It’s tempting to see credit and debit card fraud as an old-world problem nobody is interested in these days but every now and then a pattern jumps out of the morass of statistics that deserves our attention.
A prime example is the volume of debit card fraud (i.e not including credit card fraud) being heaped on UK card-holders from the US, both against people visiting the US and, unbelievably, people who have never been there in their lives.
According to a large sample of fraud looked at by US analytics organisation FICO, the US accounted for almost half of all fraudulent cross-border transactions on UK debit cards during 2014 despite being a distant third on the list of total transactions. FICO didn’t break down US fraud by type in much detail, but the vast majority of these fraudulent transactions were card-not-present frauds carried out from the Internet or by phone.
Cross-border fraud is a big deal, accounting for a third of all theft from the 52 million UK cards FICO sampled. Consumers have become blase about fraud losses on their cards but this is still a startling statistic if it holds across the UK card economy as a whole because it means that the US is being used to commit up to one in six debit card frauds.
This trend is still not being talked about. Debit card fraud is just another event issuers keep away from customers for fear it might undermine their faith in a set of security protocols that are clearly full of holes.
Why the US has become so popular among fraudsters is no mystery. As any visitor to the US knows, using a card in the US is a scandalously insecure business. Signatures remain the norm (even in Target by the way) and anyone who finds a lost card can use it to buy anything they want unless the issuer’s fraud software happens to kick in. Card not present transactions are still the more popular method, perhaps because store checkouts have cameras and few criminals want to hand evidence to investigators.
Yes, EMV technology and chip & PIN is coming in the US but it’s still a rarity and its absence affects even people who don't use debit cards anymore more exitoc than the corner shop near any UK high street.
"We are seeing a lot of fraud in the US as criminals try to exploit the lack of EMV protection before it is implemented in the US, and before the liability shift at the point of sale takes effect later this year. Having EMV will make the mag stripe data less appealing to criminals," said FICO’s Martin Warwick, striking a note of optimism.
The lesson is that criminality is global, something that has been obvious for some time. If security tightens in one region, the criminals move to weaker geographies to carry out the same fraud. The only answer is for security systems to be imposed in a global way and for the US to stop treating its consumers’ preferences as the only issue worth worrying about.
The fact that debit cards are targeted so successfully is also interesting because these frauds are committed on accounts that are in credit. The victims will notice the fraud because even if reimbursed later they will have been without money they thought they had for a period of time. By comparison, credit cards are a crime few notice because it comes off someone else’s tab, not the account holder’s.
Although overall cross-border fraud is way down on 2008 levels - it dropped from £230 million that year to £80 million by 2011 - FICO’s numbers suggest that anti-fraud technology applied to debit cards (as opposed to credit cards) isn’t as good as it’s cracked up to be. That’s the inference we should draw from the fact that someone sitting in Manchester who has never visited the US can find hundreds of pounds siphoned from their card account by someone buying roof tiles in Cincinnati.
How did that happen? If the criminals get hold of your card details (in some cases using insiders inside the financial firms themselves), it is effortless in fact. Check your statement.