Credit card security has no silver bullet

The rollout of chip-embedded credit cards, while slow, is eventually expected to cut fraudulent in-person transactions.


The fight to curb credit card cybercrime might seem a bit like trying to force the air out of a sealed balloon: Squeeze it in one place, and it simply bulges out in another.

That is the image suggested by multiple predictions that, as the shift to EMV (Europay, MasterCard, Visa) technology makes in-person, point-of-sale (POS) transactions more secure, criminals are shifting the bulk of their attacks to online, or card-not-present (CNP) transactions.

Indeed, Javelin Strategy & Research predicted more than a year ago that CNP fraud will be four times that of POS fraud by 2018.


Alphonse Pascual, senior vice president, research director and head of fraud and security at Javelin, said the company will update its forecast this year, “but we expect the general trend to remain unchanged.”


And if that were the whole story, it could raise questions about the EMV transition – estimated to cost about $35 billion. If a reduction in one type of fraud is simply offset by a similar or greater increase in another type, what is the point?

According to Javelin, it is not the whole story. The company immediately followed its prediction with the assertion that the spike in CNP fraud is not being caused by EMV but is simply because CNP transactions are growing so fast.

It is, “due to an increase in transaction e-commerce volume and has little to do with a change in criminal behavior post-EMV,” the company said.

Other experts agree that e-commerce is rapidly expanding, prompting criminals to focus on it because, as bank robber Willie Sutton famously said, “that’s where the money is.”

E-commerce is, “growing at breakneck speed with various types of payment apps and technologies continually entering into the fold,” said Jeremy Gumbley, CTO and CSO of Creditcall.


But he believes it is impossible to predict the level of either type of fraud several years out. “We don’t have a firm sense of what POS fraud is going to look like in a couple of years,” so any prediction would amount to, “an arbitrary number,” he said.

If the experience in the UK with the rollout of EMV, which began more than a decade ago, is any guide, POS fraud will decline in the U.S. Carson Sweet, chief strategy officer at CloudPassage, cites statistics gathered between 2004 and 2014, which show that card-present fraud declined while CNP fraud steadily increased.

And he believes that EMV in Europe did have an effect on the growth of CNP fraud. In the UK, he said, EMV prompted fraudsters to, “abandon one technique for an easier one. They perfected it, and now that's the new surging channel.”


But it will take considerable time to know what the effect of EMV will be in the U.S., since the rollout is not even close to complete. ACI Worldwide reported last September, shortly before the Oct. 1 deadline that shifted fraud liability from issuing banks to merchants, that 59 percent of consumers, “had not yet received their new chip-enabled cards, or are simply in the dark about what EMV means.”

Four months later, “POS fraud is not significantly reduced, because we still haven’t made the jump into the post-EMV era,” said Andrew Komarov, chief intelligence officer at InfoArmor.

Beyond that, implementing EMV in the U.S. is a more complex undertaking. As the Electronic Transactions Association (ETA) put it, “countries that have managed their migrations in as seamless of a manner as possible generally have done so with government-backed, high-profile education campaigns. Those countries also tend to have had fairly consolidated banking industries.”

Neither is true in the U.S., which has, “8,000 banks and 4,000 credit unions, and the variety of payment options available serves to fragment the market,” the ETA said, comparing it to Australia, with about 7 percent of the U.S. population, four major banks and about 100 credit unions.

But Sam Fabens, spokesman for the Electronic Payments Coalition, said that while the EMV transition is gradual, it is happening. “There have been more chip cards issued in the U.S. than anywhere in the world,” he said, adding that, “it was designed to be a process.

“In some cases, merchants looked at their risk profile in terms of when to make the transition (to EMV-enabled terminals), and small ones may have decided to wait for natural update,” he said.

Even when the rollout is complete, however, Sweet contends that EMV in the U.S. will be less effective than in Europe because the U.S. isn’t fully implementing it. Full EMV involves “chip and PIN,” a chip in the credit card, plus a requirement that the customer enter a PIN (personal identification number).

[Image credit: Financial Fraud Action UK]

“The U.S. version of EMV is not really EMV – it's chip and signature,” Sweet said. “Signatures are a very poor method to authenticate the cardholder, especially when compared to the use of a secret PIN that's centrally stored.

“So, right out of the gate, the type of implementation we typically see in the U.S. has less potential for reducing fraud than the common European implementation,” he said.

While others agree that a signature is less secure than a PIN, they don’t think it undermines EMV much. Pascual said the most significant benefit of EMV is the chip, “which renders card counterfeiting nearly impossible. If PINs were the solution for what ailed the market we would have switched from signatures long ago,” he said.

Some merchants do require a PIN, said Chris Strand, the resident expert on EMV and CNP at Bit9+Carbon Black. But he said a mix of requirements – some taking a signature and some requiring a PIN, “creates an environment of confusion for both merchants and consumers.”

However it is implemented, Pascual and others agree that EMV is not a “silver bullet” that will essentially end POS fraud. Criminals, he said, will increasingly try to defeat it through options including, “fraudulent applications, account takeovers, mail interception, and direct theft from consumers.”

Strand agreed. “Even with full adoption, EMV is only going to minimize the threat window on the front end and will not protect the entire payment transaction process.”

That means curbing credit-card fraud is going to take major security improvements in both POS and CNP environments.

And experts say the good news is that growth in e-commerce means CNP security is getting more attention. “There will be a lot more CNP fraud attempts, but there is already a lot of anti-fraud and fraud analytics going on for CNP transactions,” said Adrian Lane, CTO and security analyst at Securosis.

Fabens agreed. “No single technology is a silver bullet,” he said, “but there are really effective ways to attack CNP fraud,” including end-to-end encryption, biometric authentication (such as fingerprints) and tokenization, which “devalues the data” because the data that handles the transaction is not the card number.

Merchants can also implement 3D Secure, a technology in more common use in other countries, which requires a separate password.

The less good news, however, is that all of these measures can create what retailers call “friction” in the buying process. According to Gumbley, the requirement of another password can create, “a notable amount of checkout attrition and shopping cart abandonment as users forget their passwords or lose interest and move on.”

Sweet said that prospect means merchants won’t use it. “Online retailers will resist this to the ends of the earth,” he said, “because it will impact the shopping experience and therefore their revenue. Consumers are used to one-click purchasing, and because consumers aren’t liable, they won't accept what would be seen as a nuisance in order to help minimize their bank's fraud liability.”

Lane agreed. “Typically, security is not adopted if there is a chance it interferes with commerce,” he said.

Pascual said there are ways to improve authentication without creating friction, including “biometrics, behaviormetrics and leveraging mobile device location solutions that correlate the location of the cardholder’s phone with that of the device used to make a payment online or in person.”

Or, some have suggested that the industry should skip EMV entirely and move to near-field-communication (NFC) technology, such as that offered by Apple Pay and Google Wallet.

But that, while it holds promise, is not ready for prime time.

Lane said that if NFC systems became mainstream, it could, “knock out most CNP fraud.”

But, in the next breath he admits that will take some time to happen. “My parents run a Pentium processor and Windows 2003,” he said. “They don’t own a cell phone. They’ve never heard of PayPal. Ask them if they are interested in NFC.

“When you look at the tech divide between half of this country I’d say it (NFC) is a good idea that fails in the real world.”
