How will EMV impact fraud in the US?

This post originally appeared on Alaric’s blog.

The EMV roll-out in the US is building speed at long last. It’s been a long bumpy road to get to where we are today, and there is fair bit to go yet. Given all the effort so far it’s important that EMV has the desired effect; to reduce fraud.

But just how will the change impact card fraud as EMV is rolled out across the US? We recently looked at this issue in a whitepaper entitled EMV in the US – how far have we come and where are we going?

Where are we?

A recent report from EMVCo shows a sharp rise in the cards worldwide. There were 2.37 billion EMV payment cards globally, excluding the US, by the end of 2013, up from 1.62 billion 12 months prior.

But so far virtually nothing in the US. However, as the whitepaper shows, things are turning around. From October 2015 the liability for domestic and cross-border card-present transactions will shift to merchants. “The party that is the cause of a chip transaction not being conducted (either the issuer or the merchant’s acquirer or acquirer processor) will be held financially liable for any resulting card-present counterfeit fraud losses,” says Visa. In other words it will be merchants who have to foot the bill if they do not have a suitable terminal for the EMV card.

Jane E. Cloninger, partner at Edgar, Dunn & Company, tells us there is now “very little now to suggest that the timetable for implementation will be blown off course”. A recent Javelin Strategy & Research report suggested the US would achieve EMV “parity” with the rest of the world by 2018.

So if EMV in the US is a done deal, what will the effect be? How will it impact fraud?

Let’s look again at where we are. Right now more than 90 per cent of fraudulent transactions in the US used credit, debit or prepaid cards. Fraud on plastic cards costs more than ACH or check/cheque fraud. The Nilson Report reckons losses for the US payments industry from card fraud could hit $10 billion a year by 2015.

EMV will change the landscape. It will direct fraud away from the card-present sphere just as we have seen happen in other markets where the standard has been adopted. But this time we won’t see the same increase in cross-border fraud. Instead, card-not-present payments, identity theft, internet banking and corporate payments will be targeted.

As the whitepaper point outs, this means it becomes “critically important” for payment service providers, independent sales organisations, processors and acquirers to ensure they have effective fraud detection systems that can protect all channels, all accounts and all payment types from a single platform.

The fact is that EMV doesn’t eliminate fraud; it fragments it. This can be a challenge for organisations that have legacy systems that cannot adapt to the changed environment.

Even in the card present area we can’t expect the EMV wand to eradicate fraud as if by magic. Figures from Visa on EMV transition in other markets indicate merchants can be slow to get ready. If past experience is anything to go by we can expect just 50 per cent of US merchants to be prepared for the liability shift when it happens.

So EMV is not a silver bullet to fix all our payment fraud worries. Some people have even wondered if it’s worth skipping out EMV altogether to focus on new technology that could cut fraud losses. However, I’m certain that without EMV card fraud losses would be significantly higher.

For now I can’t see any point in hanging around to see what happens. Late adopters to EMV will be easy prey for criminals; whether you’re a financial institution or merchant, don’t be the one who’s left with the check at the end of the party.

To learn more, check out NCR and BAI’s webinar on Changing the Game in Fraud Detection.

Security: What It Takes to Lead the Way

You say Target, we say EMV—how’s that for a conversation-starter?

The recent mass hack of retail giant Target—it’s estimated that more than 100 million consumers’ information might have been compromised—has generated considerable attention, as does every data breach that cuts to the bone. Expect to see the usual hand-wringing and calls for newer and more effective procedures, and with good reason. It’s entirely fair to ask why and how a multimillion dollar security network of the kind Target surely has could be brought to its knees—allegedly—by a software tool created by a teenager, written in a common scripting language and widely available on underground sites for barely $2,000.

That’s why we should expect to be hearing a lot more about EMV. For the record, the acronym represents Europay, MasterCard and Visa, and it first saw life as a joint effort between those conglomerates to enable greater security and interoperability in chip-based payment cards. The specification covers everything from POS terminals to ATMs, meaning every store and bank simultaneously. The standard is now defined and managed independently, and Integrated Circuit (IC) or chip cards based on it are being rolled out throughout the world. The chip and related software ensures that each customer’s account number and other details are essentially invisible. The suggestion here, and it would be label the potential benefit any differently, is that it would help contain the damage wrought by the Target hack.

