Contactless cards and theft – what’s the problem?

Earlier this year we discussed a story that fraudsters with scanners can walk down the street and steal card data from contactless cards. This week a variation on this story has reared its head. This time it is claimed that thieves are using point of sale contactless scanners – the type you’d tap to pay for your purchases – to steal from unsuspecting people. Judging by the comments on social media, people are starting to worry and are even considering getting rid of their contactless cards. So, before we give up this highly convenient and queue-busting way of making payments, what should we consider in relation to both of these issues?

Thieves stealing using contactless card terminals to take payments

From a technological point of view this is possible. GPRS-enabled equipment means that point of sale scanners are portable; they can even be apps on mobile phones. However, in order to accept payment a thief would need to have a relationship with a Merchant Acquirer. Merchant Acquirers issue the terminals and monitor transactions and reports of theft. Before taking on clients, who will need to be businesses or sole traders, Merchant Acquirers perform checks. Should they issue a terminal and account to someone who goes on to become a thief, the Merchant Acquirer will quickly realise theft is occurring as they receive fraudulent transaction reports and have to pay recharges. At this point they can stop taking payments and disable the device, and they are likely to have information to help find the perpetrator. There is also the question of liability: if such fraudulent transactions do occur then the liability sits not with the cardholder, who is protected, but with the Merchant Acquirer.

Fraudsters harvesting data from contactless cards

This method of harvesting details is limited to collecting the card number and expiry date – it does not capture the 3 digit security code (known as CVV2) held on the signature strip, nor does it capture address details, PIN numbers or anything else. It is also a very ‘cottage industry’ approach to stealing data: it requires crooks to actually go out and do something. I’m sorry to say the serious fraudster is more likely to be buying details in bulk from the dark web, where such information ends up for sale following a criminal data breach.
Fraudsters can use the details collected from contactless cards to commit what is known as card not present fraud; they can’t use them in stores due to the widespread adoption of Chip and PIN. Card not present fraud is a growing problem, though in most cases the details won’t have been gathered in this way. When this fraud is committed the loss very rarely lands at the door of the individual card holder.

So who is the victim of card not present fraud?

While buyers are naturally worried about the capture of their card details, in reality loss from card not present fraud is a bigger issue for the card issuer or the merchant providing the goods and services.

The card issuers have protected themselves by introducing security steps into the process. These include requiring merchants to ask for the CVV code (the 3 digits on the signature strip) and, for online purchases, also asking merchants to deploy the 3D Secure solution. 3D Secure requires individuals to set up passwords on their card accounts; at point of payment the card issuer will ask the buyer to enter characters from their password. When merchants have taken these steps, the liability sits with the card issuer.

The story from the merchant’s perspective is more complicated. The protection methods offered by the card issuers may help to weed out fraudsters but there is a serious downside – friction! Adding these steps into the buying process makes purchasing from the merchant more difficult and time-consuming; this in turn leads to basket abandonment – the shoppers simply give up and go elsewhere for their purchase.

What can merchants do to protect themselves from this fraud without repelling their customers?

As a starting point merchants should ensure that they are PCI DSS compliant. If they are not compliant it’s likely that they will be perceived as an easy target by fraudsters and so be at greater risk.

Merchants using 3D Secure have experienced the loss of custom from people who don’t remember their 3D secure passwords, or don’t want to go through the additional step of providing a password. Where this is causing a problem merchants could look at other methods to verify their good customers before processing a transaction; these might include:

  • Checking identity – by verifying the information given by your customer, for example their name and address, you will gain a better understanding of who they are. Fraudsters are unlikely to give you their genuine information; checking will make this evident and so protect you. These checks can be performed in real time and on data that your customers already need to provide, so this type of check doesn’t add extra time or steps to the customer journey.
  • Checking payment details – while 3D Secure will link your customer to their card details, it does this by asking them for password information, which adds friction to their journey with you. Solutions are available that can cross reference your customer’s card details in real time at point of capture – without your customer having to do anything.
  • Checking for suspicious behaviour – by scrutinising customer behaviour it is possible to spot the patterns that suggest fraud. This could include the use of a mobile device across multiple transactions or an anomaly such as the device used being in a different time zone to that of the address provided.
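
The two behavioural signals in the last bullet can be expressed as simple rules. The sketch below is an added example, not code from the original article or from any vendor: the field names, the thresholds, the country offset table and the sample transactions are all constructed assumptions, and "one device across multiple transactions" is read here as one device presenting several different cards within an hour.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lookup: plausible UTC offsets (minutes east of UTC) per billing country.
COUNTRY_OFFSETS = {"GB": {0, 60}, "DE": {60, 120}, "US": {-480, -420, -360, -300, -240}}
MAX_CARDS_PER_DEVICE = 2       # assumed threshold
WINDOW = timedelta(hours=1)    # assumed look-back window

def score_transactions(txns):
    """Return {txn_id: [reasons]} for transactions that trip a rule."""
    flags = defaultdict(list)
    seen = defaultdict(list)   # device_id -> [(time, card_token)]
    for t in sorted(txns, key=lambda t: t["time"]):
        # Rule 1: device clock offset is implausible for the billing country.
        allowed = COUNTRY_OFFSETS.get(t["billing_country"])
        if allowed is not None and t["device_utc_offset_min"] not in allowed:
            flags[t["id"]].append("timezone_mismatch")
        # Rule 2: the same device presents many different cards within the window.
        # Cards are compared by token, so the rule never needs the card number.
        history = seen[t["device_id"]]
        history.append((t["time"], t["card_token"]))
        recent = {card for ts, card in history if t["time"] - ts <= WINDOW}
        if len(recent) > MAX_CARDS_PER_DEVICE:
            flags[t["id"]].append("device_card_velocity")
    return dict(flags)

def _txn(txn_id, minute, device, card, country, offset):
    return {"id": txn_id, "time": datetime(2024, 1, 1, 12, minute),
            "device_id": device, "card_token": card,
            "billing_country": country, "device_utc_offset_min": offset}

SAMPLE = [  # constructed sample data
    _txn("t1", 0, "dev-A", "card-1", "GB", 0),
    _txn("t2", 5, "dev-B", "card-2", "GB", 480),   # device clock far from GB
    _txn("t3", 10, "dev-C", "card-3", "GB", 0),
    _txn("t4", 12, "dev-C", "card-4", "GB", 0),
    _txn("t5", 15, "dev-C", "card-5", "GB", 0),    # third card on one device
    _txn("t6", 20, "dev-A", "card-1", "GB", 0),    # repeat customer, same card
]

if __name__ == "__main__":
    for txn_id, reasons in score_transactions(SAMPLE).items():
        print(txn_id, reasons)
```

Both rules run on data the merchant already collects at checkout, so they add no step for the customer; a flagged transaction is a candidate for review or step-up verification rather than an automatic decline.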

There are also other ways to commit card not present fraud, not directly related to stolen card details, such as mail order fraud, takeover of consumer accounts at merchants and man-in-the-middle, browser attacks.

The recent press regarding the risks of fraud as a result of the scanning of contactless cards is a relatively minor issue when compared to the overall card not present fraud risk. While this type of fraud needs to be taken seriously, steps can be taken to protect all concerned. Employing some of the measures outlined will protect the organisations concerned as well as provide their customers with a great experience of buying from them.