The Card Fraud Arms Race
Card Issuers and Scammers have been competing to outwit one another for decades. Now, new tools like Gen AI are supercharging the race to people's wallets.
The criminals are having a field day. And [card fraud] will grow. Once losses hit a percentage the credit card companies can’t live with, then they will change things. The conflict in marketing is: ‘How much loss can we absorb before we change?’
$34 billion: That’s the estimated amount of card fraud committed globally in 2024. This number is expected to continue growing as fraudsters take advantage of new and innovative technologies. For a time, NLP and other machine learning algorithms were improving fast enough to keep fraud at bay. The rise of new, readily available AI tools and increasingly elaborate social engineering have “blown the system apart,” to quote one industry expert. This is just the next evolution in a long history of fraudsters and card operators vying to stay one step ahead of the other.
Card fraud is an arms race between scammers and card operators. A new technique emerges seemingly out of nowhere and begins to spread throughout a system. Once a fraud technique creates enough damage, card operators (banks, their issuing and acquiring platforms, and card networks) respond in a series of actions to mitigate the technique’s effect. After some time, the system evolves and the fraud techniques mutate — thus beginning the cycle all over again.
This post will explore the arms race by examining four innovations — physical cards, magnetic strips, EMV chips, and eCommerce — how fraudsters took advantage of weaknesses, and how card operators responded.
Innovation: Physical Cards
Scammers: Counterfeiting
The first credit cards were issued on paper. Nothing more than a name, number, and logo. This had the benefit of presenting information in a standardized format — easing merchant processing and thus acceptance. However, the cards had an obvious flaw: they were easy to counterfeit. Fraudsters were accustomed to check fraud, so paper cards required only a few modifications to their existing schemes. With little more than a portable printing press, fraudsters funded lavish lifestyles, for a time at least.
Issuer Response: Add difficult to replicate design elements
The most obvious design element was to shift from paper to plastic and even metal. But that was quickly countered by fraudsters obtaining card blanks and embossing machines of their own. The major drawback of these new innovations was cost — this will be a recurring theme — as plastic manufacturing required specialized equipment. A merchant, however, still had no way to know whether the card being used was valid, no matter how good it looked.
Acquirer Response: Real-time card verification
For the merchants and acquirers, the challenge was determining the validity of the physical card. Initially, this was solved by the cashier flipping through a large book of cancelled card numbers — a practice carried over from checks. This, however, was cumbersome and nowhere near real-time, as books were published monthly (at best). Later on, merchants could phone the issuer directly to validate the card — though most only did this for large transactions or unfamiliar customers.[1]
Tech-savvy acquirers and merchants could use National Data Corp to verify physical cards by calling into a data center where the card would be looked up in a mainframe. This process was minutes faster than the manual checks, taking about a minute, but it was agonizingly slow compared to the minimum verification time of 5 seconds imposed by modern networks like Visa and Mastercard. Even when things advanced to allow the card data to be keyed into the telephone, the process was still cumbersome and error prone.
Innovation: Magnetic Strips
Scammers: Card Skimming & Cloning
Developed by IBM and American Express in 1969, the magnetic stripe on a card stores the card information in a similar way to how cassette tapes encode information. The technology to read, copy, and encode the card information was expensive, large, and not readily available to scammers. The same factors had the negative side effect that merchants did not adopt the technology needed to read magnetic stripes for more than a decade. With the introduction of the Verifone ZON product line in the 1980s, the costs fell and magnetic stripes became the default in most transactions by the 1990s.
However, this proliferation of technology meant fraudsters could begin copying cards en masse. The most common methods were to steal card information directly or to install card skimmers on ATMs or POS terminals. The stolen or “skimmed” data was then copied onto a new or existing card, allowing fraudsters to quickly rack up tens of thousands in fraudulent charges using cards that were valid. Per Agent Miller, “It just takes someone with a little bit of computer knowledge and you can re-encode anything you want.”
Issuer Reaction: Encrypt the data on the magnetic tape
To combat skimming, issuers began putting complex codes in the magnetic strip of cards instead of just the information embossed on the front of the card. It was a huge move for cardholder protection and cut down on some of the fraud, but it meant reissuing millions of cards — thankfully not all at once. The new cards also required that merchants adopt new, sophisticated terminals to process transactions.
Acquirer Reaction: Require verification (signature or ID match)
Acquirers responded by requiring merchants to perform additional security checks during the checkout process. Aside from the PIN, which was mandated by the issuing bank, merchants started matching the receipt signature to the one on the card — which is why your card still says “not valid until signed”[2] — or checking an official ID. This was a long-standing practice before magnetic stripes, but acquirers came to enforce it on merchants before POS terminals became the norm.
Innovation: EMV Chip
Scammers: Opt Out
The EMV chip was a revolution that took nearly 30 years to be fully realized. The chip — jointly developed by Europay (now part of Mastercard), Mastercard, and Visa — began development in 1984 and took advantage of microcircuits embedded in the card to validate the card. These chips were expensive to manufacture but much more secure. To combat this added security, scammers took advantage of a merchant’s desire to complete a sale.
The scammer would insert a card with a defunct or modified chip which would cause an authorization error and the transaction to fail. The unwitting merchant would think it was a bug with the phone lines or machine, at which point the scammer would be asked to run the counterfeit card using the magnetic stripe.
Issuer Reaction: Deny swipe transactions, Require PIN
Seriously. Once the chip was introduced and made the standard in Europe in the 1990s, magnetic stripe authorization rates fell from 99% to 30% and even as low as 10% for some transaction types. This was a very loud signal to European cardholders and merchants that EMV was the way forward. Of course, the US took another two decades to fully make the switch.[3]
A relatively simple solution was to require that PINs be used on transactions: thus the nickname of “chip and PIN card.” This made transactions more secure as a fraudster would now need to obtain not just the card information but also the cardholder’s secret PIN. Assuming the fraudster hadn’t watched the transaction, hacked the terminal, or installed a PIN skimmer, the PIN code was a low effort way to increase security at the cost of checkout speed. The downside, of course, was adding friction to the transaction — something Europeans didn’t seem to mind with Switzerland even going as far as defaulting to 6-digit PINs.
Acquirer Reaction: Shift the liability
Acquirers just said, “Fine. If the merchant won’t enforce EMV, then merchants can eat the chargeback costs.” Acquiring banks shifted the liability for card fraud more and more onto the merchant, decreasing the ceiling on acquirer-covered transactions and raising fees on merchants with high fraud rates. This disincentive was a direct foil to the scammer trying to take advantage of a merchant’s desire for revenue. It worked in Europe, but it took until the 2010s for the EMV chip to become the standard in the US.[4]
Further Reading:
The History of EMV, an interview with Philip Andreae, “forefather” of EMV
I’m actively choosing to skip over tap-to-pay card technology because it’s built on the EMV chip plus near-field communication (NFC) and RFID technology. NFC is used by Apple Pay as well. NFC has complex encoding and is difficult, at least for now, to duplicate. There was a period where everyone was told to buy metal-lined wallets to prevent scammers from stealing your card data using an RFID reader hidden in their bag or coat pocket. Card issuers utilized encryption and dynamic codes to prevent this before it ever became a real-world issue.
External Change: eCommerce
Scammers: Social Engineering and Database Hacking
eCommerce is underpinned by CNP (card not present) transactions — entering your data into an online portal in a manner reminiscent of the earliest days of card processing. Modern eCommerce transactions are an evolution of calling the number on those 2:00 AM blue screen ads and sharing your card details over the phone.
eCommerce CNP transactions expose your card data to a web form or portal, a network, and occasionally the merchant’s servers. For most people, the portal looks standard across all websites and allows merchants to quickly capture card info. Fraudsters know this and will build websites and experiences that look legitimate and get you to expose your card information. In addition, fraudsters could now directly target merchants for card data, because merchants aren’t banks. Merchants (Target, Walgreens, Macy’s) don’t have the same levels of sophisticated encryption and security that financial institutions are required to maintain. Thus, a fraudster simply needs to hack a merchant’s records to gain access to thousands, sometimes millions, of cards on file.
Issuer Reaction: Add more frictions — MFA and Tokenization
Combating social engineering is hard, so aside from the regular PSAs and company trainings, the onus really falls on the issuers and the acquirers to deliver innovative ways to detect and prevent fraud. The most innovative approaches today leverage technology to make things slower. Yes, slower. Borrowing from the past, card companies are leveraging advanced authentication methods to ensure the validity of payments. Multi-factor authentication (MFA) — a push notification to a phone, entering a CVV[5], or providing a custom PIN — has been shown to reduce the risk of account compromise by 99.22%, and by 98.56% in cases of leaked credentials.[6]
Issuers are increasingly leveraging AI and predictive models to assign a risk score to each transaction. This score is then used to determine whether MFA is required or if the transaction is rejected altogether. This is best explained by Jareau from Batch Processing:
Another tool is machine learning (ML) as applied to fraud detection. At Balanced, we started with a simple rules-based system, which we used as the basis for a simple machine learning model to detect fraud. We also built a clever mesh network, which would associate various aspects like IP address, card fingerprint, email address, etc. If one of those aspects were found to be fraudulent, the other aspects would either be banned as well or considered at higher risk of fraud. Today, we are in the heyday of machine learning and artificial intelligence. Standalone companies like Unit21 and Sift provide risk scoring to payment facilitators and gateways. Large payment processors like Adyen, Stripe, and Checkout all provide built-in risk management solutions.
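To make the risk-score-then-step-up flow and the “mesh network” idea concrete, here is an added example (my own illustration, not Balanced’s, Batch Processing’s, or any vendor’s code). Attributes seen together on a transaction (IP address, card fingerprint, e-mail) are linked in a graph; once one attribute is confirmed fraudulent, anything linked to it carries elevated risk, and the resulting score decides between approve, step-up MFA, and decline. The hop weights, the large-ticket bump, the decision thresholds, and the transaction history are all constructed assumptions for the demo.

```python
"""Linkage-based risk scoring with step-up authentication (added example).

Not Balanced's, Batch Processing's, or any vendor's code. Weights, thresholds
and the sample transactions are assumptions for the demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Txn:
    txn_id: str
    ip: str
    card_fp: str   # card fingerprint (e.g. a hash of PAN + expiry), never the PAN itself
    email: str
    amount: float


class LinkGraph:
    """Undirected graph of transaction attributes plus a set of confirmed-fraud nodes."""

    def __init__(self) -> None:
        self.adj = defaultdict(set)      # node -> nodes it has appeared with
        self.confirmed = set()           # nodes confirmed fraudulent (e.g. via chargeback)

    @staticmethod
    def nodes(t: Txn) -> set:
        return {f"ip:{t.ip}", f"card:{t.card_fp}", f"email:{t.email}"}

    def observe(self, t: Txn) -> None:
        """Link every attribute of a processed transaction to the others."""
        ns = self.nodes(t)
        for a in ns:
            self.adj[a] |= ns - {a}

    def mark_fraud(self, node: str) -> None:
        self.confirmed.add(node)

    def hops_to_fraud(self, start: str, max_hops: int = 2) -> Optional[int]:
        """Breadth-first search: hops to the nearest confirmed-fraud node, or None."""
        seen = {start}
        queue = deque([(start, 0)])
        while queue:
            node, dist = queue.popleft()
            if node in self.confirmed:
                return dist
            if dist == max_hops:
                continue
            for nxt in self.adj.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, dist + 1))
        return None


# Assumed weights: attribute itself confirmed = 100, one hop away = 60, two hops = 30.
HOP_WEIGHT = {0: 100, 1: 60, 2: 30}


def risk_score(g: LinkGraph, t: Txn) -> int:
    score = 0
    for n in g.nodes(t):
        hops = g.hops_to_fraud(n)
        if hops is not None:
            score = max(score, HOP_WEIGHT[hops])
    if t.amount > 500:               # assumed: large tickets get a small bump
        score += 10
    return min(score, 100)


def decide(score: int) -> str:
    """Assumed cut-offs: decline at 80+, require MFA at 30+, otherwise approve."""
    if score >= 80:
        return "decline"
    if score >= 30:
        return "step_up_mfa"
    return "approve"


def demo() -> dict:
    """Constructed history and candidates; returns txn_id -> (score, decision)."""
    g = LinkGraph()
    for t in [Txn("h1", "203.0.113.7", "card-A", "alice@example.com", 40.0),
              Txn("h2", "203.0.113.7", "card-B", "bob@example.com", 900.0)]:
        g.observe(t)
    g.mark_fraud("card:card-A")      # a later chargeback confirms card A was stolen

    candidates = [
        Txn("t3", "203.0.113.7", "card-C", "carol@example.com", 40.0),  # shares the IP (1 hop)
        Txn("t4", "198.51.100.9", "card-A", "dave@example.com", 20.0),  # the flagged card itself
        Txn("t5", "192.0.2.1", "card-D", "erin@example.com", 700.0),    # unrelated, large ticket
        Txn("t6", "198.51.100.5", "card-E", "bob@example.com", 20.0),   # 2 hops via bob's e-mail
    ]
    out = {}
    for t in candidates:
        s = risk_score(g, t)
        out[t.txn_id] = (s, decide(s))
    return out


if __name__ == "__main__":
    for txn_id, (score, action) in demo().items():
        print(f"{txn_id}: score={score:3d} -> {action}")
```

Two design points worth noticing: scoring never calls `observe` on the candidate, so a transaction is judged against history before it can pollute the graph, and the search stops at two hops, since in a real graph a shared IP (think a coffee shop or carrier NAT) quickly links everyone to everyone.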
Another “friction” has less to do with the payment experience for the card holder and more to do with what’s going on under the hood.[7] Tokenization, the process of replacing account details with a unique identifier or “token”, is considered one of the best fraud protection tools currently in the industry. This makes it so that data stored on the device or with the merchant can’t be copied and used somewhere else as it’s functionally useless without the proper encryption keys. To a cardholder or merchant, nothing much changes during the checkout experience. This is exactly how fraud controls should be: boring and unnoticed.
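The following added example (my own illustration, not any network’s or processor’s tokenization service) shows why a token in a merchant’s database is useless on its own: the mapping back to the account number lives only in a vault, and the vault will only detokenize for the merchant the token was issued to. The token format (random digits that keep the last four, deliberately fail the Luhn check so a leaked token can never pass as a card number, and are reused for a returning card at the same merchant) is a design choice for the demo; the card number is the well-known 4111 test number, not a real account.

```python
"""Tokenization vault demo (added example, not a real provider's implementation).

The merchant stores only a token; the vault keeps the PAN and binds each token
to one merchant. Token format and binding rules are assumptions for the demo.
"""
import secrets


def luhn_ok(number: str) -> bool:
    """Standard Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self) -> None:
        # token -> (pan, merchant_id). A production vault encrypts this at rest
        # with keys the merchant never holds; the point here is the separation.
        self._store = {}
        self._by_pan = {}      # (pan, merchant_id) -> token, so a returning card reuses its token

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if not (pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a well-formed card number")
        key = (pan, merchant_id)
        if key in self._by_pan:
            return self._by_pan[key]
        while True:
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = middle + pan[-4:]            # keep last four for receipts / display
            if not luhn_ok(token) and token not in self._store:
                break                            # never a valid PAN, never a collision
        self._store[token] = (pan, merchant_id)
        self._by_pan[key] = token
        return token

    def detokenize(self, token: str, merchant_id: str) -> str:
        """Only the merchant the token was issued to may use it."""
        entry = self._store.get(token)
        if entry is None or entry[1] != merchant_id:
            raise PermissionError("token unknown or not bound to this merchant")
        return entry[0]


def demo() -> dict:
    """Simulates a breach of merchant A's database; returns property -> bool."""
    vault = TokenVault()
    pan = "4111111111111111"                     # well-known test number, not a real account
    token = vault.tokenize(pan, "merchant-A")
    merchant_db = {"customer-42": token}         # all a breach of merchant A exposes
    leaked = merchant_db["customer-42"]
    result = {
        "token_differs_from_pan": leaked != pan,
        "token_keeps_last4": leaked[-4:] == pan[-4:],
        "token_fails_luhn": not luhn_ok(leaked),
        "same_token_on_repeat": vault.tokenize(pan, "merchant-A") == leaked,
        "merchant_a_can_charge": vault.detokenize(leaked, "merchant-A") == pan,
    }
    try:
        vault.detokenize(leaked, "merchant-B")   # replay at another merchant
        result["merchant_b_blocked"] = False
    except PermissionError:
        result["merchant_b_blocked"] = True
    return result


if __name__ == "__main__":
    for prop, ok in demo().items():
        print(f"{prop}: {ok}")
```

The merchant-binding check is what makes a dumped token database worthless to a fraudster: even a token that looks like a card number cannot be charged anywhere except at the merchant it was issued to, and the vault is the single place where that decision is enforced.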
Looking Ahead
Ultimately, it’s easier to prevent fraud than to catch it after the fact. That’s why so much of the time, money, and technology is focused on preventing scammers from initiating a transaction. It costs between $100 and $150 per event for a bank to handle a card fraud case. Below this amount, most banks just write off the fraud as a loss, then block and reissue the card. It’s a horrible experience for the card holder and forces them to rely on other payment methods in the meantime — letting another issuer take the place at the “top of wallet.”
Issuers, then, have to strike a delicate balance between having enough fraud controls in place and not having the controls be cumbersome. For most, MFA like a PIN or Face ID is the best balance of security and ease of use. Other measures are too complex or pricey to implement except for a handful of very large issuers or merchants, so they wouldn’t get used. Compounding that is the fact that most card fraud is fast-grab stuff. Fraudsters avoid using the same stolen card or information for too long. Any longer than necessary and whatever they’ve done to bypass security and anti-fraud measures will start to flag.
This is where things like the machine learning and AI models explained by Jareau come into play. The proliferation of these models has allowed issuers, acquirers and fintechs to spin up predictive models that look at everything from IP address, to mouse wiggles, to how long you’ve stayed on a certain page to determine whether the activity is fraudulent. These tools have put the dream of using big data to eliminate fraud in payments within reach. All that’s left now is to see what move hackers make next.
To help with this post, I reached out to my best friend and Certified Fraud Examiner, Jakob Robinson. Jakob specializes in using big data to investigate fraud, antitrust, anti-corruption, and export compliance. He provided some great resources and insights on modern fraud techniques — thank you, pal!
[1] A quick note here: while cards could be used anywhere, they were not accepted everywhere like they are today. Low-margin businesses and local shops would refuse to process the card — so cards were generally reserved for high-value purchases, department stores, and fancy restaurants.
[2] Most issuing banks have dropped the signature requirement as other, more secure methods were developed to verify card transactions. A less appreciated aspect is cost — signature pads require multiple messages and more backend processing.
[3] If anyone has data on card swipe authorization rates by year in the US, I’d love to see it.
[4] Even now, you can still run a card as a swipe transaction; it just costs the merchant much, much more. Some payment terminals only offer chip or tap-to-pay, though this is somewhat rare to see in the US.
[5] An interesting take on this is the Ellipse Verification Code. The cards have a screen built into them which will change the CVV, the three to four numbers on the back of your card, each time you transact with your card. For online payments, this dynamic CVV provides an additional layer of security and makes CNP fraud from hacking virtually useless unless the hacker also has the physical card. Full disclosure, I’ve spoken with members of the Ellipse team and relied on conversations with them to prepare this post.
[6] Meyer, Lucas Augusto, et al. “How effective is multifactor authentication at deterring cyberattacks?” arXiv preprint arXiv:2305.00945 (2023).
[7] I’d be remiss if I didn’t also mention 3D Secure (3DS) as an additional online safeguard that protects merchants and issuers from fraudulent CNP transactions. 3DS is a protocol that uses additional verification (PIN, passphrase, random code) during online checkout. It hampers completion rates for online merchants and has a lower acceptance rate than other methods, but it also has very low fraud rates, making the cost worth it in some cases.