Of course, when something is a global standard, that doesn’t mean it covers every market—there are always exceptions. And in the case of EMV, there’s a big one: The USA. Many regions across the pond have embraced the new technology, but magnetic-stripe cards, which are far more vulnerable to data theft of the kind we saw at Target, remain the norm on these shores. Credit card companies, who are among those hardest hit by data theft at market-facing outlets like banks and stores, have been stepping up pressure on their partners to adopt the EMV specification and introduce IC cards. But it’s probably not going to happen for a while.

There’s a good reason for this, or perhaps 8 billion reasons. That’s the dollar figure attached to the estimated cost of a full-on conversion to EMV technology adoption.

The simple truth is that through sheer size and economic heft, the U.S. is the world’s largest market for just any product it embraces. That gives it enormous standalone power—it’s why, for example, music stars who sell out globally barely make a dent on the charts here, or the World Cup can be the biggest sporting event while remaining a second-tier event for American consumers. The U.S. plays by its own rules, because it can.

It’s also worth noting that while credit card companies are rightly concerned about data fraud and consumers have reason to fear identity theft, the retail industry can make the case that the cost of conversion to the EMV spec, despite the benefits, isn’t justified by the potential prevention of fraud, (losses from this type of attack has been estimated in the $1 billion a year range.) Besides, federal statutes protect consumers from having to pay for purchases made fraudulently with their credit and debit cards.

Most importantly, it’s always premature to see any technology as a panacea. Protecting financial information is an ongoing struggle, a non-stop effort to stay ahead of the bad guys. Whatever measures we put in place, sophisticated cybercriminals will find a way to circumvent. However, the fact that credit card fraud rates in America, previously among the lowest anywhere, have doubled since IC cards began proliferating in Europe is cause for concern.

Whatever the merits of the argument, the current interest in EMV makes for a case study in market leadership. The fact that the U.S. retail and banking economies are so massive and complex should not automatically be a reason for them to be technologically behind the curve. We always need to be doing better. The EMV specification is one option that seems to provide enhanced security, but that’s it—one option. Being the biggest, and arguably the best, means it’s our responsibility to lead the way identifying, developing and implementing many more.

What We’re Reading: Government Shutdown, Vendor Management, Cloud

Below are interesting stories the Banking.com staff has been reading over the past week. What have you been reading? Let us know in the comments section below or Tweet @bankingdotcom.

  • Banks Vow to Be Flexible with Customers Affected by Shutdown

American Banker

Banks are stepping up to meet the needs of customers who could miss their next paycheck or two due to the government shutdown. Several banks in the Washington, D.C., region say they are urging customers affected by the shutdown to contact their local branches if they are concerned about meeting loan payments or getting socked with hefty fees for overdrawing their accounts. Some, including Capital One Financial (COF) in McLean, Va., are actively promoting assistance programs while others say they will handle situations case by case.

Read more 

  • Bank of America Launches Next Gen Banking Centers

Bank Systems & Technology

Bank of America has announced the launch of five additional “express banking centers” dedicated to offering self-service technology to handle services and common transactions in Boston, Charlotte and New York City.

Read more 

  • MRDC Fraud Alert: Double-Triple Dipping

Credit Union Times

The headline on the story at an Oklahoma television station’s website said it plainly: “Mobile Banking Used To Steal Thousands From OKC Business.” The story elaborated that Paris Limo in Oklahoma City had been looted of some $15,000 by an employee who apparently made it a habit to deposit the same paycheck in multiple checking accounts, effectively doubling or tripling his income. Jimmy Paris, the company owner, acknowledged that nobody reconciled the payroll account on a monthly basis. All of which raises the question: how widespread is double dipping with mobile remote deposit capture? Alan Bernstein, president of Vertifi Software, a CUSO that offers MRDC to hundreds of credit unions, said, “This is totally contrary to what we have experienced in the three years we have provided MRDC.”

Read more 

  • The Morph from Vendor Management to Vendor Performance Management

Gonzo Banker

These days, when we are asked to work with any FI on looking at alternatives to systems, it very seldom is for quantitative reasons – vendor stability, financials, etc. At the end of the day, almost 100% of the time, it is because the FI does not feel that the vendor met commitments and managed the relationship well. And, when the incumbent vendor bids to keep the business, conversations always center on what went wrong with the relationship and how the vendor will promise to fix it. At that point, it’s usually too late for the promises to be credible.

