Where magnetic stripe cards are used, the risk of fraud is higher. Stakeholders in the U.S. payments industry have seen some major data breaches in the last few years, with huge losses of consumer credit and debit card information. There is evidence this may be the result of fraud and international cybercriminals migrating to the U.S. because other areas in the world are aggressively switching from magnetic stripe cards to Chip&PIN cards.
Europe, Japan and numerous other countries and regions around the world, including those close to the US - Canada, Mexico and Latin America - are migrating to EMV smart bank cards. This means that the US is becoming increasingly isolated in its continued use of mag-stripe cards – which in turn means that criminals are able to focus their activities there. This is called “exporting the fraud” - a consequence long predicted by the global banking community.
Now, there is strong evidence this is happening. According to APACS, the UK payments association, by 2007 the success of chip and PIN in the UK had reduced losses on transactions “on high street” (at domestic retail POS terminals) by 67% from £218.8 million in 2004 to £73.0 million. Mail-non-receipt fraud also fell, dropping 34%, and lost and stolen card fraud showed an overall decrease from 2006 of 18%.
But they also reported a significant trend that supports the “exportation of fraud” prediction. While counterfeited card fraud decreased domestically by 32%, overall it increased by 46% to £144.3 million “due to fraudsters copying UK cards and using these bogus cards in countries which do not yet have chip and PIN.” This trend continued in 2008, and APACS reported that exported fraud has nearly doubled in two years. (http://www.apacs.org.uk/resources_publications/card_fraud_facts_and_figures.html)
There is also strong evidence that international credit card thieves are now targeting the US. Last summer, 11 individuals were indicted for breaking into computer systems and stealing more than 130 million credit and debit card numbers from US retailers and department stores like 7-Eleven, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. According to the US Department of Justice, this was the biggest case of identity theft in history, yet most of the criminals involved were international hackers and credit card thieves.
It is not the first time the US has faced crimeware. In January 2009, there was another breach. This time Heartland Payment Systems, an organization that processes credit and debit cards, was targeted. While the nationalities of the criminals and the losses are not yet known, more than 100 million card transactions are processed through the network each month.
Another major factor to consider is the rapid growth in phishing attacks and financial crime malware - password stealers, keyboard loggers, downloaders, banking Trojans and the like. All of these are designed to steal financial account logins, credit card accounts and other personal identity information to help make their fraud efforts more effective.
According to the Anti-Phishing Working Group, the number of sites infecting PCs with password-stealing crimeware reached an all-time high of 31,173 in December 2008, an increase of 827% from the start of the year. They also reported that a financial crime malware survey in Q3-08 of 4,141,000 corporate and end-user PCs revealed 181,000, or 4%, were infected with password stealers, keyboard loggers, downloaders or banking Trojans.
Phishing continues to be a significant threat. In the peak month of October 2008, there were 34,758 unique phishing reports from 27,739 unique phishing Web sites. Of these, 84% targeted payment services and financial brands and 61% contained some form of the bank or credit card company name in the URL. (Source: Anti-Phishing Working Group Second Half 2008 Report.) The information gathered from these attacks could be rendered useless to the thieves in the US.
Given the significant threat posed by data breaches and financial malware, it is time for US stakeholders to take a more serious look at EMV.
Many influential US voices are now advocating this step.
Donald G. Campbell, Vice Chairman of TJX, told the Boston Globe last summer that the breach within his organization would not have been successful if the US payment systems had implemented a chip-based card infrastructure, because the stolen numbers would have been useless for skimming fraud attempts. He also said, “Criminals, I believe, are focusing on the countries that haven’t added that higher level of security.”
Avivah Litan, a Vice President and distinguished analyst at Gartner Research, recommended the following to card issuers after the Heartland breach in a public statement on their Web site: "Follow the example of other regions migrating to stronger cardholder authentication methods, which render stolen data useless in transactions that require these methods. Canada and much of Europe and South America, for example, have moved or are moving to cards that require a card-resident chip or user-entered PIN to complete a transaction."
In March 2009, at the Visa Global Security Summit in Washington, Ellen Richey, chief enterprise risk officer for Visa USA, said, "I am often asked why the US doesn’t adopt chip. The answer is that it’s not a matter of adopting or not, but a matter of when and how. In the US, we’re beginning to see adoption of chip technologies first through contactless payments. Let me be clear: from Visa’s perspective, chip technologies - both contact and contactless - can add an important security layer. They also offer additional benefits for cardholders and retailers, like convenience and speed. So we can and do fully support chip technology."