The Aite Group reported last week that card fraud costs the U.S. card payments industry $8.6 billion per year. Although this is just 0.4% of the $2.1 trillion in U.S. card volume per year, the analyst group noted it's still a number card providers would like to reduce. There are measures banks and others in the card processing chain can take to deter card fraud experts from their dastardly work; however, many of them are costly and hard to execute.

There are three main forms of U.S. third-party fraud, according to Aite's researchers, each of which accounts for about 15% of cases. They are: card-not-present fraud, in which a criminal steals card details and uses them to make purchases over the internet, by phone or by mail order; counterfeiting, where criminals create fake cards using data from real cards and then use the cards anywhere, even to withdraw cash from ATMs; and lost-and-stolen fraud, referring to any use of a card that's been reported lost or stolen. Two further types are much rarer: ID theft, in which a criminal uses a fraudulently obtained card or card details to open or take over a card account in the name of a legitimate user, accounts for only 1.5% of card fraud, and non-receipt card fraud, where legitimate cards are intercepted while in transit from the issuer to the cardholder (this is why so many issuers require cardholders to activate new cards by phone), for only 0.3%. Another common type of card fraud that is not often tracked but causes an estimated 7% to 10% of overall issuer charge-offs, according to Aite Group, is first-party fraud, where cardholders intentionally max out their credit cards without intending to repay them.
"That's perpetrated by either legitimate cardholders who decide for whatever reason that they're not going to pay off their balance, they're just going to become bad debtors, or by criminals, maybe using a manufactured ID, running up to the credit limit on cards pretending they're a legitimate cardholder when in fact they're just taking the money and running," said senior analyst at Aite and report author Nick Holland in a recent interview.
In a chilling note in the report, Holland writes that "carding" sites, where cybercriminals sell the card information they've stolen, have gotten more sophisticated over time. "Initial offerings were mostly 'dumps' - information copied from magnetic stripe cards revealing track-one and track-two data. Market demands have increased, however, with carding sites now offering 'fulls' - a complete package of data relative to a victim, such as Social Security number, address, mother's maiden name, credit history, commonly used passwords and other individual-specific information."
From a technology point of view, the easiest type of card to rip off, Holland asserts, is the magnetic stripe card because it is easy to replicate. Yet while an apparently obvious solution would be for the U.S. to migrate from magnetic stripe to computer chip cards the way many other countries have, this won't happen for a long time, he says. "There are a variety of reasons why the U.S. isn't moving to the next type of point of sale infrastructure or the next level of cards," Holland says. "The main one is cost." More than a billion magnetic-stripe debit and credit cards are currently in circulation in the U.S.; it would cost about $12 billion to replace them all with chip cards. (When you refer back to that total fraud cost estimate of $8.6 billion, it's easy to see that the ideal of reducing fraud won't drive a movement toward chip cards.)
But there are ways to make magnetic stripe cards more secure, Holland says, such as asking the cardholder to provide their address or the card security code (the three-digit number on the back of most credit cards) at the point of purchase. End-to-end encryption is another approach, but it requires merchants and acquirers to make expensive software and hardware upgrades. Where encryption is most needed, Holland says, is to protect transmission between the merchant (such as, in one famous data security breach case, TJ Maxx) and the card processor. "That's where the big data breaches are happening; it's probably the weakest link," he says. "There have been big leaps in terms of fraudsters hacking into networks and getting data en route, rather than while it's in a static database." (Databases containing customers' personally identifiable information must, by law, be encrypted and protected from unauthorized access.) Networks between issuers, banks, acquirers and processors, on the other hand, tend to have robust security, he says.
So what should banks be doing to alleviate the problem of card fraud? For one thing, "it's up to the industry as a whole to push for better standard encryption," Holland says.
Out-of-band, two-factor authentication would also help. "Given the short life span of out-of-band codes and the requirement that fraudsters have a second item (either the cardholder's token or their cellular phone) to commit card fraud, we estimate that three-quarters of card-not-present, counterfeit and lost and stolen card fraud could be eliminated with the implementation of such a system - more than 35% of total U.S. card fraud," the Aite report states. Holland notes, however, that these technologies are cumbersome to put in place and expensive. For card and payment providers throughout the U.S. to deploy two-factor authentication using text messaging would cost about $400 million, the Aite Group estimates. A physical token-based system would cost about $950 million, the group says.
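To make concrete why the report credits the short life span and the second channel with such a large reduction, here is an added illustration (not code from Aite or from the article) of an out-of-band transaction code: the code is tied to one transaction, expires quickly, is single-use and is limited to a few guesses, so a code captured along with stolen card data is worthless to a fraudster. The verifier class, the 120-second lifetime and the three-attempt limit are assumptions for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed example of the out-of-band code flow: a short-lived code is pushed over
# a second channel (simulated here) and approves exactly one card transaction.
CODE_TTL_SECONDS = 120   # assumed code life span; not a figure from the report
MAX_ATTEMPTS = 3         # assumed guess limit before the challenge is voided

@dataclass
class Challenge:
    transaction_id: str
    amount_cents: int
    merchant: str
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False

class OutOfBandVerifier:
    def __init__(self, send_fn):
        self._send = send_fn   # second channel: SMS or token push, simulated by the caller
        self._pending = {}     # transaction_id -> Challenge

    def issue(self, transaction_id, amount_cents, merchant, now=None):
        issued_at = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code from a CSPRNG
        ch = Challenge(transaction_id, amount_cents, merchant, code, issued_at)
        self._pending[transaction_id] = ch
        # Naming amount and merchant lets the cardholder refuse a transaction they did not start.
        self._send(f"Code {code} approves ${amount_cents / 100:.2f} at {merchant}")
        return ch

    def verify(self, transaction_id, presented, now=None):
        now = time.time() if now is None else now
        ch = self._pending.get(transaction_id)
        if ch is None or ch.used:
            return False
        ch.attempts += 1
        expired = now - ch.issued_at > CODE_TTL_SECONDS
        if expired or ch.attempts > MAX_ATTEMPTS:
            del self._pending[transaction_id]   # void it: a stolen or guessed code goes stale
            return False
        if hmac.compare_digest(ch.code, presented):   # constant-time comparison
            ch.used = True                            # single use
            return True
        return False
```

The `send_fn` callback stands in for the SMS gateway or hardware-token channel; in a deployment the code would never travel over the same channel as the card transaction it approves.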
Requiring customer signatures is not that helpful, Holland says, because retailers rarely check them and those that do are usually not handwriting experts. PINs, though more reliable, are not infallible. "A lot of people write their PINs down on Post-It notes, or on the card itself," Holland notes.
"The biggest thing banks need to do is encryption and making sure the card data isn't exposed at any point," he says.