If the US is anything like Europe, you can expect that “Card Not Present” or CNP fraud will increase significantly in 2016.
We will have to wait and see, but some things are likely.
- Chip and signature – the alternative to chip and PIN that most US banks and almost no international banks chose – will do nothing to protect against stolen credit cards. Of course, you cannot steal a credit card from half way around the world, so this type of attack only works if you are near the victim. AND, the victim is much more likely to notice that their wallet has been stolen and cancel the card, so my guess is that this is not going to be a significant source of fraud in 2016.
- Service providers (anything from Uber to Etsy to Amazon) who match buyers and sellers are likely to see a significant rise in fraud. Online marketplaces such as Uber never see the customer and the representative (like the Uber driver) never see the credit card. Even service providers like AirBnB, where someone may talk to you, doesn’t have any information about the credit card used and likely does not ask you for ID. Even if they do, that ID could easily be fake.
- Even online product providers like Amazon are likely to see increases in attempted fraud. The fraudsters hire mules to provide their addresses and then get the products from the mules some other way, including via reshipping. If the mule gets caught, they don’t know very much about the fraudsters operation.
Merchants not only lose the amount of the fraudulent transaction, but also the cost of dealing with the fraud. According to Lexis-Nexis, merchants spend over $3.00 for every $1.00 in fraudulent transactions.
According to Lexis-Nexis, fraud as a percentage of revenue for all merchants, increased from 0.51% to 0.68% between 2013 and 2014. For merchants accepting payments via mobile (phones) the fraud rate went up from 0.8% to 1.36% – more than a 50% increase. I guess we know one place where fraudsters are going.
A couple more interesting stats from Lexis-Nexis. Merchants say that the number of prevented fraudulent transactions is up by more than 60% – meaning that the card services are doing a good job of detecting fraud, but the number of successful fraudulent transactions is also up – by around 45%. Merchants say that the dollar value of fraudulent transactions that are caught is equal to fraudulent transactions that are successful. Said a different way, by dollar value, only 50% of the credit card fraud is caught.
What is clear to me is that trying to get solid data is very hard. For example, in the Lexis-Nexis report, it says that merchants say that credit card fraud is down, but Lexis-Nexis says this is because merchants are accepting more payment types and that this is not a real decline – the fraud is spread across more channels.
This means that merchants need to continue to up their game in fraud detection. The Dark Reading article has several suggestions of things that merchants can do. The goal, of course, is to do as much as you can without scaring off the consumer. Jumio uses the camera in your phone to compare ID documents against a live image of the buyer to reduce fraud. While this is NOT an example of something that happens behind the scenes, companies like AirBnB are using it with minimal customer pushback. This is likely true because the average AirBnB customer only does a couple of transactions a year. But, I am sure, the crooks will also learn to improve their techniques. For example, if you compare a buyer’s actual face to a drivers license, how do you know that the picture on the drivers license is real. Still, you do have a picture of the fraudster and that can’t be all bad.
Businesses that accept credit cards will be fighting a cat and mouse game with fraudsters for the foreseeable future – they just need to make sure they don’t let their guard down.