In 2016 the checkout line is going to look a lot different, as EMV and mobile payment adoption by merchants accelerates. Accepting these new payment methods is a substantial change to our payment system, and one that is set to shift fraud patterns. There is a lot of speculation about what will happen to fraud globally after the implementation is complete, and this webinar will sift fact from fiction.
In this webinar we will cover:
* How will EMV and mobile payment adoption impact global fraud trends?
* Is it possible for EMV cards to be hacked?
* Are Apple Pay and other mobile payments systems safer than EMV cards?
Watch the replay here: http://www.easysol.net/resources-how-emv-and-mobile-payments-are-shifting-fraud
1. How EMV & Mobile Payments are Shifting Fraud
Dee Millard
Anti-Fraud Solutions Consultant
info@easysol.net
3. Why EMV in the U.S.?
Source: https://www.firstdata.com/downloads/pdf/FirstData_EMV_TimelineAS.pdf
4. October 1st, 2015
Businesses still using magnetic stripe terminals after October 1, 2015, are on the hook for the costs if someone uses a lost or stolen credit card.
Source: https://www.firstdata.com/downloads/pdf/FirstData_EMV_TimelineAS.pdf
5. Simply blocking off one of the avenues of attacks by fraudsters isn't enough to make fraud vanish.
Ross Anderson
Professor of Security Engineering at University of Cambridge
http://www.npr.org/sections/alltechconsidered/2013/12/19/255558139/outdated-magnetic-strips-how-u-s-credit-card-security-lags
7. Shift to Card Not Present Fraud
What we can expect:
• Online and Phone channel
• Purchases of high value items
• Gift cards, electronics, jewelry, etc.
What others have done to prepare:
• Improve controls – add additional authentication methods (passwords, security questions, etc.)
• Train call center staff
8. Shift to Black Market Data for Sale
• Credit Card Data
• PII – used to create fake identities to obtain credit cards
• Stolen goods from online CNP fraud
9. Shift to Non EMV Compliant Terminals
October 2016 EMV Deadline October 2016/2017 EMV Deadline
Card Skimming: Where a customer's card information and PIN are captured
Card Trapping: When a customer’s card is physically captured
Cash Trapping: A device that will trap any cash that the ATM tries to dispense
ATMs Gas Stations
10. How chip cards can be hacked...
• Second chip embedded in card, glued on over original chip
• Allowed transactions to go through when the terminal tried to verify if the PIN was correct
• Classified as Man-in-the-Middle as the attackers were able to change communication between parties who think they are talking with each other directly
http://www.networkworld.com/article/2997794/security/how-hackers-compromised-chipped-credit-cards-and-how-the-authorities-discovered-it.html
11. EMV
• Older technology
• Can use tokenization, but not standard
• Does not factor in online
• Payment terminals are required to accept
Mobile Payments
• Newer technology
• Most use tokenization as standard
• Same security for online payments
• Segmented mobile wallets mean different acceptance
13. Is Apple Pay Fraud Growing?
• In theory should cut down on fraud, by generating essentially new credit card numbers for each transaction
• Vulnerability in “onboarding” new credit cards – just need basic information
• Banks desperately wanted to be the default card for Apple Pay, so did not question information Apple gave them (fear of missing out on initial sign ups)
• Affected users often directed to call centers, who often fall prey to social engineering
“Leads to a thriving black market where thieves enter stolen credit card numbers into iPhones, essentially turning the device into a credit card, and walk out with merchandise.”
– Andrew Sorkin, New York Times
14. 87% of Millennials say their phones never leave their side
80% reach for their smartphone first thing in the morning
78% spend more than two hours a day texting, surfing, talking, tweeting and — more importantly for businesses — shopping, banking and more
Source: http://www.usatoday.com/story/money/personalfinance/2014/09/27/millennials-love-smartphones-mobile-study/16192777/
16. The bottom line: Each dollar worth of fraud committed using mobile devices costs the scammed merchant $3.34.
http://www.bloomberg.com/news/articles/2015-02-13/mobile-payment-fraud-is-becoming-a-pricey-problem
“We certainly see a surge in mobile payment attacks,” says Tomer Barel, chief risk officer at PayPal, who says his company deals with more cases of fraud on mobile devices than on PCs.
18. Are you prepared?
• Utilize the lessons learned from previous shifts
• Understand your risk based on your customer base and product offerings
• Strengthen the security of Card-Not-Present channels
• Deploy solutions that can easily use a mix of techniques and attributes
- Suspicious events, not just transaction behavior
- Geolocation, Device IDs
- Multiple cards used with same IP or single card with multiple emails
• Continually provide training
• Evaluate existing fraud strategies – identify gaps, bridge the gaps
• Retest existing channels
• Implement and document an action plan
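The two link attributes named on this slide (multiple cards used with the same IP, a single card with multiple emails) can be written as sliding-window rules over card-not-present events. The Python below is an added example, not part of the original presentation or of any vendor product; the field layout, thresholds, one-hour window and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample card-not-present events (illustrative, not real data).
# Fields: timestamp, card token (never a raw PAN), source IP, customer email.
EVENTS = [
    ("2016-01-05T10:00:00", "tok_A", "203.0.113.7", "a@example.com"),
    ("2016-01-05T10:08:00", "tok_B", "203.0.113.7", "b@example.com"),
    ("2016-01-05T10:19:00", "tok_C", "203.0.113.7", "c@example.com"),
    ("2016-01-05T12:00:00", "tok_D", "192.0.2.10", "d1@example.com"),
    ("2016-01-05T12:10:00", "tok_D", "192.0.2.11", "d2@example.com"),
    ("2016-01-05T12:25:00", "tok_D", "192.0.2.12", "d3@example.com"),
    # Shared office/NAT address: three cards, but hours apart.
    ("2016-01-05T09:00:00", "tok_F", "198.51.100.20", "f@example.com"),
    ("2016-01-05T11:30:00", "tok_G", "198.51.100.20", "g@example.com"),
    ("2016-01-05T14:00:00", "tok_H", "198.51.100.20", "h@example.com"),
    # Same customer, email differs only by case.
    ("2016-01-05T15:00:00", "tok_I", "192.0.2.50", "I@Example.com"),
    ("2016-01-05T15:05:00", "tok_I", "192.0.2.50", "i@example.com"),
]

def flag_links(events, window=timedelta(hours=1), cards_per_ip=3, emails_per_card=3):
    """Return sorted (rule, key) alerts for the two link rules on the slide."""
    parsed = sorted((datetime.fromisoformat(ts), card, ip, email.lower())
                    for ts, card, ip, email in events)
    by_ip = defaultdict(list)    # ip   -> [(time, card)] inside the window
    by_card = defaultdict(list)  # card -> [(time, email)] inside the window
    alerts = set()
    for ts, card, ip, email in parsed:
        checks = (
            ("many_cards_one_ip", by_ip, ip, card, cards_per_ip),
            ("one_card_many_emails", by_card, card, email, emails_per_card),
        )
        for rule, index, key, value, threshold in checks:
            # Drop observations older than the sliding window, then add this one.
            recent = [(t, v) for t, v in index[key] if ts - t <= window]
            recent.append((ts, value))
            index[key] = recent
            if len({v for _, v in recent}) >= threshold:
                alerts.add((rule, key))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, key in flag_links(EVENTS):
        print(f"ALERT {rule}: {key}")
```

The time window is what keeps a shared office or carrier NAT address from alerting on ordinary traffic; widening it trades fewer misses for more false positives.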
19. Take a proactive approach to understanding the threats
Rogue App Monitoring | Compromised Card Monitoring
20. Why is it Important?
Brand and Fraud Intelligence
• Proactively shut down threats
• Continually monitor for threats
• Social Media
• Card Monitoring
• Similar Domain
• Email Spoofing
• Website Defacements
• Rogue Mobile Applications
The U.S. is the last member of the top 20 world economies to commit to a liability shift associated with chip payments.
Card losses are getting out of control.
Businesses still using magnetic stripe terminals after October 1, 2015, are on the hook for the costs if someone uses a lost or stolen credit card.
https://www.firstdata.com/downloads/pdf/FirstData_EMV_TimelineAS.pdf
With EMV adoption, card fraud will not be significantly reduced; it will more or less just shift to other channels.
Talk about the US adopting Chip and Signature vs. Chip and PIN (nationally). Online and eCommerce fraud will increase. The countries before us reported the shift of card fraud from the POS to other channels like Card Not Present.
Black market traffic has also increased, and it is a thriving business for criminals. They can buy stolen credit card data, which they use to buy merchandise online, and they can sell on this market as well. There is also a lot of PII they can buy, which they can use to create synthetic fraud identities to apply for bank accounts and credit cards.
I recently sat on a fraud summit panel both in Toronto and NY, and one of the biggest concerns among many institutions was synthetic identities. Basically, when bits and pieces of information from various individuals are taken and combined with fake information to create a virtual ID, it becomes very scary. They can go online, apply for credit, open bank accounts, apply for credit cards. Once all the fraud occurs, it is very hard to detect because there is no single individual; the institution is the one that ends up writing off the loss to bad debt.
We have seen such an increase in PII being sold in the black market. Think of all the personal information floating out there, as with the Anthem and other breaches; the concern is not so much over medical fraud but over information being used to create synthetic IDs, and over children’s Social Security numbers that have been exposed. These black markets are a vital source for organized criminals. They are easy to use, with easy checkout, great customer service and a money-back guarantee, so if you test out cards and they don’t work, you can get your money back; they even have their own technical support. This is a projected trend that will continue to grow for years to come.
Other related attacks, already being seen in the US and a result of the EMV rollout in other countries, target non-compliant terminals such as ATMs and gas stations. While these are not new fraud trends here in the US, fraudsters are expected to focus on these channels since they can use typical card skimming devices to get card and PIN information. Card trapping devices have also been reported and are on the increase; they fit over the card acceptance slot and prevent the card from being ejected to the customer after the transaction is completed, and they also stop the ATM from retracting it.
Cash traps are also being used. A cash trap is basically a claw-like device that is inserted into the cash dispenser to hold the cash until the fraudster comes to remove it. This type of fraud typically takes place outside of normal banking hours, and usually fraudulent transactions start occurring at other ATMs 10-15 minutes after the event.
The ATM and gas station deadline for EMV compliance is still a year away, so it is important that merchants and institutions continually monitor their terminals for any tampering.
Many have been trying to get in the game of mobile payments. It provides a safer way to pay, since cards are stored in the phone and the device can be used to authenticate payments. There is less exposure to cards getting compromised; however, many variations of methods would still need to be accepted based on supported devices and technology. With this being widely adopted, fraudsters are on their horses to figure out ways to commit fraud against these methods as well.
During the introduction of Apple Pay, fraudsters were quick to take advantage of vulnerabilities, and while Apple, card issuers and merchants were quick to react to fix the problem, millions of dollars in fraudulent charges were successfully completed by fraudsters.
http://www.nytimes.com/2015/03/17/business/banks-find-fraud-abounds-in-apple-pay.html?_r=0
We can attribute this increase and growth in mobile to our Millennials.
So with new payment types and new technology comes new risk. Where the money goes, the fraudsters follow. Mobile consisted of 52 Billion worth of http://www.bloomberg.com/news/articles/2015-02-13/mobile-payment-fraud-is-becoming-a-pricey-problem