Connect with us

Hi, what are you looking for?



Online Fraud in the U.S. Grew Dramatically Post-EMV

EMV Payment Card

EMV Payment Card

The introduction of EMV (Europay, MasterCard, Visa) cards, also known as chip-and-PIN cards, into the U.S. has had the expected effect: with card present fraud more difficult, fraudsters have moved to on-line card-not-present fraud. Domestic online fraud became 79% riskier in 2016 than it had been in 2015, according to figures come from the Forter/MRC Fraud Attack Index (PDF).

Forter, which provides a fraud detection system for merchants, teamed with the Merchant Risk Council (which currently has almost 450 member companies in more than 20 countries) to develop a Fraud Attack Index. This is defined as the ‘dollars at risk per $100 of sales’. The ‘dollars at risk’ combines detected and prevented fraud with actual fraud.

The relative simplicity of cloning non-EMV cards made domestic (ie, US) off-line card-present fraud attractive. This is no longer easy. The introduction of more secure EMV cards has driven fraudsters from card-present to card-not-present fraud — EMV was never going to eliminate fraud, it was merely going to change its nature. This is shown in the fraud attack index for 2016, rising from $2.7 in Q4 2015 to $4.98 in Q4 2016.

Related: EMV Payment Cards – Salvation or Failure?

“Domestic order fraud,” explains Forter’s CEO Michael Reitblat, “has increased following the adoption of EMV (microchip cards) in the US. The fraudsters who used to steal and copy or counterfeit cards in the US now find that much harder, since card present transactions are increasingly protected by EMV — and so have moved online instead.” He adds that this has been further fueled by an increase in ‘friendly fraud’ or ‘liar-buyer’ fraud (where a person might buy an item and then report it undelivered in order to obtain a refund). “That’s always been a trend,” he said, “but it’s increasingly moving from an occasional thing to a serious, serial problem for many retailers.”

The greater part of international fraud against US merchants has always been on-line; and is always a higher risk than domestic fraud. In absolute terms, it decreased by 13% compared to 2015 but is still 62.4% riskier than domestic fraud, despite the domestic switch from off-line to on-line fraud within the US. Forter puts the international decrease to a growth in genuine international orders rather than a decrease in fraud.

For online fraud, the criminals need to obtain the victims’ payment credentials. Forter notes a shift in account takeover (ATO) against merchant sites to ATO against online payment accounts. “A growing recent trend in the realm of account takeover (ATO),” says the report, “is the use of hacked online payment accounts such as PayPal, ApplePay, AndroidPay etc. In these attacks the fraudster breaks into the victim’s account and uses the details there, including payment details, to make purchases and take actions as if they were the victim.”

ATO on merchant websites is down 16% on the previous year; ATO on online payment accounts is up 131%.

Advertisement. Scroll to continue reading.

Forter puts this shift down to improvements in merchants’ cyber security combined with the ‘unprecedented data breaches of the last few years.’ These “included account and password information and this, combined with the fact that many consumers continue to reuse passwords across multiple accounts, has made this form of attack easier to carry out.”

“It’s an example of the speed at which fraudsters adapt to moves made to stop their attempts,” explained Reitblat. “Merchants realized that ATO was a problem, and started guarding against it — so fraudsters shifted, using similar tactics against online payment accounts, which is far harder for merchants to spot, and which in any event gives them greater scope for theft.” 

The big target in this shift to online fraud has been clothing — apparel. Attacks against apparel rose 69.9% over 2016. “This is partly due to fraudsters who are moving online post-EMV continuing to operate in an industry with which they are comfortable,” explains Reitblat. With card-present fraud, it is easy to walk into a shop, conduct the fraudulent transaction, and walk out with the clothes.

However, he added that it is also “partly because fraudsters who have been focusing on luxury goods for years (due to the high ROI they represent) are trying a new tactic. Rather than go for the low end of luxury goods (which retailers are now aware that they need to protect and scrutinize, as well as the high-end ones), they’re getting equivalent products from apparel sites which are often less careful since they have not traditionally been major targets in the same ways that luxury sites have been.”

Related: New ATM Hacking Method Uses Stolen EMV Card Data

Related: Fraudsters Stole $680,000 Via MitM Attack on EMV Cards

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...