Online credit card crooks have joined Australia’s struggling retail sector in the go-slow economy, with once stellar growth in online payments fraud finally going backwards for the first time since meaningful statistics were kept.
After at least six years of double-digit increases in online fraud perpetrated against Australian credit and scheme debit cardholders, statistics from payments industry steward AusPayNet put the annual amount fleeced to 31st December 2018 at $487.5 million, a near recessionary lift of just 2.4 percent.
The number is well down on the 13.9 percent increase in 2017 to $476 million that prompted repeated warnings from the Reserve Bank of Australia (RBA) that the often fractious payments industry needed to do more and work together to put a lid on the escalating rorts.
And it appears that somewhere, somehow, something finally went right on the online fraud mitigation front, but it’s very unclear what it was or the effect it had.
Dubbed card-not-present (CNP) fraud, the thievery uses stolen payment card credentials to make purchases of easily liquidated products – think consumer electronics or designer goodies and bling – or other tradeable instruments, like gift cards, coin, etc.
In terms of fraud losses, CNP is the standout winner, accounting for 85 percent of all card fraud in Australia, a figure that unsurprisingly did not budge.
AusPayNet CEO, Andy White, said the latest data was “encouraging” because it showed falls in the fraud rate generally and a levelling-off in CNP fraud specifically.
"Reducing the space for CNP fraudsters to operate is an industry priority and the new framework is a major step in further stimulating the uptake of CNP fraud counter-measures across the e-commerce community."
After much cajoling and threats from the RBA, banks, retailers, card schemes and other “e-commerce participants” finally signed up to a CNP Fraud Mitigation Framework run by AusPayNet that came into effect in July.
To put the icing on the cake, RBA Governor Philip Lowe told the AusPayNet payments summit in December 2018 that even he had been carded, an observation that left bank and credit card delegates wincing.
The new rules require mandatory quarterly reporting from 15 July this year and contain thresholds that banks and merchants must remain under or potentially be penalised to the tune of millions.
“Breaches of these thresholds will trigger obligations for merchants or issuers to take action. Repeated breaches over a period of time could ultimately result in financial penalties for issuers or merchants’ acquirers,” AusPayNet said in an industry advisory when the framework was launched.
However, the new rules are unlikely to have had an impact on the latest fraud figures because they did not come into effect until six months after the statistical period ended.
So what happened to make online fraud pause for breath?
A couple of bank sources have suggested the combination of the adoption of Apple Pay and a more general shift to purchasing via mobile in Australia may have had some impact because mobile transactions are generally more secure than browser-based ones.
At the same time, Amex, Visa and Mastercard have all been pushing virtualisation hard for merchants, especially to stop them hoarding credit card numbers.
Another suggestion was that after a few successive years of major card data breaches at retailers, issuers had now rolled over a lot of their card number inventory while crooks had sought to cash out their holdings before they expired.
That’s not illogical, given that Britain experienced a spike in fraud in the run-up to mandatory smartcard issuance as crooks ran down stocks of mag-stripe clones.
Our favourite theory though goes to a government source who speculated there could be a “Trump” effect – namely that Russian and North Korean industrial carders had been told to dial back the cadence of their hits.
Reuters reported this week that North Korea had generated US$2 billion through cyber attacks on banks and coin exchanges, according to a confidential UN report.
Or, the latest figures could be a fortuitous blip.
Banks, and the merchants that have to suck up online fraud losses passed through to them by issuers, will be hoping that it isn’t.