Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« June 2010 | Main | August 2010 »

July 26, 2010

Can chip-and-pin technology address payment card fraud in the United States?

Last week's blog discussed how the United States has been slow to adopt the chip-and-pin payments card technology that many other countries are already using. We suggested that the continued reliance of the United States on the magnetic-stripe standard leaves consumers here more vulnerable to fraud. In fact, the Federal Reserve Bank of Kansas City recently published a paper that looked at global security standards within the payment card industry and found that "the difference between U.S. fraud rates and those in other countries is sufficiently large."

This week's blog looks a little closer at some of the numbers behind magnetic-stripe and chip-and-pin payment cards, including the cost of payment card fraud in the United States and what it would take to move to the EMV chip-and-pin technology. (Recall that EMV is an abbreviation for the originators of the standard: Europay, MasterCard, and VISA. EMV is now also owned by other card companies: the Japanese company JCB and American Express.)

Fraud losses on credit, debit, and prepaid cards in the United States totaled $6.89 billion in 2009, up 7 percent from 2008—a figure said to be on pace to reach $10 billion by 2015. According to PULSE 2010 Debit Issuer Study debit card fraud for signature-based debit card fraud increased 43 percent last year and personal identification number (PIN) debit card fraud loss rose by 24 percent.

How much of the Fraud is Occurring in the U.S.?

Exploiting the weakest link
The magnetic stripe stores data on a band of magnetic material on the back of a credit card. The stored data on a magnetic stripe can be read by swiping the card through a reader. The chip-and-pin card, on the other hand, most commonly exists as a smart card embedded with a microchip. The microchip can store a unique PIN, which ultimately replaces the cardholder's signature and can be used in contact or contactless mode. Chip-and-pin cards can therefore protect against card swipe fraud, cloning, and stolen data from lost or stolen cards—the most common kinds of fraud experienced by magnetic stripe cards.

Protecting payment cards: Security versus cost concerns
The implementation of chip technology will require a merchant to use new hardware and the consumer to use a new smart card with a microchip. Javelin Strategy & Research estimates the basic cost for the implementation of the EMV chip standard stands at $8.6 billion. Is this a figure the payments industry is ready and willing to dispense in this current economic climate? Today, we know of at least one U.S. financial institutions that have migrated to EMV. Will this cause others to migrate, or is it too early to tell?

Defining the next logical approach
Some experts predict that the globalization of the EMV standard will drive the initial issuance of chip-and-pin cards in the United States. Other experts do not foresee the United States' immediate migration to chip-and-pin cards. Yet the growth of U.S. chip payment cards may prove migration to EMV sooner than most believe.

Continuously guarding against debit and credit card fraud loss solidifies consumers' confidence in card payments and the financial system. EMV chip-and-pin and its methods for combating payments card fraud seems like a natural choice to replace the magnetic stripe card in the United States. With Europe, and other parts of the world, documented success rate in combating payments card fraud since their move to EMV chip and pin, it may turn out that EMV chip and pin's global interoperability may become the next security vehicle that can rein in magnetic stripe card fraud.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

July 26, 2010 in chip-and-pin, EMV, fraud | Permalink


A large number of vendors will accept signatures for card transactions without even looking at the card. They don't ask for identification to verify the card holder. The resulting fraudulent transaction usually becomes the liability of the bank. Obviously, the vendor isn't regulated and has little liability. It is past the time for chip-and-pin cards. Signatures (although convenient for the customers) should no longer be allowed. At least if the card number is compromised, the chances that the PIN number is also compromised, is slim. The EMV standard for tighter security doesn't seem to be progressing very quickly. For the protection of our customers and banks, we should be one of the front runners in a push for more security of our card transactions. Instead, we are at the mercy of the EMV standards which don't seem to be keeping up with the rest of the world.

Posted by: Michelle Johnson | September 14, 2010 at 11:49 AM

As an argument against adopting EMV, critics have pointed to EMV fraud weaknesses, such as susceptibility to man-in-the-middle-attacks. On the other hand, other countries that have adopted EMV and Chip-and-PIN have witnessed a reduction in counterfeit and skimming fraud. While EMV may not be foolproof, it is important to keep in mind that any single fraud deterrent solution needs to be part of an larger, overarching fraud strategy. Financial institutions still need build in layered security into their products and implement vigorous application screening controls when issuing cards to new clients. Also, financial institutions should integrate enterprise fraud management systems and real-time analytics to more accurately predict fraudulent transactions as they happen.

