks to developments in AI and machine learning.

Sometimes, taking active measures and implementing technology is the easy part. Knowing what fraud to fight and where it lurks … that’s a different story.