EMV shift creates new fraud opportunities

 Card on keyboard

The shift to EMV cards in the United States is now coming upon its second month. The liability shift for card issuers and retailers to convert their systems to EMV-capable solutions was Oct. 1, 2015 and though the transition has been a slow one, it has now begun in earnest with more and more chip-enabled cards making their way to American consumers. To date about 120 million people have been shipped new EMV capable cards, Business West reported, citing Smart Card Alliance data. Card issuers are increasing distribution rates, and the number of cards with an EMV chip should grow to 600 million by the end of 2015.

EMV cards create a dynamic transaction ID number for each purchase – an improvement over the previous magnetic stripe method. With the stripe, each card had its own transaction ID number that did not change, so if that number was stolen via skimming or a point of sale attack, the thief could easily create a counterfeit card with which to make fraudulent purchases. EMV makes such an attack essentially impossible, as the stolen code would be good for only one transaction and therefore couldn’t be used to create a counterfeit card.

“The EMV shift doesn’t mean that the payment structure is now safe from fraud.”

Counterfeit cards are still a problem
But that doesn’t mean that the payment structure is now safe from fraud – quite the contrary. Cybercriminals have gone into overdrive to try to take advantage of the last of the non-EMV cards as fast as possible before the window to use them expires as they are replaced.

“As EMV is rolled out, what we see is an incredible increase in the number of counterfeit cards that are happening prior to the actual re-issue of EMV chip cards. If a fraudster can get a hold of a set of cards that have not yet been converted, they will do their level best to counterfeit those cards and use the heck out of them before that transition actually happens,” Kim Ohlrogge, group executive of the global product group at credit card processor Total System Services, told Market Platform Dynamics CEO Karen Webster in an interview on PYMNTS.com. 

 Security Folders on Data

Fraud will move online
With the introduction of the EMV to the U.S. market, the instances of counterfeit card use, also known as card present fraud, should fall off. However that doesn’t mean that criminals will stop stealing and using credit card information. Cybercriminals could move online into a type known as card not present fraud. CNP means that the thief doesn’t require an actual copy of the card to commit fraud, just the information from it that anyone needs to make an online purchase: the cardholder’s name, card number, the security code and the billing zip code. This information can easily be taken in point of sale attacks and, with it, a cybercriminal can continue to make fraudulent purchases.

Cybercrime is like water, it will follow the path of least resistance. With the path of counterfeit cards closed to the fraudsters, they will move on to the next easiest method, card not present fraud. This shift has been demonstrated before in other markets that have already made the move to EMV. According to a report from the Mercator Advisory Group, card not present fraud increased 157 percent in the years that followed the EMV liability shift in the United Kingdom, even as counterfeit card fraud fell to extremely low levels. CNP fraud accounted for just 23 percent of fraud committed in the U.K. in 2001 prior to the change, but that number had risen to 63 percent by 2012, six years after the shift.

This data shows that while the EMV shift does prevent some instances of fraud, it is certainly not a solution to the overall problem. Card issuers need to remain vigilant, especially in the online space, to be certain their customers are protected going forward.