Change up vul­ner­a­bil­i­ties Slow tran­si­tion to chip-based credit cards leaves av­enue to fraud wide open

The Washington Times Weekly - - Culture, Etc. - BY TOM QUIMBY

It’s the lat­est weapon to com­bat iden­tity theft in the U.S., but chip card tech­nol­ogy won’t do much to stop bil­lions of dol­lars worth of credit fraud over the next few years, ac­cord­ing to the FBI. “With tech­nol­ogy ad­vances and the sig­nif­i­cant in­crease in data breaches and iden­tity theft from com­puter in­tru­sions, we con­tinue to see sig­nif­i­cant in­creases in credit card theft/fraud,” a rep­re­sen­ta­tive from the FBI’s Crim­i­nal In­ves­tiga­tive Di­vi­sion Fi­nan­cial Crime Sec­tion told The Wash­ing­ton Times. “The new EMV chip cards were de­signed to help cur­tail credit card fraud; how­ever, there are still vul­ner­a­bil­i­ties with th­ese cards.”

EMV (which stands for Euro­pay, Master­card, Visa) cards store user data on in­te­grated cir­cuits, or chips, that must be phys­i­cally in­serted into a spe­cial reader in or­der to be ac­cessed.

The in­te­grated cir­cuits, which are nearly im­pos­si­ble to du­pli­cate, pro­vide a layer of se­cu­rity that far sur­passes the mag­netic-stripe tech­nol­ogy that has been in use on credit cards since the 1960s.

Many U.S. busi­nesses have be­gun switch­ing to the tech­nol­ogy, which has been em­ployed widely in Europe for a decade.

But Al Pas­cual, di­rec­tor of fraud and se­cu­rity at cus­tomer trans­ac­tion con­sul­tant Javelin Strat­egy and Re­search, said that un­til the EMV tech­nol­ogy is fully im­ple­mented in the U.S., credit card fraud and iden­tity theft will con­tinue to plague Amer­i­can com­mer­cial and fi­nan­cial in­sti­tu­tions.

“The fraud doesn’t nec­es­sar­ily go away lick­ety-split,” Mr. Pas­cual said. “Some­times it changes, but ei­ther way, we’re in for a bit of a ride un­til about 2018-19,” when full im­ple­men­ta­tion is ex­pected.

U.S. chip cards are vul­ner­a­ble be­cause they also em­ploy mag­netic stripes so that busi­nesses that have not yet made the tran­si­tion to EMV tech­nol­ogy can still ac­cess users’ credit data.

Thieves can eas­ily ex­ploit mag­netic-stripe se­cu­rity weak­nesses to coun­ter­feit credit cards by us­ing some­one else’s per­sonal in­for­ma­tion. They also can ac­quire ac­count in­for­ma­tion by in­stalling tiny card scan­ners in­side cardswip­ing de­vices.

To pre­vent such a breach, credit card is­suers even­tu­ally will have to pro­vide EMV cards that have no stripe or stripe-scan­ning ca­pa­bil­i­ties.

It’s a chal­leng­ing tran­si­tion that Mr. Pas­cual said is long over­due.

Euro­pean mar­kets switched to EMV tech­nol­ogy about 10 years ago, and con­sumers there foot the bill for fraud. Be­fore last month, U.S. banks that is­sued credit cards were re­spon­si­ble for pay­ing for fraud.

“The U.S. is one of the very last mar­kets to go to EMV,” Mr. Pas­cual said. “We’re on a short list with Pa­pua New Guinea and Mon­go­lia. You start to con­sider that. Where does that leave crim­i­nals to go?”

Some ex­perts say they an­tic­i­pate an in­crease in In­ter­net fraud be­cause of the new EMV cards, which are driv­ing crim­i­nals to seek out eas­ier fraud op­por­tu­ni­ties on­line. How­ever, Mr. Pas­cual said the new cards have noth­ing to do with grow­ing e-commerce fraud, which re­sulted in a $10 bil­lion loss for U.S. busi­nesses in 2014.

Fi­nan­cial in­sti­tu­tions had been re­quired to pay for credit and debit card fraud un­til Oct. 1. Now who­ever has the old­est tech­nol­ogy when the fraud oc­curs — the bank or the merchant — de­ter­mines who cov­ers the cost for the crime.

Mean­while, e-commerce fraud in com­ing years is pro­jected to surge by 90 per­cent over 2014’s mark.

“It’s go­ing to grow to $19 bil­lion by 2018, but it was al­ready on that tra­jec­tory,” Mr. Pas­cual said. “It had noth­ing to do with EMV. Crim­i­nals are very good in that space [e-commerce]. They hide be­hind a whole lot of le­git­i­mate trans­ac­tion vol­ume.”

For ex­am­ple, card-not-present (CNP) fraud is grow­ing briskly, thanks to the In­ter­net. Such fraud is com­mit­ted with­out the phys­i­cal card in hand. Ac­count in­for­ma­tion can be gleaned via an on­line data breach, a card scan­ner or by some­one briefly in pos­ses­sion of a card such as a sales­per­son. CNP pur­chases can be made with that in­for­ma­tion on­line, on an or­der form or over the phone.

Com­pli­cat­ing ef­forts to fight on­line fraud is the fact that grow­ing num­bers of hack­ers and fraud­sters are op­er­at­ing over­seas. U.S.-based op­er­a­tives called “run­ners” do the leg­work for their for­eign coun­ter­parts, such as buy­ing gift cards us­ing coun­ter­feit credit cards.

“Cy­ber­crime can vic­tim­ize mil­lions of users and orig­i­nate any­where in the world, so in­ter­na­tional co­op­er­a­tion is cru­cial,” the FBI rep­re­sen­ta­tive said. “It is an un­der­state­ment to say that main­tain­ing or­der in a bor­der­less, vir­tual world poses sub­stan­tial chal­lenges for law en­force­ment or­ga­ni­za­tions lim­ited by na­tional, po­lit­i­cal and le­gal bound­aries. We face con­flict­ing laws, dif­fer­ent pri­or­i­ties and di­verse crim­i­nal jus­tice sys­tems while com­bat­ing cy­ber­crime.”

Per­sonal in­for­ma­tion gleaned from data breaches can be used to open fraud­u­lent credit card ac­counts. Mr. Pas­cual said that’s what hap­pened in Bri­tain af­ter it switched to EMV tech­nol­ogy 10 years ago.

“We saw an in­crease in ap­pli­ca­tion fraud and ac­count takeovers, be­cause when the crim­i­nals couldn’t coun­ter­feit the cards any­more, they started ap­ply­ing for the cards, or they started tak­ing over ex­ist­ing ac­counts and had [EMV] cards mailed to them,” he said.


U.S. chip cards are vul­ner­a­ble be­cause they also em­ploy mag­netic stripes so that busi­nesses that have not yet made the tran­si­tion to EMV tech­nol­ogy can still ac­cess users’ credit data.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.