Card fraud is a massive problem around the world, costing banks and consumers time and money. Even when we seem to be making headway the criminals find another way in, which is why we see stats such as those from the UK earlier this year, which showed that
fraud losses on UK issued cards climbed 14 per cent last year to hit £388 million, the first rise since 2008.
So how does fraud happen?
Card fraud begins when a card becomes compromised. This can be the result of hacking, for example details being stolen by cybercriminals when a consumer is initiating an online transaction. Or it can happen as the result of skimming – the practice of stealing
account details from the magnetic strip present on all cards – to name but a couple.
The criminal now has live data which they need to use quickly to exploit the breach. They have a range of options open to them, but in places such as Europe that have moved to EMV there are two main choices.
One is to attempt card-not-present (CNP) fraud – usually this is online. If we look at the breakdown of fraud losses on UK cards, we can see this borne out. CNP fraud has more than doubled in the last decade, while counterfeit card fraud and theft has sliced
in half, according to Financial Fraud Action UK figures. In fact, counterfeit card fraud in the UK has fallen by 75 per cent since its 2008 peak. These figures are reflected in other EMV countries – the UK is by no means unique.
Alternatively, criminals may ship the card details overseas to a non-EMV country. In fact a large percentage of fraud on cards issued in EMV countries is taking place in the US, which has been slow to adapt to the new standard. Between 2011 and 2012, counterfeit
card losses in the UK fell 17 per cent, while in other countries the figure rose 42 per cent.
Now we see where the two main avenues for the fraud are, the next stage is for the criminal to begin stealing money.
Usually, the next step is for the criminal to carry out a small test transaction. This is often for as little as £1, and can be a key flag for the financial institution, especially if the card holder doesn’t normally make such a low spend transaction on
Next, the main fraud occurs. After the criminal has verified that the data they have is usable, they will begin to carry out transactions of significant value. Criminals may build up a database of card details they can use to make fraudulent transactions
until one gets stopped. As soon as it is blocked, they simply move onto the next.
When can the fraud be stopped?
Along the way, there are several stages at which the fraud could be prevented. There are often steps that consumers can take to help protect themselves, such as protecting their PIN and not letting their card out of their sight, which helps prevent their
card being compromised in the first place.
For financial institutions, the task of fraud prevention begins once those details have been compromised.
Being able to identify the ‘point of compromise’ can play an important role in this. Intelligent fraud systems can analyse correlations between compromised cards and where these were used prior to fraudulent transactions being attempted. This can help providers
build up a library of data to pinpoint merchant locations where card details may become compromised, improving the chances of spotting when a fraud occurs in other potentially vulnerable cards.
The task for the payments industry is to prevent frauds occurring in the first place, which unfortunately means waiting until details are compromised, but acting before any losses are incurred. Being able to establish as quickly as possible once a card has
been compromised is the key task.
The test transaction by the criminal offers is a good opportunity for fraud prevention systems to act. This comes down to the way intelligent fraud systems work, by identifying unusual spending patterns.
If a card is used at a location known to be linked to previous card fraud, this should be the first red flag. Next, if an unusually small transaction is initiated, fraud prevention systems will be alert to the possibility that a fraud may be taking place.
When this is followed quickly by a large transaction, providers will be able to block it.
However, all these tips won’t pick up all fraud, as criminals never follow a set of steps when they commit fraud. The most important thing is for the bank to be able to identify if a transaction is unusual for that consumer and if it correlates with other
fraud trends. It is important that systems are able to evolve as fraud threats change, to ensure that they are always looking out for the latest fraud types.
Fraudsters are always changing their tricks – after all the expression ‘you snooze, you lose’ really applies to them. They are in the business of making money, and if they don’t employ different tactics, the banks will soon stop their revenue stream. And
that’s what the banks are up against. But with the right technology banks can do a good job at keeping the criminals on the run.