STAMFORD, Conn.–The number of fraudulently opened new card accounts nearly doubled during 2017, according to a new analysis.
Credit unions and other financial institutions must move away from their reliance on traditional identity verification to prevent fraud during the digital application process, the report states.
The report found that “card-not-present (CNP) fraud has accelerated and shows no signs of slowing down, as fraudsters are increasingly leaning into application fraud and with great success.”
The new report, produced by Javelin Strategy and Research and sponsored by FIS, examines payment card fraud, especially at the application stage. It found that the advent of EMV chip cards has forced criminals to change strategies.
“The number of victims of new card account fraud is sharply rising — with crooks increasing their focus on private label credit and debit cards to find new profits,” the report states. “The onus is on FIs and issuers to simultaneously build higher walls, increase customer engagement, and better utilize digital technology to navigate the ever-shifting sands of payment card fraud.”
Javelin reported that application fraud is a $1.7-billion problem annually and that during 2017 the number of victims of fraudulent card accounts rose to 1.6 million from 0.9 million in 2016.
Three-Fold Increase
“In 2017, roughly 3.4 million people lost control of their prepaid cards — nearly three times as many as the previous year,” the report stated. “The average amount per fraudulent transaction is declining. In the same period, debit card fraud victims rose from 5.2 million to 6.6 million. But the amount of cash those crooks are netting has been steadily falling over the past few years, from $9.7 billion in 2014 to $8.1 billion in 2017.”
What has happened, states the Javelin report, is that the traditional ID verification is broken and has given birth to new schemes such as synthetic identity and automated attacks.
“Fraudsters rely on the widespread industry practice of simply verifying personally identifiable information (PII) to determine the identity of an applicant,” according to the report. “Continued reliance on traditional identity verification to prevent fraud during the digital application process has exposed FIs to the risk of rampant new account fraud as criminals take advantage of this oft- predictable process.”
‘Precipitous Rise’
Javelin said the “precipitous rise” in data breaches means that nearly all consumers’ personal details are for sale on underground forums, which is only increasing the risk. Moreover, the report adds, malware and social engineering are filling the gaps. This includes rudimentary types of devious software, “such as keyloggers, and more advanced crime kits, which can include remote access Trojans and the ability to intercept ID data and circumvent identification and authentication controls. Criminals have also taken to conning customers and employees into releasing PII and granting access to accounts by phone, email, and even SMS texts.”
“Fraudsters are leveraging the breadth of PII at their disposal to open new accounts in the names of victims as a means by which to monetize existing accounts they have already compromised. The number of victims of these types of schemes has tripled in just the past year,” the report continues.
The criminal activity isn’t just costing consumers financially.
“Between transaction and application fraud, the time victims spent resolving fraud more than doubled over the past two years, rising from 45 million hours in 2015 to 100 million in 2017,” the report states. “Victims spend roughly 17 hours sorting through the details. That’s almost three times as long as victims of existing credit card fraud take working through their issues. This results, unsurprisingly, in those customers’ feeling frustrated and often quitting their banking relationships.”
What Credit Unions and Issuers Can Do
The report recommends financial institutions:
- Empower customers with alerts, notifications, and cardholder controls.
- Give cardholders the ability to set limits on how a card can be used, including value thresholds and geographical boundaries, along with alerts that loop customers in on suspicious activity in real time, even prompting them to confirm or deny the legitimacy of pending transactions.
- Create a holistic remediation process. FIs and issuers should take a holistic approach to managing the risk of card fraud in their portfolio and the subsequent negative effects on cardholders, which includes steps designed to prevent, detect, and resolve fraud to control losses and bolster loyalty.
- Identify breaches early and adjust controls or reissue cards to get ahead of fraudsters. Being able to identify compromised cards as soon as possible is critical to preventing fraud from starting or escalating. This includes the use of common point-of-purchase analysis in which cards with known fraud become canaries in the coal mine for potential cases of account data compromise.
- Issue EMV cards. Chip cards have proven to lower fraud at the point of sale as they effectively eliminate counterfeiting. They cryptographically prevent criminals from forging the plastic and using those fake cards at merchant locations.
- Attack card-not-present fraud with technology. Implementing the recently enhanced 3D Secure protocol (3DS 2.0) facilitates the exchange of more useful data among the merchant, issuer, and network to authenticate the cardholder while controlling friction.
- Use machine learning, document capture, behavior, and other identity proofing tools.
- Adjust Day Two processes to catch application fraud sooner. Such processes are critical, as not all fraud will be caught during the application process. Strategically tightening controls on newly opened accounts and monitoring these new accounts for the first 90 days will help limit losses.
- Give consumers an easy, digital means of reporting fraud.