Following publication of the CIFAS findings about the extent of ID fraud
in the UK, Martin Warwick - fraud expert at FICO, the number-one fraud
solution provider for card purchases worldwide – comments on what
businesses can consider to try and prevent this rise in ID fraud from
spiralling out of control:
Mr Warwick says: “The European card industry has long praised chip and PIN technology as the antidote to historically spiralling card fraud losses in areas such as counterfeit and lost and stolen and now (finally) the US has followed suit with its own chip card issuance and acceptance plans. Yet, the overall levels of European card fraud (in absolute terms), are back on the rise. This seems like a contradiction, but we cannot ignore how criminals are now going back to basics and profiting from identity theft. It is evident that the robust European chip and PIN defence has simply prompted fraud attacks to evolve and mutate rather than be eliminated. Just like a snow plough on a snow-laden road, whilst the path immediately ahead is cleared, the displacement merely results in a greater build-up in adjacent areas. So, financial service providers need to stay alert and have the highest level of fraud protection for their customers.
"Any successful attempt at fraud protection typically results in criminals changing their modus operandi to find a different weak spot and fraud levels start to climb again. Fraud is like a balloon; if you squeeze it in one place, it bulges somewhere else - and it seems that this spike in ID theft is the next wave of fraud. Indeed, because France has used chip & PIN for so long, crooks in France have been polishing their skills at ID theft for the past six or seven years. The country lost €312.7 million to ID fraud in 2014, accounting for over 60% of the fraud losses last year, including account takeover fraud where verification through bank customer call centres comes under challenge and application fraud using someone else’s personal data. This growth is quite staggering, as losses due to ID theft have grown from just €7.6 million in 2006. Also, in Norway, ID theft is twice the size it was in 2006. Now that identity fraud has been shown to be the dominant fraud threat in the UK for the first quarter of 2015, with 34,151 confirmed instances reported, it seems that criminals across Northern Europe are completing the cycle of fraud and getting what they can, which makes them a greater threat to issuers in other countries.
"These latest figures from CIFAS show that everyone is vulnerable to fraudsters, and we cannot be too careful. With credit cards accounting for 41% of all identity frauds (14,103 confirmed cases), everything must be done to keep card details and other customer data secure. Identity Theft has become an opportunity for criminals to exploit in this ‘digital age of banking’. As more and more people embrace the ease of banking and shopping digitally, using the ever-expanding collection of tablets, phablets, smartphones and laptops, it becomes difficult to identify the person making the payment or purchase and there becomes an ever-increasing risk that criminals will exploit this opportunity. Authentication or identification in the ‘face to face’ transaction has become very strong with Chip & PIN, so the challenges now are how to make the internet transaction as strong as face to face.
"Card Not Present fraud accounts for 70% of UK Plastic Card Losses, and online transactions make up a large portion of that fraud. Thus, identity protection is at the heart of how we stop this type of fraud. Some services, for example cross-channel services, have better authentication than others. For example, online banking can have a two-factor authentication with cryptograms for access to the banking facility and then signing transactions where a payment can only be paid to that specific account, but others may just use a static password or basic ID&V, which is quite weak in comparison. The stronger we can make the authentication or identification of a customer then the less valuable their data becomes. Mass compromise has become a regular occurrence, but if the method to identify a customer uses cryptography or biometrics then the data is, again, less valuable to criminals. However, there is no point in having a very strong authentication such as fingerprint recognition if the original registration process has weak elements which means that criminals can register on the customer’s behalf and then authenticate the transaction using their own fraudulent fingerprint. If we have strong identification at registration stage, then following authentication for transaction becomes strong as well. It sounds simple but it will take a lot of effort across the industry to get all of this in place.”
(Source - FICO Comment)