Also, to address the debate as to whether or not the U.S. should adopt EMV, the good news is that we are ready for it. The smart card technology infrastructure that supports EMV or Chip and PIN is already available today and will even be able to evolve with next-generation chip-based card innovations.

Thanks, Jim!

Posted by: Jim Schlegel | August 4, 2010 at 01:44 PM

EMV in the U.S. business case:

U.S. EMV Migration Cost = $8.6 billion (once off);
U.S. Card Fraud = $6.89 billion (per annum);

ROI = 1.25 years!
Cost savings over next 5 years = $34 billion!

Even assuming a 100% error in the migration estimates, its still an ROI less than the average 3 years a card is valid.

I'm not an Economist, but this looks like a pretty good investment to me. I say go, go, go! :)

Posted by: Wynand Vermeulen | August 4, 2010 at 06:24 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 19, 2010

Soccer balls and payment cards: A push for global standards

I am generally not a soccer fan but over the past few weeks I found myself curiously engaged in that nationalistic spectacle called the World Cup. Despite my general disinterest in low-scoring games and Oscar-quality performances by slightly injured players, I got caught up in the intensity of play and extraordinary skill levels displayed by these world class athletes. Then one day a debate erupted regarding standards. Apparently, soccer balls are not standardized and the one being used seemed hard and "skitterish." How bizarre!

Of course, my thoughts immediately turned to a more consequential global-standards issue taking place in the payments card world—the debate about the United States' reliance on the magnetic-stripe card standard as opposed to the chip-and-pin standard being adopted throughout the world, including in neighboring Canada.

Chip-and-pin technology has been deployed in Europe over the last decade as a means of reducing fraud by using the enhanced capabilities of a computer chip embedded in the plastic card to store and manage customer authentication data. Its success has been widely documented in recent fraud studies. This standard has been implemented using a specification called EMV, an acronym of Eurocard, MasterCard, and VISA, the original founders of the standard. In fact, EMV is now a corporation whose ownership has been expanded to include JCB (a Japanese card company) and American Express. So, what's the big deal? We survived the soccer ball dispute, so can't we survive the fact that the United States is not on board with the emerging global payments card standard? The answer may be a resounding "No!"

Various reports from payments research firms such as AITE have suggested that as many as 10 million U.S. travelers experienced difficulties with incompatible card technologies when traveling abroad during the past year. I learned some time ago that the least expensive and most secure way to acquire cash overseas is from an ATM machine. I now foresee a time when I will have to ask a European hotel concierge for the location of an American ATM (one capable of reading mag stripes), only to find out the nearest one is two miles away.

So why doesn't the United States adopt the emerging global standard? While there are many technological and political issues in play, the bottom line is that the overall cost of deployment to the U.S. payments system as a whole, and to merchants specifically, is a staggering number made even more daunting by the current state of the economy and available investment dollars. The Smartcard Alliance estimates that as many as six million merchant terminal devices may need to be replaced or upgraded to embrace chip-and-pin technology, with the bulk of the cost falling on the shoulders of merchants. Consequently, we are left to assume that we are likely to have to travel a long and winding road to migrate to the emerging global standard.

This observation is not in itself calamitous since past roads to worldwide standards are littered with the relics of failure (remember the push to implement the metric system?), but the stakes here are considerably higher in two important ways. First, we may become the only substantial economic power dependent on a payments standard that is less secure than that of the rest of the world. That means that criminals, intent on profiting from card fraud, will continue to migrate to the United States in growing numbers. The second issue is that chip-and-pin technology is a critical element in progressing toward an even more secure and visionary goal—the deployment of mobile phone-based payments capabilities using a chip embedded in the phone. Industry conference agendas are crowded with sessions describing the way a smartphone can be waved near or tapped against a merchant terminal device using radio wave-based near-field communications (NFC) technology to capture the customer's payment credentials. Chips embedded in the phone, coupled with applications loaded on the phone from card-issuing banks, will create the effect of a "mobile wallet" that promises to be more convenient and, yes, more secure than what we use today.

