Digital payment transactions made fraudulently and without the use of a physical credit card are called “card not present fraud” or CNP fraud. Bad actors use stolen credit card details, such as name, expiry date and CVV numbers, to execute card-not-present fraud.
Since no physical card is involved in a card not present transaction fraud, it becomes particularly challenging to spot and prevent it, causing significant losses for businesses. However, considering the growing popularity of ecommerce, merchants cannot afford to stop offering the facility of card not present transactions. Therefore, it becomes critical that businesses adopt robust identity verification methods to prevent card not present fraud, without disrupting the online experience for genuine customers.
Card not present fraud statistics
Driven by the prolific growth in ecommerce and m-commerce, card not present transaction fraud continues to cause losses worth billions of dollars, nearly $10 billion every year¹, to businesses globally. The introduction of EMV chips helped minimize card present fraud—but caused bad actors to take the digital route, which is one of the prime reasons why card-not-present fraud has spiked in recent years.
Card not present fraud statistics show that on an average, CNP fraud contributes 75% in value of all card frauds in a number of countries. It is estimated that card-not-present fraud will cost retailers around $130 billion by 2023.²
How do bad actors steal credit card information?
Card not present fraud is especially dangerous due to the fact that CNP transactions only need credit card details and not the use of the actual physical card. Card not present transactions can be executed without the card owner’s knowledge, while they still are in possession of their physical credit cards.
To execute CNP fraud, bad actors use stolen credit card details. They use several methods to obtain these details. Some of the common techniques that bad actors use to access credit card details include: hacking, skimming, phishing, planting malware, stealing card details from a physical store, and even buying stolen card details from the dark web, among others.
Types of CNP fraud
The most popular form of card-not-present fraud is by using compromised credit card details through phone or digital platforms. In addition, there are several other methods that bad actors deploy to complete fraudulent CNP transactions.
While some of these methods involve fake account creation, others involve card-based payment methods. Here’s a look at the alternate methods used to execute CNP fraud:
- Account takeovers: Bad actors use stolen credentials to gain illegitimate access into genuine user accounts, and make unauthorized payments, siphon off funds, and launder money.
- Synthetic identity: One of the most complex fraud types, synthetic identity fraud is when bad actors combine stolen user information with fictitious information to stitch together user identities that do not exist! Using these synthetic identities, cyber criminals are able to not only spend a user’s money but also engage in criminal activities.
- Gift card fraud: Using stolen credit card information, bad actors can purchase gift cards that can be easily bought and monetized, without getting tracked.
- Friendly fraud: Also called card chargeback fraud, here customers dispute legitimate transactions to request refund, resulting in costly chargebacks for businesses.
- Loyalty points fraud: Bad actors can redeem the loyalty points accrued from card payments.
- Shipping fraud: Works both ways. Consumers may engage in CNP fraud to receive items at different addresses and resell them. Alternatively, sellers may receive the payment but not supply the items.
- Online digital streaming fraud: Consumers share their passwords with others for the same account.
Impact of CNP fraud
Card-not-present fraud has a far-reaching impact on businesses and consumers. When a customer reports a fraudulent transaction and claims refund, businesses lose revenue as well as the product or service sold. To minimize the losses, businesses may resort to increasing the price of their products or services and in worst cases, may even have to cut down on the workforce. Businesses not only incur losses such as card transaction fees, chargeback fees, and mitigation costs but also suffer reputational damages.
It is estimated that merchants spend nearly $240 for every $100 charged back³, a figure likely to rise further with the exponential growth in eCommerce. Businesses with repeated chargebacks may be labeled risky and in worst cases, may not be able to process any transactions.
Card-not-present fraud can cause severe damage to the brand equity of a business. In today’s era of social media platforms and vocal customers, every adverse comment can affect future business prospects and customer loyalty.
Compromised consumers, whose stolen credit card details are exploited for CNP fraud, often face rejection of their cards at checkout, as they are flagged as fraudulent. This prevents them from using their cards for any transactions and tags them as risky users. Further, such customers become vulnerable to repeat fraud.
