February 23, 2016 — As U.S. switches to EMV payment cards, fraudsters exploit still-open loopholes
A guest post by Ryan Wilk on Third Certainty. Until compliance and two-factor authentication are fully embraced, account takeovers and phony account creation will rise.
When an EMV card is inserted into a point-of-sale terminal, the chip generates a one-time authorization token, and can also require the user to enter a PIN as a second factor of authentication. This process greatly improves the security of in-store purchases.
It has been all too easy for criminals to create counterfeit magnetic-striped cards, embed them with stolen credit and debit card account information, and then swipe the fake cards at POS terminals to make fraudulent in-store purchases.
In October 2015, the United States began complying with the mandated shift to EMV credit and debit chip cards. The U.S. market had the advantage of being able to observe and learn from its European counterparts.
We haven’t yet seen the same correlated increase, but account takeover rates, as well as fraudulent account creation, were rising before the switch last year—in fact, there was a 100 percent increase. And of the billion created accounts, more than 50 percent were flagged as fraudulent.
Some retailers lagging
While the deadline for the U.S. switch was October 2015, not all merchants have upgraded. Furthermore, these new EMV cards are still compatible with old systems, which puts them at the same risk of fraud as before the switch.
Compounding the problem, some issuers are deciding to phase in PIN compliance, as it was not part of the October 2015 deadline. Without the PIN, these EMV cards require the far less secure signature to authorize the transaction, stripping the card of its two-factor authentication protection.