Card fraud rates are on the rise in many parts of the world despite the widespread adoption of fraud analytics solutions by financial institutions and retailers, along with EMV in most countries, according to a new global from ACI Worldwide (NASDAQ: ACIW) and Aite Group.
The report Global Consumers: Losing Confidence in the Battle Against Fraud (insert hyperlink) surveyed over 6,000 consumers across 20 countries. It reveals nearly thirty percent of global consumers have experienced card fraud in the past five years, classified as unauthorised activity on three types of payment cards (debit, credit and prepaid). 17 percent of respondents experienced more than one incident of fraud, compared to 13 percent in 2014.
The report warns that fraudsters worldwide are getting more sophisticated. It states that “the underground economy for user information has matured so much as to be indistinguishable from a legitimate economy.”
Widespread risky behaviours, such as leaving a smartphone unlocked when not in use, are another reason for rising fraud rates. According to the report, the overall risk for fraud is rising due to the global increase in smartphone and tablet usage. So-called application fraud is equally on the rise due to consumers publishing increasing amounts of private data on social media platforms.
Andreas Suma, global lead fraud and data, ACI Worldwide comments:
“Our latest report shows that card fraud remains an issue of deep concern for consumers worldwide. As fraudsters are getting more organized it is fair to say that at this point in time, the assumption should be made that almost all users’ credentials and card information has been compromised.
“It is also no surprise that there is a direct correlation between fraud rates and consumer trust and loyalty. As our data illustrates, for financial institutions it is more critical than ever to implement effective fraud prevention solutions.”
Countries with the highest percentage of card fraud
- In 2016, Mexico leads the way at 56 percent, followed by Brazil at 49 percent and the U.S. at 47 percent (In 2014, the UAE, China, India and the U.S. topped the list )
- The U.S. is the only country to remain in the top three list both years, due in part to being a laggard in the roll-out of EMV chip cards, so skimming and data breaches continue to be security challenges
- European countries experience less card fraud than countries in the Americas, mainly due to earlier adoption of EMV* and other security advances; fraud rates for the UK were 29 percent, Italy 27 percent and Germany 18 percent
Risky consumer behaviour
The reports also reveals that risky consumer behaviour is still widespread despite years of education by financial institutions and card issuers. It is surprisingly high in Europe although fraud rates in these countries are often among the lowest worldwide.
- 54 percent of global consumers exhibit at least one risky behaviour—such as keeping one’s PIN with the card—which puts them at higher risk of financial fraud, compared to 50 percent in 2014
- 25 percent of French, 29 percent of Spanish and 21 percent of Dutch respondents said they had left their smartphone unlocked in the last five years when not using it
- 20 percent of Spanish and 18 percent of Italian consumers have used online banking or shopping without security software on a public computer
- 19 percent of Italian respondents admitted they had made a note of their pin and carried it with them or kept it with their card
“The data demonstrates that while consumer trust is improving, financial institutions must be proactive in their efforts to prevent card fraud in order to retain customers,” said Ben Knieff, senior research analyst, Aite Group. “Consumer education and customer service remain a challenge for financial institutions, as risky behavior has a direct correlation to experiencing fraud.”
Consumer trust is improving, but loyalty is still lacking
- 14 percent of global consumers lack confidence that their financial institution can protect them against fraud, down from nearly 20 percent in 2014
- 40 percent of consumers who received replacement cards as a result of a data breach or fraudulent activity use their replacement card less than they used their original card, resulting in lost interchange and interest revenue from decreased usage
- 1 out of every 5 consumers changed financial institutions due to dissatisfaction after experiencing fraud
Commenting on this, Robert Capps, vice president at NuData Security, a company that predicts fraudulent transactions using behavioural biometrics, said
“Finally, we’re seeing data that’s corroborating what we’ve all taken for granted, that the credit card ecosystem has gigantic holes in its security, and the bad guys have not only identified them, but they are actively using them against us.
While fraudsters are getting more sophisticated and organised, they are also growing in numbers. The relative ease in which an individual can commit credit card fraud, along with the sheer volume of cheap card account data available on the black market, makes it a highly lucrative business to be in. When combined with the number of vulnerable merchants, and the lack of accountability, well, every day is Christmas day.
Here’s the math:
Ease of attack +
Bountiful cheap credit card data on the black market +
More opportunity to commit fraud +
Very lucrative +
Little down side of penalties/accountability
= more people who are willing to commit the crime.
So, why the US is the king of card fraud online? It’s the ubiquity of eCommerce merchants that accept credit cards for payment, coupled with a lack of preparation on the part of most eCommerce merchants to combat fraud risks, and made worse by a lack of consistent cooperation between merchants, card brands, and issuing banks, to take a holistic stand against the card fraud risks.
Contrary to some reports, EMV Adoption in the US is not currently driving the increase of Card Not Present (CNP) transaction fraud online – although in time, it will eventually reduce CNP fraud from counterfeit cards being created and used in store.
Consumers as an unwitting accomplice
Consumers are victims of financial/card fraud over and over, because they continue to shop at the same places, and use their cards in the same ways, even after cards have been replaced. Often, falling victim to the same ongoing skimming and data theft attacks against a compromised retailer.
Even our own devices are sometimes complicit in the theft, with malware and other threats often resident on them, leading to immediate re-compromise after a card is replaced by a financial institution.
We’ve seen that new account/application is fraud rising due to the ubiquity of rich consumer data available on social media, and via other sources. Making it easier for those with malicious intent to go out and apply for a loan or credit card in your name, or even engineering their way in to controlling your existing accounts. This puts good cards and accounts in the hands of the bad guy, allowing them more time, and greater access to the credit line of a legitimate consumer, often before the crime is detected and can be mitigated. In some cases, access may persist for months before it is detected – often because the overdue notices begin to arrive in the legitimate customer’s mailbox.
Close the door, for good
There are solutions that protect merchants and consumers from identity and credit card fraud risks. One solution that is seeing broad adoption is based on the science of Behavioural Biometrics, which provides continuous, multi-factor authentication that goes beyond the typical static data matching used to identify consumers to their creditors, merchants, and banks. Behavioural biometrics accomplishes this task, by evaluating the entire customer behaviour profile, built up over time. Providing true insight in to how a customer behaves, and comparing these behaviours to other interactions by this user, it accurately identifies them in future interactions – all without adding friction to the user experience, and without opening up the legitimate user to impersonation and account takeover.
Studies like this continue to highlight what we’ve all been thinking for a long time, namely that true authentication demands a higher degree of scrutiny of the end user at the keyboard, not just device in use, or the static data entered into a web page.”