Cases of card-not-present (CNP) fraud are continuing to rise across all corners of the globe, as EMV forces criminals away from traditional fraud channels. The latest evidence for this trend comes from Australia. According to figures from the Australian Payments Clearing Association (APCA), the country saw credit and debit card fraud increase by more than a quarter (26 per cent) between 2013 and 2014. It now stands at 58.8 cents per $1,000 transacted – up from 46.6 cents the year previously, and significantly higher than the less than one cent per $1,000 registered for cheque fraud. Of this increase, CNP fraud – which can occur in transactions made over the phone and via mail, but today mostly involves payments made online – accounted for a staggering 94 per cent. CNP fraud itself increased 42 per cent year on year, costing Australians $299.5 million over the 12-month period, the Australia Payments Fraud – Details and Data report revealed.
The trend is in no respect unique to Australia. The APCA noted that the rise in Australian CNP fraud has been consistent with that in other countries, including the UK, where it cost consumers and businesses a massive £331.5 million in 2014 – up ten per cent year on year. The report also pointed to the suspected root cause of this phenomenon: that fraudsters tend to migrate from one set of techniques to another as merchants and financial services providers incrementally fix the vulnerabilities they would have previously preyed on. So, for example, as EMV technology – or Chip and PIN – becomes more mainstream, criminals are gradually moving online “where frauds are easier to perpetrate”.
This has happened concurrently with an increase in the scale and frequency of cyber attacks that target credit and debit card numbers, such as the recent high-profile data breaches. These incidents resulted in tens of millions of customers’ records ending up on online black markets, giving would-be fraudsters ample material to commit CNP fraud.
How can CNP fraud be prevented?
The APCA report suggested that one of the payment industry’s most important weapons in the fight against CNP fraud is tokenisation. This describes a technique in which credit and debit card numbers themselves are not stored in merchants’ systems, with non-sensitive values – or tokens – taking their place. It could, however, be a long time before tokenisation is ubiquitous, as it would require countless payment processors to upgrade their systems. Moreover, it offers nothing to prevent the unauthorised use of card numbers that have already been compromised – although older card numbers are, by their very nature, less likely to prove fruitful for criminals.
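To make both halves of that paragraph concrete, here is an added sketch (not taken from the APCA report or from any payment provider's code). The TokenVault and Merchant classes, the "tok_" token format and the sample card numbers are all assumptions made for illustration; the card numbers are widely published test values.

```python
import secrets

def luhn_ok(number: str) -> bool:
    """Luhn checksum that every payment card number satisfies."""
    digits = [int(d) for d in reversed(number)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

def looks_like_pan(value: str) -> bool:
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_ok(value)

class TokenVault:
    """Hypothetical token service: the only system that ever stores card numbers."""
    def __init__(self):
        self._pan_by_token, self._token_by_pan = {}, {}

    def tokenise(self, pan: str) -> str:
        if not looks_like_pan(pan):
            raise ValueError("not a valid card number")
        if pan not in self._token_by_pan:
            # Random value with no mathematical link to the card number.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenise(self, token: str) -> str:
        return self._pan_by_token[token]  # KeyError for unknown tokens

class Merchant:
    """Merchant order store: holds tokens only, never card numbers."""
    def __init__(self, vault: TokenVault):
        self.vault, self.orders = vault, []

    def checkout(self, pan: str, amount_cents: int) -> str:
        token = self.vault.tokenise(pan)
        self.orders.append({"card": token, "amount_cents": amount_cents})
        return token

def pans_in_dump(records) -> list:
    """What a card-number scan finds in a copy of the merchant's order table."""
    return [r["card"] for r in records if looks_like_pan(r["card"])]

# Constructed data: published test card numbers, not real accounts.
LEGIT_PAN, STOLEN_ELSEWHERE_PAN = "4111111111111111", "5555555555554444"

if __name__ == "__main__":
    shop = Merchant(TokenVault())
    shop.checkout(LEGIT_PAN, 2500)
    # Accepted like any other card: tokenisation cannot tell who is typing the number.
    shop.checkout(STOLEN_ELSEWHERE_PAN, 9900)
    print(shop.orders, pans_in_dump(shop.orders))
```

A copy of the merchant's order table yields no usable card numbers, yet a number compromised elsewhere is tokenised and accepted exactly like a legitimate one, which is why tokenisation has to be paired with the other controls discussed here.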
Another potential safeguard against CNP fraud is the use of two-factor authentication, in which criminals armed with compromised data are given an extra hurdle to jump – they might be required to enter a one-time passcode sent to the cardholder’s mobile phone, for example, or else submit to a biometric scan. The benefits of this are obvious, although one common complaint is that it sacrifices usability in favour of security – customers often find themselves having to jump through hoops simply to make a small transaction on a secure and trusted device. Visa and MasterCard are already looking beyond their online password systems (Verified by Visa and MasterCard SecureCode), both because they do not consider these systems secure enough and because the systems are another barrier to seamless payments.
In reality, it’s probably a combination of tokenisation, risk-based authentication – in which additional security measures are only mandated for high-risk transactions – and fraud detection software that will ultimately drive down the increase in CNP fraud. The last of these – fraud detection – is key. No system is 100 per cent secure, so card details will always be compromised. By analysing potentially fraudulent transactions in real time, we can block suspicious activity and ensure we keep a lid on CNP fraud.