Read more 

  • Gartner: 50% Of Enterprises Use Hybrid Cloud By 2017

InformationWeek

Actual hybrid cloud computing deployments still “rare,” Gartner says, tempering optimism about future adoption rates. Gartner predicts that almost half of large enterprises will be engaged in a combined, public/private cloud operation, often described as “hybrid” cloud computing, four years from now. Gartner analyst Thomas Bittman makes the projection in an Oct. 1 report, “Private Cloud Matures, Hybrid Cloud Is Next.” The report implicitly assumes that the opposition to public cloud, which looms large in many enterprise IT surveys, will fall away in the near future, at least for limited hybrid operations.

Read more 

  • Online Bank Customers Are Surprisingly Short-Tempered

The Street

42% of digital banking users will leave a website or mobile site after experiencing poor customer service. Survey respondents may not be coming entirely clean with study researchers, at least when it comes to showing patience online. “Of all of the survey questions we posed to consumers in this study, the answer that was most surprising is that 22% of consumers are willing to wait up to three seconds for pages and images to load on a bank’s website or mobile site,” says Jared Polidoro, vice president of U.S. client services at Maxymiser. “But what they were telling us doesn’t match their actual behavior.”

Read more 

  • Android biometric sensors on way ; Tech alliance pursues standard

USA Today

Michael Barrett cringes every time he has to enter a password on his smartphone. But six months from now, Barrett says, he will be able to choose from the latest Android models that will come equipped with a biometric sensor capable of letting him swipe his fingerprint to access a wide range of his online accounts. That’s the scenario being proactively pursued by the FIDO Alliance, a group of 48 tech companies, led by PayPal and Lenovo, hustling to implement a milestone technical standard. “The intention of FIDO is absolutely that it will allow consumers to have access to mobile services that they can use with very low friction, while keeping good security,” says Barrett, president of the FIDO Alliance. “That’s explicitly what we want to build.”

Read more 

 

What We’re Reading: Mobile Money, Outages and PFM

Below are interesting stories the Banking.com staff has been reading over the past week. What have you been reading? Let us know in the comments section below or Tweet @bankingdotcom.

 

  • JPMorgan Chase Endures Website Outage

American Banker

JPMorgan Chase’s (JPM) website was shut down for some Friday, stopping bank customers from retrieving their accounts. The New York bank took to Twitter to tell customers its online banking was “experiencing intermittent issues” that the company was working to resolve. The outage endured for a few hours, bank spokesman Tom Kelly told American Banker. “We’re back to normal response times now,” Kelly said. JPMorgan Chase is researching the cause of the outage, Kelly said.

Read more

  • Moven From Mobile Banking to Mobile Money

Bank Marketing Strategy

February is definitely a pivotal month for the start-up previously known as Movenbank, having changed its name to Moven, winning the best of show honors at Finovate Europe and gearing up for a February 25 closed beta launch of its mobile-optimized financial services application. Similar to Simple, while not having a banking charter, Moven provides a unique customer experience interface with a traditional banking organization working in the background (with banking licenses, FDIC insurance, etc.).

Read more

  • A Look At What Citi Is Doing With Online Platform

Credit Union Journal

After Forrester Research dubbed Citi’s online banking site the best in the U.S. recently, Tracey Weber, Citigroup’s head of internet and mobile banking and Bank Technology News’ Mobile Banker of the Year for 2012, spoke about the bank’s latest initiatives. The developers made the site simpler, cleaner, and easier to navigate, she says. “We elevated a lot of the quick tasks that you do on a regular basis, like paying a bill, without having to continually have to find your way back to the dashboard. We also integrated PFM and account integration into the dashboard.” Citi partners with Yodlee for PFM and account aggregation.

Read more

  • Four Common Misjudgments About Whether Consumers Want PFM

Javelin Strategy & Research Blog

There is a spirited conversation occurring in a Personal Finance Management subgroup on LinkedIn, spurred by Mary Wisniewski’s column in American Banker about how “PFM Defies Definition.” The heart of the discussion points to the growing awareness that PFM must break free from the 1980s definition of budgeting and investment tools for do-it-yourself PC enthusiasts with a masochistic delight for details, tracking, and quantitative analysis. The financial services industry makes a number of fundamental mistakes in their thinking and approach to PFM.

