Research: Consumers, Merchants, Issuers Dropping Ball on Fraud 

May 23, 2012

The third and final day of the CNP Expo began with a general session examining primary fraud research from Pleasanton, Calif.-based payments consultancy Javelin Strategy & Research. The results of Javelin’s research, which looked at how consumers react to—and in some cases encourage—CNP fraud, were presented to CNP Expo attendees by Vic Wheatman, Javelin’s director of security risk and fraud.

Wheatman began with a synopsis of how the information security environment has evolved in the 40 years since corporations began using computers to manage their data, from relatively secure closed systems to cloud computing, which presents a host of security issues for merchants, issuers and consumers.

Much of the risk consumers are exposed to, Wheatman said to the assembled crowd in Orlando, is the result of their own actions and has been exacerbated by the current environment, in general, and the assimilation of social networks in particular.

“Our research shows that people are willing to, and often do, post their birthdays—usually month and date, but many times year—email address, sibling profiles, phone numbers, screen name for IMs, pet names or mother’s name,” he said. “It’s a rich resource for the bad guys to guess passwords.”

The Javelin research found that social media users who accessed their profiles in the past seven days had a slightly higher overall fraud rate (6 percent vs. 5 percent). Among those with public profiles, fraud incidents jumped to 7.5 percent, and among users who accept friend requests from strangers the rate rose again to nearly 9 percent.

“The behavior of public-profile users points to a reason for the significantly higher fraud rate among those people who willingly give out a lot of information,” Wheatman said.

Another way consumers are leaving themselves open to attack is by not installing anti-virus software on their home computers. While the percentage has gone down from around 60 percent three years ago, nearly 45 percent of consumers still do not have an anti-virus program at home.

“Enterprises have to put anti-virus software on every level of their network,” Wheatman said. “It surprised me that a nice proportion of consumers weren’t doing that. It’s hard to believe people would go out on the Internet essentially naked. There’s an opportunity for issuers to educate consumers on the fraud-fighting benefits of anti-virus software.”

Wheatman, however, did not just point the finger at consumers. Merchants are still not doing simple things that could reduce CNP fraud. He noted that the top credit card issuers are all offering 3D Secure technology (e.g. Verified by Visa and MasterCard SecureCode). Not many merchants have implemented this technology, however.

“It’s unfortunate,” he said. “Maybe merchants shy away because it slows down the user experience, but the attempt is there to move this forward.”

Wheatman didn’t spare issuers either. He took many banks to task for failing to offer email or text transaction alerts (less than 20 percent of issuers currently offer a transaction alert service for CNP transactions, according to the research).

Encouragingly, Wheatman was able to point to research showing that, while they’re not doing a perfect job of it, consumers are becoming more interested in taking a proactive approach to their own security.

Since 2008, the share of consumers who believe they and their issuing bank equally share responsibility for protecting their financial information has grown from 51 percent to 55 percent, and the proportion of consumers who feel that responsibility is entirely their own has grown from 2 percent to 9 percent.