Credit-Card Fraud Keeps Rising, Despite New Security Chips

The Wall Street Journal – February 2017
By:  Annamaria Andriotis and Peter Rudegeair

More consumers became victims of identity fraud last year than at any point in more than a decade despite new security protections implemented by the credit-card industry, a report released Wednesday said.

Some 15.4 million U.S. consumers were victims of identity fraud in 2016, resulting in $16 billion in total losses, according to the report by consulting firm Javelin Strategy & Research and identity-theft-protection firm LifeLock Inc. The number of victims rose 18% from 2015 and was the highest since Javelin, a unit of Greenwich Associates LLC, started tracking the phenomenon in 2003.

The increase in identity fraud, the bulk of which comes from card activity, was driven in part by a 15% rise in cases of fraudulent online purchases, the study noted. That activity led to “existing-card” fraud, which involves criminals counterfeiting debit and credit cards already held by customers, reaching a new peak.

Big increases also occurred in rarer frauds that have been steadily rising in recent years and that are harder for consumers and lenders to detect. The incidence of new-account fraud, for example, in which new accounts are opened in consumers’ names without their knowledge or knowledge by the lender, rose 40% to 1.8 million, while the number of cases of consumers having a bank account, credit card or other account taken over improperly increased by over one-fifth to 1.4 million.

The increases happened despite the rollout of tougher security measures around debit and credit cards over the past couple of years. Most major card issuers in the U.S. have replaced consumers’ magnetic stripe cards with chip cards, and merchants have increasingly shifted to more secure payment terminals, which combined are supposed to make it harder for consumers’ card information to be stolen.

But the findings of the report suggest that swindlers are finding ways around the new measures. “Fraud is kind of like squeezing Jell-O,” said Stephen Coggeshall, chief analytics and science officer at LifeLock. “Stop it one place, and it migrates to somewhere else.”

With online shopping, there is no way to use the chips on cards. Most of those merchants still rely on the basic card numbers, expiration dates and security codes on the cards. That is largely why “card-not-present” fraud, in which criminals use card information to make transactions online without needing to present the actual card, affected 3.4% of consumers, up from 2.4% in 2015, according to the study.

Card networks, including Visa Inc., say chip cards have helped bring down the counterfeit fraud rate, in which card data are stolen from merchants and used to create fake cards. Visa also said last month that its fraud rate at online merchants was down 1% in September from a year earlier.

In response to the persistence of online card fraud, credit-card networks, banks and technology firms are investing in more secure methods of sharing payment details online, such as “tokenization,” in which a unique code is generated for each transaction to be approved instead of cardholders’ account numbers.

MasterCard Inc. Chief Financial Officer Martina Hund-Mejean said on an earnings call Tuesday that the company is increasing spending in 2017 largely to boost customer and merchant usage of its digital wallet that uses tokenization, known as Masterpass.

Separately, the study showed that nearly half of the instances of card fraud involved chip-enabled card accounts that have been used online or at stores that don’t yet have chip-enabled terminals. Some 64% of storefront merchants still only accept cards’ magnetic stripe, according to the study.

While other forms of identity fraud are less common than existing-card fraud, swindlers are exploiting them in part because they take longer to detect. With new-account fraud, total losses reached $3.6 billion, up 24% from 2015, even though less than 1% of consumers were affected.

Some 30% of all new-account fraud victims last year had a general-purpose credit card opened in their name, up from 21% in 2015, which often resulted in card issuers giving out chip-enabled cards to swindlers, said Al Pascual, research director and head of fraud and security at Javelin.

Separately, total losses associated with a swindler taking over a consumer’s account rose nearly two-thirds to $2.3 billion.

Still, chip usage has helped bring down the amount of losses on existing card fraud to $961 on average per incident in 2016, down 2% from a year prior and down 30% from 2013.