A World without Fraud?

Written by: Andrew Jamieson

May 2, 2016 - Is anything currently changing the payment landscape?

Since the wide-spread introduction of EMV throughout Europe in the early to mid 2000s through to the still embryonic deployment of EMV in the US, we have seen a consistent trend in payment fraud as magnetic stripe cards are phased out. Initially, and at first blush somewhat paradoxically, card present fraud goes up. This strange statistic is actually not that hard to understand – it is literally a representation of the criminals ‘last chance’ to make use of the skills and stored card data that they have established over the preceding years. We are seeing this trend in the US right now, as ATM fraud spikes to almost 600% YoY growth (see http://www.fico.com/br/blogs/fraud-security/news-flash-atm-fraud-in-the-us-jumps-sixfold/ ). This type of spike tends to be short lived, lasting a year or so, but it may be longer in the US given the larger migration time expected for both POS and ATMs, as well as for other unattended systems such as pay-at-the-pump. However, eventually, card present fraud goes down as EMV replaces magnetic stripe data and card not present fraud increases (as ‘traditional’ EMV does not do much to prevent fraud in this domain). Once again, statistics bear this out as CNP fraud is currently spiking in Europe and other areas of the world where EMV has driven card present fraud into virtual non-existence.

A question I ask myself, though, is if these trends are really going to stay the same over the next few years. Have payments stayed the same since (most of) the rest of the first world went over to EMV, and even if so is there anything that’s currently changing the payment landscape virtually as we watch?

Let’s start with PINs. PINs are dead. Well, that may be overly dramatic, but they’ve got a nasty chest infection and aren’t getting any better. PINs are a solution to a magnetic stripe problem, and we are very quickly moving to a world where most people won’t need such a solution. The reason for this is not really EMV, or at least not just EMV, it’s mobile and biometrics. Within another 3 years I expect the vast majority of people to have a phone that accepts biometrics for authentication of the user (you can hold me to that). I also expect at least 80% of these people will have a phone that has some form of mobile payment mechanism (most likely an ‘OEM pay’ of some form – ApplePay, AndroidPay, SamsungPay, etc – but probably another local variant in addition to that as well). Given that these people will therefore have a single device that is both their payment mechanism and their authentication mechanisms, the only thing that will ensure the on-going use of PINs is a lack of contactless acceptance. This is already not a problem in Australia, where I sometimes call home and enjoy using my contactless cards in basically any shop I care to enter, and I don’t expect it to be a problem in most parts of the world by this time.
Except maybe the US; the US is currently re-terminalising for contact EMV, and the future of contactless there is up for debate (which is kind of surprising when you consider it’s the home of the two main OEM-pay operators). However, the US is also the main region which is pushing back against PINs already, so I feel confident that my deadpool draw on PIN will still come about.

Assuming then that you have either the contactless infrastructure or a deep-seated and historical distaste for PINs, why would you use your PINs at a POS in the future? Oh, there’ll still be PINPads, for those people who are not confident / wealthy / technically savvy enough to have a new mobile phone with a payment option installed and operational. But I expect that will be a minority. Moving on with this future shock version of payments, with fewer PINs on POS systems, the cost and effort that criminals go through to compromise these systems will rapidly become not worthwhile, and therefore merchants will become less attractive targets for these criminal elements.

ATMs that still require PINs will become more attractive, at least in the short term, but I expect as the fraud migrates to these the banks will push non-card methods for cash withdrawl to reduce PIN use there as well (for example, my mobile banking app allows me to generate a one-time code to get cash out of an ATM without using my card, and I do this with increasing frequency – indeed I was recently without an ATM card for many months when my bank sent my card to my old address, and I just did not need it enough to call the bank to deliver another). In fact, my own experience is that cash use will continue to drop as mobile/contactless usage increases anyway, and increasing ATM fraud may accelerate this trend.
Therefore even the ATMs will become less attractive as a system to compromise.

Which is all well and good, but what about the poor criminals? Who thinks of them?! They’ve got all of these hacking and system compromise skills, but will soon find their potential targets disappearing, or at least becoming less cost effective. One thing’s for sure, they won’t be going out to get real jobs. So where does the fraud migrate to? Online card not present? Sure, but if we can authenticate ourselves to our phones, which have our payment details, which we also use to do our online shopping (up to 88% of people use their phones for online shopping already – see page 3 of https://www.chasepaymentech.co.uk/documents/millennial-retailer-statistics.pdf ) … do we really think that card not present fraud is not also looking a little green around the gills?

Given the economics and logistics of deploying physical terminals and ATMs, I expect that it’s likely that card not present fraud will actually be solved through OEM Pay in-App payments before card present fraud finally takes it’s last breath and dies.
But if card present fraud is gone, and card not present fraud has gone even before that, where is the fraud? Do the criminals have to get real jobs after all?

Let’s step back and think about why criminals attack payment systems in the first place. Are they collectors of card data for aesthetic reasons? Do they appreciate the fine rise of the embossing on a card? The way the light plays on the card brand holograms? The subtle chamfer of the corners of a card? The playful mathematical majesty of the Luhn formula? No. Not exactly. They want money. Payment card data has always been a relatively direct way to get that money, and if you have computer hacking skills it’s just a keyboard away. Or at least it is for the moment, until EMV and mobile change the way payments work. Then, as a criminal, you’re just left with computer hacking skills and a burning desire for money.

Say hello to ransomware.

Take a read of this:
http://arstechnica.com/security/2016/04/ok-panic-newly-evolved-ransomware-is-bad-news-for-everyone/
Go on, I’ll wait for you …..

OK, now put on your criminal hat. I keep mine in my desk draw. You’re not totally stupid – the EMV fraud trends I discussed above show you can think ahead and see when a market is being closed to you. But you really, really do like money. Ransomware is the easy step to make from payments, once payment fraud is too much like hard work. Ransomware is easier, in fact. You don’t need to find a 0-day against the latest POS system, you just need some home user who has not removed their Windows Quicktime install <aside> get rid of your Windows Quicktime NOW! </aside> to click on a link. Ransomware terrifies me in a way that payment fraud never did, because it can directly affect me – my payment cards have been compromised 3 times, but I’ve never had to deal with any of the cost of that fraud. If ransomware gets on my PC and I am facing the prospect of losing valuable, personal data it will affect me in a very direct way indeed.

Payment fraud is dead. Ransomware is the new king.
(Disclaimer; this is not true today. It will be true before 2020 unless we do something about it)

Disclaimer

These are the personal opinions of UL’s employees and its guests and should not be misunderstood as representing the opinion of UL's clients, suppliers or other relations.