EMV: The Anniversary Of One Deadline, The Eve of Another

  /     /     /  
Publicated : 22/11/2024   Category : security


EMV: The Anniversary Of One Deadline, The Eve of Another


How merchants and criminals responded since the EMV liability shift for point-of-sale devices one year ago. And what changes can we expect after the liability shift for ATMs, which is just days away?



The US on Saturday celebrates the one-year anniversary of the EMV liability shift on point-of-sale systems and will ring in a brand-new liability shift: for Mastercard EMV cards on ATM machines.
If a merchant is unable to process EMV purchases, liability for chargeback losses shifts from the EMV payment card issuer to the merchant. Visas deadline for EMV on ATMs is next October. 
Thanks to EMV on POSes in the US, counterfeiting is down, and account-opening fraud is way, way up. 
How much of that fraud -- which Experian counts as a subset of e-commerce fraud, which is slightly up overall -- is attributable to greater EMV adoption? Thats a matter of debate.
Some of the increase in card-not-present fraud is indeed a result of adaptable attackers shifting their tactics -- as one door closes, a window opens -- but some of the increase in e-commerce fraud could just be because of an increase in e-commerce.  
Besides, merchants have a long way to go before theyre fully EMV-capable.    
On the 1-year anniversary, how are merchants doing with the migration of EMV technology on the POS?
According to a report by The Strawhecker Group (TSG) released last week, only 44% of card-accepting merchants have EMV terminals. Whats worse, only 29% of card-accepting merchants can actually accept EMV chip-based transactions.
Youre seeing a lot of pieces of paper over the chip readers, says Jared Drieling, business intelligence manager of TSG. Paper, or maybe tape or stickers, he says.  
Why the tape? Because each POS system -- not just each terminal but the back-end systems --must go through a testing and certification process before the EMV terminal can be activated. First, says Drieling, procrastinating merchants found themselves waiting in a long queue just to buy the terminals from backstocked suppliers, and now they find themselves in a long queue to get their certification processed. 
Contributing to the trouble was the timing of the deadline. October 1, says David Britton, vice president of fraud and identity industry solutions at Experian, is the absolutely worst time to do anything from a change perspective, because retailers are not going to do anything to disrupt their holiday season. Therefore, any merchants that hadnt migrated before the deadline, werent likely to do so until January.
2016 kicked off with a surge in demand for terminals and a rush of certification requests. Thats how backlogs started to build up.
The saturation of EMV also varies by industry and organization. Fast-food restaurants, for example, are behind on migration, because they cannot accept the extra seconds EMV transactions add to wait times, and more importantly fast-food joints dont see a lot of fraudulent activity, says Drieling.
If youre a fraudster, he says, youre probably going to the Rolex store or some other high-end store where you can buy something that can be resold; not a Big Mac. Meanwhile, jewelry and electronics stores, regardless of size, and shops in high-fraud states are ahead of the curve, he says.
Plus, although the EMV POS liability shift of Oct. 1, 2015 is often referred to in grand sweeping terms, it didnt actually apply to all POSes. Self-service gas pumps were given until Oct. 1, 2017 -- an additional two years -- before the shift kicks in.
Despite it all, though, Drieling says merchants have made significant progress.
Does EMV work? 
EMV is actually a good thing because it does do a very remarkable job of preventing counterfeiting, says Britton. As long as we remember that was the intent of it.
Mastercard reported
that its fraud data from April shows that year over year, not only are the costs of counterfeit fraud going down for those merchants whove adopted EMV, but costs of counterfeit fraud are going up for merchants that have
not
 adopted EMV.
According to the Mastercard figures, US retailers with EMV rollouts that are completed or near completion saw counterfeit fraud costs decrease by 54% while large merchants that had not migrated or just began migration saw increases of 77%. 
EMV doesnt eliminate card-present fraud entirely, though, for several reasons.
How are criminals doing with migrating their crime?
Although there was a shift in criminals tactics, EMV implementation cant be blamed for the plethora of stolen identity data available on the black market, or for inadequate authentication/verification during account creation processes, or for increasing e-commerce traffic, or for other poor security on e-commerce sites. 
For these problems, there are a variety of solutions.
The unfortunate piece is that the countermeasures are taking a sledgehammer to the problem, Britton says. Although the e-commerce fraud attack rate has increased, its still only around 3% percent, he notes.
Yet while some companies may have inadequate security, others have staff devoted to looking at a third of the traffic, and losing or denying a variety of customers during the verification process. So youre incurring 30% friction to solve a three percent problem, he says. Britton stresses that e-commerce sites need to find the appropriate countermeasures for the appropriate time.
Although the costs of new account fraud are on the card issuers, e-commerce fraud is a cost issue for the merchants, who are already dealing with EMV at the POS. 
Shouldnt we have known this was going to happen?
Other countries saw shifts in their criminal activity after their EMV rollouts (many of which occurred many years before the USs). Figures from 
Financial Fraud UK
 show that there was a striking increase in card-not-present fraud (including e-commerce fraud) after the United Kingdoms liability shift in 2005, peaking in 2008.
Its worth noting, though, that the e-commerce numbers steadily decreased for several years between 2008 to 2011. After 2011, though, when the UK had already had six years to recover from its EMV liability shift, CNP fraud, began to rise again -- e-commerce fraud in particular grew by over 87 percent. 
Its also worth noting that, according to the latest figures from 
Financial Fraud Action UK
, one-third of the fraud losses from UK-issued cards occur abroad, and one-third of those losses occur in the United States. 
The State of EMV on the ATM, on the eve of the liability shift
Security researchers have already poked holes in EMV technology on the ATM. At Black Hat USA last month, Rapid7 senior security consultant Weston Hecker released his 
La Cara real-time EMV ATM exploit tool,
 along with a reimagination of the next-gen carding network.
Research from the ATM Industry Association found ATM upgrades might cost as much as $2,000 to $3,000 per machine. National ATM Council, said they believe only 40% to 50% of ATMs will be EMV ready by October 2016 and that 42,000 independently owned ATMs may shut down as a result of the liability shift.
Considering the 
rash of attacks on non-EMV ATMs
 recently, maybe thats not the worst thing.
 

Last News

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
EMV: The Anniversary Of One Deadline, The Eve of Another