The Great EMV Migration remains a work in progress.

Oct. 1 heralded the first anniversary of the official shift from traditional “swipe-and-signature” credit and debit cards to chip-enabled EMV cards, a move designed in part to better protect consumers from the growing threat of transaction fraud. There’s good news: 88% of cards issued by MasterCard now incorporate EMV chips. But there’s also bad news — namely that only about a third of U.S. merchants have installed EMV-enabled card readers.

But despite limited implementation of EMV-ready point-of-sale terminals, chip-and-pin technology is indeed cutting off fraudsters at the pass. With EMV effectively blocking card cloning and other commonplace criminal tactics, MasterCard notes that counterfeit card fraud costs are down 54% among EMV-enabled merchants.

That doesn’t mean that fraudsters are abandoning their lives of crime, however — instead, they’re simply turning their focus from brick-and-mortar to digital. Online fraud attacks surged 137% between the second quarter of 2015 and the first quarter of 2016 according to data issued earlier this month by fraud detection and protection solutions provider Forter: In fact, fraud attacks spiked 27% from the fourth quarter of 2015 and Q1 2016, the period immediately following the EMV transition.

“Fraudsters are moving to the path of least resistance,” Forter Chief Marketing Officer Bill Zielke told Retail Dive. “There’s so much effort placed on the EMV rollout in stores. [Fraudsters] see the online space, where those same security requirements are not present, as a riper segment to go after. It’s about what’s easiest for the fraudster. If they can prey on that [online retail] segment, that’s going to be a better use of their time.”

Fraud factors

EMV stymies brick-and-mortar card fraud by instituting new layers of transaction security and authentication. Each time a chip-enabled card is used in store at a chip-activated terminal, the chip generates a unique, one-time code to approve the transaction.

“If you peel it all away, [EMV is] an integrated circuit chip in a plastic card. It allows a terminal to say, ‘This did come from an issuing bank. It wasn’t created by someone else,’” Ned Canning, e-commerce product manager at payment processing and technology provider Vantiv, told Retail Dive this summer. “A [magnetic]-stripe card is basically a static piece of data… Once the issuer creates it and puts it out there, that’s what’s being used as authentication. Anyone who can extract that data or can even get that data from another source — like a data breach like you’ll see at some big retailers — can encode that data onto a new piece of plastic. Provided the issuing bank doesn’t know that a new card has been created, that card can then be used, because the terminal is reading that static identification criteria and saying, ‘This is a valid card.’”

But EMV’s security innovations are limited to transactions where the physical card is present, meaning chips are essentially useless in a digital commerce context. Fraudsters are exploiting that loophole to their advantage: Online retailers experienced 34 fraud attacks for every 1,000 web transactions during the first quarter of 2016, a 126% increase compared to the second quarter of 2015, according to Forter’s latest Global Fraud Attack Index, conducted in partnership with online media channel PYMNTS. The attack rate for luxury goods more than doubled during the same period, Forter notes, and attacks on digital goods merchants almost tripled.

Online fraud attacks aren’t just increasing in volume, however. They’re also growing more sophisticated. So-called “botnets” — collections of computers taken over by fraudsters, unbeknownst to their owners — accounted for a whopping 79% of all fraud attacks in Q1, an increase from 34% a year ago. “That [growth] was surprising, because it demonstrates that there’s a lot more professional fraudsters out there trying to wreak havoc than you would anticipate,” Zielke said.

Fraudsters also are capitalizing on the continued momentum of mobile commerce, Forter notes. While Forrester estimates that mobile commerce (both phones and tablets) across the U.S. will eclipse $252 billion by 2020, the research firm cautions that “mobile offers fraudsters more options than any other channel." Mobile devices remain less advanced computing environments than PCs, making them easier to exploit. Mobile also faces limited industrywide security collaboration and offers enormous opportunities for identity theft.

Yet another wrinkle in the evolving fraud landscape: Cyber breaches suffered by retailers from Target to Home Depot to Eddie Bauer have generated a treasure trove of stolen data that’s easily and cheaply accessible via the web.

The cumulative costs are staggering: Forter states that $7.30 out of every $100 of online retail sales are at risk, surging $3.10 (73%) out of every $100 from Q3 2015 and up $2.50 (52%) out of every $100 from Q4 2015. And the problem isn’t contained to fraud losses: Retailers fearing fraud also are turning away legitimate customers and sales, Zielke notes. For example, he and his wife recently moved, and when she went online to purchase furniture for their new home, the retailer identified a disconnect between their old billing address and new shipping address, flagging the transaction for potential fraud. When the issue still wasn’t resolved two days later, Zielke’s wife simply gave up and moved on to a rival furniture site.  

“Retailers are trying to do the right thing by guarding against fraud, but in fact, they’re injuring good customers,” Zielke said. “Their intentions are genuine. They’re trying to protect themselves. But they’re harming good sales in the process. Our hypothesis is that there are more good sales lost that way than there are losses from fraud.”

How merchants can fight back

Zielke blames the rise of online fraud on antiquated retailer security protocols, including manual transaction reviews. “Retailers are continuing to go down the same path they’ve been going down, using the same tools and technologies in the online space,” Zielke said. “There’s a lot of legacy systems that have been in place for 10 or 12-plus years, and using those to scale in this economy is very, very difficult. Forrester Research is calling for fraud to increase by 55% by 2018, and they’re suggesting that these legacy systems will in fact fail. The tide’s rising, and at the same time, retailers are continuing to tread water the old way. Retailers have got to put up additional safeguards in their own systems and mechanisms to protect themselves.”

Zielke stresses the importance of behavioral analytics: Forter’s fraud prevention system is based on machine learning, taking into account thousands of data points to analyze transactions in real time. Its competitors offer their own fraud protection and detection solutions, including device fingerprints (a method of uniquely identifying computers, tablets and smartphones based on attributes like browser version or screen dimensions) and chargeback management.

“A technology shift needs to occur,” Zielke said. “A lot of these legacy systems use rules-based systems that score transactions based on risk, and require transactions to be reviewed manually. Those systems have to be updated and replaced with systems that are real-time in nature, that can synthesize data and issue real-time decisions. It’s more accurate, it’s faster in terms of decision time — which is important for the customer experience standpoint — and it’s more efficient and cost-effective for retailers, in terms of managing and reducing fraud as well as for the operations that are required behind it.”

Time is of the essence. Zielke expects e-commerce fraud to continue to spike in the months to come, especially during the all-important holiday shopping season.

“If I’m a retailer, I should be asking, ‘What do I need to do, and how quickly do I need to take action?’” he said. “To me, it’s putting updated, overhauled fraud prevention into your roadmap for the next 12 to 18 months. Having a real-time system in place that can synthesize and analyze information and then issue a real-time decision can speed up the process and eliminate a lot of customer friction.”