When more U.S. issuers and merchants start using EMV-chip cards to improve security at the point of sale, fraud will likely surge online.
This is what happened in the U.K., which adopted EMV technology in 2005 and saw card-not-present rise 54% from 2006 to 2008, reaching £328.4 million before finally going down as financial institutions and merchants addressed the fraud occurring online, said Julie Conroy, an Aite Group researcher and fraud expert. In 2013, the U.K. dealt with e-commerce fraud losses of £301 million.
EMV cards improve security by deterring the counterfeiting of physical cards, but they do not improve security online. Fraudsters thus move their efforts to e-commerce after being thwarted at the point of sale.
"The bad guys come up with new ways to attack, so then the fraud rate goes back up," Conroy noted.
Conroy and Adam Dolby, vice president of business development at Boston-based Encap Security, shared their views on post-EMV fraud threats during a May 7 online presentation.
When determining the best way to thwart fraud, banks and merchants should think of EMV as a flu shot, Dolby said.
"The flu vaccine doesn't eradicate the flu, but if you get the flu it will go away faster and there won't be as much pain," Dolby said. "The same holds true for card security and the customer. If you get hit with a breach, it is imperative to make the data unusable and limit the use of the card, or in some cases take it away all together."
Encap provides in-app authentication software across channels, emphasizing ease of use for consumers, according to Dolby said. Credit unions, banks and retailers should rely on authentication that confirms a consumer's identity and intention, he added.
Financial institutions and businesses deploying strong security will be ready for any attack, Dolby warned.
"You have the opportunity to eliminate fraud across channels, not just [card not present], and generate new products and services if you have good security," he said. "I believe very strongly that if you can increase convenience and security, and do it with a solution that addresses both of those, you have a winner."
If security comes at the expense of the customer experience "somebody is going to be unhappy," Dolby predicted.
Conroy discussed the performance of the EMV CAP device, which consumers had to plug into a home computer to make a secure transaction online. It added a number of steps to the online shopping process, and consumers hated it, she said.
"That device is a non-starter in the U.S.," Conroy added.
Consumers don't like complicating the payment process, in part because they are not held liable for fraudulent transactions, according to Conroy. "Consumers have no skin in the fraud game."
Hackers are also targeting alternative payment methods by developing new strands of malware.
"There will be 82 million new strands by the end of the year," which equates to 180,000 unique new strands per day, Conroy said. A year ago, she mentioned that 95,000 new strands were developed a day.
E-commerce sites are an appealing target for hackers, who can test stolen passwords across multiple websites, she said.
"The good news is that counterfeit card fraud significantly drops when EMV technology takes hold. But the crime rings will attack other vectors."
Even though the Target breach received the most publicity, the Adobe breach was the most dangerous incident of 2013. The Adobe breach resulted in the compromise of 3 million credit card accounts and 150 million username and password combinations, according to Conroy.
In addition, hackers obtained the source code for Adobe's ColdFusion, used for building Web and mobile applications, and other popular Adobe web codings, she added.
"In the wake of that breach, we have seen two separate merchants get compromised who were relying on ColdFusion for their Web building. It shows there are many different ways for the bad guys to get in. They are nothing if not creative."