So what should we do about this mess of the United States being out of step with respect to payments card technology? I would suggest that this issue could eventually reach the public policy level. Perhaps it is time for policymakers to consider whether migrating to an increasingly adopted world standard is in our best national interest. After all, we just mandated a move to digital television. While this change facilitated my ability to watch the World Cup in high definition, it cannot possibly be of the same importance as this brewing card issue. If we want to mitigate the possibility of the United States being a center of card fraud and enable our consumers and business folks to travel abroad more easily, it may be time to charge someone in government with developing a well-thought-out, participatory, multi-year plan to move this country to the emerging global payments card standard.

By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum

July 19, 2010 in consumer fraud, mobile payments, risk, telecom | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Soccer balls and payment cards: A push for global standards:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 12, 2010

The confluence of payments, social networks, and malware: Elements of a perfect storm?

Thanks to a rapid increase in functionality and convenience, consumers are becoming more comfortable conducting e-commerce and participating in social networking with mobile phones instead of computers. At the same time, though, social networks are providing cybercriminals with a ready population of potential victims for emerging malware attacks. Similarly, cell phone applications that serve to extend the customer network reach may actually create vulnerabilities to malware attacks. How can the industry manage the security vulnerabilities in social networks as they migrate to the mobile channel?

More consumers using mobile devices to access social networks
A recent report from digital media firm comScore says social network activity is one of the fastest growing access categories on mobile devices. The report states that the number of mobile channel network users more than tripled over the past year, increasing 240 percent to 14.5 million users by April 2010. The report also says that accessing bank accounts is one of the fastest growing mobile phone functionalities, both by mobile application and Internet browser. As of April 2010, consumers used bank access applications 113 percent more than the prior year.


Social networks represent a growing target for phishing and malware
Social networks are beginning to compete with financial institutions and e-commerce sites as a favorite target for phishing attempts, according to a Microsoft Security Intelligence Report published in November 2009. This chart reflects a dramatic increase in phishing impressions in May and June of 2009 for social networking sites. (The report defines "impression" as a single attempt to visit a phishing page and being blocked by a filter.) Phishing schemes are frequently used to lure consumers into exposing personal data and introducing links to sites with malware downloads.


Gaming services—such as Farmville and Mafia Wars—available on these sites provide an additional entry point for phishing, spamming, and other schemes. Users are lured to fraudulent Web pages, where they can earn game points by completing surveys and quizzes. A specific example of a malware attack was the 2009 Koobface Worm. Koobface infiltrated numerous social networking sites including Facebook, Myspace, and Twitter by embedding a malicious link in messages that appeared to be from trusted parties. When users clicked the link, they were redirected to a page that appeared legitimate but actually included a download for malware. Once the malware installed itself on a user's computer, it gained access to the user’s personal data, facilitating identity theft payment fraud.

Malware coming to mobile phones
According to a report from security firm Mxlogic, social network malware is targeting mobile phones through subscriptions to these same gaming services, such as Farmville and Mafia Wars. It reports that when users sign up for the subscriptions, they inadvertently consent to receiving text spam that has the potential to infect a phone. Smartphone manufacturers act as gatekeepers to ensure that application developers design apps that meet their proprietary criteria and standards for leveraging their operating platforms, but with thousands of applications on the market today, mobile phones are increasingly vulnerable to data exposure. Application store operators have been proactive in policing applications for security and authenticity. For example, in December 2009, Google withdrew dozens of unauthorized mobile banking applications known as "09Droid" from its system for violating its trademark policy.

