Online card fraud up as thieves avoid more secure chip cards for in-store payments

Increasing use of biometrics may help protect online payments

One unfortunate side effect from the use of chip cards for in-store purchases has been an increase in online credit-card fraud.

Hackers have taken the path of least resistance, moving from in-store fraud to e-commerce fraud, according to security experts.

Deterred by the security capabilities of chip cards for in-store payments, thieves have resorted to stealing credit-card numbers and passwords or opening new accounts with false credentials to use in making online payments for purchases, according to recent studies. Botnets also account for some of the biggest increases in online card fraud.

Chip cards were instituted on Oct. 1, 2015, and since then, e-commerce fraud on U.S. merchants has jumped 42% as of the fourth quarter of 2016, according to a study by research firm Pymnts.com.

"We predicted this [online fraud increase] would happen following [chip] cards in the banking industry years ago," said Mike Lynch, chief strategy officer at InAuth, a vendor of mobile and browser security products. (InAuth was recently purchased by American Express, but will remain a subsidiary.) Other countries, including Canada and Australia, also saw big jumps in online card fraud after chip cards were adopted, he said.

Lynch said the online fraud increase is probably higher for financial institutions than for merchants, but merchants are more open about the problem and discuss it more freely. "Banks don't typically want to disclose fraud," he said.

The amount of dollars put at risk by online fraud went up 55% from the second quarter of 2015 to the second quarter of 2016, according to the Pymnts.com study. That was a jump from $4.90 to $7.60 per $100 of online sales. For luxury goods alone, the dollars at risk were $12.10 per $100 in sales in late 2016.

Botnets were behind many of these attacks. The rate of attacks by botnets increased by 47% for the same period for all goods and by 87% for luxury goods alone, Pymnts.com said.

Javelin Strategy & Research this week reported that identity fraud of all types, the bulk of which comes from card activity, hit a record high in 2016. There were 15.4 million U.S. victims in 2016, up 16% from 2015. Losses from fraud in 2016 hit $16 billion.

"The increase in [chip] cards and terminals was a catalyst for driving fraudsters to shift to fraudulently opening new accounts," Javelin said in a statement. Fraud using existing cards also increased by 40% in 2016.

"After five years of relatively small growth or even decreases in fraud, this year's findings drive home that fraudsters never rest," said Al Pascual, research director in fraud and security for Javelin, in a statement. "When one area is closed, they adapt and find new approaches." He urged the payments industry to close security gaps.

Lynch said that banks and merchants will eventually need to move to more secure online payments that include multi-factor authentication, not just passwords.

Increases in online fraud "are going to raise the bar for authentication, and you'll see biometric techniques being used as the fraudsters evolve," Lynch said. "The companies that want to stop fraud know that they can't be the weak link."

InAuth works with four of the five largest U.S. banks, as well as many large retailers, to provide payment security products.

Among the biometric practices used for e-commerce payments is fingerprint authentication, which is available on some smartphones through the apps provided by major banks.

To protect online purchases made on laptops and desktops, many merchants rely on a one-time security code sent to a customer's smartphone, either by email or text. The user then types in the code when making a card purchase online.

But hackers have developed techniques to intercept those codes over text or email, "and it's not always the most secure," Lynch said.

InAuth has developed software that uses an encrypted channel to send a one-time code to a customer's phone.

Even with such products and enhanced biometric authentication, online card "fraud will never stop completely, but it should eventually reach a peak as companies put the right security in place," Lynch said. "But fraud never goes away."
