AFP compiles the most alarming—and informative—fraud news relevant to corporates in Fraudwatch. This column is part of AFP’s Payments Fraud Resource Center and is intended to keep you aware of the latest threats to your organization. Follow @AFPFraudwatch on Twitter for all the latest updates.
Report: EU Card Fraud Declining but Still at High Levels
While card fraud is on the decline in Europe, organized crime groups still abscond with about 1.5 billion euros annually, according to a new report from Europol, the law enforcement agency of the European Union.
With the migration to EMV chip and PIN technology in Europe, domestic card-present fraud has declined since 2008. However, the EU is increasingly vulnerable to illegal transactions in other parts of the world where EMV is not the standard, particularly in the United States. In 2011, almost all fraudulent face-to-face transactions using EU cards occurred overseas. Europol notes that criminals benefit not only from a lack of global protection standards but also from legal constraints that limit international police cooperation. Additionally, the multitude of police units charged with combating different aspects of fraud—economic units, forgery of money units, cybercrime units, and specialized payment card fraud units—further complicates matters.
Europol recommends that the EU take urgent measures to promote the EMV standard as a global solution against counterfeiting payment cards. Since worldwide implementation will take time, Europol recommends geo-blocking—deactivating the mag-stripe in EU-issued cards so that users can only make purchases with the chip. That way, when Europeans travel overseas, they cannot make mag-stripe purchases unless they activate the card beforehand.
As is the case in most areas that have migrated to EMV, card-not-present fraud has increased in Europe. Approximately 60 percent of card fraud losses (about 900 million euros) over the period Europol analyzed were the result of this type of fraud. Most of the stolen credit card numbers used in the EU come from data breaches in the U.S., although breaches against EU merchants and card processing centers have seen an uptick since 2010.
Europol notes that the EU suffers from a lack of proper regulations for reporting breaches to police authorities. This is mainly due to a lack of faith in the investigative abilities of law enforcement agencies, as well as organizations’ desire to maintain reputations. The latter is so crucial to some companies that they willingly accept a certain level of fraud and make no effort to identify those responsible. Therefore, the increase in CNP fraud is not reflected in police statistics and is often not prioritized.
A lack of common global standards to protect CNP transactions has led the EU industry to make significant investments in the 3-D Secure protocol, which was designed by Visa to improve the security of online payments. But the solution is not in use worldwide, and even in the EU it cannot protect all transactions.
On January 1, Europol launched the European Cybercrime Centre (EC3) in Holland. EC3 aims to “become the focal point” in Europe’s fight against cybercrime, combining the efforts of EU Member States, non-EU countries, international partners and the private sector to respond faster to cyberattacks.
Industry Canada Revises Anti-Spam Regulations
Last week, Industry Canada published a revised version of its proposed regulations under Canada’s Anti-Spam Legislation (CASL).
The initial regulations, published for consultation in the Canada Gazette in 2011, were intended to clarify key terms and concepts in CASL. Industry Canada also sought to provide relief to businesses through exemptions where the broad application of the legislation could impede business activities. However, the comment period that followed yielded concerns from multiple organizations that the regulations did not provide the aforementioned clarity.
Following the consultation period, Industry Canada addressed several key issues in the revised regulations.
- Electronic messages between individuals with a family or personal relationship, or a non-business relationship such as membership in a club, are not subject to the legislation.
- Limited exemptions are provided for electronic messages sent within a business or between businesses that have an established relationship.
- Consent to receive messages from an unknown third party is only valid if the individual receiving the message has the ability to unsubscribe.
- Telecommunications service providers supplying security services, updates and upgrades are granted limited exemptions.
- Third party referrals are exempt in situations where there is an existing relationship between one individual and the referring individual.
While some critics argue that the revised regulations create the potential for spammers to exploit loopholes, they do make it easier for some legitimate business practices to continue. Canadian Lawyer Magazine noted that the exemption for third party referrals is particularly important. “There was a serious concern people couldn’t follow up on referrals given to them by friends and family and that has been mitigated,” said Geoffrey Creighton, senior vice president, general counsel and secretary with IGM Financial Inc. “That’s an important one that was responsive to concerns raised by a whole lot of industries including the financial advice industry and small business professional of any sort.”
The proposed regulations are subject to a 30-day comment period ending February 4.