ETA Expert Insights: Trends in Online Fraud and Cybersecurity
By Jacinthia Lawson, vice chair, Payment Sales & Strategy Committee; member, Risk Fraud & Security Committee; Senior Vice President, Old Line Bank.
The payments industry is constantly battling against the specter of fraud, whether from credit card skimmers, anonymous hackers, or good old-fashioned grifters. And with criminals leveraging new technology to launch increasingly sophisticated attacks on US payment systems, our industry must maintain constant vigilance. Here are some of the most pressing developments in payments fraud, as well as the risk management strategies that can help combat them.
1. Fraud is moving online
The growth of eCommerce is creating new opportunities and targets for criminals. eCommerce is increasing, both in absolute terms and as a share of overall retail. eCommerce sales exceeded $450 billion in 2017, reflecting a more than two-fold increase since 2010. As the US economy picked up steam in the wake of the Great Recession, eCommerce grew from 4.4% of total retail sales in 2010 to 9.1% in 2017. As people conduct more and more business online, the opportunities for malicious interception of their personal data increase.
Since the US payments industry upgraded to the EMV standard in 2015, counterfeiting cards has become far less profitable. On a standard (non-EMV) card, data such as the Primary Account Number (PAN), expiration date, and cardholder name is recorded on a magnetic stripe. When the card is swiped through a terminal, the terminal reads the information on the stripe, much like a video player reads the tape on a video cassette. And the magnetic stripe on a credit or debit card is roughly as easy to copy as a videotape. With EMV cards, the card data is stored in a smart “chip” that holds a secret key which never leaves the chip, so a terminal can talk to the chip but cannot extract what it would need to clone it. Additionally, the chip generates a one-time cryptographic code (the application cryptogram) for each transaction, computed with that key over the transaction details and an internal counter. This means that any information that is intercepted cannot be used for a second transaction: a replayed or altered cryptogram fails verification at the issuer. Successfully counterfeiting an EMV card is almost impossible, and not worth the effort for most criminals. (Chip cards still carry a magnetic stripe for backwards compatibility, so the protection depends on merchants and issuers processing chip transactions as chip transactions rather than falling back to the stripe.)
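As an added illustration (not part of the original article, and not the EMV algorithm itself), here is a simplified Python model of the mechanism just described: the card holds a key that never leaves it, each cryptogram is bound to the amount, a terminal-supplied random number and the card's own transaction counter, and the issuer rejects anything replayed or altered, while a copied magnetic stripe is accepted exactly like the original. Real cards compute the cryptogram with 3DES/AES session keys derived from an issuer master key; the HMAC, the 8-byte truncation, the test PAN, the fixed key and the terminal values below are constructed stand-ins.

```python
"""Simplified model of an EMV-style per-transaction cryptogram.

Added example, not the EMV algorithm: real cards use 3DES/AES session keys
derived from an issuer master key. Here an HMAC stands in for that, and the
PAN, key and terminal values below are constructed test data.
"""
import hmac
import hashlib
from dataclasses import dataclass, field


def _cryptogram(key: bytes, pan: str, amount_cents: int, atc: int, un: bytes) -> bytes:
    # Assumption: HMAC-SHA256 truncated to 8 bytes stands in for the EMV cryptogram.
    data = f"{pan}|{amount_cents}|{atc}|".encode() + un
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


@dataclass
class ChipCard:
    pan: str
    key: bytes           # secret key, never leaves the chip
    atc: int = 0         # Application Transaction Counter, incremented per transaction

    def generate(self, amount_cents: int, unpredictable_number: bytes) -> dict:
        """What the chip returns to the terminal for one transaction."""
        self.atc += 1
        arqc = _cryptogram(self.key, self.pan, amount_cents, self.atc, unpredictable_number)
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "un": unpredictable_number, "arqc": arqc}


@dataclass
class Issuer:
    keys: dict                                    # pan -> card key
    last_atc: dict = field(default_factory=dict)  # pan -> highest counter seen

    def authorize(self, msg: dict) -> str:
        key = self.keys.get(msg["pan"])
        if key is None:
            return "DECLINE: unknown card"
        # The counter must advance: a replayed message carries a counter already seen.
        if msg["atc"] <= self.last_atc.get(msg["pan"], 0):
            return "DECLINE: replayed cryptogram"
        expected = _cryptogram(key, msg["pan"], msg["amount"], msg["atc"], msg["un"])
        # Any change to amount, counter or terminal number changes the cryptogram.
        if not hmac.compare_digest(expected, msg["arqc"]):
            return "DECLINE: cryptogram mismatch"
        self.last_atc[msg["pan"]] = msg["atc"]
        return "APPROVE"


def magstripe_authorize(track_on_file: dict, swiped: dict) -> str:
    """Contrast: static track data has nothing that changes per transaction,
    so a copied stripe is indistinguishable from the original."""
    return "APPROVE" if swiped == track_on_file else "DECLINE"


def demo() -> list:
    # Constructed values: a test PAN, a fixed key, terminal unpredictable numbers.
    card = ChipCard(pan="4111111111111111", key=b"\x01" * 16)
    issuer = Issuer(keys={card.pan: card.key})
    results = []
    first = card.generate(1999, bytes.fromhex("a1b2c3d4"))
    results.append(issuer.authorize(first))                  # genuine
    results.append(issuer.authorize(first))                  # captured and replayed
    altered = dict(first, amount=99999, atc=first["atc"] + 1)
    results.append(issuer.authorize(altered))                # captured and modified
    second = card.generate(500, bytes.fromhex("deadbeef"))
    results.append(issuer.authorize(second))                 # next genuine transaction
    # Magstripe: the copy is accepted exactly like the original
    track = {"pan": card.pan, "exp": "1220", "name": "TEST CARDHOLDER"}
    results.append(magstripe_authorize(track, dict(track)))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The two issuer checks do different jobs: the counter check catches a verbatim replay even though its cryptogram is valid, and the cryptogram check catches any edit to the captured message, since the attacker does not hold the key needed to recompute it.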
As a result, fraud has shifted online to Card Not Present (CNP) transactions. Because these transactions do not involve a physical card, only the card data, stolen data alone is enough to attempt a purchase, and the opportunity for fraud is larger. Projections from Aite Group indicate that as the US transitioned to safer chip cards, online or CNP fraud increased.
2. Synthetic fraud is becoming easier
As businesses shift more of their records to online storage, they are increasingly at risk of data breach and data theft. Since 2005, there have been over 8,000 data breaches reported in a database maintained by the Privacy Rights Clearinghouse. These data breaches have resulted in the exposure of more than 11 billion personal records.
Criminals with access to stolen data can use that information to access consumer accounts and gain even more information, particularly sensitive financial information. Account takeover (ATO) fraud can be lucrative in its own right, but it also allows criminals to assemble synthetic identities (real stolen data combined with fabricated details) that pass as legitimate, in order to open entirely new financial accounts and lines of credit. Javelin Research reports that 1.5 million consumers have had their Personally Identifiable Information (PII) stolen to create fraudulent new accounts. New account fraud can have devastating effects on a consumer’s credit history, especially if the fraud goes undetected. It can also make it more difficult for the consumer to open new accounts in the future.
3. Online fraud is a matter of velocity and scale
Bots, automated programs that operate as agents for a user or simulate some kind of human activity, like web browsing, are not new to the Internet. But it is easier and cheaper than ever to build bots that scrape the web for PII and try out millions of combinations of usernames and passwords on merchant websites until they find one that works (an attack known as credential stuffing, which succeeds because so many people reuse the same password across sites). Bots are used to collect data, test it inconspicuously on low-dollar transactions, and then monetize the data by running transactions at high volume. The scale and speed at which these attacks are carried out far exceed what a human could accomplish by manually browsing the Internet.
This can be an advantage for fraud management, because the scale and speed of login or transaction attempts are themselves signals of bot activity: hundreds of login attempts per minute from one IP address, one address cycling through many different accounts, or one account being hit from dozens of addresses. Of course, any number of features can be used here, including location, time zone, and the unique attributes of the device being used (known as “device fingerprinting”): how many plugins it has installed, what software it is running, and so on. Finally, users’ own behavior can be an authenticating factor. Keystroke dynamics (speed, pace, most frequently used keys) can identify users with considerable accuracy and can be measured during the transaction itself, as opposed to requiring the user to take an additional action, like scanning their iris or their fingerprint.
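To make the velocity point concrete, here is an added Python example (not from the original article) that runs the checks described above over a handful of constructed login-log lines. The log format, the thresholds and the addresses are assumptions. The output is the list of source addresses and accounts to flag, plus the successful logins that happened inside a flagged burst, which is what a fraud team acts on (force a password reset, or step up the next login).

```python
"""Velocity checks over login records: flag source IPs and accounts whose
attempt pattern exceeds what a human would produce.

Added example; the log format (timestamp, source IP, account, outcome),
the thresholds and the sample lines are constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
MAX_ATTEMPTS_PER_IP = 6     # attempts from one address inside the window
MAX_ACCOUNTS_PER_IP = 5     # distinct accounts tried from one address
MAX_IPS_PER_ACCOUNT = 4     # distinct addresses hitting one account (distributed attack)

# Constructed sample log: a credential-stuffing burst from 203.0.113.7,
# a legitimate retry by ivan, and a low-and-slow attack on one account
# spread over five addresses so that no single address looks busy.
SAMPLE_LOG = """\
2019-03-01T10:00:00 203.0.113.7 alice@example.com FAIL
2019-03-01T10:00:01 203.0.113.7 bob@example.com FAIL
2019-03-01T10:00:02 203.0.113.7 carol@example.com FAIL
2019-03-01T10:00:03 203.0.113.7 dave@example.com FAIL
2019-03-01T10:00:04 203.0.113.7 erin@example.com OK
2019-03-01T10:00:05 203.0.113.7 frank@example.com FAIL
2019-03-01T10:00:06 203.0.113.7 grace@example.com FAIL
2019-03-01T10:00:07 203.0.113.7 heidi@example.com FAIL
2019-03-01T10:00:10 198.51.100.20 ivan@example.com FAIL
2019-03-01T10:00:12 192.0.2.1 victim@example.com FAIL
2019-03-01T10:00:20 192.0.2.2 victim@example.com FAIL
2019-03-01T10:00:25 198.51.100.20 ivan@example.com OK
2019-03-01T10:00:29 192.0.2.3 victim@example.com FAIL
2019-03-01T10:00:38 192.0.2.4 victim@example.com FAIL
2019-03-01T10:00:47 192.0.2.5 victim@example.com OK
"""


def parse_line(line: str):
    ts, ip, account, outcome = line.split()
    return datetime.fromisoformat(ts), ip, account, outcome


def _trim(window: deque, now: datetime) -> None:
    # Drop records older than WINDOW so counts are per sliding window, not per day.
    while window and now - window[0][0] > WINDOW:
        window.popleft()


def detect(log_text: str):
    """Return (alerts, compromised): alerts maps ("ip", addr) or ("account", name)
    to the set of reasons it was flagged; compromised is the set of accounts that
    logged in successfully from a flagged address or while under a flagged attack."""
    by_ip = defaultdict(deque)        # ip -> (ts, account, outcome)
    by_account = defaultdict(deque)   # account -> (ts, ip, outcome)
    alerts = defaultdict(set)
    events = []
    for line in log_text.strip().splitlines():
        ts, ip, account, outcome = parse_line(line)
        events.append((ts, ip, account, outcome))

        ip_window = by_ip[ip]
        ip_window.append((ts, account, outcome))
        _trim(ip_window, ts)
        if len(ip_window) >= MAX_ATTEMPTS_PER_IP:
            alerts[("ip", ip)].add("attempt rate")
        if len({a for _, a, _ in ip_window}) >= MAX_ACCOUNTS_PER_IP:
            alerts[("ip", ip)].add("many accounts")

        acct_window = by_account[account]
        acct_window.append((ts, ip, outcome))
        _trim(acct_window, ts)
        if len({i for _, i, _ in acct_window}) >= MAX_IPS_PER_ACCOUNT:
            alerts[("account", account)].add("many source IPs")

    compromised = {
        account for _, ip, account, outcome in events
        if outcome == "OK" and (("ip", ip) in alerts or ("account", account) in alerts)
    }
    return dict(alerts), compromised


if __name__ == "__main__":
    found, hits = detect(SAMPLE_LOG)
    for key, reasons in found.items():
        print(key, sorted(reasons))
    print("successful logins to review:", sorted(hits))
```

The per-account window is what catches the slow, distributed attack on victim@example.com: each of its five addresses makes a single attempt, so no per-IP threshold ever fires, but four distinct sources on one account inside a minute is still not a person mistyping a password. ivan's one failure followed by a success from the same address never gets near a threshold, which is the frictionless case the article is after.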
Of course, more sophisticated criminals can pace their attacks so as not to arouse suspicion or log too many hits on sites’ servers. They can also hide their real IP addresses behind proxies or compromised residential devices and report false GPS locations to make themselves look legitimate. However, these types of criminals tend to go after bigger targets, such as large retailers, which are likelier to have enhanced security protections and fraud detection. For the average merchant, even rudimentary analytics can achieve substantial results.
Key takeaway: Security need not sacrifice consumer convenience
When it comes to risk management, we often talk about balancing security with ease of use. Each new security measure deployed adds more friction to the transaction. But many advanced security tactics can be implemented in the background. Transaction monitoring tracks the creation and use of unique accounts and cards to identify suspicious activity. Device fingerprinting creates a profile of the devices that a given consumer uses to make legitimate transactions, and then compares future transaction attempts against that profile. Behavioral analytics creates a baseline for “normal user activity” – which can include their device fingerprint – and uses that to determine what suspicious activity looks like. In each of these cases, fraud monitoring need not interfere with the accountholder’s normal usage. But if some behavior raises a red flag, and the data indicates that there is high risk associated with that activity, then the system can ask the user for additional authentication.
The key here is that the majority of use cases will be frictionless for the end user. Data can help streamline the process of deciding when to introduce more barriers. But even when contextual data does warrant increased security measures, they can minimize the burden on the user while simultaneously making it harder for fraudsters to pass the check. For instance, scanning a fingerprint requires less effort from the user than entering a password, and when the fingerprint unlocks a credential tied to the user’s own device, rather than a shared secret that can be phished, reused or guessed, it resists the attacks that passwords fall to. Voice recognition in the context of a customer service call, or keystroke dynamics in the context of an online transaction, add layers of authentication without too much extra friction.
This is essentially how 3-D Secure (3DS) works. The current version, EMV 3-D Secure (3DS 2.0), is a specification maintained by EMVCo for authenticating the cardholder in online transactions. The 3DS 2.0 framework enables roughly ten times as much information to be carried in the authentication request that the merchant side (the acquirer domain) sends to the issuer before the transaction is submitted for authorization. The message can include information about the user’s device, their time zone and location, previous purchases, and more. The issuer uses this information to assign the transaction a risk score. If the transaction is considered high-risk, the user is challenged to provide more information (typically by entering a one-time code sent to a different device from the one they are using to make the purchase). About 5% of transactions are expected to be high-risk. In the other 95% of cases, the so-called frictionless flow, the transaction proceeds as normal and the cardholder sees no extra step at all.
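The risk-based, step-up flow described in the last three paragraphs, as an added Python example (not the article’s, EMVCo’s or any vendor’s code): a stored profile of the devices and habits seen on an account, a score over the contextual signals of a new attempt, a frictionless decision below a threshold and a challenge above it, and enrollment of the device once the challenge is passed so that the same user is not challenged again from it. The fingerprint fields, the signal weights, the threshold and the sample attempts are assumptions; a real deployment tunes them from its own data.

```python
"""Risk-based step-up authentication: score an attempt against the account's
profile, let low-risk attempts through, challenge high-risk ones.

Added example. The fingerprint attributes, weights and threshold are assumed
values a real deployment would tune from its own data."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceFingerprint:
    user_agent: str
    platform: str
    plugins: tuple           # tuple, not list, so the fingerprint is hashable
    timezone: str


@dataclass
class Profile:
    known_devices: set       # fingerprints seen on previously legitimate activity
    usual_countries: set
    typical_amount_cents: int


@dataclass
class Attempt:
    device: DeviceFingerprint
    country: str
    amount_cents: int
    attempts_last_hour: int  # velocity feature supplied by transaction monitoring


CHALLENGE_THRESHOLD = 50


def score(attempt: Attempt, profile: Profile):
    """Return (total, reasons); each signal contributes only when it deviates."""
    reasons = {}
    if attempt.device not in profile.known_devices:
        # A browser upgrade or new plugin on a familiar machine is less alarming
        # than a device of a different type in a different time zone.
        similar = any(d.platform == attempt.device.platform and d.timezone == attempt.device.timezone
                      for d in profile.known_devices)
        reasons["unknown device"] = 20 if similar else 40
    if attempt.country not in profile.usual_countries:
        reasons["unusual country"] = 25
    if attempt.amount_cents > 3 * profile.typical_amount_cents:
        reasons["unusual amount"] = 20
    if attempt.attempts_last_hour >= 5:
        reasons["high velocity"] = 30
    return sum(reasons.values()), reasons


def decide(attempt: Attempt, profile: Profile):
    """'frictionless' means the transaction proceeds with no extra user action."""
    total, reasons = score(attempt, profile)
    return ("challenge" if total >= CHALLENGE_THRESHOLD else "frictionless"), total, reasons


def issue_otp() -> str:
    # Six-digit one-time code, delivered out of band (assumption: SMS or app push).
    return f"{secrets.randbelow(10 ** 6):06d}"


def complete_challenge(attempt: Attempt, profile: Profile, submitted: str, expected: str) -> bool:
    """A passed challenge enrolls the device, so the next attempt from it is frictionless."""
    if not hmac.compare_digest(submitted, expected):
        return False
    profile.known_devices.add(attempt.device)
    return True


HOME = DeviceFingerprint("Chrome/72", "MacIntel", ("pdf-viewer",), "America/New_York")


def make_profile() -> Profile:
    # Constructed profile for one account.
    return Profile(known_devices={HOME}, usual_countries={"US"}, typical_amount_cents=4500)


def demo() -> list:
    profile = make_profile()
    upgraded = DeviceFingerprint("Chrome/73", "MacIntel", ("pdf-viewer", "widevine"), "America/New_York")
    stranger = DeviceFingerprint("Firefox/65", "Win32", (), "Europe/Bucharest")
    cases = [
        Attempt(HOME, "US", 3999, 1),        # everything as usual
        Attempt(upgraded, "US", 3999, 1),    # same machine, updated browser
        Attempt(stranger, "RO", 3999, 1),    # new device in a new country
        Attempt(HOME, "US", 20000, 6),       # known device, large amount, many tries
    ]
    outcomes = [decide(a, profile)[0] for a in cases]
    # The stranger passes the OTP challenge; its device is now known.
    code = issue_otp()
    complete_challenge(cases[2], profile, code, code)
    outcomes.append(decide(cases[2], profile)[0])
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The partial-match rule keeps a routine browser update from challenging a loyal customer, which is the friction the article warns against. And enrollment after a passed challenge only removes the device signal: in the last case the newly enrolled device still scores 25 for the unusual country, which stays below the threshold here but would tip a challenge if combined with any other deviation.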
When it comes to cybersecurity, data is currency. Criminals are using it to profit off the payments industry. But our industry is putting data back to work for the consumer.