volume 9 • fall 2016
at criminals’ disposal. While a good portion of the fraudsters use stolen card numbers, account takeover using compromised credentials
is a leading cause of fraud for many CNP merchants.
As the U.S. migration to EMV progresses, the combination
of continued strong growth in e-commerce, ready availability
of consumer data and credentials on the Dark Web (where cyber- criminals trade information online), and disappearing counterfeit fraud opportunity will create a perfect storm that will result in a sharp rise in CNP fraud (Figure 3).
Keeping up with the Bad Guys
As the U.S. works its way into the ranks of chip-capable countries, issuers and merchants need to be prepared for signi cant shifts in the fraud landscape. Unfortu- nately, the bad guys aren’t going to close up shop and  nd real jobs—they’ll simply shift their focus to di erent attack vectors. Here are a few recommendations:
for issuers:
• If the bulk of your active card- holder population will not be upgraded by the end of 2016,  nd a way to accelerate your plans. The data show that criminals already are focusing their counterfeit card attacks on banks that have not yet upgraded to EMV. Meanwhile, banks that have been more proactive in their chip-card conversion are seeing rapidly declining net counterfeit fraud
losses. This trend will only be exacerbated as the chip-on- chip transaction percentages increase and criminals focus their counterfeit attacks on unprotected BINs.
• Invest in solutions that can help to mitigate the rising tide of account takeover, application fraud and CNP fraud. All of these forms of fraud are al- ready on the rise, thanks to the vast amount of data at crimi- nals’ disposal. FIs need to in- vest in layers of technology that can help detect this fraud while preserving the user experience.
• Watch out for the ATM. This is another attack vector that
has been a big pain point in Europe and is a rising concern in the U.S. ATMs lag the POS in upgrading to chip due to the cost and complexity,
and criminals quickly respond. Even once ATMs are upgraded, Europe has seen criminals revert to more rudimentary attacks such as ATM cash trapping, in which a physical claw is inserted into the ATM machine to prevent the cash from being issued, trapping it inside the machine until the victim leaves.
for merchants:
• Bolster your CNP fraud con- trols. CNP fraud already is on the rise, and the problem will get worse before it gets better. Merchants must invest in layers of technologies that will help
detect fraud while maintaining a simple user experience.
• Prioritize reterminalization.
If you haven’t reterminalized yet, chances are that the pain associated with this already is manifesting in your monthly statement from your acquirer. With certi cation queues still long, merchants that haven’t started planning their EMV migrations need to be prepared for a signi cant uptick in counterfeit fraud chargebacks.
EMV is now a reality in the U.S. market, and while it brings sig- ni cant bene ts in the form of counterfeit fraud reduction, that doesn’t mean card fraud will just disappear. Issuers and merchants need to be proactive in their prep- aration for the fraud shift. Criminals will quickly  nd those who haven’t, and will focus their attacks on the weakest link in the chain.
Julie Conroy is research director
of Aite Group’s retail banking and payments practice, focusing on fraud, data security and anti-money laundering issues. She has more than a decade of hands-on product management experi- ence working with  nancial institutions, payments processors and risk manage- ment companies. This article is an excerpt of a larger report. She may be reached
at jconroy@aitegroup.com.
endnotes
1. Breach Level Index, accessed on Feb. 26, 2016, http://breachlevelindex.com.
2. to obtain the full Aite Group research report, please visit www.iovation.com.
paybefore.com 67