Since criminals follow the money, so to speak, it is reasonable to expect that malware authors will be interested in mobile payments and banking applications going forward. The rapid pace of phone application innovation and deployment will challenge efforts to detect and mitigate new malware schemes and other forms of cybercrime. For the consumer, the best line of defense to guard against viruses and malware attacks in any electronic environment is caution, by avoiding links in unfamiliar messages and social network games and choosing downloaded smartphone applications judiciously, if possible.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum

July 12, 2010 in fraud, identity theft, malware, mobile banking, mobile payments, risk, social networks | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 6, 2010

Identity thieves still using low-tech tactics to get into your wallet

If you make it easy for people to steal from you, they will.
-Frank W. Abagnale

Identity theft continues to be a major problem in the United States and, in most instances, does not involve a complex operation. Although the risks with online financial transactions receive a lot of focus, recent surveys have shown that identity thieves perpetrate their crimes using more traditional methods of access like stealing wallets or purses. In addition, too many victims are unfortunately serving as unwitting accomplices by giving personal information to the criminals over the phone.

According to Javelin's 2009 Identity Fraud Survey Report, the number of U.S. identity fraud victims increased 22 percent in 2008 to 9.9 million adults. Among the reasons cited for this upsurge in incidents are the economic downturn, the secondary market for financial information, and the availability of fraud toolkits online.

Although how-to guides on defrauding consumers are readily available on the Internet, identity thieves are taking a decidedly low-tech approach. Javelin also reported that of the 35 percent of identity theft victims surveyed who knew how their information was accessed, only 11 percent had their information stolen by an online hacker. In fact, 43 percent of identity theft was perpetrated via a lost or stolen wallet, checkbook, or credit card.

Convicted fraudster able to steal identities from behind bars
A recent FBI case involving a massive, two-year identity theft and bribery scheme provides an example of how fairly unsophisticated tactics are used to perpetrate fraud. The already-convicted fraudster who orchestrated the crime received a 309-year prison sentence, which is reportedly the fourth-longest in the history of white collar crime in the United States.

According to the FBI press release, the crime started in a Louisiana prison, where the perpetrator was serving time for a previous fraud conviction. A joint FBI-Department of Justice (DOJ) investigation revealed that he used the personal and financial information (such as dates of birth, Social Security numbers, and bank account numbers) of 61 individuals, churches, financial institutions, and businesses to attempt to steal more than $20 million. How was a prisoner able to get this information? Good question. Apparently, as the saying goes, he did it with the help of his friends (or co-conspirators) and a few phone calls.

One typical ruse involved the perpetrator calling a bank and pretending to be an elderly stroke victim who had been hospitalized. He would claim that he did not have his checkbook and needed access to his account. Most banks did not fall for it, but some did. He also called individual victims directly sometimes, saying he was a state trooper who needed to verify personal details after an identity theft arrest.

The perpetrator had several accomplices in the operation, including a corrections officer that he bribed with $10,000 to use his cell phone when prison officials put him on lockdown. Through the collaborative efforts of federal, local, and state law enforcement agencies, the perpetrator and at least eight coconspirators were charged in the investigation.

Common sense precautions key to avoid becoming a victim
The FBI case is a compelling reminder for people to be "crime smart" by not sharing personal information over the phone unless they can verify the identity of the caller. However, phone sense is just one of many ways that businesses and individuals must be vigilant in protecting themselves against becoming victims of identity theft. The DOJ has used the acronym "SCAM" to encapsulate four steps to reduce or minimize this risk. First, be stingy about giving personal information to others unless there is a reason to trust them. Second, check financial information regularly to monitor for unauthorized transactions. Third, ask periodically for a copy of your credit report to determine whether someone has wrongfully opened accounts in your name. Fourth, maintain careful records of banking and financial accounts in case you need to dispute a transaction.

It is possible to follow these steps and still become an identity theft victim. However, an added benefit of taking these proactive measures is that victims are typically faster at detecting fraud against themselves than are entities such as law enforcement, lenders, and creditors. In fact, Javelin's 2009 identity theft report found that the detection time of fraud through police or law enforcement was 264 days compared to eight days when the victims were monitoring their accounts electronically (that is, via the Internet or ATM). Ultimately, customers who actively monitor their accounts not only reduce the risk of fraud but also minimize their losses if they are victimized.

By Jennifer Grier, senior payments risk analyst in the Atlanta Fed's Retail Payment Risk Forum

July 6, 2010 in fraud, identity theft | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Identity thieves still using low-tech tactics to get into your wallet:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts



Powered by TypePad