Fraud is Dead! Long Live Fraud?
I think it’s objectively clear now that EMV has stopped card-present counterfeit fraud. Truth to tell, it has been clear for some time, but it’s worth restating – EMV works. The simple graphic below, from UK Finance, tells the story quite succinctly. Counterfeit card fraud fell from 18% of total card fraud in 2009 to only 2% in 2018.
Figure: Fraud in the UK, 2009 vs 2018 [1]
What does that mean in actual dollars and cents? Well, the next graphic (from the same source) sums that up too, showing a reduction in counterfeit fraud from £80.9M to £16.3M.
Figure: Fraud in the UK, 2009 vs 2018, Counterfeit vs Lost and Stolen [2]
However, at the same time, lost and stolen fraud has almost doubled, from £47.2M to £95.3M – or, put another way, lost and stolen fraud is now larger than counterfeit fraud was in 2009! Similar trends are happening with card-not-present fraud as well, as shown in the image below from a European Central Bank paper from last year.
Figure: Fraud in the EU, 2012 vs 2016 [3]
Squeezing the Fraud Balloon
The above poses a few different questions:
- If EMV works so well at reducing counterfeit fraud, why is there still 2% of this type of fraud in the UK?
- Are we ever going to solve fraud, or are we doomed to playing ‘whack-a-mole’ and just moving it from one area to another?
So, starting at the start, how do we still have counterfeit fraud? Well, as I discuss in my Payments book (shameless plug: https://connect.ul.com/eBook-Securing-Digital-Payments.html), one problem can be in how EMV is implemented. The security of EMV is essentially based on authentication of the customer, of the transaction and of the card, and that authentication is facilitated by cryptography on the card and at the payment back end. Unfortunately, it is not unheard of for issuers to configure their cards incorrectly, or to check the responses from EMV transactions incorrectly, so that the fraud protection the EMV authentication should provide is never realized.
Additionally, EMV only helps reduce fraud when EMV technology is actually used. We still (still!) have people around the world being issued and using magnetic stripe cards, and even EMV-capable cards may undergo ‘technological fallback’ to magnetic stripe use (or even embossed use!) if there is a problem with the terminal or the card interacting with the EMV chip.
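To make the two failure modes above concrete, here is a simplified issuer-host authorization check, written as an added example for this post (it is not code from the post, from UL, or from any card scheme). The cryptogram is an HMAC-SHA256 stand-in for the real EMV application cryptogram, and the key derivation, field layout, card key and entry-mode labels are all constructed assumptions. It shows a host that fails closed on a cryptogram mismatch, the same host misconfigured to approve anyway (the "incorrectly check the responses" case), and a fallback transaction routed to review because it carries no cryptographic evidence.

```python
"""Simplified issuer-host authorization check for EMV transactions.

Added example, not code from the original post or from any card scheme.
The cryptogram is an HMAC-SHA256 stand-in for the real EMV application
cryptogram (a 3DES/AES MAC over scheme-defined data); the key derivation,
field layout, card key and entry-mode labels are constructed for this
illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed per-card master keys, as the issuer would hold them in its HSM.
ISSUER_CARD_KEYS: Dict[str, bytes] = {
    "4000000000000002": bytes.fromhex("00112233445566778899aabbccddeeff"),
}


def session_key(master_key: bytes, atc: int) -> bytes:
    """Assumed derivation: one session key per Application Transaction Counter value."""
    return hmac.new(master_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def compute_cryptogram(master_key: bytes, pan: str, atc: int, amount_cents: int,
                       currency: str, unpredictable_number: int) -> bytes:
    """What the chip produces and what the issuer recomputes: an 8-byte MAC
    binding the card, counter, amount, currency and terminal nonce together."""
    data = b"|".join([
        pan.encode(),
        atc.to_bytes(2, "big"),
        amount_cents.to_bytes(6, "big"),
        currency.encode(),
        unpredictable_number.to_bytes(4, "big"),
    ])
    return hmac.new(session_key(master_key, atc), data, hashlib.sha256).digest()[:8]


@dataclass
class AuthRequest:
    pan: str
    entry_mode: str            # "chip", "contactless", "magstripe" or "fallback"
    atc: int
    amount_cents: int
    currency: str
    unpredictable_number: int  # terminal nonce echoed in the request
    arqc: Optional[bytes]      # cryptogram from the chip; None for swipes


def authorize(req: AuthRequest, fail_closed: bool = True) -> Tuple[str, str]:
    """Return (decision, reason). fail_closed=False models the misconfigured
    host the post describes: it computes the cryptogram but approves anyway."""
    master_key = ISSUER_CARD_KEYS.get(req.pan)
    if master_key is None:
        return "decline", "unknown card"

    if req.entry_mode in ("chip", "contactless"):
        if req.arqc is None:
            return "decline", "chip transaction without cryptogram"
        expected = compute_cryptogram(master_key, req.pan, req.atc, req.amount_cents,
                                      req.currency, req.unpredictable_number)
        # Constant-time comparison so the check itself leaks nothing about the MAC.
        if hmac.compare_digest(expected, req.arqc):
            return "approve", "cryptogram verified"
        if fail_closed:
            return "decline", "cryptogram mismatch"
        return "approve", "cryptogram mismatch ignored (misconfiguration)"

    if req.entry_mode == "fallback":
        # An EMV card presented on the stripe carries no cryptographic evidence;
        # route it to risk review rather than treating it as a normal swipe.
        return "refer", "technical fallback on chip-capable card"

    return "refer", "magnetic stripe: no cryptographic authentication"
```

The point to take from the two `authorize` paths is that the cryptography is only as good as the decision logic behind it: a host that derives the right key and recomputes the right MAC but then approves on a mismatch has spent the effort and bought none of the protection.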
Security vs Usability
Can we ever hope to stop fraud completely then? Probably not. Not completely. However, I think we can mitigate it and reduce the overall level. But there will always be some residual level of fraud that is inescapable, either because it’s intractable or because driving that last bastion of fraud away is just not feasible from an economic or operational point of view (for example, if we stopped accepting payments, we’d reduce payment fraud to zero – job done! No??).
This speaks to the fact that we operate within a risk landscape, and that risk is reduced through controls (operational, physical, logical) to an acceptable level of residual risk. But we do need to be mindful that the further we reduce the risk, the more controls we need to place on ourselves and our systems. You can think of this as a Venn diagram (as shown below).
As we’ve reduced the residual risk of counterfeit fraud through controls such as EMV, fraud has migrated to other channels – card not present, or lost and stolen. These types of fraud require different controls to mitigate, and as an industry we’re working on that with things like the PSD2 requirements for strong authentication, and technical solutions such as risk-based authentication and EMVCo 3DS v2.
However, these controls have impacts on how we perform and process payments. The PSD2 limits on contactless transactions with no CVM (up to 5 transactions, or a total of €150 in cumulative purchases) affect how you have to personalize your cards as an issuer, and how contactless systems may work for things like the upcoming PCI Contactless Payments on COTS (CPOC) standard.
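The no-CVM limits just mentioned are easier to reason about as state than as prose, so here is an added example (not code from the post or from any scheme or regulator) of the two counters an issuer or card would keep. The 5-transaction and €150 cumulative limits are the figures quoted above; keeping the counters on the issuer host, the reset-on-successful-CVM rule and the `simulate` helper are assumptions of this illustration.

```python
"""No-CVM contactless counters in the shape the post describes for PSD2.

Added example, not code from the original post or from any scheme
specification. The two limits (5 consecutive no-CVM transactions, EUR 150
cumulative since the last CVM) are the ones the post quotes; holding the
counters on the issuer host and resetting both on a successful CVM are
assumptions of this illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

MAX_NO_CVM_COUNT = 5
MAX_NO_CVM_CUMULATIVE_CENTS = 150_00   # EUR 150, kept in cents to avoid float rounding


@dataclass
class ContactlessCvmState:
    """Counters since the customer last performed a CVM (PIN, biometric, ...)."""
    consecutive_no_cvm: int = 0
    cumulative_no_cvm_cents: int = 0

    def cvm_required(self, amount_cents: int) -> Tuple[bool, str]:
        """Decide whether this contactless purchase may go through without a CVM."""
        if self.consecutive_no_cvm >= MAX_NO_CVM_COUNT:
            return True, "transaction-count limit reached"
        if self.cumulative_no_cvm_cents + amount_cents > MAX_NO_CVM_CUMULATIVE_CENTS:
            return True, "cumulative-amount limit would be exceeded"
        return False, "within no-CVM limits"

    def record(self, amount_cents: int, cvm_performed: bool) -> None:
        """Update the counters after an approved transaction."""
        if cvm_performed:
            # A successful CVM re-authenticates the cardholder; both counters restart.
            self.consecutive_no_cvm = 0
            self.cumulative_no_cvm_cents = 0
        else:
            self.consecutive_no_cvm += 1
            self.cumulative_no_cvm_cents += amount_cents


def simulate(purchases_cents: List[int]) -> List[bool]:
    """Run a sequence of contactless purchases against a fresh state and return,
    per purchase, whether the terminal had to ask for a CVM. Assumes the
    cardholder completes the CVM whenever it is requested."""
    state = ContactlessCvmState()
    outcome = []
    for amount in purchases_cents:
        required, _reason = state.cvm_required(amount)
        outcome.append(required)
        state.record(amount, cvm_performed=required)
    return outcome
```

Note that the count limit and the amount limit are independent: six €20 purchases trip the count limit with only €100 spent, while three purchases of €60, €60 and €40 trip the amount limit on the third tap. That is why the card personalization and the host logic both have to carry the state, rather than a single threshold.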
Even if we get these controls right, and reduce CNP and lost and stolen fraud (which I personally think we will be able to do), it really just means that fraud is going to migrate somewhere else. Back-end security, and the controls around enrolment, digitization and open banking, are the next big areas to be addressed and definite growth areas for fraud. As we close the existing bolt-holes the fraudsters are scurrying down, how are you ensuring you’re not going to be the next target?