How Fraud Technology Has Changed Criminal Activity
By Martin Warwick, FICO
The past five years have been a time of enormous upheaval for Europe’s banking industry, and this is particularly true in the area of credit fraud. Technology has brought about real change in the card fraud landscape, altering the types of attacks, the volume of crime and the countries targeted.
To show these changes, FICO just released an interactive fraud map at www.fico.com/fraud europe. Based in part on data from Euro monitor International, this map shows changes in fraud type and amount, by country, from 2006-2011. Here are some of the biggest changes observed.
Fraud Levels Stay High in Europe as Criminals Seek New Opportunities
Fraud across Europe increased after 2006, peaking in 2008. However, 2011 levels are still high, at €121 million more than in 2006. A notable exception is the UK, which accounted for 45% of the total in 2006 and now accounts for 29% (a reduction of €177 million). This shows that criminals have shifted their focus to new opportunities within Europe as anti-fraud measures in the UK become stricter. Some countries have seen greater migration than others but none have been left untouched.
Another major area of attack is the card not present (CNP) environment, where criminals make use of Internet channels that carry less risk than being present in a shop when making a fraudulent purchase. Response to the CNP threat has been slow because most amounts lost by financial institutions are recoverable under Visa and Mastercard’s scheme regulations. Therefore, with no business case for addressing the threat – unlike counterfeit fraud losses, which go straight onto the bank’s P&L accounts – we now see that criminals are taking advantage of this channel while lenders have little incentive to fix the problem. The introduction of the 3D Secure protocol for online transactions has begun to shift CNP liability to the issuer in an attempt to close this gap.
Fraud Mix Evolving as Countries Crack Down on Traditional Threats
Following the UK’s introduction of Chip & PIN in 2006, many card fraudsters migrated to other regions, particularly France and Germany, with the latter seeing a 123% increase in fraud levels, for example.
The type of fraud attack typically attempted has changed significantly as the rollout of EMV Chip standards start to take effect on ‘face to face’ point of sale transactions. Fraudsters have moved away from counterfeit skimming in Europe and migrated to cross-border attacks where non-EMV ATMs still exist in plentiful supply. These numbers are confirmed by FICO’s own analysis on 55 million active credit cards represented in the FICO® Falcon® Fraud Consortium for Europe, which showed that counterfeit fraud fell 60% between March 2009 and March 2011.
Card not present (CNP) fraud accounts for two thirds of total fraud and is likely to be a symptom of the industry not having had a well-enough defined fraud detection and prevention strategy in place at the time when the counterfeit solution was developed.
It is also interesting to note the difference in customer liability rules across the region, as this can play a major role in fraud control. The UK’s consumer credit law protects consumers against fraud by stating that the bank is the loser and the cardholder only has to report that a transaction on their card is not their own. However, Turkey has no such laws, driving a different attitude to fraud from the customer. The customer is seen to have a duty of care and so is more proactive in reporting fraud immediately to avoid liability being placed on them. Customers working with the banks make for an improved detection and prevention capability, as illustrated by Turkey’s low fraud rates.
European Fraud Threat May be Greater Than It First Appears
The card industry often measures fraud threat levels in terms of ‘basis points’. A basis points level of 5 or less reflects a relatively low threat level from card fraud across the country. Between 5 and 10 basis points indicates a country may be seeing fairly active card fraud, with some issuers and card producers perhaps suffering more than others. Above 10 basis points indicates a significant fraud threat, requiring immediate attention from executive management at card issuers and lenders in the region.
However, basis points should not be considered in isolation. A country with relatively low basis points at a given time may still be vulnerable if fraud levels are increasing overall.
Two examples will illustrate this point. The UK, with around 5 basis points of fraud losses, has seen a massive change in its fraud losses over the last couple of years as a ‘tough on fraud stance’ has been fully embedded across all the banks. The UK had its lowest losses last year for a decade, and comparing 2011 to 2006 sees a downward trend of 30% while European fraud levels have increased by 10%. Every fraud type is down, with some significant reductions in areas such as counterfeit fraud, which peaked in 2008 when skimming and cross-border fraud took its toll on UK banks. However, policy and strategy were ramped up as banks made full use of the detection systems they had in place and migrated fraud attacks away from their products.
By contrast, Germany has a lower basis point level, at 2.7, but has actually seen fraud rocket by 143% in the same period. In 2006, it represented just 4% of the total fraud for the countries listed, but by 2011 that had increased to 10%. Criminals have identified a great opportunity to target a country which has a large number of plastic cards. Card not present (CNP) fraud makes up 60% of Germany’s fraud and this has grown by over 300% since 2006. Card fraud losses did drop between 2010 and 2011, as leading issuers fought back by adopting best-in-class fraud detection to combat the larger threat from cross-border skimming.
The make-up of a country’s card landscape should also be taken into account. For example, Germany’s credit card market was close to 100 basis points in 2011, but the domestic debit card market, which is much larger and suffers proportionately less fraud, balanced this out to give a healthier overall picture.
These considerations show that fraud threats can be like an iceberg, seeming reasonably minor at first glance. However, it can be quite different when you dive below and see the dangerous outcrops that are hidden under the surface.
Data provided by Euromonitor International. Source: FICO Evolution of Card Fraud in Europe, www.fico.com/fraudeurope. © 2012 Fair Isaac Corporation.
Martin Warwick is a principal consultant at FICO for Europe, the Middle East and Africa. To explore the interactive European fraud map, go to www.fico.com/fraudeurope.