Photographer: Simon Dawson/Bloomberg

Credit-Card Thieves Move Online as Chips Thwart In-Store Fraud

  • Use of stolen card data rose 40 percent last year, report says
  • Retailers spending billions to protect e-commerce sites

The adoption of credit-card chip technology by U.S. retailers is having an unintended consequence: Criminals are moving from brick-and-mortar stores to the internet.

The use of stolen card data to pay for merchandise on websites, in mobile apps and by dialing call centers surged 40 percent last year, according to a report from Javelin Strategy & Research released Wednesday. That’s forcing merchants to spend billions on online fraud protection in an effort to detect when a crook is using someone else’s card number.

“We are seeing more sophisticated type of fraud moving into the online environment,” said Erika Dietrich, global director of payments risk management at fraud fighter ACI Worldwide.

By the end of last year, almost 1.81 million U.S. merchants had switched to accepting European-style chip cards, more than double the number the year before, according to Visa Inc. Issued by banks, cards containing the so-called EMV technology are much harder to counterfeit, which cuts down on in-person fraud at stores.

With worldwide e-commerce surging and more stolen data available on the black market, retailers are ramping up spending on online security. E-commerce merchants and financial institutions will spend $9.2 billion annually in fraud-detection solutions by 2020, up 30 percent from current levels, according to Juniper Research.

As recently as October, the fraud-protection company Radial Inc. used to get one to two inquiries from new large customers a month. That number has since climbed to more than 12 a month, said Stefan Weitz, chief product and strategy officer. Radial’s more than 100 clients include Walgreens Boots Alliance Inc., StubHub and Ralph Lauren Corp.

Fueling the surge in interest are an increasing number of data breaches at companies ranging from Target Corp. to Wendy’s Co., which potentially exposed private financial information from millions of customers to identity thieves. U.S. government agencies and companies suffered a record 1,093 data breaches last year, up 40 percent from 2015, according to the Identity Theft Resource Center in San Diego.

Javelin, which began tracking fraud in 2003, said the number of U.S. identity-theft victims rose to a record 15.4 million last year from 13.1 million in 2015. Fraud losses, however, have remained fairly stable over the past three years, totaling $16 billion last year. That’s down from $22 billion in 2012, the researcher said.

“There’s a great deal of investment not only from StubHub peers, but also from the vendors,” said Joseph Asaro, head of operations for North America at StubHub, a unit of EBay Inc. “The vendors would not be investing so heavily if there’s not great profit in it.”

Defense Spending

To bolster its arsenal, Visa acquired CardinalCommerce in December to help merchants and banks authenticate e-commerce transactions. New vendors are also entering the fray: This year, Tender Armor LLC, a Fort Lauderdale, Florida-based startup, will offer its fraud-fighting technology to debit-card customers of InComm Holdings Inc., which issues prepaid cards. Tender Armor texts or e-mails customers a daily code that replaces the one on the back of their cards for purchases.

“Because the code is dynamic and only known to the consumer, the fraudsters can’t use it,” Madeline Aufseeser, Tender Armor’s chief executive officer, said in an interview. “This simple solution deputizes the consumers and puts the control back in their hands.”

Meanwhile, payment processor Cayan, which serves mid- to small-sized businesses, plans to integrate security software from Kount. That company uses artificial intelligence and machine learning to help merchants pinpoint fraudulent sales. For each transaction, Kount’s engine analyzes hundreds of relevant variables and activity across the globe in real time to predict risk of fraud.

Detective Work

Existing fraud-fighting companies’ business is blooming. Easy Solutions Inc. says sales of its product that helps banks and retailers monitor transactions grew 128 percent last year, up from a 75 percent gain in 2015. Radial, which promises to shoulder its clients’ fraud costs, saw its sales rise 15 percent last year.

Radial’s software can use about 800 rules to determine if a transaction is fraudulent. Suspicious transactions are flagged and sent to several dozen human analysts around the world who can verify addresses, or even call the customers to weed out fraud.

“They do detective work at some point,” said Weitz. “We guarantee to our customers that they pay zero fraud.”

Bot Crimes

Online sales worldwide are projected to rise to $27.7 trillion in 2020, up from $22 trillion last year, according to researcher eMarketer. North America, the second-largest e-commerce market in the world behind Asia, is expected to see double-digit growth through 2020, eMarketer said. Expansion into new categories such as grocery, and increasing sales through mobile devices are helping to boost sales, the company said.

More shopping online means more opportunities for crooks, who are now using sophisticated attack tools such as bots. The software programs can run through online checkout pages and place orders using stolen data automatically -- without a human being needing to be involved.

“Right now the environment is more challenging than it’s ever been,” said Al Pascual, research director and head of fraud and security at Javelin, a consulting firm focused on the financial industry. “And things will get worse before they get better.”

    Before it's here, it's on the Bloomberg Terminal.
    LEARN MORE