Read more

  • Banks to spend $118B on tech, mobile banking in 2013

Mobile Payments Today

Retail banks worldwide will increase their IT spending by 3.4 percent this year — to a total of $118.6 billion. Industry analysts at Ovum predict that spending in Asia will rise 5.1 percent, followed by North America at 3.3 percent, and Europe at 1.8 percent. In a new business trends report, Ovum said that mobile banking would be a “clear IT investment priority in 2013.” The company suggested that total spending for online channels — including online and mobile browser-based services — will grow by 6.2 percent in 2013.

Read more

  • More Than 12 Million Identity Fraud Victims in 2012 According to Latest Javelin Strategy & Research Report

PYMNTS.com

The 2013 Identity Fraud Report released today by Javelin Strategy & Research reports that in 2012 identity fraud incidents increased by more than one million victims and fraudsters stole more than $21 billion, the highest amount since 2009. The study found 12.6 million victims of identity fraud in the United States in the past year, which equates to 1 victim every 3 seconds. The report also found that nearly 1 in 4 data breach letter recipients became a victim of identity fraud, with breaches involving Social Security numbers to be the most damaging. Over the past year, companies are responding more quickly which means a consumer’s information is being misused for fewer days than ever before, and the mean cost per victim has been flattening.

Read more

  • Finance and the American poor: Margin calls

The Economist

In December the Federal Deposit Insurance Corporation (FDIC) released a survey that found roughly one in 12 American households, or some 17m adults, are “unbanked”, meaning they lack a current or savings account. The survey also found that one in every five American households is “underbanked”, meaning that they have a bank account but also rely on alternative services–typically, high-cost products such as payday loans, cheque-cashing services, non-bank money orders or pawn shops. Not all the unbanked are poor, nor do all poor people lack bank accounts. But the rate of the unbanked among low-income households (defined in the FDIC survey as those with an annual income below $15,000) is more than three times the overall rate.

Read more

  • Mobile Banking Now Vital To Customer Acquisition

The Financial Brand

A survey recently fielded on FindABetterBank uncovered that 88% of shoppers who said mobile banking is a “must have” feature are already mobile banking users. Therefore, as more consumers download their bank’s mobile apps and begin using them, you can expect the number of consumers demanding mobile banking when they’re shopping for a new institution to increase steadily. Few people, however, defect from an institution simply because mobile banking isn’t offered.

Read more

  • Every company now a digital business

ZDNet

The convergence of social media, mobile computing, analytics and the cloud is transforming the way businesses operate. Companies that adopt available technologies to “go digital” will be better positioned to take advantage of rapidly shifting business opportunities and leap ahead of the competition, according to Accenture’s Technology Vision 2013 report. Since technology is now core to virtually every aspect of a business, every company is a digital business and all senior leaders–not just CIOs–must be able to understand, embrace and drive value from new technologies that affect their organizations, it added.

Read more

Fast Facts: Child Identity Theft

The Financial Services Roundtable recently released another iteration of its Fast Facts, reliable, bullet-point research about issues facing the financial services industry. Topics span TARP, Dodd-Frank, insurance, lending, retirement savings and more.  Below are some updated Fast Facts on child identity theft as children may be an easy target for identity theft and often don’t discover it until years later when they apply for a job or attempt to take out a loan.

FACT: One in 40 households in the US with children under the age of ages 18 is affected by identity fraud.

FACT: 56% of child identity theft cases reported misuse of the child’s Social Security Number (SSN).

  • Thieves will often create a ‘synthetic identity’ using the child’s SSN and a different name, date of birth, and address, to obtain new bank or credit accounts for financial gain, or services such as utilities, phone, cellular, and Internet.
  • Children’s information is also used to commit non-financial identity theft, including obtaining fraudulent tax returns or government benefits, housing rental, employment, medical treatment, or evading criminal charges.

FACT: Lower income families are disproportionately affected by child identity fraud, with 50% of victims living in households with incomes under $35,000.

  • Of victims who were able to identify the perpetrators of these crimes, 36% found them to be family members, and an additional 35% were family friends.

FACT: Child identity fraud can be avoided. Check early and often.

  • Keep personal information like birth certificates and social security cards locked away and sensitive computer documents password protected. Use a cross-cut paper shredder before disposing of paper documents of this nature.
  • Teach children how to be safe online, particularly while visiting unsecured websites and using social media.

FACT: Federal law under the U.S. Fair Credit Reporting Act allows for the request of one free credit report per year.

