The rise of virtual payment cards has given way to extraordinary transformations within the paytech landscape, yet expectedly, it has also introduced smarter attack systems and more ways for consumers to lose their money.
In this comprehensive insight for The Fintech Times, Gergo Varga, SEON’s Senior Content Manager, discusses the avenues issuers can pursue to protect both their consumers and their reputation in the face of more sophisticated card-not-present attacks.
Varga has been fighting online fraud since 2009 at various companies – even co-founding his own anti-fraud startup. He’s the author of the Fraud Prevention Guide for Dummies – SEON Special edition. He uses his industry knowledge to keep marketing sharp, communicating between the different departments to understand what’s happening on the frontlines of fraud detection.
Virtual cards are on the rise. According to Juniper Research, they are expected to grow by 363 per cent in the next five years to $6.8 trillion in 2026 – more than 3.5 times the revenue of 2021’s already impressive $1.9 trillion.
But let’s set the record straight: There is more than one type of card that is referred to as a “virtual card”. Some use this term for virtual debit cards issued by companies such as Revolut, Skrill and Wise and linked to existing funds. Others include prepaid bank cards by major issuers, or even gift cards managed online. And, as iCard points out, there are also virtual credit cards in the mix. Following the more widely accepted definition, I will use “virtual card” here to refer to any non-physical card, as they share several characteristics, benefits and shortcomings when it comes to security.
Virtual Cards: The Basics
In their simplest form, these are non-physical payment cards issued by banks or fintechs, delivering convenience in CNP (card not present) transactions, as well as NFC payments.
From there, whether it’s going to be a credit or debit card, or even a prepaid card, depends on the type of credit it is linked to. By virtue of being digital and online, these have allowed for additional innovation compared to their physical counterparts. What’s more, these cards can be multi-use or single-use, with the latter generally considered safer.
In reality, it is no longer only startups like Wise and Currenxie who have been issuing virtual card numbers. It wasn’t long until big players joined in, including Wells Fargo with its digital wallet and virtual card(s) combination option and major card issuers such as American Express and Mastercard. Plus, we are increasingly seeing startups partner up with established players in the sector, such as the collaboration between Extend and American Express.
We have also seen combination, “hybrid” cards from several issuers, which primarily exist as virtual cards but can provide the consumer with a physical card as well. As these are primarily virtual, they come with the same benefits and shortcomings as virtual cards.
Virtual Card Security: Fraudsters Will Adapt
As they are a fintech-adjacent innovation, the benefits of virtual cards have (rightfully) been touted and celebrated. For instance, they allow for faster onboarding and ease of use and better spending oversight for individuals and businesses alike.
But while their convenience is unquestionable for everyone involved, from consumers to a business issuing cards for its employees and to fintechs themselves, the safety aspect of virtual credit and debit cards is less clear-cut. The short version is: While they address some of the more persistent problems with traditional, legacy payment cards, they introduce a host of new considerations and shortcomings.
The vast majority of card fraud taking place is CNP fraud, at 79 per cent in the EU vs 15 per cent for POS payments and 6 per cent for ATM card fraud per Merchant Savvy. This amounts to almost €1.5/$1.7 billion in 2018 alone. Worldwide, it’s set to reach $36.22 billion in 2022.
Card not present fraud encompasses all fraudulent transactions conducted where the card’s physical presence is not required. Importantly, this does not only include online sales but also mobile app sales, telephone transactions, skimming and testing, as explained in a SEON breakdown of CNP fraud. Because the presence of a card is not required, criminals will steal or buy “fullz” online – comprised of the card number, CVV, expiry date, billing address and cardholder name – and proceed to use them in various schemes.
Innovation Can Mean New Pain Points
Certainly, some of the innovations introduced by virtual cards add ways to mitigate against such CNP fraud. For example, Visa provides the capability for dynamically generated, ever-changing CVV2 confirmation numbers, for more security. This is done via an app and changes the way the CVV number traditionally works: from something known to anyone who can see the back of the card, to an MFA factor for additional security.
Another feature that can contribute to fraud prevention is the fact that virtual cards can be set to automatically expire after a specific amount of money has been spent – similarly to how a gift card works, even if it’s a virtual debit or even a credit card.
However, at the same time, those conveniences that allow for real-life payments using virtual cards have drawn the attention of criminals. The innovation brought about by NFC payment apps combined with gift cards is taken advantage of by fraudsters, opening up brand new avenues. With digital wallets, you can fill them up with stolen virtual cards and use them to purchase items in store. For all intents and purposes, the result functions as a physical card.
One cannot overstress that virtual cards can give consumers a sense of false complacency because of how they are marketed or regarded by the general public – with the above just one of several examples. Virtual card fraud is real and harms issuers, payment processors, merchants, the economy, as well as consumers themselves.
Takeovers Are Made More Dangerous
One new attack vector for fraudsters is account takeover (ATO). With a legacy card, you make sure you didn’t lose it – or cancel right away if you do. With a virtual card, in addition to making sure its details are not intercepted, copied or stolen, one has to safeguard the account used to generate the card and on which the card resides.
There are hundreds of examples of this, including Payoneer and Porte, taking the form of a mobile app or a web platform. No matter the specifics, if someone manages to hack into your account, they have access to those funds or spending potential. Depending on the user settings and platform configuration, the customer might not get notified about it, which means leaving a live card in criminals’ hands for longer.
For merchants, such attacks come with chargeback requests, which take resources to process, while they can be equally damaging for payment processors and card issuers – who have their reputation on the line, too, especially when they are startups.
ATO attacks don’t stop at hacking into a customer’s Revolut, Wise or traditional bank account. Increasingly over the past decade, we have observed the trend to invite customers to store their card details on their e-shop and platform accounts, mobile wallets, web browsers, etc. Although explicit permission is required, this is opt-out in some locales and opt-in in others, meaning some consumers will not realise it is happening.
A fraudster hacking into someone’s Amazon account may not be able to view the complete number of a stored card, but they could still set up a reshipping scheme, using those cards to order merchandise they can resell – or even attempt to crack the missing details to use the card elsewhere. It seems that Amazon in particular is well aware of how attractive it is to criminals, with a white hat hacking event in June 2021 paying out $832,135 to specialists who found new vulnerabilities for the ecommerce giant to patch. Social media and online message boards are rife with consumer and merchant complaints about hacked Amazon accounts.
Besides, open banking through API calls, introduced to Europe in 2016 through the PSD2 Payment Services Directive and more recently, 2021, in the USA, adds to the safety concern. Through these APIs, access to banking data linked to virtual cards and other products is granted to third-party applications, each of which is one more account to be hacked. For example, Tally is an app that consolidates consumers’ payment cards. A criminal who successfully guesses or intercepts someone’s credentials and logs into this account will not just harm the consumer but every party involved in that transaction: merchant, processor, merchant’s bank, issuer, post-purchase payment provider…
Single-Use Virtual Payment Cards
Meanwhile, we have also seen the phenomenon of single-use virtual payment cards. Depending on the provider, this can either mean a card that is literally used once or a pre-loaded card that expires once the money runs out, and is non-reloadable – for example, the Virtual Single option by ePayService. This measure seeks to ensure that even if a card’s fullz do get stolen, the criminal won’t be able to take advantage of them.
Yet, there are two main attack paths here. The first is the aforementioned account takeover attack. Since it is a fintech app generating these single-use cards from a consumer’s account, access to this account will give the criminal more to take advantage of than the theft of one physical card.
Secondly, however, this type of setup facilitates brute force BIN attacks, where a criminal will use software to generate a large number of potential virtual card numbers. They will then test these at various online stores to find some that work, in order to use them in earnest in their schemes. They can choose to attack a specific card issuer in particular, so any fintech whose applications generate single-use virtual payment cards (or make it easy to generate multi-use ones) can fall victim – resulting in loss of revenue, resources, consumer trust and reputation.
Preventing Virtual Card Fraud
Just like with traditional cards, the impact of virtual card fraud is felt by several stakeholders, rather than just the consumer. As a result, countermeasures benefit everyone and should be taken by everyone in the transaction chain. It should be noted that the most common means of stealing account credentials is phishing, which is also the most common type of cybercrime reported in the US, topping the list of incidents reported to IC3 in 2020 with 241,342 cases. Second came non-payment/non-delivery, at less than half the cases.
Beyond educating consumers and employees on online safety, fintechs involved in virtual card issuing, processing and payments have a variety of tools at their disposal when coming face to face with potential cybercriminals.
Once it is understood that virtual cards do not remove risk altogether, each organisation can look at its specific needs and assess those tools that are most useful, as well as their configuration. For example:
- Advanced fingerprinting: Gathers a wealth of data points about a user attempting an action (e.g. requesting a new card or logging into an account), related to their configuration and device, ultimately allowing us to find hidden connections between users.
- Behaviour analysis and velocity rules: Examines a user’s behaviour and also compares it to their previous sessions. For example, a cursor moving in a completely straight line over multiple screens is probably programmed rather than the result of someone moving a computer mouse – which can hint at a fraudster’s tool.
- Reverse email and phone lookup: Sources OSINT (open-source intelligence) data linked to the email address and phone number a user provides to assess whether they are who they claim to be.
- Data enrichment and risk rating: Consolidates the above information to evaluate how suspicious a user might be, at which point the system can trigger extra authentication steps or even block them.
- Machine learning: Historical incidents are studied by machine learning algorithms to calculate the ideal configuration of the above tools for each organisation’s needs.
Often, vendors will consolidate some or all of the above into a comprehensive solution, while some offer pre-set rules for specific industries – for example, payment processors or lenders – that allow for faster implementation. These are frequently updated to address the ever-changing fraud landscape.
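As an added illustration of the velocity rules described above (not code from the article or from SEON), the detector below runs over constructed authorization attempts and flags the shape of the BIN attack from the single-use card section: one device trying many distinct card numbers from a single BIN within a short window, with almost every attempt declined. The thresholds, field names and sample PANs are assumptions chosen for the example.

```python
"""Velocity-rule detector for card-testing bursts (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthAttempt:
    ts: int           # seconds since epoch
    device_id: str    # device fingerprint attached to the checkout session
    pan: str          # card number; every PAN in this file is a constructed sample
    approved: bool


def bin_of(pan: str) -> str:
    """The first six digits identify the issuer (the BIN)."""
    return pan[:6]


def velocity_alerts(attempts, window=60, min_attempts=10,
                    min_distinct_pans=8, max_approval_rate=0.2):
    """Flag devices that, within `window` seconds, try many distinct PANs from
    one BIN with a low approval rate: the signature of a BIN/card-testing run.
    Thresholds are hypothetical; a real deployment tunes them per portfolio."""
    by_device = defaultdict(list)
    for a in attempts:
        by_device[a.device_id].append(a)
    alerts = []
    for dev, evs in by_device.items():
        evs.sort(key=lambda a: a.ts)
        for i, start in enumerate(evs):          # sliding window over each start
            win = [e for e in evs[i:] if e.ts - start.ts <= window]
            if len(win) < min_attempts:
                continue
            for b in {bin_of(e.pan) for e in win}:
                hits = [e for e in win if bin_of(e.pan) == b]
                pans = {e.pan for e in hits}
                rate = sum(e.approved for e in hits) / len(hits)
                if (len(hits) >= min_attempts and len(pans) >= min_distinct_pans
                        and rate <= max_approval_rate):
                    alerts.append({"device_id": dev, "bin": b, "attempts": len(hits),
                                   "distinct_pans": len(pans), "approval_rate": round(rate, 2)})
                    break
            else:
                continue
            break  # one alert per device is enough for a review queue
    return alerts


# Constructed sample: a shopper reusing one card, then a device cycling through one BIN.
SAMPLE = [AuthAttempt(1000 + 300 * i, "dev-shopper", "4111115550001234", True) for i in range(3)]
SAMPLE += [AuthAttempt(2000 + 2 * i, "dev-burst", f"4111110000{i:06d}", i == 5) for i in range(12)]

if __name__ == "__main__":
    print(velocity_alerts(SAMPLE))
```

The legitimate device never reaches the attempt threshold, while the bursting device is reported once with its BIN, attempt count and approval rate, which is the data a fraud team needs to throttle or step up authentication for that device.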
Go Forth and Innovate – But Stay Vigilant
So, where do we stand with virtual cards? There’s no question that the convenience and increased security many of them have introduced are much appreciated, as is the departure from cumbersome traditional products that don’t work for everyone.
But it is also imperative to stress that despite this innovation, security risks have not been eliminated, and some new ones have been introduced. Anyone involved with virtual cards, from those who issue them, to those who process them and even those who use them, ought to keep this in mind, and take appropriate precautions.