Digital Transactions Authoritative, insightful and timely information for payments professionals
Counterfeiting is still the king of U.S. payment card fraud, according to the Federal Reserve’s recently released Payments Study 2016, but probably not for long thanks in part to the coming of EMV chip cards and the aftereffects of data breaches.
Counterfeit fraud accounted for 44% of U.S. payment card fraud last year. Next, at 39%, was what the Fed calls “fraudulent use of card number,” another term for fraud in which the card is not physically presented to the merchant. A distant third was lost-and-stolen card fraud followed by fraudulent applications, fraud on cards issued but not received by the legitimate cardholder, and all other types.
The Fed used fraud data from general-purpose card networks and ATM networks for its study.
Including ATM fraud, so-called in-person fraud accounted for 54% of U.S. general-purpose credit and debit card fraud in 2015 versus 46% on what the Fed terms “remote” channels, which include card-not-present crimes.
While the Fed’s numbers for lost-and-stolen are a bit higher than those estimated by Aite Group LLC, a Boston-based research firm that closely tracks fraud trends, in general they’re close to what Aite has found for the various types, according to research director Julie Conroy.
As have other observers of the fraud scene, Conroy predicts that counterfeiting will soon lose its place as the leading fraud type as EMV chip cards proliferate and merchants’ new chip card-reading terminals make it much harder at the point of sale for criminals to use counterfeit magnetic-stripe cards made from stolen cardholder data.
“We will see counterfeit take a precipitous drop” in 2017, Conroy says.
But chip cards provide no better protection than mag-stripe cards for Web or telephone-based purchases. With e-commerce booming and EMV cards growing, U.S. card fraud already has begun migrating to card-not-present channels, experts say. In the United Kingdom, which converted to EMV about a decade ago, CNP fraud accounted for 70% of all fraud in 2015, according to Fed data.
Another big growth area for fraud is account openings, even though it’s small now. The steady stream of data breaches, including those of health-care providers that contain such sensitive consumer information as Social Security numbers, is making fraudulent applications for credit cards, mobile-phone accounts, and other types of financial accounts more appealing to criminals, according to Conroy.
She says card issuers are reporting to her that they’re experiencing 100% to 150% increases in application fraud. “I’m hearing of huge application-fraud pain from issuers,” she says. “Basically we’re looking at all of those data breaches and data in the hands of criminals, and they’re using it.”
Criminals frequently obtain stolen credentials for a specific cardholder and apply for a credit card in that person’s name, but there are other iterations of application fraud. In cases of “synthetic” identity, they create an identity using the data of more than one individual to use when applying for an account. Or, in cases of “wholesale” fraud, they may make up an entirely new identity from scratch.
Crooks specializing in fraudulent account openings often will attempt to get a mobile-phone account, according to Conroy. Mobile-network operators tend to do “a little less vetting” of applicants than do banks, she says. And if a criminal succeeds in opening an account, the phone company may report his payment history to the credit bureaus, paving the way, at least for a while, for further fraud.
Such fraud has been around for years, but “we’ve really seen it compounding over the past couple years,” says Conroy. She attributes part of the growth to the massive amount of consumer data being sold after breaches, and to the desire of companies to add customers.
—Jim Daly
