The Federal Reserve’s recently released 2016 Payments Study shows that counterfeiting was the biggest type of U.S. card fraud last year. But other types of fraud, especially card-not-present fraud, are rising quickly, thanks in part to the coming of EMV chip cards and the aftereffects of data breaches.
The Fed study says counterfeit fraud accounted for 44% of U.S. payment card fraud last year. Next, at 39%, was what the Fed calls “fraudulent use of card number,” another term for fraud in which the card is not physically presented to the merchant. A distant third was lost-and-stolen card fraud at 11%, followed by fraudulent application, 3%, and fraud on cards issued but not received by the legitimate cardholder, 1%. All other types of fraud accounted for 2% of the total.
Including ATM fraud, so-called in-person fraud accounted for 54% of U.S. general-purpose credit and debit card fraud in 2015 versus 46% on what the Fed terms “remote” channels, which include card-not-present crimes.
While the Fed’s numbers for lost-and-stolen are a bit higher than those estimated by Aite Group LLC, a Boston-based research firm that closely tracks fraud trends, in general they’re close to what Aite has found for the various types, according to research director Julie Conroy. As have other observers of the fraud scene, she predicts that counterfeiting will soon lose its place as the leading fraud type as EMV chip cards proliferate and merchants’ new chip card-reading terminals make it much harder at the point of sale for criminals to use counterfeit magnetic-stripe cards made from stolen cardholder data.
“We will see counterfeit take a precipitous drop” in 2017, Conroy tells Digital Transactions News.
But EMV chips provide no better protection than mag-stripe cards for Web or telephone-based purchases. With e-commerce booming and EMV cards cutting into counterfeiting’s allure, U.S. card fraud already has begun migrating to card-not-present channels and will continue to do so, experts predict. In the United Kingdom, which converted to EMV about a decade ago, CNP fraud accounted for 70% of all fraud in 2015, according to Fed data.
In addition to CNP fraud, another big growth area for fraud is account openings, even though it’s small now, according to Conroy. The continuing breaches of databases, including those of health-care providers that contain such sensitive consumer information as Social Security numbers, are making fraudulent applications for credit cards, mobile-phone accounts, and other types of financial accounts more appealing to criminals, according to Conroy. She says card issuers are reporting to her that they’re experiencing 100% to 150% increases in application fraud.
“I’m hearing of huge application-fraud pain from issuers,” she says. “Basically we’re looking at all of those data breaches and data in the hands of criminals, and they’re using it.”
Criminals frequently obtain stolen credentials for a specific cardholder and apply for a credit card in that person’s name, but there are other iterations of application fraud. In cases of “synthetic” identity fraud, they create an identity using the data of more than one individual, according to Conroy. Or, in cases of “wholesale” fraud, they may make up an entirely new identity from scratch.
Crooks specializing in fraudulent account openings often will attempt to get a mobile-phone account, according to Conroy. Mobile-network operators tend to do “a little less vetting” of applicants than do banks, she says. And if a criminal succeeds in opening an account, the phone company may report his payment history to the credit bureaus, paving the way, at least for a while, for further fraud.
Such fraud has been around for years, but “we’ve really seen it compounding over the past couple years,” says Conroy. She attributes part of the growth to the massive amount of consumer data being sold after breaches, and to the desire of companies to add customers.