Latest offerings by category
| SMART TRADEOFF? EMV reduces most fraud, except card-not-present |
|
|
By John Ginovsky
A number of analysts have documented that when EMV takes hold in a given area, it is very effective in reducing most forms of card fraud-counterfeit, lost/stolen, card ID theft. However, it's similarly documented that card-not-present fraud actually increases.
It's something that financial institutions, merchants, and consumers need to be aware of, even as the major card companies proceed along their roadmaps toward EMV adoption in this country
First Data, for example, in its white paper " EMV in the U.S.: Putting It into Perspective for Merchants and Financial Institutions," (see link below) cites statistics from Financial Fraud Action U.K. about EMV experience in the United Kingdom. It showed that counterfeit card fraud losses dropped from £107 million in 2000 to £48 million in 2010. Similarly, lost/stolen card fraud dropped from £102 million in 2000 to £44 million in 2010.
Card-not-present losses, however, increased from £73 million in 2000 to £227 million in 2010.
"The data clearly shows that lost/stolen or counterfeit cards accounted for a much smaller percentage of overall fraud at the end of the decade while CNP fraud became the source of almost two-thirds of all fraud losses," the report observes.
Tech Topics talked with a couple of experts in this area to get their views on this issue.
"It's an interesting challenge," says Ben Knieff, director of product marketing at NICE Actimize. "When you think about security you tend to think about it kind of like a balloon. If you squeeze the balloon in one place, it bulges out in another. EMV is a good example.
"EMV has proven itself very well in pretty much everywhere but the United States. It has a dramatic impact in decreasing lost/stolen card fraud, as well as counterfeit card fraud. It's proven to be an extremely powerful way of doing that.
"So we squeeze that part of the balloon and it expanded on the CNP side. That means we cut some losses on this one area, now let's focus our attention on how we can apply better controls and stronger ways in the card-not-present area."
Rob Havelt, director of penetration testing at Trustwave's SpiderLabs, says: "Honestly, it's just preparedness. One of the things you need to do, say, [adopt] EMV and the [associated] technology. It's supposed to be magical and will solve everybody's problems. History is full of those solutions.
"One of the things you have to figure out is, where there is a way to steal data, somebody will figure out a way to steal data. You can't ever look at a technology being completely safe."
The best defense these analysts and others say, lay in the application of layered security.
"What you really need to focus on is layered security," says Havelt. "You need controls in place and assume any control in place may be bypassed, but then you have another control in place behind that."
There's more, however. "It's a complex thing," he adds. "They [financial institutions] might be doing everything right, right now. But if you think about it, the bank is in the position where they have to think about every potential way that an attacker can get in, cover every base an attacker needs to find just one hole.
"They might have controls that are really good, or good enough, for right now. But tomorrow, next week, a month from now, or next year, they might not be, depending on if the attackers find a new technology or a new hole...The most effective thing a bank can do is have continual preparedness, having a good incident response for various attack scenarios, and proactively attacking themselves [to test the responses]," Havelt says.
http://www.firstdata.com/downloads/thought-leadership/EMV_US.pdf
[This article was posted on November 28, 2012, on the website of ABA Banking Journal, www.ababj.com.] Set as favorite Bookmark
Email This
Trackback(0)
Comments (0)
 Write comment
|
||||
TrackBack URI for this entry
Subscribe to this comment's feed
 |
TechTopics Plus |
