This article originally appeared in the March 2016 issue of the CFCA Communicator.
by: Jeffrey Kirchick (firstname.lastname@example.org) and Tim Prugar (email@example.com)
In Steven Kerr’s “On the folly of rewarding A, while hoping for B,” Kerr points out that change agents often unwittingly undermine their own efforts to solve a problem by rewarding behaviors that run counter to the agents’ ultimate goal. To make his point, Kerr references basketball coaches who espouse the value of teamwork but readily hand out MVP awards, and universities that desire professors who are strong teachers but only hire or promote according to research and publication. The current EMV migration project being undertaken by American credit card companies faces a similar challenge – hoping to eliminate credit card fraud while only addressing the type of fraud that involves the physical card (“Card Present” fraud). In this article we will discuss the specifics of the EMV migration, the lessons we can learn from Europe’s experience with this migration, and the extreme likelihood that the United States will experience a significant surge in “Card Not Present” fraud during and after the migration – specifically, an increase in phone fraud.
The credit card industry is no stranger to the law of unintended consequences. Beyond derailing theft, credit cards spared customers from having to carry their money around or risk having it lost or stolen. However, with the rise of the credit card also came new challenges: merchants memorizing customers’ credit card numbers, fraudsters sifting through the mail to find newly issued cards, and even criminals sending applications using other people’s information to obtain credit in their name. Criminals have even mastered the art of cloning the magnetic stripe from the back of a card or wholesale counterfeiting stripes in order to make fraudulent purchases. As all of the members of CFCA know intimately – where there is money to be made, there will be fraud.
These are the exact challenges that the credit card industry is seeking to address through the introduction of EMV chips to cards in the United States. To put it in its simplest terms, the EMV chip is a computer chip that replaces the traditional magnetic stripe used to make a credit card transaction. The main difference, however, is that traditional magnetic stripes never change, while the EMV chip “changes” with every transaction – every time an EMV chip is used it creates a new transaction code, unique to that transaction. This development (hopefully) makes it exceedingly difficult for fraudsters to commit “Card Present” fraud. In fact, it already has: so difficult that fraudsters have reverted to more historically profitable techniques of financial fraud. Specifically, phone fraud.
European credit card companies began large-scale introduction of EMV chips during the 1990s. While this may appear to be a technological acceleration on the part of Europe, it was actually a response to significant legal, cultural, and technological differences between Europe and the United States. At the time of the European introduction, American credit card companies were significantly more advanced and effective in detecting and stopping fraudulent attempts at the point of sale. Furthermore, European companies were expected to take responsibility for covering the cost of credit card fraud in a way that their American counterparts were not – as they say, necessity is the mother of invention. Lastly, the sheer volume of card users in the United States was significantly larger than the population of cardholders in Europe, making for a much more expensive and time-intensive roll-out process.
While the European EMV roll-out led to an immediate and massive reduction in “Card Present” fraud, it also universally led to an increase in phone fraud and other “Card Not Present” techniques. After the roll-out, France, England, and Australia all experienced statistically significant increases in CNP fraud, and Cifas (a European fraud prevention agency) estimated that 36% of internal fraud was taking place through call centers. The image of a balloon works well: by squeezing the “Card Present” fraud side of the balloon, the “Card Not Present” side swelled with fraudsters and criminals looking to commit financial crimes and identity theft via phone fraud.
We have every reason to believe that the United States will experience a similar increase in phone fraud and other “Card Not Present” scams – and financial institutions, telecommunication providers, and health professionals should all be prepared. With the rise of VoIP, it has grown significantly easier to execute telephonic scams through spoof tactics. These scams include, but are not limited to: commercial phishing, swatting, consumer phishing, and outright impersonation/identity theft. Businesses, merchants, and providers can all expect to see a significant increase in non-spoof scams as well, including cramming, subscriber fraud, and PBX hacking.
So where does this bleak picture of the next five years in phone fraud leave us? With the recognition that it is never too early to start preparing for what inevitably lies before us. Securing phone systems should be a top priority for Chief Security Officers or any individuals involved in IT Security Infrastructure. The response to these attacks, which are growing increasingly technologically enhanced and automated in nature, will not be single-channel. A strong omni-channel approach to preventing phone fraud, combining state-of-the-art spoof detection technology, biometrics, agent training in social engineering tactics, and predictive analytics to identify irregularities in billing or network usage, will be necessary to combat this coming threat. An ounce of prevention is worth a pound of cure, and well-prepared firms will be equipped to address the challenges that will accompany the EMV migration.