Recently there has been a lot more focus on fraudulent card-not-present (CNP) transactions, as more people are shopping online than ever before. For many years credit card fraud has been the favorite method for identity thieves because it was fairly easy to get credit card information – the data thief could either get it himself or purchase it inexpensively. It was simple and relatively low risk for the average fraudster. But since the EMV liability shift in October of 2015, card-present fraud has been curtailed, as the tiny chips embedded in the payment cards have made it more difficult to make counterfeit cards and to use stolen cards.
But that doesn’t mean fraudsters are giving up their trade. They’re just switching strategies. There has been a steady increase in two types of what is known as “remote fraud” – account takeover and account application fraud (also called new account fraud) – that is often conducted online and/or over the phone. Experts at payments research firm Javelin Strategy & Research estimate that losses from account application and account takeover fraud will increase from $5 billion to $8 billion by 2018, an increase of 60 percent.
Even before the EMV mandate went into effect in October 2015 there was a nearly 100 percent increase in fraudulent account creation in the first two quarters of last year, with just about half of the one billion created financial accounts between April and June flagged as fraudulent, a huge increase from 28 percent in the first quarter. Experts believe the increase was due to fraudsters taking advantage of the coming end of the magnetic-stripe only era, trying to get all of their criminal activity in before the chip cards made it more difficult, and meaning payments companies will have to contend with more account takeovers
Merchants can help to reduce their chances of account takeover and account application fraud by implementing “know your customer” (KYC) and alternative identity theft strategies that can identify customers by determining whether they are connected to the account, and not just who they are. When you authenticate the customer’s credentials during the transaction, the anonymity that protects criminals is gone, giving them nothing to hide behind. Failure to do so can leave both merchants and customers exposed to security breaches and fraud.
Other tools merchants can use to reduce account takeover fraud are dual authentication and positive pay. Dual authentication, which is also known as two-factor authentication, adds a second level of authentication to an account log-in. Most online accounts only require a user name and a password – single factor authentication. This, as we are all painfully aware, is too easily hacked, despite efforts to make passwords more and more complicated. Dual authentication requires two credentials to access the account, like something you know (password, PIN number, pattern), something you have (ATM card, phone or keyfob), or something you are (biometrics – fingerprint, voice print, facial recognition, etc.). Positive pay is a system in which a small business owner compiles a transaction file identifying authorized payees and the amounts they should be paid, and the transactions are checked against the file by the financial institution as they are received. If there isn’t a match, the payment is not authorized.
Customers today are quite aware of the massive data breaches, like those at Target and Home Depot, which have occurred in recent years. ID authentication practices, which are common for banks and financial institutions – can be integrated into the transaction process and help reduce the number and scope of breaches and are a tool that can benefit any organization.