EU card fraud nets organised crime EUR1.5bn a year - Europol

Thanks in large part to the adoption of EMV technology, card fraud has been on the decline in the European Union but it still pulls in around EUR1.5 billion a year for criminal gangs, says Europol.

The figure comes from a report published to coincide with the opening of a new European cybercrime centre under Europol's jurisdiction, which will be the EU's focal point in fighting online crime carried out by organised gangs.

The report shows that despite rising numbers of credit and debit cards - now standing at more than 726 million - in the EU, domestic card-present fraud has been gradually falling since 2008 thanks to widespread adoption of Chip and PIN.

However progress is being undermined by a sharp increase in the level of illegal transactions overseas as crooks target cash machines and payment terminals in EMV-less places such as the Dominican Republic, Colombia, Russia, Brazil, Mexico, and, crucially, the US.

Consequently, in 2011, almost all fraudulent face-to-face transactions with EU cards took place overseas. The problem of illegal transactions in the US has been reported to Europol by all 27 EU member states.

The ultimate answer to this problem would be the implementation of the EMV standard on a global level, including making US merchants compliant, says Europol, adding that "specific discussions on that are currently ongoing, however it is difficult to predict if, and when, the final stage of compliance might be reached".

In the meantime, the report backs 'geoblocking' - deactivating the mag-stripe and making cards chip-only. Having become the first country to introduce this, Belgium has seen skimming losses fall to nearly zero, says Europol.

The organisation admits though that geoblocking has its drawbacks, with users required to get their cards activated every time they visit a non-EMV compliant country.

Meanwhile, card-not-present fraud is on an upward trend, accounting for around EUR900 million of the EUR1.5 billion. Credit card information and bank account credentials are some of the most actively traded 'goods' on the Internet's underground economy and this stolen data is used to create cloned cards which are used to make online purchases with EU suppliers, says Europol.

Most of the credit card numbers misused in the EU come from data breaches in the US and while investments by EU industry in the 3D secure protocol have helped, not all transactions are protected with it on an EU or worldwide level.

To help it tackle the increasingly global nature of fraud, Europol is asking for new rules to enable it to work with non-EU police forces and a special mandate to dismantle criminal rings around the world. Common European legal systems for the security of online retail payments, as well as the mandatory reporting of financial data breaches, should also be considered, it recommends.

Channels

Retail banking Security Payments

Keywords

Cards Mobile & online banking Automated teller machines and network services Eftpos Research/analysis

Comments: (1)

Pat Carroll - ValidSoft - London 10 January, 2013, 13:05

Be the first to give this comment the thumbs up

0 likes

It is interesting to see the card fraud statistics released by Europol this week, but even more interesting, and alarming, to read their recommendations. By their own calculations, card fraud on EU issued cards is running at around 1.5 billion euros a year. Of this, 600 million euro is attributed to card-present (CP) fraud, the vast majority of which is perpetrated outside of the EU in non EMV-compliant countries.

None of this will come as a shock to anyone involved in card issuing or card-fraud prevention. What should come as a shock, however, is Europol’s recommended solution, namely that all EU issuing banks should geo-block EU issued EMV cards, meaning they will not work in non EMV countries without the mag stripe being explicitly reactivated.

As blunt instruments go, they don’t come much blunter. What is not being taken into account within this report is the fact that EU issuing banks already lose large amounts of interchange fee revenue, incur substantial processing overheads and routinely upset their travelling customers through aggressive cross-border decline policies. Those using practices such as “travel flags” still incur administrative costs, still annoy their customers (I have personally spent over 40 minutes in a phone queue), are no guarantee that the card will not be blocked and can also be exploited by the fraudsters themselves. There is a cost to banks and their customers today from excessive cross-border declines which does not feature in the aforementioned 600m euro.

The solution is surely less cross-border declines, not more. This does not mean, however, ignoring the fraud problem. The technology exists today to tackle this problem from both perspectives; fraud prevention and false-positive (decline) reduction. Importantly, the technology does not require the EU banking industry to break the fundamental tenant of universal acceptance or to incur ever more overheads which will, eventually, be passed onto the consumer.

Rather than banks spending more at the back end on investigations and card re-activations, we should be looking to reduce both cross-border fraud and excessive declines at source.