Fraud detection is so slow at credit unions that thieves are often willing to pay more for stolen card numbers and other data involving credit union issuers, according to Canh Tran, co-founder and CEO of Chicago-based fraud analytics firm Rippleshot.
In fact, credit unions and even community banks are bigger targets than megabanks such as Citibank, Bank of America and Capital One, Tran noted, and the looming EMV conversion could make things worse before making them better.
“Citibank and Bank of America have 60 to 100 people in their fraud reduction department,” he explained. “Eventually, using their own analytics and a lot more resources, they'll be able to identify that fraudulent card sooner. The thieves know that, so they'd rather buy the cards from the credit union and the community bank because they know that card will not be detected for quite a while, somore fraud will be perpetrated on those cards.”
EMV’s rallying cry has long been that it can prevent this sort of crime and thereby disrupt markets for stolen data, but Tran said the opposite will happen, at least in the short-term.
Part of his reasoning is that EMV conversion is voluntary and is taking a long time.
“The big difference between the United States and all the countries in Europe, and Canada, is that in Europe and Canada, it was a government mandate to do so,” he explained.
Tran thinks 90% to 98% of merchants and at least half of issuers in the U.S. won’t be ready for EMV by October. The use of chip-and-signature instead of chip-and-PIN, plus the fact that gas stations won’t be compliant until 2017 also leave open opportunities for fraud, he said.
Tran said that after France implemented EMV in 2006, total fraud increased by 67% in three years. In Canada, card-present fraud fell by more than half but card-not-present fraud more than doubled between 2008 and 2013. And in the U.K., card-present fraud dropped by 50% after chip-and-PIN arrived, but big increases in card-not-present fraud actually drove the overall rate up in the years following conversion there.
All of this is why Tran predicts card fraud will spike after EMV takes hold in the United States.
“Eventually, it will decrease and go online, but we actually predict that within the next three years it's going to increase,” he said.
The EMV card will eventually be cracked anyway, he said, as thieves progress and innovate.
In turn, the mission now is less about prevention and more about faster detection. It takes eight to nine months on average to discover a data breach today, Tran said, and that’s created a market opportunity for firms like his that can sniff out fraud faster.
Tran said traditional fraud monitoring involves profiling card users’ purchases and flagging unusual activity. But new techniques such as contagion analysis, which look for anomalies on the merchant side – analyzing disputed charges at a department store in Florida, a bookstore in Las Vegas and an electronics store in Seattle, for example – can determine whether the cards involved were all used at the same place at one point in time.
“For the big retailers that have a lot of credit card transactions, typically we're able to detect within two to four weeks of a data breach,” he said.
That dramatically shortens the time criminals have to exploit stolen cards, he added, and in turn reduces the monetary damages. And because credit unions are targets, other people’s mistakes can have much bigger ramifications.
“A lot of it is employee, either malfeasance or negligence, so you have to update your passwords,” he said. “Maybe a bartender at a restaurant is skimming the cards; somebody is paying invoices for a doctor’s billing office and so they're skimming the cards on their own. Or a point-of-sale terminal, people didn't bother to reset the 1111 password, so all the point-of-sale terminals are compromised.”
Bad Wi-Fi connections and even imported point-of-sale terminals that come with malware already on them are risks, too, he said.
Source: CreditUnionTimes