The Hacking Economy

Hackers rush to cash in on $14 billion in fraud before chip cards take over

Maggie Overfelt, special to CNBC.com

In 2016, hacked credit card fraud will reach $4 billion, a record level, and that's just the beginning of a counterintuitive aspect of the nationwide migration away from magnetic strip to chip cards.

In the short term, the switch to the chip card technology (known as EMV, which can process credit cards with embedded smart chips) will cause fraud to increase. You read that right. Beyond the $4 billion in fraud expected this year, there will be as much as $10 billion in fraud committed between now and 2020 as the window of opportunity narrows for hackers to cash in on stolen credit card data from magnetic strip cards, according to a new study from antifraud company iovation and financial industry consultant Aite Group.

There's a mad rush that's going to take place on the dark web to get the most value out of the stolen data before newer systems immediately recognize the magnetic strip card numbers as clearly fraudulent, and "it is going to get worse," said Julie Conroy, research director at Aite Group. "We should still be going to EMV, but people should not get a false sense of security."


The iovation/Aite Group study's estimate of $10 billion in fraud that's coming in the next four years is an educated guess, but the sources of the data should have all merchants, banks and consumers concerned.

The study's authors interviewed 16 of the largest credit and debit card issuers in the United States, representing two-thirds of the credit card holders in the country, as well as the four largest payment processors. And the study had at its disposal the actual experience of countries that have already made the move to EMV technology. Britain, Canada and Australia in particular published detailed data on acceleration in fraud during migration periods. "It all went up as the counterfeit opportunity went away," Conroy said. "It's a bit of an arms race between the good guys and bad guys and there are lots of technologies that can help with this, but those companies that don't deploy will be the weakest link," Conroy said.

In the U.K., where EMV was implemented a decade ago, online fraud rose 79 percent in the first three years after the country switched to chip cards. The rate more than doubled in Australia and Canada, according to Aite Group.

Another reason it is going to get worse: Only 20 percent of credit cards and 10 percent of debit cards have already migrated to chip technology. "There's still tons of fraud opportunity out there, and upticks we are seeing now are database breaches and due to the rapid growth of e-commerce," Conroy said.

Conroy said the $4 billion record is similar to other countries' "burn-through stockpiles" of stolen credit card numbers from the magnetic-strip card era.

As that number sharply declines starting next year, with more EMV systems in place and the $4 billion in card fraud expected this year worked out of the system, increased focus will fall on three other types of fraud.


The study estimates that the majority of fraud, or roughly $7.2 billion, will be use of stolen credit card numbers online and in mobile channels, known as card-not-present fraud.

Application fraud — when information stolen in a hack is used to open new credit card accounts, such as with the Anthem health insurance breach — will hit $2.1 billion by 2020. "What we saw in the U.K. in 2006 and 2007 immediately after it went to EMV, and in Canada even more so, application fraud sharply spiked," Conroy said.

Michael Thelander, iovation's product marketing manager, said that while stolen credit card numbers can still be bought on the dark web, EMV limits the use of counterfeit cards, or stolen cards, that have had their mag strips replaced or recoded.

A third type of fraud, called account takeover, in which hackers use compromised data to log into consumer and business online accounts and drain them of money, could reach more than $1 billion by 2020.

Thelander said many companies have tools in place to combat fraud, such as for card-not-present charges (the $7.2 billion estimate), but they may not be prepared for the sudden uptick. "There's a fear of being flat-footed," he said, adding, "You need to double down on efforts."


Using your credit cards at brick-and-mortar stores has become much safer since the fall, when U.S. merchants were required by credit card companies to have finalized the rollout of EMV. The new cards offer an extra layer of security for in-store transactions, depending on how they're used, and so far, they're nearly impossible for fraudsters to replicate.

"By the end of 2015, card issuers had seen a 25 percent decrease in their fraud occurrences, comparing the fourth quarter of 2014 with the fourth quarter of 2015," Conroy said. Approximately 20 percent of all their card-present transactions are going through as chip cards.

Roughly one-third of the nation's retailers had implemented EMV as of December, and experts expect the security problems that plague users of traditional magnetic swipe cards to greatly diminish over the next three to four years, when the majority of merchants — 84 percent, according to Javelin Strategy & Research — will have made the switch.

But as the iovation/Aite Group study predicts, "Criminals aren't going to get honest and get new jobs," Conroy said. "They're switching tactics and focusing on other areas."

That means that if you're accessing an increasing number of accounts from mobile phones, iPads or even your Xbox or PlayStation, as do the majority of Americans, you're at greater risk than ever before of becoming a victim of some type of identity fraud.