  • If your child’s identity has been stolen, contact the three credit reporting agencies to place a fraud alert, and then file the theft claim with the Federal Trade Commission.
  • Because a child’s SSN is often used as part of a synthetic identity, ask each of the three major credit reporting agencies, Equifax (1-800-525-6285), Experian (1-888-397-3742) and TransUnion (childidtheft@transunion.com), for a manual search for your child’s credit report, based only on the child’s SSN.
  • Ask each agency for its mailing address, because you will need to provide a cover letter with proof that you are the child’s parent or legal guardian.
  • You may consider placing a credit freeze to prevent thieves from opening additional accounts under your child’s name.

For more information on how to combat child identity theft and learn preventative measures, visit the Identity Theft Assistance Center website.

 

Copyright © 2013 The Financial Services Roundtable, All rights reserved.

Bank Robbing 2.0

Financial institutions have plenty to worry about these days: robbers, hackers, fraudsters, scammers, viruses, malware, trojans —and the list goes on. One little talked about threat to FIs and their customers is ATM fraud in the form of skimming.

Skimming is the act of hijacking account information through the use of a card reader, usually installed on an ATM and fabricated to look like a part of the machine. Thieves have even utilized the readers used to unlock after-hours ATM kiosks. Often, a camera accompanies the card reader attached directly on ATMs and records customers entering their PIN.

Fraudsters can then withdraw money directly from the compromised account or sell the information to other criminals. Guns, drugs and other illicit materials can then be purchased with the stolen funds and card information, or criminals can perpetrate identity theft.

A recent post on the Krebs on Security blog, a banking and finance security blog, shows the latest in skimmer technology recovered from a compromised ATM. The unit is an all-in-one card reader with a built-in pinhole camera, seamlessly attached to an ATM — pretty sophisticated stuff.

One expert estimates more than $350,000 stolen from ATMs worldwide every day via skimming. With ATMs seemingly everywhere one could go – grocery stores, movie theaters, malls, gas stations – there is no shortage for opportunity. This reveals another part of the problem: unless you are a bank security expert, chances are remote that anyone from your FI has mentioned skimming or how to minimize the risk.

Here are some simple steps both FIs and their customers can use to lower the chance they will be victimized:

  1. Before inserting your card, always scrutinize the ATM for parts that look out of place, been added on or just plain don’t belong. Check for mismatched and uneven seams or other irregularities.
  2. Use your hand as a shield while you enter your PIN. This is perhaps the easiest preventative measure one can take. It will also prevent shoulder snoopers from spying on you.
  3. Educate yourself about skimming (and other forms of fraud). FIs can do a better job teaching their customers about skimming to help customers and members minimize the risk of being victimized. Hang a poster next to the ATMs or print warnings right on the machines, so it is fresh on the ATM user’s mind.
  4. Remind customers to check their account activity often, and report any unfamiliar transactions to the FI.

As FIs continue to utilize ATMs for both convenience and cost-savings, the frequency of skimming attacks will only increase in both volume and sophistication. Should these attacks be thwarted, FIs, customers and law enforcement must stay vigilant and ahead of the criminals and their ever-advancing technology.

Does your FI already have preventative measures in place against skimmers? Let us know in the comments section below or Tweet @bankingdotcom.

Editor’s Note: David Sutton has a BA in economics and a MS in business journalism, and his articles have appeared on Forbes.com and in the Boston Business Journal. David has had a bank account since he was three.

FDIC Outlines Top 10 Online Resources for Consumers

This week, theFederal Deposit Insurance Corporation (FDIC) honored National Consumer Protection Week by sharing 10 online resources to keep consumers safe while managing their finances. In an era where “Googling” reliable information is standard, the FDIC wants to ensure that consumers are getting practical and dependable tips to help avoid fraud while managing their bank accounts.

A few of the resources offered by the FDIC include:

  • Bank Find: Our online directory that consumers can use to locate an FDIC-insured institution, learn what happened to a bank that changed names or no longer exists, and more.
  • Small Business Web Page: Useful information for small businesses, especially regarding access to loans, plus an online form to ask the FDIC a question or register a concern.
  • Foreclosure Prevention Toolkit: A Web page that provides easy access to helpful information for homeowners on avoiding foreclosure and foreclosure “rescue” scams.

To read the remainder of the tips, visit the FDIC.

What does your FI do to inform customers about the danger of online fraud? Let us know in the comments section below.