Online Fraud in the U.S. Grew Dramatically Post-EMV

EMV Payment Card

The introduction of EMV (Europay, MasterCard, Visa) cards, also known as chip-and-PIN cards, into the U.S. has had the expected effect: with card-present fraud more difficult, fraudsters have moved to on-line card-not-present fraud. Domestic online fraud became 79% riskier in 2016 than it had been in 2015, according to figures from the Forter/MRC Fraud Attack Index (PDF).

Forter, which provides a fraud detection system for merchants, teamed with the Merchant Risk Council (which currently has almost 450 member companies in more than 20 countries) to develop a Fraud Attack Index. This is defined as the ‘dollars at risk per $100 of sales’. The ‘dollars at risk’ combines detected and prevented fraud with actual fraud.

The relative simplicity of cloning non-EMV cards made domestic (ie, US) off-line card-present fraud attractive. This is no longer easy. The introduction of more secure EMV cards has driven fraudsters from card-present to card-not-present fraud — EMV was never going to eliminate fraud, it was merely going to change its nature. This is shown in the fraud attack index for 2016, rising from $2.7 in Q4 2015 to $4.98 in Q4 2016.

“Domestic order fraud,” explains Forter’s CEO Michael Reitblat, “has increased following the adoption of EMV (microchip cards) in the US. The fraudsters who used to steal and copy or counterfeit cards in the US now find that much harder, since card present transactions are increasingly protected by EMV — and so have moved online instead.” He adds that this has been further fueled by an increase in ‘friendly fraud’ or ‘liar-buyer’ fraud (where a person might buy an item and then report it undelivered in order to obtain a refund). “That’s always been a trend,” he said, “but it’s increasingly moving from an occasional thing to a serious, serial problem for many retailers.”

The greater part of international fraud against US merchants has always been on-line, and it is always a higher risk than domestic fraud. In absolute terms, it decreased by 13% compared to 2015 but is still 62.4% riskier than domestic fraud, despite the domestic switch from off-line to on-line fraud within the US. Forter puts the international decrease down to a growth in genuine international orders rather than a decrease in fraud.

For online fraud, the criminals need to obtain the victims’ payment credentials. Forter notes a shift from account takeover (ATO) against merchant sites to ATO against online payment accounts. “A growing recent trend in the realm of account takeover (ATO),” says the report, “is the use of hacked online payment accounts such as PayPal, ApplePay, AndroidPay etc. In these attacks the fraudster breaks into the victim’s account and uses the details there, including payment details, to make purchases and take actions as if they were the victim.”

ATO on merchant websites is down 16% on the previous year; ATO on online payment accounts is up 131%.

Forter puts this shift down to improvements in merchants’ cyber security combined with the ‘unprecedented data breaches of the last few years.’ These “included account and password information and this, combined with the fact that many consumers continue to reuse passwords across multiple accounts, has made this form of attack easier to carry out.”

“It’s an example of the speed at which fraudsters adapt to moves made to stop their attempts,” explained Reitblat. “Merchants realized that ATO was a problem, and started guarding against it — so fraudsters shifted, using similar tactics against online payment accounts, which is far harder for merchants to spot, and which in any event gives them greater scope for theft.” 

The big target in this shift to online fraud has been clothing — apparel. Attacks against apparel rose 69.9% over 2016. “This is partly due to fraudsters who are moving online post-EMV continuing to operate in an industry with which they are comfortable,” explains Reitblat. With card-present fraud, it is easy to walk into a shop, conduct the fraudulent transaction, and walk out with the clothes.

However, he added that it is also “partly because fraudsters who have been focusing on luxury goods for years (due to the high ROI they represent) are trying a new tactic. Rather than go for the low end of luxury goods (which retailers are now aware that they need to protect and scrutinize, as well as the high-end ones), they’re getting equivalent products from apparel sites which are often less careful since they have not traditionally been major targets in the same ways that luxury sites have been.”
