EMV: The Anniversary Of One Deadline, The Eve of Another

How merchants and criminals have responded since the EMV liability shift for point-of-sale devices one year ago. And what changes can we expect after the liability shift for ATMs, which is just days away?

Although there was a shift in criminals' tactics, EMV implementation can't be blamed for the plethora of stolen identity data available on the black market, or for inadequate authentication/verification during account creation processes, or for increasing e-commerce traffic, or for other poor security on e-commerce sites. 

For these problems, there are a variety of solutions.

"The unfortunate piece is that the countermeasures are taking a sledgehammer to the problem," Britton says. Although the e-commerce fraud attack rate has increased, it's still only around 3 percent, he notes.

Yet while some companies may have inadequate security, others have staff devoted to looking at a third of the traffic, and they lose or deny a variety of customers during the verification process. "So you're incurring 30% friction to solve a three percent problem," he says. Britton stresses that e-commerce sites need to find the appropriate countermeasures for the appropriate time.

Although the costs of new account fraud are on the card issuers, e-commerce fraud is a cost issue for the merchants, who are already dealing with EMV at the POS. 

Shouldn't we have known this was going to happen?

Other countries saw shifts in their criminal activity after their EMV rollouts (many of which occurred many years before the US's). Figures from Financial Fraud UK show that there was a striking increase in card-not-present fraud (including e-commerce fraud) after the United Kingdom's liability shift in 2005, peaking in 2008.

It's worth noting, though, that the e-commerce numbers steadily decreased for several years between 2008 and 2011. After 2011, though, when the UK had already had six years to recover from its EMV liability shift, CNP fraud began to rise again -- e-commerce fraud in particular grew by over 87 percent.

It's also worth noting that, according to the latest figures from Financial Fraud Action UK, one-third of the fraud losses from UK-issued cards occur abroad, and one-third of those losses occur in the United States. 

The State of EMV on the ATM, on the eve of the liability shift

Security researchers have already poked holes in EMV technology on the ATM. At Black Hat USA last month, Rapid7 senior security consultant Weston Hecker released his "La Cara" real-time EMV ATM exploit tool, along with a reimagination of the next-gen carding network.

Research from the ATM Industry Association found ATM upgrades might cost as much as $2,000 to $3,000 per machine. National ATM Council said they believe only 40% to 50% of ATMs will be EMV ready by October 2016 and that 42,000 independently owned ATMs may shut down as a result of the liability shift.

Considering the rash of attacks on non-EMV ATMs recently, maybe that's not the worst thing.

