This type of activity can go on undetected for months. Online skimming is one of the most recent forms of card fraud. Once a store is under the control of a criminal, malware is installed that funnels live payment data to an off-shore collection server, and the data is later sold on the dark web. Discovered just a year ago, this form of fraud is gaining tremendous speed and affecting companies across the nation. BI Intelligence shares some important guidelines and key takeaways involving computer security.
New data from Dutch developer Willem De Groot indicates a rise in online skimming, a new form of e-commerce-related card fraud, according to Finextra.
According to De Groot, it’s becoming more common for hackers to exploit unpatched weaknesses in merchants’ software code, set up malware to steal data, and then sell that data on the dark web.
In November 2015, when this method was first uncovered, he scanned 255,000 stores and found that 3,501 had been impacted. By last month, that increased to 5,925 retailers, including brands like Audi and Converse, showing the rising impact this could have on merchants.
Rising skimming could add to the existing online fraud burden for merchants. As card-present purchasing becomes safer with the rise of EMV usage, fraudsters are turning to weaker digital channels. That’s leading to an increase in online fraud, and therefore online fraud expenses, which increased by 9-12% for merchants YoY in 2016.
Merchants continue to invest in multilayered fraud protection systems, but these systems prevent other types of fraud rather than patching the holes necessary to prevent online skimming, which means that this type of fraud could rise as stores work to find fixes. It will become increasingly important for payments providers to pressure merchants to apply these fixes, according to De Groot. And that’s especially true because this comes at a time when in-store point-of-sale (POS) software is being breached frequently, which could magnify fraud costs and losses across the board.
Fraud cost U.S. retailers approximately $32 billion in 2014, up from $23 billion just one year earlier. To solve the card fraud problem across in-store, online, and mobile payments, payment companies and merchants are implementing new payment protocols that could finally help mitigate fraud.
John Heggestuen, senior research analyst for BI Intelligence, Business Insider’s premium research service, has compiled a detailed report on payment security that looks at how the dynamics of fraud are shifting across in-store and online channels and explains the top new types of security that are gaining traction across each of these channels, including on Apple Pay.
Here are some of the key takeaways from the report:
- EMV cards are being rolled out with an embedded microchip for added security. The microchip carries out real-time risk assessments on a person’s card purchase activity based on the card user’s profile. The chip also generates dynamic cryptograms when the card is inserted into a payment terminal. Because these cryptograms change with every purchase, it is difficult for fraudsters to make counterfeit cards that can be used for in-store transactions.
- To bolster security throughout the payments chain, encryption of payments data is being widely implemented. Encryption degrades valuable data by using an algorithm to translate card numbers into new values. This makes it difficult for fraudsters to harvest the payments data for use in future transactions.
- Point-to-point encryption is the most tightly defined form of payments encryption. In this scheme, sensitive payment data is encrypted from the point of capture at the payments terminal all the way through to the gateway or acquirer. This makes it much more difficult for fraudsters to harvest usable data from transactions in stores and online.
- Tokenization increases the security of transactions made online and in stores. Tokenization schemes assign a random value to payment data, making it effectively impossible for hackers to access the sensitive data from the token itself. Tokens are often “multiuse,” meaning merchants don’t have to force consumers to re-enter their payment details. Apple Pay uses an emerging form of tokenization.
- 3D Secure is an imperfect answer to user authentication online. One difficulty in fighting online fraud is that it is hard to tell whether the person using card data is actually the cardholder. 3D Secure adds a level of user authentication by requiring the customer to enter a passcode or biometric data in addition to payment data to complete a transaction online. Merchants who implement 3D Secure risk higher shopping-cart abandonment.
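
The tokenization takeaway above, as an added sketch that is not taken from the report or from any payment provider: a hypothetical in-memory `TokenVault` issues random, multiuse tokens that carry nothing derivable from the card number except its last four digits. The class name, the keep-last-four layout and the rule that tokens must fail the Luhn check are assumptions; the card numbers are standard test values.

```python
import secrets


def luhn_ok(number: str) -> bool:
    """Luhn checksum: true for well-formed card numbers."""
    digits = [int(c) for c in reversed(number)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault; in production this is an isolated, audited service."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan in self._pan_to_token:
            # Multiuse: a returning customer's card maps to the same token.
            return self._pan_to_token[pan]
        while True:
            # Random digits from a CSPRNG; only the last four are kept for receipts.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Assumed rule: tokens fail Luhn so they can never pass as a real card.
            if token not in self._token_to_pan and not luhn_ok(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; there is no key to steal."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # well-known test number, not a real card
    token = vault.tokenize(test_pan)
    print("merchant stores:", token)
    print("same card again:", vault.tokenize(test_pan) == token)
```

A merchant database that holds only such tokens yields nothing usable if it is copied, which is the property the bullet describes; the card number exists only inside the vault.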
In full, the report:
- Assesses the fraud cost to US retailers and how that fraud is expected to shift in coming years
- Provides 5 high-level explanations of the top payment security protocols
- Includes 7 infographics illustrating what the transaction flow looks like when each type of security is implemented
- Analyzes the strengths and weaknesses of each payment security protocol and the reasons why particular protocols are being put in place at different types of merchants