At the end of May, Quartz reported 47 percent of all global credit card fraud occurs in the U.S. However, American cards make up just 24 percent of the world’s credit card population.
With our share of fraud nearly double our share of cards, that’s obviously concerning. Here’s a look into how and why America’s become a target in the digital age.
From the Land of the Free to the Land of the Fraud
For the most part, obsolete cards are to blame.
Although cards with EMV (Europay, MasterCard and Visa) chips are slowly being adopted in the U.S. thanks in part to the October 1 liability shift, the majority of credit cards still rely on magnetic strips. Those strips represent a major security flaw: While EMV cards randomly generate a unique code specific to each transaction, a magnetic strip does not and can be easily replicated or captured. This difference caused a 70 percent drop in counterfeit fraud over the past decade since the U.K. started using EMV.
A big contributor to the exploitation of obsolete cards is the state of America’s POS (Point Of Sale) terminals, where the cards are swiped. Verizon’s latest Data Breach Investigations Report noted that over the course of 2014, 28.5 percent of data breaches were POS intrusions. Bonus fact: 3.3 percent came from lost or stolen cards and another 3.1 percent came from card skimmers, so really, about a third of 2014’s data breaches came from low-tech cards.
Some sectors were much more vulnerable than others. In the accommodation industry, comprised of establishments providing lodging and/or meals, snacks, and beverages for immediate consumption, POS weaknesses resulted in 91 percent of all data breaches. The entertainment and retail industries were other areas with a high percentage of POS compromises, clocking in at 73 percent and 70 percent, respectively.
POS terminals are attacked by installing malware after hacking into a company’s network. Two notable examples, the Target breach in December 2013 and the Home Depot hack in September 2014, were executed by hackers using the same type of malware to steal information from a terminal’s RAM. That information is usually encrypted, but there are two instances during a transaction in which it isn’t, leaving it ripe for theft: when the data is on the terminal before transmission, and when it is needed to process the purchase. In both cases, the malware on an infected machine can see it.
Will the October EMV Liability Shift Help?
Unfortunately the coming EMV transition isn’t going to be a catch-all. The entire project is a pretty monumental effort. Every card needs replacing, as does every terminal. In addition to the massive scale, it’s a massive expense: First Data reported in 2011 a total conversion would cost about $8 billion – $6.75 billion for new POS terminals, $1.4 million to replace cards, and $500 million for ATM upgrades.
The Census Bureau estimated in 2014 there are 232 million adult consumers, with a 2014 analysis by the Federal Reserve Bank of Boston finding 72.1 percent of consumers have at least one credit card. If you’re having trouble following, that gives us about 167 million Americans with at least one card. If we apply that number to a 2014 Gallup survey that said the average cardholder has 3.7 credit cards, that gives us 617.9 million credit cards in the U.S. with the majority of those cards needing to be converted.
Despite liability in the event of card fraud shifting to the least compliant party, usually the merchant in cases like these, a survey conducted by the Strawhecker Group revealed in March that only about 34 percent of American merchants will be EMV-ready by October. Yet even if every card is converted to EMV, cards that still carry a magnetic strip to maintain compatibility with older devices will still be vulnerable, just less so.
While EMV adoption will certainly reduce fraud and protect consumers, it’s going to take some time.