This article previously ran on CUInsight.com.
Typically, at this time of year, we start to look back at the events that shaped our work lives in order to predict or hypothesize how our new year may take shape. Will fraud be worse in 2017? Perhaps many of you are wondering if we will see a new threat emerge that takes up our resources and whittles away at our member experience.
There will be some challenges – there almost always are. The financial services industry, particularly the cards industry, is struggling to close the books on EMV to the extent that adoption rates are simply not where they need to be but they are indeed headed in the right direction. We need to see a greater balance of ATMs and POS devices authenticating chip transactions. Until we see that in greater numbers, we remain somewhat at the status quo and still married to the presence of mag-stripe technology. The mantra that card-present fraud will cease to be a threat while card-not-present fraud will increase is pretty standard conversation filler at every event I attend. Are you all seeing this as a valid fraud trend today? Probably not, but then again we are still on the move and our fortunes can change on a dime depending on certain nuances like regulations, extensions on liability and overall changes to technology.
Let’s take a look at our recent past.
2016: A Snapshot of Recent Events
- VISA and Mastercard announced an extension to the liability shift for automated fuel dispensers or AFDs. Merchants now have until 2020 to outfit their fuel pumps with chip-enabled POS equipment. This extension has been viewed by many industry insiders as devastating because it simply prolongs the threat of mag stripe fraud emanating from or at the AFDs.
- Card skimming throughout 2015 and all of 2016 has continued unabated. Issuers have struggled with reissuance in tandem with the larger-than-life reissuance associated with EMV rollout. FICO’s claim in April 2016 that ATM card skimming increased by 546 percent sent electricity throughout the card industry as further validation of the extent of this issue.
- Yahoo has made many announcements about their “recent” data breach. News agencies have uncovered information that suggests that Yahoo has been aware of a major data breach since 2013 with roughly 1 billion exposed users at risk. This latest data leak is completely different than a previous breach at Yahoo that exposed 500 million accounts.
- Ransomware has gained the attention of many industries this year from healthcare to finance making this malware and encryption scam something that is now at the top of the threat list for many financial institutions.
- The FBI has cited serious risks associated with Business Email Scams or BEC. In April 2016, the FBI reported that at least $2.3 billion had been lost simply because organizations were not carefully screening and scrutinizing emails to weed out imposters. The result of this weakness has simply catapulted employees into a special risk category as the weakest link and highest risk for cybercrime.
- Data breaches are continuing to contribute to the amount of personally identifiable information or PII that is available on the world wide dark web where hackers barter and exchange information. Last year saw a bevy of data breaches for hospitality and restaurant chains, email providers and healthcare explode, including one high profile case affecting Oracle’s MICROS Payment terminals.
2017: Feeling the Shift to a Cash-For-Information Economy
It’s easy to assume that card fraud rates will increase as they have in previous years, but the intensity that is building around information in general is palpable. Criminals have already shifted into a “cash-for-information” economy and quite frankly we are just beginning to see and feel these changes affect consumers. Here’s what I am predicting for 2017 and beyond, in no particular order:
- Expect fewer retailer breaches, with an uptick in data breaches that are designed to harvest deep and meaningful consumer data beyond a payment card. Healthcare, higher education and state-sponsored data breaches are becoming the norm because they deliver an enormous payload for criminals who can then later sell their stolen information through the marketplace on the dark web.
- Footprint fraud will continue to grow. As a result of this increase we will see the industry shift to a machine learning-based mentality that builds a more realistic transactional profile of where the consumer is transacting and how logical (or illogical) the purchase behavior is in comparison.
- EMV pain will continue. The misinformation around fallbacks and fraud will most likely garner more attention from the card associations and other industry players. There will still be a great deal of uncertainty as to how much criminal exploitation is possible through fallback transactions. Expect an improvement with stronger efforts to educate and share information throughout the year.
- Financial institutions will turn the tables on criminals with more ingenuity through stronger authentication. Creative, out-of-the box thinking is on the tips of everyone’s tongues wherever I go today. Account-based questions combined with a true empowerment for front line staff is happening. We are realizing that there is not a single methodology to authenticating a consumer, so expect to see a mixed varietal approach in 2017 that involves a stronger human element.
- ATM fraud is here to stay for a while. Expect to see a significant number of unauthorized ATM withdrawals through the first three quarters of 2017. Eventually we will see a compression as to where the ATM cash out activity is occurring as more ATMs are equipped to authenticate chip. The liability shift looming in the distance for VISA in October 2017 will also have a positive impact by narrowing the criminal’s playing field and possibly shifting fraud more strongly into the card-not-present category, as predicted by many.
CO-OP Financial Services will continue to perpetuate the sharing of information each month during our FraudBuzz webinar events. Be sure to register now for the 2017 series, held monthly on the third Thursday at 11 a.m. Pacific (2 p.m. Eastern). Register today www.co-opfs.org/fraudbuzzwebinar.