4 Scams That Bypass EMV Security
It’s no secret that EMV compliance is a boon for your merchants’ security. Visa reports that fraudulent card-present transactions have dropped 43% for merchants who have made the switch¹. However, criminals are not easily deterred. As card security measures become more sophisticated, so do criminals’ techniques. Here are 4 scams we’re seeing as criminals seek to bypass chip security.
1. Fuel Up
Since EMV-compliant chip cards make fraudulent transactions more difficult at brick-and-mortar stores, criminals are turning their attention to swipe-only environments, such as automated fuel dispensers (AFDs). Gas stations remain easy pickings for both fraudulent transactions and skimming. Because the EMV migration deadline for AFD merchants has been pushed back to 2020, we can expect fueling fraud to remain a significant concern. Many AFD merchants are doing what they can to prevent fraud, with measures such as zip code verification and security cameras, but these measures fall far short of chip security.
2. Fall Back
Creating functional counterfeit chip cards is much too difficult for most petty thieves. However, in many retail settings, a working chip card is not actually necessary. Criminals can simply produce a mag stripe card with a dummy chip. By claiming at checkout that the chip isn’t working, fraudsters force cashiers to fall back on the mag stripe for transaction processing. That leaves your merchants on the hook for the chargeback.
3. Order It Online
As card-present retail fraud decreases due to EMV security, online fraud has been skyrocketing. Card-not-present (CNP) fraud increased 15% in 2016², and it’s expected to continue rising in 2017. Criminals gravitate toward easy profits, and since many online retail sites don't optimize their ordering data authentication, it’s all too easy for fraudsters to place fraudulent orders.
4. Hack It
While there are any number of ways that sophisticated hackers can steal payment data, the fact is, it usually doesn’t require much sophistication at all. The most common way fraudsters get your merchants’ data is through simple human error. Social engineering attacks are simple and effective. If an employee can be persuaded to download a seemingly valid file, there’s no limit to the malware that could be hiding within.
So what can payment service providers do to protect your merchants in these situations?
Fuel Centers: Encourage your AFD merchants to utilize the security tools at their disposal, such as address verification and real-time analytics to target fraudulent transactions. However, the greatest impact on fueling fraud will be the upcoming EMV migration. While the migration will undoubtedly be both expensive and inconvenient, encourage your retailers not to delay. Help them plan now to roll out their migrations as soon as it’s feasible in the market.
Fallbacks: Luckily, fallback transactions can be easy to curtail by putting some simple identity verification policies in place at checkout. Your merchants can train cashiers to require a photo ID in case of a “bad” chip before permitting a mag stripe transaction.
Online Fraud: By adding a few extra steps to the online ordering process, your merchants can make it a lot harder for thieves to slip past the gates. Merchants can contract with an electronic identity verification (eIDV) service, require confirmation emails for new accounts, and use automated protocols to verify the validity of data fields such as billing addresses. Verifying identity through a social media account such as Facebook is another helpful authentication strategy. For maximum security, online retailers should plan to adopt EMV 3DS 2.0 standards for CNP authentication as soon as they're released later this year.
Hacking: Data breaches may seem overwhelming. But by implementing some practical policies, your merchants can minimize their vulnerability to hackers. Merchants should keep their software and operating systems up to date, maintain a culture of vigilance about data security, and train employees in common-sense measures, such as never downloading unknown files. Further, merchants should update their SSL or TLS configurations to require a minimum of TLS 1.1 to prevent encrypted data from being stolen.
It’s a given that criminals will continue to innovate, but by educating your merchants, you can play an important role in helping protect their businesses and customers from transaction fraud.
1. http://www.cutimes.com/2016/12/02/emv-fuel-liability-delay-pumps-card-fraud-concerns