Beware Fraudulent Card Applications and Account Takeovers

Crooks test certain card fraud strategies in advance of the EMV conversion.

April 29, 2013

The transition from magnetic stripe debit and credit cards to the new EMV (Euro MasterCard/Visa) standard has barely begun, but fraudsters already are probing for security weaknesses that will allow them to thrive even after the technology is widespread.

Karen Postma, client service director and fraud expert at The Members Group, sounded the alarm last week during a webinar, “The Fight Against Card Fraud—ROI Knockout.”

She says fraudulent card applications and account takeovers are on the rise in the U.S. and around the world. “Fraudsters are trying different mechanisms to understand in a post-EMV world where they can commit fraud and how easy it is.”

As fraud continues to expand, traditional means of deception such as phony transactions by mail and telephone and counterfeit cards continue to lead the way, Postma says. Keyed-in transactions at big-box merchants have been particularly successful of late; crooks ask clerks to manually input the account number and CVV2 code, explaining away the useless magnetic strip on the phony card.

EMV, which relies on a computer chip embedded into a card as well as dynamic password authentication, promises to make fraud more difficult to commit. The technology is easing its way into the U.S. in some markets ahead of the Oct. 1, 2015 deadline that shifts liability for fraudulent transactions to merchants. It’s forecasted to be the dominant means of point-of-sale and online sales by the end of the decade.

In the long run, EMV will make fraud less prevalent, Postma says.

However, only 40% to 45% of merchants and issuers will be EMV-capable by the 2015 deadline, Postma says, and a complete migration will take many more years.

Although the transition to EMV is costly, Postma advises adoption as quickly as possible because “fraudsters are going to target those merchants and those issuers that are not EMV-enabled.”

Fighting two emerging threats
Still, no system is failsafe. Crooks have been exploring two pathways to beat EMV that focus on obtaining what at face value is an active, legitimate card.

One method is to establish multiple fraudulent accounts at financial institutions through which the fraudsters make fictional deposits into a checking account and attempt to use a debit card to pay off their credit card balance—a circle in which no real funds exist.

Another method is account takeover. Fraudsters equipped with standard account information and customary validation responses—Social Security number, mother’s maiden name—contact a call center to report a lost or stolen card. They’ll ask for a replacement card to be sent to the address where the cardholder purportedly is on vacation, when in reality it will be delivered to their base of operations.

One way to combat this technique is by alerting your front-line staff to the threat, and training them to go beyond the norm in validating a caller’s identity by asking questions that only the cardholder would know: What’s a restaurant they like to frequent? What was their last valid transaction?

“This is your best line of defense,” Postma says. “That will trip them up.”

Monitoring accounts for suspicious activity also can limit fraud. Postma presented the example of a longtime cardholder who typically uses just 30% of the credit line suddenly extending that use to 90% of capacity while reducing monthly payments.

Digital wallets a concern
Another area of concern is digital wallets, which allow a consumer to conduct electronic commerce via credit card info and other data embedded into a smartphone or another device.

The level of fraud exposure isn’t yet certain, Postma says. However, the sector is ripe for exploitation because 50% of smartphones and tablets have some sort of malware on them, potentially exposing cardholders using those devices for mobile payments. It’s uncertain whether encryption and other embedded security measures will be a barrier to fraudsters.

Just because a credit union isn’t directly involved with digital wallets doesn’t mean they’re a nonissue. Some members, for example, use the service with credit cards issued by the credit union.

If staff isn’t familiar with digital wallets, they will be hard-pressed to answer specific questions, recognize fraud, or aid in recovering funds.

Mitigating fraud fallout
When a situation emerges, credit unions turn to their vendors for assistance. But it’s advisable to develop an in-house expert on these topics and train employees to rely on a response plan, which you should craft in advance of a crisis.

“Empower your people with knowledge,” Postma advises.

Your credit union’s safeguarding efforts should include compliance with Payment Card Industry (PCI) Security Standards and Federal Financial Institutions Examination Council (FFIEC) standards. Approximately 40% of financial institutions don’t follow basic FFIEC compliance regarding online banking, according to Postma, and hackers are targeting them as a result.

Last year, 17 financial institutions were hacked, representing less than 4% of all data compromises. Already this year, seven financial institutions have been compromised, boosting that figure to more than 5%.

Two credit unions suffered distributed denial of service (DDoS) attacks, which don’t affect cardholder data but create the perception of vulnerability because they paralyze online banking systems.

Credit unions should involve members in safeguarding measures. Inform them of your big-picture security initiatives and offer services such as fraud and transaction alerts.

“The more you engage your cardholders in a near-real time environment, the more you’re going to stop fraud, and the more they’re going to understand about the steps that you’re taking to prevent fraud from happening,” Postma says.

If a member falls victim to fraud, respond aggressively. Assure them you are fast-tracking their concern. Apply account credit quickly when it is due. Follow up with the cardholder.

“I know this sounds weird but … try to make it a positive experience,” Postma says. “It has been proven statistically that you can enhance your relationship with a cardholder or member if you react in a positive, quick manner to fraudulent activity.

“This is your time to shine as a financial institution, to take these steps to put a cardholder at ease.”

Big-box retailers a common target
Nearly one-quarter (23.6%) of all fraudulent transactions in the U.S. during the first quarter of 2013 emanated from California, followed by Texas (9.3%), New York (8.65%), Florida (7.51%), and Illinois (3.81%), The Members Group reports.

The most common fraud targets are big-box retailers, such as Super Wal-Mart and Super Target, followed by electronics warehouses and bookstores, including

“Those are hotbeds for fraudsters,” Postma says. Gift cards for Visa and assorted merchants are the most popular items purchased, essentially laundering the fraudulent purchase.

The end goal for card issuers isn’t limiting the number of fraud cases—Postma says that rate will continue to rise—but rather limiting losses.

“You have no control over the merchants that get comprised,” she says. “What we do have control over is the amount per case that the fraudsters get.”