The modus operandi for card not present fraud
CNP fraud can be broadly categorized as being executed by bad actors or authorized users. In the first method, bad actors use stolen credit card details to complete fraudulent transactions. This is the traditional ecommerce fraud and is the most wide-spread.
However, in recent times, there has been a spurt in non-traditional CNP fraud, where genuine customers engage in fraudulently claiming chargebacks. It is also called friendly fraud, as here genuine or authorized users dispute the transaction to claim refund as well as avail of the product or service.
Both these methods of card-not-present result in losses and chargebacks to merchants.
Card not present fraud trends
Card not present fraud is closely following the growth in ecommerce. It is, therefore, expected that by 2024, CNP fraud may well account for 90% of overall card fraud losses in the US. The payment industry is likely to lose more than $49billion in fraud and $180 billion in chargebacks by 2030.⁴
Further, more and more transactions are now taking place through phones and digital channels, which means bad actors have ample opportunities to execute card not present fraud. And, that is not the end. Bad actors are increasingly using account takeover, fake new account creation, and synthetic identities for CNP fraud.
Interestingly, CNP fraud trends now also include a growing tendency of good consumers engaging in card-not-present fraud by purchasing items online and returning them after using them till the stipulated return period.
The above factors are indicative of the tough times ahead for the payments industry. To arrest the rising damages, both financial and reputational, businesses must step up their user authentication mechanisms. They can consider deploying robust credit card fraud detection software, such as Arkose Labs to prevent card not present fraud and ensure their users’ account security.
Ways to detect card-not-present fraud
Card not present fraud is a growing threat and businesses must take proactive steps to identify and stop CNP fraud attempts before they become too large. There are certain methods that can help businesses identify card-not-present fraud, thereby enabling them to take timely preventive action.
Some of the indicators of a card not present fraud include:
- Billing address and shipping address do not match
- Billing address does not match with that provided by the card issuer.
- Invalid CVV
Techniques to prevent card not present fraud
Identifying CNP fraud will yield no results unless businesses have robust fraud prevention mechanisms that enable them to take corrective actions. It is essential that businesses deploy security measures that align with their overall security posture to protect themselves and their customers from card-not-present fraud.
Some of the commonly used techniques that can help prevent card not present fraud include: 3D Secure, two-factor authentication (2FA), tokenization, device intelligence, artificial intelligence, machine learning, network insights, and working with a reliable security vendor.
Long-term protection from CNP fraud attempts with Arkose Labs
Arkose Labs follows an unconventional approach to help businesses prevent card not present fraud that are either bot-driven or executed by human fraud farms, all while preserving good user experience.
Combining the latest technologies – artificial intelligence, machine learning, behavioral biometrics, email intelligence, device fingerprinting, and so forth – with hundreds of digital parameters, Arkose Labs accurately identifies bad actors and flags them for further investigation. However, instead of blocking any user, the CAPTCHA-based challenges of Arkose MatchKey provides them with an opportunity to authenticate themselves by solving 3D challenges that are rendered in real-time and according to the risk score assigned.
Good users may pass unchallenged and those that face an enforcement challenge can solve them fairly easily. Automated scripts, bots, and click farms are intercepted and presented with challenges that increase in volume and complexity. Arkose Matchkey challenges are not only resilient to automated solvers but also make it extremely difficult for human attackers to create automatic solvers to clear the challenges at scale. This is because each Arkose Matchkey challenge has thousands of variants that would need disproportionate amounts of efforts and technical resources to create solvers, which would still not succeed.
The delay in clearing the challenges prevents attackers from achieving scale and rising investments make the attack financially unattractive. Attackers are left with no choice but to abandon the CNP fraud attempt and move on to unprotected targets.
Arkose Labs is a true partner that provides 24x7 support and shares insights, data, and raw signals that helps security teams to spot and ward off any CNP fraud attempt, instantaneously.