"The rate of online fraud is increasing faster than the rate of e-commerce transactions in the United States," said Al Pascual, director of fraud and security at Javelin. He notes that while the number of card-not-present (online) fraud victims rose 24 percent last year, the volume of online retail payments was expected to increase 7.7 percent, to reach $407 billion. EMV will eventually nudge card hackers to move most of their efforts online, but "criminals have been conducting online fraud for many years in the U.S.; they're good at it," Pascual said.

According to Javelin, the number of victims of card-not-present fraud reached 6 million in the United States in 2015, up from 4.8 million in 2014. Card-present (in-store) fraud saw 5.6 million victims in 2015, up from 5.4 million in 2014.


While experts say that hacking via in-store transactions will continue as long as magnetic-strip credit cards exist — for at least another seven to 10 years, according to Avivah Litan, research vice president at Gartner — it's the fraudulent activity online that will soar.

Some card-not-present problems stem from stores not having a secure enough payments system online, where "merchants have been left on their own to figure out how to protect their online channels from fraud," said Mark Horwedel, CEO of Merchant Advisory Group, nodding to the aggressive directive by credit card companies for stores to implement EMV, which right now doesn't solve anything for web-based shopping. Because shoppers don't have to sign or enter a PIN when checking out online, stealing a card number is usually all that's needed to commit fraud.

"There is not enough emphasis placed in their online channels from a consumer perspective," said Angel Grant, director, fraud and risk intelligence at network security firm RSA. "People are now shopping from all different types of devices, not just a PC. From a user-interface perspective, they're designed to be optimized, but not from a security perspective."

Merchants are trying all kinds of things to bolster their online payments systems. Some use fraud detection software, 3-D Secure or tokenization, a technology that eliminates the need for retailers to store sensitive data on their network. According to Litan, at least half of the nation's largest merchants use tokenization; it's at the center of Apple Pay and Alphabet's Android Pay, and many credit card companies offer their own version.

We may also soon see various types of two-step verification systems when checking out of stores online, but it won't be too much longer until "Visa and MasterCard win out eventually and the merchants are forced to move on EMV online … because credit cards and debit cards aren't going anywhere," said Litan.

Experts point out that the actual act of shopping online doesn't necessarily make consumers a target, and consumers are not liable for the fraudulent activity, according to legislation.

The greater threat is related to the ever-growing black market, where fraudsters are buying and selling our Social Security numbers, account numbers and other personal information stolen during recent high-profile breaches of places like The Office of Personnel Management, health insurer Anthem and the Home Depot. The credentials are used to open new credit cards or to take over online accounts to make fraudulent purchases.

"Being able to get the most important information around you allows a criminal to take over an account," said Steve Casco, CEO of Cardnotpresent.com, an online publication that covers issues in the e-commerce and mobile payments industries. "They can call up an entity — a Netflix, a bank, a school — and give all your information to the customer service rep on the other end, and now it's under their control. They can do things that you have no clue about."

Casco cites a December 2015 incident involving Neiman Marcus Group, where criminals launched an automated attack trying various login and password combinations to access some of its customers' accounts. Although the retailer suffered a high-profile data breach in 2013, it blamed the more recent attack on breaches at other firms, where user login names and passwords were stolen and then used for unauthorized access to other accounts around the web.

"Account creation and account takeover are the bane of most fraud departments inside of retailers," Casco said.


While customers aren't usually liable for fraudulent credit card costs, such attacks, which are hard to detect for both parties, can be devastating for merchants. According to Javelin, the average loss amount for existing cards in 2015 was $980, while the average for new-account fraud — which accounts for 20 percent of all fraud losses — was $2,379.

There's not a lot that consumers can do to monitor — or even know — what type of fraudulent activity is being committed in their name. Using a different password for each online account they hold is a start to warding off account takeovers, but for people worried about more far-reaching ID theft, finding someone to check the Under-web to see if their Social Security number is being sold may be a good investment, said Aite Group's Conroy.

She also recommends checking bank and account statements at least weekly. People who aren't looking to open new credit cards anytime soon might want to consider putting a freeze on their credit file so criminals can't open credit in their name.

RSA, which has a team monitoring cybercrime chat rooms on the dark web, said in-store crime will continue while quirks in the EMV system get ironed out. Fraudsters are zeroing in on the stores that still accept magnetic stripe cards and ones where they can exploit poorly implemented EMV technology. "We're already starting to see that with replay attacks at stores where the information isn't properly tokenized or sent with the proper messaging protocols, because folks are rushing to implement terminals," said RSA's Grant.

Even if the retail industry and card issuers eventually come together to implement a safer, more uniform payments security standard, some experts say we won't ever be able to match the speed of hackers finding their way to our personal data.

"I doubt we'll ever get to that point where fraud is diminished," said Seth Ruden, a senior fraud consultant with payments solutions firm ACI Worldwide. "We've created greater opportunity for fraudsters to manifest a presence in our world, and that's the kind of place we're at now — they've done what they needed to do to secure their position in our economy."
