You’d think financial institutions and retailers in the U.S., with a long list of EMV migration examples to look to in other countries, would have been prepared for fraudsters shifting their attention to e-commerce after security improved at the point of sale.
But according to late 2016 data from fraud prevention company iovation and research firm Aite Group, there’s been a 35% increase in online credit card fraud since the EMV shift in the third quarter of 2015.
So what's happening?
According to industry experts, most of the card-not-present fraud is likely targeting smaller merchants and financial institutions that don’t have as many resources available to start securing digital channels.
Smaller institutions “may not have as many people in the fraud strategy and prevention roles … and may not have the development, technical resources and funding to implement those solutions,” said Mike Lynch, chief strategy officer at InAuth, an online and mobile device security company that works with four of the five top banks and nearly 50 merchants.
Despite this clear trend, InAuth hasn’t seen a spike in new clients stemming from the EMV transition, Lynch said. Most of its clients are larger companies that were prepared for EMV, but smaller merchants may not have the funding to catch up.
According to Julie Conroy, retail banking research director at Aite Group, this makes sense. A huge doubling of security investments is unlikely. Instead, only incremental investments will be made as retailers and financial institutions figure out how to protect all channels most effectively, she said.
This confluence of channels is one of the factors causing a fair amount of pain.
“Merchants want to engage customers in an omnichannel way yet their fraud systems aren’t prepared to keep up with that omnichannel environment,” Conroy said, offering an illustration. If a fraudster with a stolen credit card loads $100 into a merchant’s mobile app then goes into the store and buys five $20 gift cards, it could take days for the consumer whose card was stolen to notice and alert the bank, who then alerts the merchant, by which time the fraudster is long gone with the gift cards.
Even seeing a rise in card-not-present fraud, some merchants are hesitant to deploy tighter security, namely because added steps in the checkout process could lead to cart abandonment.
These merchants “do understand the risk, but see this as a necessary evil in working in the digital space,” said Lynch.
Although, that doesn’t mean the industry isn’t investing at all.
“Currently merchants are trying to find the right balance between the best customer experience and keeping fraud levels flat," said Lynch.
Big merchants are also vulnerable, said Conroy, who has seen a number of large merchants lose significant money to online fraud, mainly those that do most of its business via brick-and-mortar locations and don’t invest as much into digital channels.
Another reason larger enterprises are still getting hit is because fraudsters' techniques are becoming more sophisticated, said Lynch, who used to work on Bank of America’s authentication and fraud strategy before joining InAuth. For instance, he said, botnet attacks where one master source distributes malware to many unsuspecting computers that then continually create logins or accounts have been on the rise since the EMV shift.
“Distributed architecture is a lot harder to defend against,” Lynch said.