Why those chips in your credit cards don’t stop fraud online
My wife and I recently marked the third anniversary of the credit card industry’s formal transition to “EMV” smart-chip security in the lamest way possible: by having to get two of our cards replaced after a $970 purchase at Lenovo’s online store that neither of us could remember placing.
This wasn’t the first time since the advent of circuitry in U.S. cards that we’ve had a fraudulent transaction happen online despite the chip’s added security. And it almost certainly won’t be the last.
Why? Because most of the card industry’s work to lock down in-person purchases has done very little for online transactions. Meanwhile, a bout of data breaches has given fraudsters more material for phony purchases.
Pushing fraud from offline to online
To card issuers’ credit, they warned us that this exact thing could happen. EMV—originally short for Europay, MasterCard and Visa—is designed to stop card counterfeiting, in which a thief copies the account data stored on a card’s magnetic stripe and uses that to make a new card.
It’s worked exceptionally well at that: In June, Visa (V) announced that at merchants accepting EMV purchases, counterfeit card transactions plunged by 75% from September 2015 to March 2018. But that hasn’t made a real difference in the larger universe of fraud.
“As the share of in-person transactions decline and digital transactions increase, the overall fraud rate is inching up—a three percent increase in 2017,” said Margaret Reid, a senior vice president on Visa’s global risk department. She noted that this overall rate “remains near historic lows – less than one-tenth of one percent.”
Visa did not release figures on fraudulent “card not present” transactions online and over the phone, but a third-party research firm’s numbers show that’s soaring. U.S. CNP losses went from $3.2 billion in 2015 to an estimated $4.4 billion 2018—and by 2020, they will have more than doubled to hit $5.9 billion, said Aite Group spokeswoman, Julie Conroy.
In other words, making one kind of fraud harder has yet to lead fraudsters to make an honest living.
“If you were to think about fraud traditionally, think of a balloon. You could squeeze/reduce the air in one part and it would flow to another part,” MasterCard (MA) spokesperson Robyn Cottelli said in an email. “That’s what you’ve seen as new technologies are introduced in-store or online”
Rivka Little, research director for payment strategies at IDC Insights, credited a flood of data breaches of personally identifying information (PII). “We have seen the largest amount of PII data matched with card data in the black market in history in the last 18 months,” she said. “It’s crazy, it’s just everywhere at this point.”
Sorry, we’ll have to leave this to big data
The U.S. EMV transition left out an ingredient of Europe’s earlier switch—its “chip-and-PIN” standard, which requires entering a personal identification number at each transaction—but that wouldn’t have made a difference in online fraud, because e-commerce sites there don’t ask for the PIN.
“Online, generally you don’t need a PIN,” Little said. “It looks just like the kind of transaction we do here.”
Requiring a PIN does defeat using stolen cards in stores. But Little noted that EU merchants are trying to dispense with that for many transactions, in much the same way that card issuers in the U.S. no longer demand signatures on receipts for low-dollar purchases.
Any future advances in in-person security—for instance, Visa is testing cards with built-in fingerprint sensors—won’t help with online fraud either, although Visa’s Reid said the company recently staged a successful test of biometric authentication for e-commerce in Brazil.
Visa and MasterCard have instead worked to get merchants to adopt what’s called tokenization, in which each retailer or service automatically replaces the usual card data with a unique code.
MasterCard’s Cottelli called out two customer benefits from this switch: Letting a retailer save your card in your account becomes less risky, and tokenization also lets retailers automatically update their data when you get a new card.
But among the larger universe of merchants who have yet to adopt tokenization, the fix will have to involve applying artificial-intelligence techniques to decide if a purchase is legitimate or not.
“The answer is not slapping on more authentication features,” Little said. “It’s around applying more smart AI.”
For example, Reid said Visa’s algorithm assesses such factors as whether a transaction involves a company at which you haven’t shopped lately, if it involves a high-end merchant, if it’s a weird time of the day, or if it otherwise parts with the pattern of your recent spending.
You really should phone this in
Most of the machinery meant to stop card fraud is outside your control, but you can do one thing today to cut down your card numbers’ exposure: Use your smartphone’s mobile-payment feature.
These systems—led by Apple (AAPL) Pay and Google (GOOG, GOOGL) Pay—beam your data to a card terminal without leaving your card’s digits open for later cloning.
“It does work,” Little said. “Once Apple Pay, for example, got it figured out, they had the lowest rate of fraud of anything.”
But mobile payments also requires merchants to support these systems, and many still don’t– for example, CVS (CVS) only recently ended its absurdly self-defeating boycott of NFC payments.
Customers, meanwhile, continue to ignore these options. Another IDC analyst, James Wester, told me in August that only 29% of iPhone users reported using Apple Pay within the last three months, while the corresponding number for Google Pay was only 15%.
“I don’t think the average consumer understands that it’s safer,” Little said. She admitted that this extends to her own family: “I keep trying to tell my kids.”
More from Rob:
What it’s like to use a search engine that’s more private than Google
Why it’s a big deal that Apple is finally updating its computers
Email Rob at [email protected]; follow him on Twitter at @robpegoraro.