Online Exclusive

The fluidity of credit card fraud

Automate processes to manage 'newer' fraud risks

According to industry research by Aite Group, the cost of credit card losses is expected to rise to $28.6 billion globally by 2016. (See First Party Fraud: The Global Battle Against Diabolical Charge-Offs, by Julie Conroy, Oct. 1, 2012, Aite Group.) Despite technology and more overall awareness, credit card fraud is a flourishing business. And fraudsters are constantly evolving and changing the ways in which they retrieve and abuse information.

The number of U.S. data breaches tracked in 2014 hit a record high of 783, according to a report by the Identity Theft Resource Center. This number represents a hike of more than 25 percent (27.5 percent over the 2013 number of breaches reported and an increase of 18.3 percent over the previous high of 662 breaches tracked in 2010).

Chip technology, commonly called EMV (Europay, MasterCard and Visa), is being touted as one fix to this rising card-fraud epidemic. Chip cards use algorithms that are far more difficult than magnetic stripe cards to copy or breach, which can prevent criminals from stealing credit card data. (However, less than 30 percent of U.S. merchants had been expected to be EMV-ready by the Oct. 1, 2015, liability shift from the card companies to the merchants. See EMV: U.S. Won't Make October Deadline, by Tracy Kitten, Jan. 20, 2015, BankInfo Security.)

Chip-and-PIN cards, which aren't in U.S. markets yet, provide an additional layer of security by requiring the customer's personal identification number, or PIN, as a second validation point. A fraudster with access to a physical card would also need the PIN number before making fraudulent purchases.

Extra precautions are beneficial. However, as merchants and other businesses are migrating to EMV technology, fraudsters have upped their collective game to hit the new security measures head on.

Card-not-present fraud

Credit card fraud incidences during in-person transactions might now decrease in the U.S., but online "card not present" fraud and account takeovers could accelerate.

This scenario is playing out in Europe: A 2015 report from the European Central Bank (ECB) stated that fraud affecting EMV cards issued or acquired in the Single Euro Payments Area (SEPA) in Europe jumped 8 percent in 2013. (See Europe Suffers a Post-EMV Fraud Spike, by David Heun, July 23, 2015, PaymentsSource.) This was about the same time most merchants, retailers and other organizations in the SEPA zone had adopted EMV at the point of sale. Therefore, much of this fraud was attributed to card-not-present transactions, the ECB stated.

Fraudsters misrepresented themselves by either constructing fake identities or hijacking existing ones and more aggressively transacting online. Savvy criminals can trick phone agents into giving away individuals' personally identifiable information (PII). Also, fraudsters can take over accounts by changing emails or physical addresses. Merchants then try to collect their money from surprised, duped consumers.

Aside from EMV technology, retailers and other organizations can incorporate automation in comprehensive, strategic approaches to tackling fraud — in both physical and online environments.

Balancing automation and human involvement

Many organizations are hesitant to automate their sales processes because they don't want to create friction and alienate their customers. Human involvement remains a necessary and important component in managing identity and fraud risks, but companies need to closely examine their risk and customer profiles to determine the right mixes of automation to human involvement.

For example, customers don't have to give their PII to agents over the phone; organizations' automated systems can take photos of their driver's licenses, which contain most of the necessary information. Now there's less chance of agents stealing PII and more saving of organizations' resources.

Companies should rely on automation throughout a possible fraud lifecycle beginning with the first customer interaction when a retail website asks for PII. Fraud begins then because a company doesn't yet have account details to compare with the information that the potential customer is entering. Unfortunately, at this point in the relationship-building process a consumer often views identity verification and other automation tactics as intrusive, time-consuming and not worth the effort.

To avoid consumers abandoning their "shopping carts" and ending their purchases, companies don't always implement all the available preventive measures, which can lead to increased fraud costs down the road. Balancing fraud detection rates with acceptable false positives to ensure optimal customer experiences is paramount for industry practitioners.

Go passive. Be aggressive.

Companies use passive automated tools that don't interrupt customers' experience. For example, they can install device reputation to link consumers' PII to the specific tablets, laptops or phones they used to buy merchandise. If a fraudster tries to use the same device he once used to commit attempted fraud, the fraud detection system recognizes the pattern and flags the interaction. Conversely, if a device has a clean reputation from past transactions, it will slide through more easily.

Fraud detection personnel are using the social media anomaly behavior analysis passive tool to corroborate an identity by checking social media accounts associated with the applicant. And the account applicant doesn't have to do anything extra.

Biometrics, while not totally in the background, provide an accurate and convenient way to confirm an identity. Many customers will be more inclined to use their voice or fingerprint to verify their identity than to give away their personal information, which takes more time and seems more invasive.

Passive tools are becoming more effective in detecting and deterring fraud, and legitimate customers' experiences during application processes are better. Less frustrated customers, more sales.

Leverage a layered approach

Automation isn't created equal when it comes to fighting fraudsters and preserving the customer experience. No one-size-fits-all fraud detection and mitigation approach exists. So organizations must construct layered defense strategies with the best technology tools to meet their fraud prevention goals.

They must use the most passive tools at the right time in customers' lifecycles to gather necessary PII that won't alienate them but will prevent the most fraud. Organizations should reserve tools that cause the most friction only for the highest-risk transactions and customers.

Fraudsters aren't slowing down, so the sooner companies adopt a variety of automated fraud prevention methods — including device reputation and biometrics — the more likely they are to stay ahead. 

Gasan Awad is vice president, identity and fraud product management at Equifax. He brings more than 20 years of professional experience in the fraud and risk management area to Equifax, where he's responsible for the development and execution of product strategy for the identity and fraud portfolio. His email address is: