Why EMV is Changing Healthcare Account Fraud...and How to Respond
Published on May 30th, 2018
It’s no secret the internet has enabled a huge increase in fraud.
With so many organizations collecting so much personal data, the exponential increase in fraud over the past two decades was inevitable.
Equally inevitable was the response by major financial institutions, who have a strong vested interest in keeping fraud to a minimum. Banks, lenders, and credit providers have all implemented measures to identify fraudulent transactions and prevent account takeover.
Perhaps the most obvious of these measures (at least for the end user) is the Europay, Mastercard, and Visa (EMV) payment card standard, which requires a “chip and PIN” authentication for transactions in place of the traditional “swipe and sign.”
EMV cards, while still fairly new to US consumers, have been the standard in Europe for years, primarily because they are much harder and more expensive to clone. According to Mastercard, Card Present (CP) fraud in the US has fallen by 36% since 2016, largely as a result of increased EMV uptake.
But there’s a problem. During the same period, Card Not Present (CNP) fraud in the US increased by 33%. Since it’s now harder and more expensive to clone cards, criminals are simply using stolen cardholder data to conduct fraudulent transactions online instead.
And this shift isn’t unique to the US. Other developed countries have seen the same trend: as EMV adoption increases, criminals simply shift their focus from CP to CNP. In fact, in many developed countries, CNP fraud accounts for more than 70% of all card fraud and continues to rise.
Unfortunately, this change in tactics is the standard response of fraudsters in the face of changing security measures. Instead of being deterred entirely, they simply look for another way to game the system.
And to understand how all of this affects the healthcare industry, it’s important to grasp just how much of a problem fraud really poses.
The cost of connectivity
The direct costs of payment fraud are huge. In 2017 they hit $28 billion, and by 2021 they’re set to exceed $38.5 billion.
And that seems like a lot… until you think about it in the context of cybercrime as a whole. Over the next five years, the total economic impact of insecurity is projected to exceed $3 trillion.
In reality, then, payment fraud is just a small subsection of digital crime. And when you cast your gaze beyond payment cards specifically, you start to identify some troubling trends.
The vast majority of organizations now have an online presence, and many actively collect and store consumer data. As you’d expect, this hasn’t gone unnoticed by criminals, who now devote a huge amount of time and energy to attempting to steal that data for financial gain.
To give you an idea of the scale of the problem:
- 9.7 billion electronic records have been stolen in the past five years
- 506 million login credentials were harvested globally in 2017
- Last year, there were 1,579 reported breaches in the US alone, with nearly 179 million records exposed
And we’re not talking about unimportant data. Highly sensitive consumer records, including payment card details, have been stolen from major institutions such as JP Morgan, Equifax, and eBay.
Typically, criminals use social engineering tactics such as phishing to trick well-meaning employees into breaking normal security protocols. In recent years, contact centers have become a popular target for social engineering attacks, as they are perceived as soft targets for manipulation.
But, in reality, the tactics are secondary to the problem itself. The fact is that millions of consumer records are being stolen every year and used to conduct fraudulent transactions, steal identities, and effect account takeovers.
And, it’s at this point that we turn our attention back to the healthcare industry itself.
How fraud affects healthcare funding
Healthcare has been hit hard by cyber attacks in recent years. In fact, according to security firm Cylance, in 2017 more than half of all cyber attacks targeted the healthcare industry.
Why? There are plenty of reasons, but here are a few top contenders:
- Healthcare environments are often highly complex and difficult to secure
- Healthcare organizations have historically budgeted too little for cyber defense
- Due to their sensitive content, healthcare records are extremely valuable
But it’s not just healthcare organizations themselves that are at risk. Health savings accounts (HSAs) and flexible spending accounts (FSAs) are highly attractive targets for fraudsters, primarily because many account owners treat them as savings accounts and rarely check their balance or withdraw funds.
And in line with the post-EMV move away from CP fraud, there is no need for criminals to clone the cards associated with HSAs and FSAs. Instead, the accounts are typically compromised using stolen consumer records, and the funds transferred away online. In some cases, funds from HSAs and FSAs have even been transferred to prepaid cards opened in the account holder’s name, enabling criminals to use the funds without ever raising any red flags.
So what’s the headline here? After all, fraud is hardly a new phenomenon, even if the specific tactics surrounding it are evolving.
Well, for those of us with an interest in consumer-directed healthcare, the message is simple: When consumers take an active role in the management of their healthcare funding, they also become a prime target for fraudsters.
And, unfortunately, there are plenty of ways for fraudsters to trick individual account holders into compromising their accounts, and even more ways to profit from doing so: everything from card fraud (both CP and CNP) to account takeover.
Being proactive in defense
At first glance, it’s tempting to think the security of individual medical accounts is primarily an account holder issue. And certainly there are measures account holders can take to minimize their chances of being compromised.
They can, for instance, request (and check) monthly account statements and set alerts for unusual activity, such as denied transactions, password changes, and a balance that falls below a predetermined level. From an account security perspective, account holders can also take basic precautions, such as setting strong passwords, changing their passwords regularly, and not logging into their accounts while connected to unsecured WiFi networks.
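The three alert conditions named above (denied transactions, password changes, balance falling below a chosen floor), implemented as replay logic over a constructed activity feed. This is an added example, not code from the original article; the event tuple format and the `AlertSettings` fields are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample activity for one account (hypothetical format):
# (event_type, amount, status, channel). Not real account data.
SAMPLE_EVENTS: List[Tuple[str, float, str, str]] = [
    ("transaction", 45.00, "approved", "pharmacy"),
    ("password_change", 0.0, "ok", "web"),
    ("transaction", 1200.00, "denied", "electronics"),
    ("transaction", 900.00, "approved", "clinic"),
]


@dataclass
class AlertSettings:
    """Alert preferences an account holder would opt into (assumed fields)."""
    opening_balance: float
    low_balance_floor: float          # alert once the balance drops below this
    alert_on_denied: bool = True
    alert_on_password_change: bool = True


def evaluate_alerts(events, settings: AlertSettings) -> List[str]:
    """Replay account activity and return the alerts the holder opted into."""
    alerts: List[str] = []
    balance = settings.opening_balance
    below_floor_already = False
    for event_type, amount, status, channel in events:
        if event_type == "transaction":
            if status == "denied":
                # A denied transaction does not move the balance, but repeated
                # denials are an early sign of someone probing the card.
                if settings.alert_on_denied:
                    alerts.append(f"denied transaction of ${amount:.2f} at {channel}")
                continue
            balance -= amount
            if balance < settings.low_balance_floor and not below_floor_already:
                alerts.append(
                    f"balance ${balance:.2f} fell below floor ${settings.low_balance_floor:.2f}"
                )
                below_floor_already = True  # alert once, not on every later debit
        elif event_type == "password_change" and settings.alert_on_password_change:
            # A credential change the holder did not make is the classic
            # account-takeover signal, so it is always worth surfacing.
            alerts.append(f"password changed via {channel}")
    return alerts


if __name__ == "__main__":
    for line in evaluate_alerts(SAMPLE_EVENTS, AlertSettings(1000.0, 200.0)):
        print(line)
```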
But, here’s the problem. While some account holders will take sensible precautions and listen to advice on how to secure their medical accounts, others won’t. They’ll choose poor quality passwords, fail to update them regularly, and generally behave in an insecure manner. That’s why, as industry participants, we must take a proactive approach to fraud prevention.
With this in mind, here are some of the steps you can take to minimize the threat posed by healthcare fraud:
1) Establish strong fraud management processes and policies
This is ground zero. As a minimum, in order to minimize fraud, you must:
- Have firm written policies for fraud and risk management
- Train your employees regularly and thoroughly on fraud prevention
- Analyze past fraudulent behavior and engineer processes to prevent repetition
- Establish processes for responding to suspicious and/or fraudulent activity
2) Invest in strong analytics
Ultimately, your ability to identify and prevent fraudulent activity is limited by the quality (i.e., breadth, age, etc.) of the underlying data and by your ability to draw conclusions from it.
Modern analytics-driven fraud prevention strategies, such as those used by the online gambling industry, use technological innovations such as machine learning to score activity based on the likelihood of its legitimacy. While this approach will naturally miss some fraudulent activity, it will identify the vast majority of fraudulent activity while allowing legitimate activity to continue. In other words, powerful analytics can be used to minimize fraud while simultaneously maximizing user experience.
From our perspective, this trade-off is important. Consumers can quickly become frustrated if their activity is erroneously identified as fraudulent, or if they are persistently required to jump through additional hoops in order to use their accounts, but they also want to be sure that real fraudulent activity will be picked up. To this end, an investment in strong fraud analytics is essential.
3) Improve authentication
First off, it’s important to understand that your customers’ data is out there, and there’s nothing you can do about that. When organizations like Equifax and JP Morgan are being breached, there’s essentially nothing you can do to prevent criminals from accessing enough account holder information to attempt to take over some of their accounts.
What you can do, however, is tailor your authentication processes to make life harder for criminals. And, to do that, you must understand how account takeover usually works. Here’s what it comes down to:
- Most services allow the use of an email address in place of a unique username
- Many people use the same password for all of their online accounts
As a result, if a criminal is able to steal an individual’s login credentials for one account (e.g., Facebook, Instagram, or PayPal) they can likely access a whole bunch of other accounts as well. Even when passwords aren’t reused, criminals can often collect enough information about their victims through past data breaches and social media to take advantage of weak “forgotten password” protocols.
To derail this process, here are a few steps you can take:
- Require your customers to set unique usernames, rather than allowing the use of an email address
- Educate customers on how to create secure passwords, and require them to update their password regularly
- Invest in stronger authentication protocols, such as behavioral biometrics, continuous authentication, or even simple two-factor authentication tools
4) Control employee access
Earlier in this article we noted that contact centers have become a popular target for fraudsters.
And why is that? Because of the human element: it’s much easier to trick well-meaning humans into circumventing normal security protocol than it is to bypass technological controls.
For precisely this reason, it’s essential that you train employees and set up their accounts with security in mind. For starters, ensure employees only have access to information and functions that are essential to their job role. After all, if they don’t have access to a piece of information, they can’t give it out.
At the same time, invest in sensible security protocols for employees, just as you would for your customers. For instance:
- Assign employees unique usernames that aren’t easy to guess
- Utilize multi-factor authentication/biometrics during login
- Monitor for unusual behavior to identify compromised accounts
- Continuously monitor user access levels, and shut down accounts promptly when users leave
5) Educate and protect account holders
Ultimately, no matter what you do, your customers’ behavior will affect the likelihood and volume of fraudulent activity. If you’re serious about minimizing fraud, you must do everything possible to educate customers on the importance of account security, and how their behavior can influence it.
At the same time, though, you have to understand that customers will make mistakes, and they will behave insecurely. For this reason, you must also protect them from themselves.
This is where account rules come in.
Setting transactional and annual limits for each account helps to minimize the impact of fraud when it does occur. Similarly, limiting card use to eligible merchant category codes (MCCs) and excluding high-risk codes (i.e., those not related to healthcare merchants) will help prevent fraudulent activity in the event of account compromise.
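The account rules just described (a per-transaction limit, an annual limit, and an MCC allow list that excludes non-healthcare merchants), as an authorization check. This is an added example, not the article’s or any program’s actual code; the MCC subset is illustrative and should be verified against your card network’s list, and the limits and sample attempts are constructed.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Merchant category codes are four-digit codes assigned by the card networks.
# This allow list is an illustrative subset of healthcare-related codes
# (pharmacy, physicians, dentists, hospitals, medical services); confirm
# the full set against your network's published list before relying on it.
HEALTHCARE_MCCS: Set[str] = {"5912", "8011", "8021", "8062", "8099"}


@dataclass
class AccountRules:
    per_transaction_limit: float
    annual_limit: float
    allowed_mccs: Set[str]


@dataclass
class AccountState:
    year_to_date_spend: float = 0.0


def authorize(amount: float, mcc: str, rules: AccountRules,
              state: AccountState) -> Tuple[bool, str]:
    """Decide one card authorization against the account's rules.

    Returns (approved, reason). Only approved amounts count toward the
    year-to-date total, so declined attempts cannot exhaust the annual limit.
    """
    if amount <= 0:
        return False, "invalid amount"
    if mcc not in rules.allowed_mccs:
        # Excluding non-healthcare merchants is what blunts a stolen card:
        # an electronics purchase is declined even if the limits would allow it.
        return False, f"MCC {mcc} not an eligible healthcare merchant"
    if amount > rules.per_transaction_limit:
        return False, "exceeds per-transaction limit"
    if state.year_to_date_spend + amount > rules.annual_limit:
        return False, "exceeds annual limit"
    state.year_to_date_spend += amount
    return True, "approved"


def run_sample() -> Tuple[List[Tuple[bool, str]], float]:
    """Run constructed authorization attempts (amount, MCC); not real traffic."""
    rules = AccountRules(per_transaction_limit=500.0, annual_limit=1200.0,
                         allowed_mccs=HEALTHCARE_MCCS)
    state = AccountState()
    attempts = [(120.0, "5912"), (2500.0, "8062"), (450.0, "5732"),
                (400.0, "8011"), (400.0, "8021"), (300.0, "8099"), (280.0, "8099")]
    return [authorize(a, m, rules, state) for a, m in attempts], state.year_to_date_spend
```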
The evolution of fraud (and fraud prevention)
If the change in criminal tactics in response to EMV teaches us anything, it’s this: No matter what we do to minimize fraud, criminals will find ways to defraud the system.
It’s in their nature.
Criminals have learned that there’s a great deal of money to be made through fraud. And in the digital age, compromising individual accounts such as HSAs and FSAs is often simple and highly effective.
And here’s something else to remember: Individual criminals are not your only concern.
A great deal of fraud is conducted by powerful, dynamic criminal organizations, which expend a great deal of time and energy determining how best to circumvent anti-fraud programs. If you’re to stand any chance of minimizing fraud (both now and in the future) your fraud prevention program must be constantly evolving and improving.
Fortunately, as fraud tactics evolve, so too do your options for proactive defense. Modern analytics-driven fraud prevention technology is incredibly effective and can help ensure user experience remains strong even as fraud is reduced. At the same time, account-based security measures such as multi-factor authentication and behavioral biometrics can help protect customers from account compromise, and even from their own poor security behaviors.
Overall then, the message is clear.
Fraud is, and will continue to be, a major concern for our industry. But if we take it seriously, and allocate the resources necessary to manage it effectively, we can largely prevent it from negatively affecting our customers’ account security and user experience.