As new countries such as those in the Nordics embrace contactless payments, people are asking about the impact on fraud. We discussed this last month at the DT Fraud Conference 2017, where Peter Bayley from Visa and I debated some of the issues arising.
The good news is that contactless doesn’t appear to increase fraud. But it could.
The first thing to note here is that the type of fraud consumers worry about is hugely unlikely. This is “proximity intercept,” where a card’s signal is grabbed by a fraudster’s device. The fear of this is played on by the manufacturers of physical RFID wallets, and sometimes even by the media. It sounds plausible but has not proven to be a big problem.
The more likely potential threat of contactless is actually more complicated, and involves “disowned” transactions where the consumer fails to recall a transaction; in extreme circumstances this can lead to the kind of fraud most of us don’t want to think about – first-party fraud.
Where the Consumer is the Criminal
First-party fraud is one of the most prevalent, growing and insidious forms of fraud in a mature EMV (chip issuance) market. This is essentially where the individual who undertakes the fraud has either performed or facilitated the fraud in their own or a completely synthetic (fictitious) identity. In short, there is no consumer victim. Estimates suggest that first-party fraud — which is often hidden in a bank’s credit and collections losses because of the difficulty in identifying it — dwarfs third-party fraud, including CNP, lost and stolen and counterfeit put together.
Identity and payment security defences are usually vested in a multi-factor requirement. In a card context this would typically mean a card authentication method or CAM (something you have), such as a satisfactory chip read, and a cardholder verification method or CVM (something you know), which would typically mean a PIN (unless you are from the US!). In a contactless payment context, which consists almost exclusively of low-value transactions, there is of course only a CAM and not a CVM, so the level of security is lower, commensurate with the lower values at risk.
Obviously there are good convenience reasons for the prevalence of contactless, especially where speed of transaction is all-important. Contactless payment is used at the ticket barriers on the London Underground, for example, where it would be impractical to require a CVM.
Add first-party fraud to contactless payments and you get some interesting market dynamics.
Challenging Contactless Transactions
Because contactless typically involves a customer not receiving a receipt, there is a higher chance of a consumer not recognising transactions. This is exacerbated by consumers believing that there are technology challenges with contactless, for example the problems with “card clash”, or failed payment because two or more contactless cards are in close proximity, which is referenced every day in Underground announcements.
The combination of perceived risk of misallocated payment from contactless cards and the absence of receipt could give rise to genuine consumers querying transaction legitimacy. This could be preyed upon by first-party fraudsters who perceive a lower level of security as a means of facilitating a successful dispute.
Consider the person who has a few too many drinks at the local tavern and finds the next morning that they have a series of contactless transactions against their account. Without receipts and with a hazy recollection of events a customer may say “It wasn’t me.” If these kinds of challenges are successful, criminals could see a way of using that to their advantage.
Of course, there are other elements of the security landscape that help ensure contactless is not an open exposure. These include limits on the number of contactless transactions that can be fulfilled before a CVM is needed, plus a strong EMV chip audit trail which would mean that sequential transactions could only arise if a customer lost their card or had somehow facilitated the card being accessed and used.
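The two controls described above, a cap on contactless transactions before a CVM is needed and the chip's sequential audit trail, sketched as an added example that is not part of the original article. The limit values, the `Txn` record and both function names are assumptions for illustration, and the sketch assumes every stepped-up transaction was completed with a successful PIN.

```python
from dataclasses import dataclass

# Assumed limits for illustration only; real values are set by issuer and scheme.
MAX_CONSECUTIVE_NO_CVM = 5
MAX_CUMULATIVE_NO_CVM = 100.00

@dataclass
class Txn:
    atc: int            # chip transaction counter: one step per chip transaction
    amount: float
    contactless: bool
    disputed: bool = False

def authorise(history):
    """Replay transactions in counter order and return {atc: decision}."""
    count, total, decisions = 0, 0.0, {}
    for t in sorted(history, key=lambda t: t.atc):
        over = (count + 1 > MAX_CONSECUTIVE_NO_CVM
                or total + t.amount > MAX_CUMULATIVE_NO_CVM)
        if t.contactless and not over:
            count, total = count + 1, total + t.amount
            decisions[t.atc] = "NO_CVM"
        else:
            # Contact chip-and-PIN, or a tap stepped up to PIN: counters reset.
            count, total = 0, 0.0
            decisions[t.atc] = "CVM_REQUIRED"
    return decisions

def disputes_bracketed_by_cvm(history):
    """Disputed no-CVM transactions lying between two undisputed verified ones."""
    decisions = authorise(history)
    verified = [t.atc for t in history
                if decisions[t.atc] == "CVM_REQUIRED" and not t.disputed]
    return sorted(t.atc for t in history
                  if t.disputed and decisions[t.atc] == "NO_CVM"
                  and any(v < t.atc for v in verified)
                  and any(v > t.atc for v in verified))

# Constructed sample: a PIN purchase, five disputed taps, then a sixth tap.
SAMPLE = ([Txn(41, 30.00, contactless=False)]
          + [Txn(a, 8.50, contactless=True, disputed=True) for a in range(42, 47)]
          + [Txn(47, 12.00, contactless=True)])

if __name__ == "__main__":
    print(authorise(SAMPLE)[47])              # sixth tap in a row needs a PIN
    print(disputes_bracketed_by_cvm(SAMPLE))  # run for an analyst to review
```

A disputed run bracketed this way means the card was used with its PIN both before and after the disputed taps, which is the pattern the audit trail lets an analyst weigh. It is a signal for review, not proof of first-party fraud.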
Contactless may not be driving levels of chargeback, and reported fraud on contactless cards is extremely low even in maturing markets. But as the channel proliferates, it is an area that fraud management professionals should keep an eye on, especially if ill-informed first-party fraudsters see the chance to capitalise.