What’s trending in digital payments fraud in the US?

Entersekt Editor|27 June 2018

As payments become more digitized, so do fraud schemes. Fraudsters always seem to stay just one step ahead of the industry’s relentless efforts to defeat them. Some of the most prevalent fraud methods today are card-not-present (CNP) fraud, account takeovers, new account fraud, and spoofing.

Card-not-present fraud

The incidence of CNP fraud has skyrocketed with the rise of e-commerce and the adoption of chip cards (credit cards with the added security of an embedded chip) in the U.S. CNP fraud jumped by 40 percent between 2014 and 2016, according to Javelin Strategy & Research’s 2017 Identity Fraud Study. Meanwhile, fraud at the point of sale (POS) has remained largely unchanged, Javelin says, and according to Visa, has declined markedly among retailers who have upgraded to chip-enabled terminals. These retailers saw POS fraud decline by 70 percent from September 2015 through December 2017.

Much of CNP fraud has been facilitated by data breaches, which have provided perpetrators with a treasure trove of data that they can use (or sell on the “darknet”) to steal consumers’ card information and credentials. Fortunately, a number of payments technology and services providers are developing ways for merchants to combat CNP fraud and in some cases even offering CNP fraud prevention as a value-added service.

Account takeovers

Account takeovers are still popular with fraudsters, too. These takeovers occur when perpetrators use stolen log-in credentials (again, often obtained through a data breach) to access consumer accounts with online merchants or other types of payment service providers. They then use whatever personally identifiable information (PII) they can access in the account to change account settings and begin making purchases. These takeovers are often assisted by automation; fraudsters deploy bots and/or scripts to test combinations of stolen usernames and passwords across multiple websites and applications until they are successful.

According to the same Javelin study cited above, after reaching a low point in 2014, account takeover incidence and losses rose notably in 2016. Total account takeover losses reached $2.3 billion—a 61 percent increase from 2015—while incidence rose 31 percent. Javelin’s 2018 study shows that merchant losses from account takeover fraud in 2017 totaled more than $5 billion—up 120 percent from 2016.
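The automated credential testing described above leaves a recognizable trace in login logs: one source failing against many different accounts, then succeeding on one and moving straight to settings changes and purchases. The following detection sketch is an added example, not code from Entersekt or Javelin; the log format, event names, window, and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (documentation IP ranges): time, source, account, event.
SAMPLE_LOG = """\
2018-06-27T10:00:01 203.0.113.7 alice login_fail
2018-06-27T10:00:02 203.0.113.7 bob login_fail
2018-06-27T10:00:03 203.0.113.7 carol login_fail
2018-06-27T10:00:04 203.0.113.7 dave login_ok
2018-06-27T10:00:30 203.0.113.7 dave settings_change
2018-06-27T10:01:10 203.0.113.7 dave purchase
2018-06-27T10:05:00 198.51.100.9 erin login_fail
2018-06-27T10:05:20 198.51.100.9 erin login_ok
2018-06-27T10:06:00 198.51.100.9 erin purchase
"""

WINDOW = timedelta(minutes=5)      # assumed look-back window
MIN_DISTINCT_ACCOUNTS = 3          # assumed threshold; tune per site


def parse(log_text):
    for line in log_text.splitlines():
        ts, ip, account, event = line.split()
        yield datetime.fromisoformat(ts), ip, account, event


def find_takeovers(log_text):
    """Return {account: [post-login actions]} for logins that succeed from a
    source that recently failed against many *different* accounts."""
    fails = defaultdict(list)        # ip -> [(time, account)] recent failures
    suspect_sessions = set()         # (ip, account) pairs logged in after stuffing
    findings = {}
    for ts, ip, account, event in parse(log_text):
        fails[ip] = [(t, a) for t, a in fails[ip] if ts - t <= WINDOW]
        if event == "login_fail":
            fails[ip].append((ts, account))
        elif event == "login_ok":
            distinct = {a for _, a in fails[ip]}
            if len(distinct) >= MIN_DISTINCT_ACCOUNTS:
                suspect_sessions.add((ip, account))
                findings[account] = []
        elif (ip, account) in suspect_sessions:
            findings[account].append(event)
    return findings


if __name__ == "__main__":
    for account, actions in find_takeovers(SAMPLE_LOG).items():
        print(f"possible takeover of {account}: follow-up actions {actions}")
```

Keying on source IP alone is a simplification; the same logic applies when the key is a device fingerprint or another session attribute, and a single user mistyping their own password (erin in the sample) is not flagged.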

New account fraud

Another type of fraud, new account fraud, has been rapidly multiplying as consumers conduct more and more of their daily activities online. New account fraud occurs when a consumer’s stolen or compromised PII, “synthetic identities” (amalgams of real and created information from several sources to create a single false identity), or compromised primary account numbers are used with malware, phishing, or bots to open new accounts or to obtain lines of credit without the consumer’s consent. Javelin reports that account fraud more than doubled in 2015, with PII stolen from 1.5 million consumers used to create fraudulent checking, credit card, loan, and other accounts. Synthetic identities are a particularly popular way to commit this type of fraud; leading analyst firm Gartner estimates that synthetic identities now account for as much as 80 percent of credit card losses from fraud.

To make matters worse, these fraudsters have become better at evading detection. Victims of new account fraud often fail to detect the violation until they review their credit report (15 percent of victims) or are contacted by a debt collector (13 percent), says Javelin.

Spoofing

Meanwhile, many of the old methods of convincing hapless victims to part with their cash have not gone away. Spoofing, for example, is still all too effective and has spread to new channels.

Spoofing occurs when a fraudster impersonates someone else or falsifies identifying information to gain access to valuable data or to launch malicious attacks. When spoofing by phone, a fraudster might change the Caller ID information to look like someone else—often a bank, creditor, the government, or even the victim’s own phone—to trick whoever answers into giving away valuable data, such as account information. In email spoofing, the sender’s email address is falsified. In URL spoofing, a fake website is created to trick users into entering information or into downloading a virus. Fraudsters also contact potential victims by hacking into their Facebook friends’ accounts and sending messages that appear to come from a trusted friend. Now fraudsters are even spoofing IP addresses and devices to hack into networks to steal data, launch DNS attacks, or spread malware.

In the U.S., some forms of spoofing, particularly phone spoofing, are legal, as long as they are not done “with the intent to defraud, cause harm, or wrongfully obtain anything of value,” according to the Federal Truth in Caller ID Act of 2009. The best prevention is education: consumers should know never to give away their PII over the phone, email, or social media, and businesses should use security tools to protect networks.

Potential solutions

Fortunately, a lot of innovative individuals and companies—including Entersekt—are working diligently to come up with multi-faceted ways to detect and prevent fraud. A basic step is to use strong customer authentication methods such as mobile authentication, biometrics, device fingerprinting, and geolocation. Behavioral analytics (analyzing customer behavior to detect or predict fraudulent activity) and transaction monitoring are also effective. Promising tools are also emerging from advanced analytics—particularly machine learning and artificial intelligence (AI)—which will automate and augment fraud detection and prevention capabilities.

With fraudsters constantly working to find new, state-of-the-art ways to steal money, the industry must work even harder to innovate prevention techniques. The bad guys won’t give up—but neither will we.
