Guest Analysis: The Payments Security Revolution
By Sunil Madhu
As the founder and CEO of Socure — a leader in digital identity verification — I follow the payments industry very closely. As a serial entrepreneur who has spent an obscene amount of time in the Security and Risk markets and as a life-long consumer making payments, I also look at the payments industry from a somewhat unique perspective. In speaking with analysts covering the industry, however, I’m surprised to learn that many are confused about the landscape. So I feel compelled to write this article to clear up the confusion.
Change is the only constant in life
One thing is clear and everybody agrees — the entire Payments space is rapidly evolving. From well-established large financial institutions trying to make payments faster, frictionless and consistent across channels, to incumbent startups transforming the underlying rails for payments, to the Internet of Things (IoT) that’s changing what we think of as payment vehicles, there’s a lot happening in the industry. Another thing is also clear — ensuring that these transformative technologies are also secure, and that the right trade-off between usability, privacy and security is struck, is still a key goal in the industry.
Here, I’m going to summarize what’s happening in the Payments ecosystem from the security perspective and where I predict things are going to land over the next 10+ years in the industry. There’s a lot to cover and rather than writing a multi-part series on the topic, I’ve opted to condense the information into one article. For ontological objectivity, I’m going to start by covering some foundational concepts.
What is a Payment?
A payment is a monetary transaction for the transfer of goods or services rendered. Payments can be made using a variety of means — by barter of goods or services, using bearer instruments such as cash or cheques, using credit/debit/pre-paid cards, using digital wallets, using virtual currency, using the internet of payment things and using micro-credit on demand for the value exchanged. While there are clearly many ways to pay, the options one can use to pay are limited to what the counterparty in the transaction will accept as a form of payment.
The parties involved in a payment
At a minimum, a payment has a sender and a counter-party recipient. In the case of credit/debit/pre-paid card transactions, there is the card issuer, the card network and the card acceptance provider (known as a Merchant Acquirer, Independent Sales Organization or Member Service Provider), in addition to the sender and counter-party involved in the transaction. In the case of cheques or equivalent bearer instrument transactions, there is the issuer and recipient account provider (usually Banks), the Automated Clearing House network or in the case of international transactions, the SWIFT network. In the cryptocurrency world, there is the sender and a counter-party recipient and a private or public shared blockchain database. As you might have guessed, a payment using any of these instruments can be made in the real world in person, or via the digital ether electronically.
Security principles in electronic payments
Excluding cash payments and securing cash, electronic payment security entails that the following rules are met at a minimum:
(a) The sender making the payment must be real and not fraudulent (compliant with Anti-Money Laundering regulations).
(b) The recipient of the payment must be real and not fraudulent (compliant with Anti-Money Laundering regulations).
(c) The payment transaction must originate from the authenticated and authorized owner of the account(s) used to make the payment (or someone legally authorized to execute payments from the account on behalf of the account owner).
(d) The rails over which the payment flows must be secured to avoid tampering of the transaction in-flight.
(e) Information deemed sensitive in a payment transaction (e.g. customer account information, credit card numbers, etc.) must be stored securely and in a manner that would make replay attacks unsuccessful; ideally using strong encryption, or using tokenization schemes such as this one from EMV Co.
Silver Shotgun vs. Silver Bullet approach
There is no panacea to address all security concerns uniformly for all types of payment transactions. Rather, the security measures employed in payment processes are correlated with the exposure to risk of loss in any given transaction and a thorough consideration of the inconvenience caused in the payment user experience that might lead to cart abandonment. A $5 payment may be designated low risk, while a $5000 cross-border payment may be designated high risk. In-person payment transactions and electronic payment transactions have different risk profiles. The payment “channel” or type of payment also has a different risk profile; e.g. a multi-factor authenticated mobile payment may be designated low risk, while an anonymous checkout payment at a merchant website may be designated high risk. The industry applies some norms. For credit card payments made in person (“card-present” transactions) using a card with an embedded EMV Co. chip and PIN/signature verification, the industry assigns low risk and therefore low liability concerns for the counter-party accepting the payment, should fraud occur.
For electronic payment transactions made online (“card-not-present” transactions), the industry assigns high risk and therefore higher liability concerns. The limitations of the issued card (e.g. whether it has an EMV chip or not) and the acceptance technology (e.g. whether it supports cards with EMV chips or not) also factor into the risk evaluation at payment time. While we are told that EMV chip-enabled cards are more robust to attacks, they are far from perfect. Rather than look for a silver bullet to address all security issues that we know of, a better approach is to formulate a silver shotgun by stacking various security measures together, using combinations of these measures and step-up authentication depending on the transaction’s risk context. That way, not all consumers need to be inconvenienced in the same manner or to the same degree.
The Payment Lifecycle
A payment can be initiated by a new user opening up a new account, or by an existing user using an existing account. This distinction is important as the attack surface is vastly different for each scenario. In the former case, since we are dealing with a new user establishing a new account, there is no prior account history to rely on. Therefore, one cannot simply trust the new user’s supplied information, the devices they are using, their payment behaviour or their payment mechanisms. Worse yet, in e-commerce transactions, the new user may opt to perform the payment as a guest, checking out anonymously without opening an account if permitted to do so by the merchant, and a lot of merchants are lax on the need for account establishment for the avoidance of friction. So this is a hard problem to solve.
In the latter case, since we are dealing with an existing user and existing account, there is established prior account history to rely on — such as the devices used by the consumer frequently to access the website or mobile app, their past click-flow behavior on the website or mobile app as the customer makes a purchase, or past payment behaviors. Today, mobile devices and Internet of Things technology also allow us to track various forms of biometrics actively and passively for historical comparison, to detect unauthorized use of an existing customer account. But one thing is for certain — if there is no identity assurance or poor identity assurance to begin with, and a “bad guy” is able to establish an account or obtain authentication credentials, the outcomes are going to be poor, with a high likelihood of fraud losses.
When a new user opens up a new account and performs a payment transaction, the use of a very good identity verification system in the customer on-boarding and payment flow will satisfy items (a) and (b) in the Security Principles section above. Traditional identity verification solutions relied on verifying Personally Identifiable Information (PII) by comparing customer-supplied PII to a database of offline, public, non-self-reported data collected by Credit Bureaus and Data Brokers over the past few decades. That data has been breached so many times over the last decade alone that it now costs about $5 to buy the data needed to commit fraud. In fact, Fraud as a Service is now a business model on the Internet, so you don’t have to commit fraud yourself; you can economically pay someone else to do it for you in places like carder forums. Note that each $1 of fraud loss to a business equates to about $2.50 of cost to that business in the US.
Then there’s the more acute issue of data coverage of people and changing demographics. There is a growing gap in data coverage for Millennials, for the unbanked, and for people in 180 countries worldwide that have no easy access to credit, who are outside the credit system or in a country with no credit system and may be migrating. These people are referred to in the industry as “thin-file”. Millions of people who lost their homes in the housing market crisis in the US now find themselves in the non-credit-worthy bucket due to the assumptions made in the FICO score. Thanks to the use of Artificial Intelligence and big-data analytics applied at Internet scale on online, social and offline data, solutions like ours (shameless plug) are able to outperform the traditional approaches to identity verification in real time.
Well-performing identity verification solutions deliver value by increasing acceptance of the thin-file population with reduced friction, while keeping the evolving face of fraud at bay, not to forget saving costs by replacing legacy approaches and avoiding manual review work. A legacy approach used in an identity verification flow is to ask the consumer some “out of wallet” questions based on public and private information and check if their answers match a system of record, in a process called Knowledge-Based Authentication (KBA). This not only increases friction — people’s memories are frail — but is ineffective for solutions operating on public data, because bad guys can socially engineer or troll the internet for the answers to pass the test.
A better approach is to either eliminate KBA entirely or to reduce its use (and customer friction) by employing state-of-the-art identity verification solutions and Multi-Factor Authentication (MFA) solutions in tandem. For instance, if there is some doubt about the authenticity of a caller’s identity because the identity verification system returned a risk indicator, a call center could initiate a push notification to the consumer’s mobile app, out of band from the call with the customer, challenging the customer to authenticate over some step-up authentication scheme like entering a one-time PIN or engaging in fingerprint/voice/facial biometric verification based on the risk context. In this robust way, the identity verification solution acts as the decision point for stepping up authentication for identity assurance for a subset of the user population.
OK, so you’ve now secured your new user on-boarding and account establishment flows. This naturally brings us to the next part of the lifecycle — securing the payment transaction itself. For anonymous guest account transactions, one might be lucky to get a name, an email address and a phone number in addition to the payment instrument details and a delivery address. In addition, one might get information about the device being used, the geolocation of the device, and click-flow behavior patterns such as “…the user arrived and then simply filled up the shopping cart with 5 big-screen LED TVs before hitting the checkout button…”. Using cohort analysis for devices, geolocation and behavior patterns of anonymous people generally visiting the website or mobile app, it is possible to accurately guess if an anonymous transaction is risky. In the above example, people buying that many TVs tend to spend time first perusing inventory and reading reviews etc. before purchasing, and it’s not very often that people, say, in Iowa buy that many TVs in one shot (no offence to Iowa), which might represent a risky anomaly.
In contrast, for authenticated transactions, one would have access to the identity of the user and the account as well as past behavior information for the consumer who performed the transaction. Applying a combination of identity verification outcomes, device, geolocation, payment and other historical behaviors of the customer that have been captured and stored with their consent, analytics systems will be able to effectively predict the transaction risk that an account might have been taken over for fraud. In the near future, I expect that we will see a convergence of transaction verification solutions and MFA solutions. Based on the risk context for a given transaction, a customer may be subject to a variety of increasingly complex authentication factors that are difficult for a bad guy to spoof. This addresses items (c) and (d) in the Security Principles section above.
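The “silver shotgun” idea above (stacking several weak signals and stepping up authentication according to the transaction’s risk context), the call-center step-up flow driven by an identity verification risk indicator, and the cohort-based anomaly check on the anonymous “5 TVs” shopper all reduce to one decision function. The following is an added example written for this article, not Socure’s or any vendor’s code: the signal weights, the step-up thresholds, the cohort statistics and the four scenarios are all constructed assumptions chosen so that the article’s own examples land in different tiers.

```python
"""Risk-context step-up authentication: stack several weak signals (the
"silver shotgun") into one score and choose how much friction to apply."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class TxContext:
    amount_usd: float
    cross_border: bool
    card_present: bool       # EMV chip + PIN/signature at a terminal
    new_account: bool        # no prior account history to rely on
    guest_checkout: bool     # anonymous checkout, no account at all
    idv_risk_flag: bool      # identity verification returned a risk indicator
    known_device: bool       # device seen before on this account
    geo_anomaly: bool        # geolocation inconsistent with history or cohort
    seconds_on_site: float   # time spent browsing before checkout
    cart_qty: int            # units of the same item in the cart
    # Cohort statistics for anonymous visitors of this site (constructed values).
    cohort_mean_seconds: float = 600.0
    cohort_std_seconds: float = 200.0
    cohort_mean_qty: float = 1.2
    cohort_std_qty: float = 0.6


def behaviour_anomaly(ctx: TxContext) -> bool:
    """Cohort z-score check: checkout much faster than peers AND a much larger
    quantity than peers (the "5 big-screen TVs in one shot" pattern)."""
    z_fast = (ctx.cohort_mean_seconds - ctx.seconds_on_site) / ctx.cohort_std_seconds
    z_qty = (ctx.cart_qty - ctx.cohort_mean_qty) / ctx.cohort_std_qty
    return z_fast > 2.0 and z_qty > 2.0


def risk_score(ctx: TxContext) -> Tuple[int, List[str]]:
    """Additive score; the weights are assumptions, not fitted values."""
    checks = [
        (ctx.amount_usd >= 1000, 2, "high value"),
        (ctx.cross_border, 2, "cross-border"),
        (not ctx.card_present, 2, "card not present"),
        (ctx.new_account, 2, "no account history"),
        (ctx.guest_checkout, 1, "guest checkout"),
        (ctx.idv_risk_flag, 3, "identity verification risk indicator"),
        (not ctx.known_device, 1, "unrecognised device"),
        (ctx.geo_anomaly, 2, "geolocation anomaly"),
        (behaviour_anomaly(ctx), 2, "behaviour anomaly vs cohort"),
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    reasons = [why for hit, _, why in checks if hit]
    return score, reasons


def decide(ctx: TxContext) -> Tuple[str, int, List[str]]:
    """Map the stacked score to a step-up action (thresholds are assumptions)."""
    score, reasons = risk_score(ctx)
    if score >= 9:
        action = "manual_review"        # too risky to approve automatically
    elif score >= 6:
        action = "biometric_step_up"    # fingerprint/voice/face via the app
    elif score >= 3:
        action = "otp_push"             # out-of-band one-time PIN push
    else:
        action = "frictionless"         # no extra challenge for the consumer
    return action, score, reasons


# Constructed scenarios mirroring the article's examples.
LOW_RISK = TxContext(5, False, True, False, False, False, True, False, 900, 1)
CROSS_BORDER = TxContext(5000, True, False, False, False, False, True, False, 900, 1)
IDV_FLAG = TxContext(50, False, False, False, False, True, True, False, 900, 1)
GUEST_TVS = TxContext(4000, False, False, True, True, False, False, False, 60, 5)

if __name__ == "__main__":
    for name, ctx in [("low", LOW_RISK), ("xborder", CROSS_BORDER),
                      ("idv", IDV_FLAG), ("guest_tvs", GUEST_TVS)]:
        print(name, decide(ctx))
```

The point of the structure is that no single check decides anything: the $5 card-present purchase is approved with no challenge, the $5000 cross-border card-not-present payment earns a biometric challenge from three moderate signals, the caller with an identity verification flag gets an out-of-band push rather than a KBA quiz, and only the guest buying five TVs within a minute accumulates enough stacked signals to be held for review.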
Compendium of Authentication solutions
While the picture above is incomplete in terms of new “passive” biometric solutions that have entered the market with privacy risk entailments (such as measuring the way we type, hold our device, press on the screen, move the mouse, how our heart rate fluctuates, what our DNA traits are, etc.), what is clear is that we are not lost for choice in the number of ways we can inconvenience or freak out a consumer making a payment. While you can Google what each of these authentication solutions does for yourself, one thing is certain — none of these authentication solutions applied on its own is 100% effective in securing the payment; they must be used in combinations determined by the risk context of the transaction, and within an MFA framework as a best practice. These authentication solutions can be thought of as proxy credentials to authenticate a human to a machine. If an identity is not assured to begin with, binding the risky identity to any type of authentication credential — even biometrics — is not a good idea (Apple Pay fraud is a good example). Also true is the idea that if you let a bad guy in, you can expect the transaction outcomes to be bad as well.
It is a fact that fraudsters prefer to use the path of least resistance as the attack vector, and establishing a fraudulent account is easier than trying to break into an existing account and misuse it without deviating from historical behavior that might set off alarm bells. Therefore binding a trusted identity to devices and biometrics is key to implementing a robust MFA framework. The Fast Identity Online (FIDO) Alliance is an attempt to standardize strong multi-factor authentication across solution providers in the industry in an interoperable way.
Where does Payment Tokenization fit in?
What Tokenization is not: it is not a new security mechanism that eliminates the need for identity verification and MFA. Payment and Identity tokenization schemes like the ones proposed by EMV Co. are simply mechanisms to decouple the sensitive identity and transaction data elements from a payment, turning them into non-reusable reference pointers. The main argument for tokenization is that it prevents lazy companies from storing the raw data from payment transactions in their databases unencrypted, so that in the event of a data breach, the stolen tokens are useless to the attacker. In the long term, tokenization has the benefit of limiting the magnified effects of data breaches. Therefore tokenization is a best practice to apply on top of the identity verification and MFA frameworks, and it addresses item (e) in the Security Principles section above. Tokens also have the added advantage of interoperability and federation when they conform to industry standard specifications.
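To make the “non-reusable reference pointer” idea concrete, here is an added example written for this article (not EMV Co.’s specification and not any processor’s code). It assumes an in-memory token vault standing in for the PCI-scoped token service provider, tokens restricted to the merchant they were issued for and valid for a single detokenization, and a merchant database that persists only the token and the last four digits. The card number used is the constructed test value 4111111111111111.

```python
"""Payment tokenization as a reference pointer: the merchant keeps a random,
single-use, merchant-bound token; only the vault can map it back to the PAN."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TokenRecord:
    pan: str            # primary account number, held only inside the vault
    merchant_id: str    # domain restriction: valid only for this merchant
    used: bool = False  # non-reusable: a replayed token is rejected


class TokenVault:
    """Stand-in for the token service provider (assumption: in-memory store).
    A production vault would additionally encrypt the PAN column at rest."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def tokenize(self, pan: str, merchant_id: str) -> str:
        # Random token: it is a lookup key, not a transformation of the PAN,
        # so nothing about the card can be recovered from the token itself.
        token = "tok_" + secrets.token_urlsafe(16)
        self._records[token] = TokenRecord(pan, merchant_id)
        return token

    def detokenize(self, token: str, merchant_id: str) -> Optional[str]:
        rec = self._records.get(token)
        if rec is None or rec.merchant_id != merchant_id or rec.used:
            return None  # unknown token, wrong merchant domain, or replay
        rec.used = True
        return rec.pan


@dataclass
class MerchantDB:
    """What the merchant persists: the token plus non-sensitive display data."""
    rows: Dict[str, dict] = field(default_factory=dict)

    def store(self, order_id: str, token: str, last4: str) -> None:
        self.rows[order_id] = {"token": token, "last4": last4}


def checkout(vault: TokenVault, db: MerchantDB, merchant_id: str,
             order_id: str, pan: str) -> str:
    """Tokenize at capture time; the raw PAN never reaches the merchant's rows."""
    token = vault.tokenize(pan, merchant_id)
    db.store(order_id, token, pan[-4:])
    return token


def recoverable_pans(vault: TokenVault, db: MerchantDB, merchant_id: str) -> List[str]:
    """How many card numbers a holder of the merchant's rows can obtain when
    presenting them to the vault under the given merchant identity."""
    found = []
    for row in db.rows.values():
        pan = vault.detokenize(row["token"], merchant_id)
        if pan is not None:
            found.append(pan)
    return found


if __name__ == "__main__":
    vault, db = TokenVault(), MerchantDB()
    tok = checkout(vault, db, "merchant-A", "order-1", "4111111111111111")
    print("merchant row:", db.rows["order-1"])
    print("stolen rows used elsewhere:", recoverable_pans(vault, db, "merchant-B"))
    print("legitimate first use:", vault.detokenize(tok, "merchant-A"))
    print("replay of same token:", vault.detokenize(tok, "merchant-A"))
```

Two properties carry the security argument. First, the token is generated with `secrets` rather than derived from the card number, so a breached merchant table yields random strings and last-four digits and nothing else. Second, the vault enforces the domain restriction and the single-use rule, so a token copied out of one merchant’s database cannot be presented by another party and cannot be replayed even by the issuing merchant. Tokenization does nothing about who is standing behind the transaction, which is why the identity verification and MFA layers above still have to come first.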
The future of Payment security innovation
So where is this all leading? If you consider that the introduction of universal credit cards by Diners Club in 1950 was to enable a pointer to a consumer’s credit account, and that the introduction of debit cards in the early 1980s accomplished the same thing for bank accounts, it is reasonable to assume that now, in 2016, we don’t necessarily need anything other than a token that binds identity to our Internet-connected devices and to our authentication credentials to act as a proxy pointer to access those same accounts. It’s conceivable that, like Tom Cruise in the movie Minority Report, we can be identified using the sum of the digital exhaust we exude as we walk into a retail location, pick up what we want to buy and then leave without ever reaching for our phone or wallet to pay, since the identity can be tied back to a credit or debit account on demand. Since this digital exhaust spans the real world and the Internet, these signals open up the possibility to uniformly bridge the payment and security experience across retail and digital channels. In fact, companies like PayPal, Klarna, Affirm and others tout the ability to make purchases online today using micro-credit on demand for the value of your shopping cart, without reaching for your wallet to make a payment.
With EMV Co.’s 3D Secure “Part Deux”, tokenization can be applied to both retail card-present payments and online card-not-present payments in a consistent manner, so that data breaches in the future are unlikely to give fraudsters ammo. With the advances in sensors and secure elements embedded in mobile devices and the Internet of Things, active and passive biometric technologies are bound to improve rapidly in speed, accuracy and security. Eliminating the need to enroll before applying biometric authentication will speed up mass consumer adoption.
Drawing the line into the next 10+ years, it is conceivable that we will start to think about payments differently. When we drive into a drive-through, our car will be our payment vehicle (pun intended) instead of our physical or digital wallets. Like the futurist Ray Kurzweil theorizes, it is conceivable that man and machine will converge and new types of “national identifier” authentication devices will be embedded into us at birth, making us part of the Internet of Things to come. And it is also conceivable that our refrigerators will be used to commit fraud in the very near future.
About the Author
Sunil Madhu is the founder and CEO of Socure, the leader in real-time digital identity verification solutions, based in New York City. Sunil is a serial entrepreneur, with several successful exits through IPO and acquisition in the Identity & Access Management domain. A security architect by profession, he has spent over 20 years innovating identity and access management solutions, addressing hard problems in network and application authentication and authorization. At Socure, Sunil leads an experienced team that is pushing the envelope of real-time identity verification, by employing state-of-the-art machine learning and big-data analytics on offline, online and social media data. Sunil holds a MS degree in MIS from Glasgow Caledonian University and a BS degree with Honors in Computer Science with a focus on AI from Strathclyde University in the UK.
The views expressed in the posts and comments of this blog do not necessarily reflect those of ETA.