November 21, 2017
It seems as if every day reveals another cyber or transaction security incident. Reports ranging from skimmers collecting information from fuel pumps and malicious hackers stealing personal information to the 2017 Equifax breach lead to only one conclusion: threats are everywhere.
“The challenge will be to address not only the fraud scenarios that we saw in the past but also the growing number of fraud scenarios we see with the eCommerce and mCommerce channel,” says Francis Limousy, principal advisor with UL Identity Management & Security.
Identity fraud increased 8 percent with 16.7 million people affected in the U.S. in 2017, according to publicly available numbers from Javelin Strategy and Research. This increase was driven by growth in existing card fraud, which saw a significant spike in card-not-present (CNP) transactions.
CNP fraud involves the use of card-account information obtained from skimming and phishing scams or card breaches. Fraudsters use the information to make purchases online, over the phone or by mail.
As Limousy points out, it has become more difficult for fraudsters to physically duplicate credit cards due to the widespread adoption and activation of EMV technology.
And when fraudsters try, the transaction is being caught more often at the payment terminal as shown by the real-life story of a UL employee whose credit card had recently been cloned. When the fraudster attempted to purchase an item in-store, the credit card issuer denied the transaction because they knew the real card issued contained an EMV chip.
Safeguards such as EMV technology do not exist in the virtual world, though. A consumer's card may have been registered on multiple websites, and when that is combined with poor password control, the information could be easily acquired by a fraudster.
CNP fraud is now 81 percent more likely than point-of-sale fraud. Account takeovers (ATO) also rose significantly in 2017 with a total ATO loss of $5.1 billion reported.
Tips to help avoid fraud online
Limousy offers this advice to consumers:
- Consider the use of wallet platforms such as PayPal, Apple Pay, Android Pay or Visa Checkout. Wallet platforms are available for both mobile and desktop environments and increasingly include a new technology called tokenization. Tokenization protects your credit card number by replacing it with an algorithmically generated number called a “token.”
- Routinely review credit card statements for fraudulent activity. This simple action may help you identify and shut down unauthorized use of your credit card.
- Check to see if your bank allows you to set up customized alerts. Some allow customers to set up transaction alerts or withdrawal notifications when an amount is over a preset limit.
- Pay attention to changes in credit score. Some banks and credit card issuers will alert a customer when his/her credit score shifts up or down.
- Create unique passwords for online banking, credit and other accounts with sensitive information, which may also help stem fraudulent activity. Passwords gleaned from one attack are often tested by fraudsters against other accounts with the same password protocols.
- Don’t be redundant! Mix up your choice of security questions. For example, many security challenges include one’s place of birth, an easy question to answer. The temptation is to continuously select this question—don’t! Use a mix of security questions to help minimize risk.
Advice for merchants, too
Merchants can also protect themselves by monitoring sales transactions. Tools can be used to check IP addresses and filter out countries known for fraudulent activities. Scrutinize inconsistent shipping addresses and billing information before products are mailed.
The Address Verification System (AVS) is one tool you can use to verify the address of the person claiming to own the credit card. AVS compares the numeric portion of the shipping address with the address on file through the credit card company.
Additionally, a merchant should ask for the Card Verification Code (CVC) as part of every transaction. The Payment Card Industry Data Security Standard (PCI DSS) prohibits the storing of CVC, so the chances of virtually obtaining the code are practically zero, making it a smart requirement for most eCommerce and mCommerce sites.
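The merchant checks described above (comparing the numeric portion of an address, scrutinizing shipping against billing details, filtering by IP country and requiring the CVC) can be combined into one pre-shipment screen. This is an added example, not code from UL or any payment provider; the `Order` fields, the flag names and the placeholder codes in `BLOCKED_COUNTRIES` are assumptions, and the local comparison only stands in for the check the card company performs.

```python
import re
from dataclasses import dataclass

# Placeholder codes; a merchant would build this list from its own fraud data.
BLOCKED_COUNTRIES = {"XX", "YY"}

@dataclass
class Order:
    billing_street: str
    billing_zip: str
    shipping_street: str
    shipping_zip: str
    ip_country: str     # country resolved from the buyer's IP address
    cvc_supplied: bool  # CVC is checked at authorization, never stored

def numeric_portion(street, postal):
    """Reduce an address to the digits an AVS-style check compares."""
    house = re.search(r"\d+", street)
    return (house.group() if house else "", re.sub(r"\D", "", postal)[:5])

def avs_style_match(street, postal, ref_street, ref_zip):
    """Return 'full', 'zip_only', 'street_only' or 'none'."""
    house, zip5 = numeric_portion(street, postal)
    r_house, r_zip = numeric_portion(ref_street, ref_zip)
    street_ok = bool(house) and house == r_house
    zip_ok = bool(zip5) and zip5 == r_zip
    if street_ok and zip_ok:
        return "full"
    if zip_ok:
        return "zip_only"
    return "street_only" if street_ok else "none"

def screen_order(order, on_file_street, on_file_zip):
    """Return the reasons (if any) to hold an order for manual review."""
    ship = (order.shipping_street, order.shipping_zip)
    flags = []
    avs = avs_style_match(*ship, on_file_street, on_file_zip)
    if avs != "full":
        flags.append(f"avs_{avs}")
    if avs_style_match(*ship, order.billing_street, order.billing_zip) != "full":
        flags.append("shipping_billing_mismatch")
    if order.ip_country.upper() in BLOCKED_COUNTRIES:
        flags.append("ip_country_blocked")
    if not order.cvc_supplied:
        flags.append("cvc_missing")
    return flags

# Constructed sample orders (not real customer data).
GOOD = Order("742 Evergreen Terrace", "97477", "742 Evergreen Ter.", "97477-1234", "US", True)
BAD = Order("742 Evergreen Terrace", "97477", "15 Harbor Rd", "10001", "xx", False)
```

An empty list from `screen_order` means none of the checks fired; any flag is a reason to review the order before products are mailed, not proof of fraud.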
Finally, keep software and platforms up to date as software vulnerabilities are continuously being found and security patches issued to prevent fraud and protect customers from malware and viruses.
By practicing good security habits like monitoring accounts and updating software plus utilizing available tools such as instant alerts and AVS, both consumers and merchants can help minimize the risks from fraudulent activity.