I’m not much of a Nostradamus, but one thing I can predict with near certainty is that this time next year we are likely to find ourselves witnessing an all-time high in the rate of online credit and debit card fraud. Ironically, that surge in online theft will be the result of efforts to make the offline use of credit and debit cards more secure.
By Oct. 1 of next year, retail establishments are supposed to be able to accept new credit and debit cards that have a chip embedded and require the use of a PIN when making purchases at the checkout counter. The point is to make the cards smarter so that financial institutions can better detect fraudulent usage. Requiring a PIN clearly adds a layer of identification and protection that can deter such fraud.
How do we know that this effort to increase security at the point of sale is going to actually drive online fraud? We already saw it happen in Europe.
Related: Preventing Another Target Attack
In 2002, European financial institutions starting rolling out these very same cards and point-of-sale terminals. We call this technology EMV (Europay, MasterCard and Visa). Financial institutions intend to make EMV a global standard for authenticating credit and debit card transactions using integrated chip technology.
This technology has now been partially or fully deployed in about 14 countries and regions, including most Asian Pacific nations, all of Europe, most of Latin America and the Caribbean. Every country and region in which EMV has been deployed has seen a corresponding surge in online fraud.
Four years after beginning the deployment of cards and new point-of-sale terminals, about 99 percent of businesses and consumers were utilizing EMV. No doubt the cards were effective at cutting offline abuse. Before EMV, Europe saw fraud losses in stores of about 13 basis points of net sales. After EMV, the offline fraud rate plummeted to just 3.5 basis points, according to Douglas King in the study, “Chip-and-Pin: Success and Challenges in Reducing Fraud.”
However, the online world was a fraud nightmare. Online credit and debit card fraud rates more than doubled from the pre-EMV days. In 2004, Europe had an online credit and debit card fraud rate of 25 percent. By 2010, the rate had soared to 64 percent. Further, the European Central Bank’s February 2014 report on card fraud found that card-not-present (CNP) payments, i.e. payments via the internet, post or phone, were the source of 60 percent of total fraud incidents across Europe in 2012. With about $1.1 billion in fraud losses in 2012, CNP fraud showed the highest growth rate, up 21.2 percent from 2011, and analysts project this growth rate will continue to increase in 2013 and 2014.
Making credit and debit cards smarter made the crooks smarter. They stopped using cards with EMV technology in brick-and-mortar stores. Even the thieves knew that using one of the new EMV cards in a store was quickly going to get the card shut down.
So they doubled their efforts at stealing online, where the chips in cards did no good when all that was required were card numbers. Additionally, the bad guys shifted more of their nefarious online activity to foreign countries where it’s even harder to tell a legitimate card user from a thief.
When EMV technology was established, the crooks also started targeting debit cards over credit. Most debit cards use the magnetic stripe and therefore behave like credit cards without the chip and pin, making it easier for fraudsters to exploit both offline using the swipe and online using the debit card number.
Some will probably ask why online retailers don’t just require a PIN for all purchases as in-store clerks do with EMV. We may see more of that kind of adoption here in the U.S. than we’ve seen in other countries that saw this surge in online fraud, even as offline fraud declined. However, putting any barrier to check out in the ecommerce world means a lot of full shopping carts that never make it to purchase.
We’re all just going to have to be a lot more vigilant about how and when our cards are used. My financial institution now emails me every time one of my cards is charged. I can even set limits so I only get notified for charges more than $25.
But something tells me I’m going to be sitting in my living room in California when I get an email notifying me I just bought a couch in Russia. Let’s just hope I’m no Nostradamus.