May 9, 2017
The replacement of magnetic cards has shifted the threat matrix from the card to the consumer – and we’re more at risk than ever
Bank fraud is a big, ripe and juicy target. For many of us, it’s very satisfying to track it down and shut it down. But it’s also a moving target – we shut it down here, it moves over there. And at times, it moves much faster than us.
Example: Barely three years ago, the threat du jour was magstripe data theft. Massive breaches at major retailers like Target and Home Depot – and others that didn’t get the same attention – led to millions of credit card accounts being compromised. Security professionals worked frantically to rectify the vulnerabilities, retailers and banks alike took a financial hit, and consumers wondered how bad it would get. But on the bright side, we got chip cards, which are more secure than the magnetic stripe cards we had before. Problem solved, right?
Wrong! Very, very wrong. In fact, 2016 brought us new records for credit card and identity theft leading to… bank fraud. And yes, the new kind is even worse than the old.
It’s not that the fraudsters simply compromised the chip the way they did the stripe. That may happen in some rare instances, but the truly worrisome threat is a more serious one – a strategy that targets the person rather than the card. In this iteration of modern-day fraud, the scammers impersonate unwitting individuals in order to obtain a replacement card, or even apply for a new one. The only obstacle here is the identity verification controls used by the banks’ call centers – and it’s not a very big obstacle.
Shortly after the introduction of chip cards, there was a sharp uptick in the number of data breaches in the healthcare industry. These exposed hundreds of millions of records containing personally identifiable information (PII) on US consumers. As a result, these cybercriminals now have massive repositories of their own version of Big Data, and they use it to prey on individuals and institutions everywhere. This is a more dangerous vulnerability than any we’ve seen before.
And in the free market, this is for sale. Fraudsters can roam the dark web and get a full profile of an individual – name, SSN, address, phone number, email addresses, age, passwords, answers to security questions and more, mostly stolen during those healthcare breaches – for as little as $35. This wealth of data makes it ridiculously simple to hijack someone’s identity, reset passwords, hack emails, and take full control of the bank account.
Again, this strain of fraud originates at the call center. Most of the authentication controls used in call centers are behind the times, or entirely broken, and with all the PII these criminals have, it’s easy to control an existing account, run up the credit card or get a new bank loan. Meanwhile, the financial services industry is having trouble implementing a truly effective solution, in part because any new security measure takes its toll on customer convenience.
But it’s not just banks and call centers feeling the heat – many online merchants are experiencing losses and brand damage too. Modern consumer expectations, particularly those related to instant gratification, lead to problems as well. For example, many retailers are adopting faster delivery models like in-store pickup, where the order is placed online and the goods can be picked up at any store in the US, sometimes within 30 minutes. That’s perfect for many consumers – but because the goods don’t need to be shipped to a recorded address, the transactions bypass any blacklist of negative addresses that banks or merchants have on file. Meanwhile, every order is a potential chargeback for the merchant.
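To make that gap concrete, here is an added example (not code from the original post) of a constructed order-screening routine: the naive version matches only the ship-to address against the negative list, so a pickup order with no ship-to is never matched, while the hardened version also screens the billing address and applies a velocity check on the card token for pickup orders. The order fields, list contents and limits are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

def norm(addr: str) -> str:
    """Normalise an address for list matching (case and whitespace)."""
    return " ".join(addr.lower().split())

# Constructed negative-address list; not real data.
NEGATIVE_ADDRESSES = {norm("12 Drop St, Anytown, US")}

@dataclass
class Order:
    order_id: str
    fulfilment: str            # "ship" or "pickup"
    ship_to: Optional[str]     # None for in-store pickup
    bill_to: str
    card_token: str

def naive_screen(order: Order) -> str:
    """Ship-to-only check: a pickup order has no ship-to, so it always passes."""
    if order.ship_to and norm(order.ship_to) in NEGATIVE_ADDRESSES:
        return "review"
    return "approve"

def hardened_screen(order: Order, recent: List[Order], pickup_limit: int = 2) -> Tuple[str, List[str]]:
    """Screen on attributes every order carries, plus card velocity for pickup orders."""
    reasons = []
    for label, addr in (("ship_to", order.ship_to), ("bill_to", order.bill_to)):
        if addr and norm(addr) in NEGATIVE_ADDRESSES:
            reasons.append(f"{label} matches negative-address list")
    if order.fulfilment == "pickup":
        prior = [o for o in recent if o.card_token == order.card_token and o.fulfilment == "pickup"]
        if len(prior) >= pickup_limit:
            reasons.append(f"{len(prior)} prior pickup orders on the same card")
    return ("review" if reasons else "approve", reasons)

# Constructed sample: a pickup order billed to a listed address, after two earlier pickups on the same card.
RECENT = [Order("o1", "pickup", None, "5 Elm Rd, Anytown, US", "tok_A"),
          Order("o2", "pickup", None, "5 Elm Rd, Anytown, US", "tok_A")]
PICKUP = Order("o3", "pickup", None, "12 drop st, anytown, us", "tok_A")
SHIPPED = Order("o4", "ship", "12 Drop St, Anytown, US", "12 Drop St, Anytown, US", "tok_B")

if __name__ == "__main__":
    for o in (SHIPPED, PICKUP):
        print(o.order_id, naive_screen(o), hardened_screen(o, RECENT))
```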
These attacks are relentless and create complex challenges for banks, credit unions, and online merchants. To effectively fight back, we need new solutions that go beyond the traditional approach based on ‘what you know’ and ‘what you have.’
Identity verification and authentication as a discipline desperately needs the adoption of new technologies and strategies that cover the whole equation: proving that the device is trusted, that it belongs to the customer, and that it is being used by the right person right now. We need measures that span every tactic, from identifying burner phones to biometric techniques such as facial intelligence.
Face recognition, for example, looks very promising, but it is not yet mainstream. There are several challenges that need to be addressed for this technology to become effective in fraud prevention. Banks are definitely under pressure and in need of a better solution than the existing ones. They need to implement new holistic solutions now, solutions that look at the individual behind the transaction in a more comprehensive way. Time is of the essence.
As a consumer and fraud-risk specialist, I have mixed feelings about chip cards. The technology was arguably better than its predecessors, but the shift somehow led to more dangers, more attacks, and more losses. The criminals have stepped up their game; we need to step up too, and develop broader and multi-layered defenses that keep them out.