The physicality of face-to-face commerce has put a huge dent in fraud. Or at least some types of fraud.
EMV chips have made it hard to clone cards. Chip, PIN and signature combinations have also been instrumental in keeping fraudsters at bay.
Entersekt Co-founder and Chief Strategy Officer Dewald Nolte and KeyBank Senior Vice President and Merchant Acquiring Risk Leader Kevin Lambrix told Karen Webster that the bad actors are targeting the path of least resistance in plying their schemes and stealing money from unwitting consumers and merchants.
The path of least resistance lies in eCommerce.
That’s because the lines of defense have yet to be fully drawn, even though technology has improved by leaps and bounds to make transactions safer.
As Nolte stated, only 1% to 3% of transactions in the United States are submitted through 3DS, the protocol designed to authenticate users. The merchants have been resistant to embracing 3DS, having had a rough go of the first iteration of the protocol, which had a clunky user interface and technical integration issues. Nowadays, some merchants won’t even submit transactions through 3DS protection.
“Immediately you see — as a guy who’s in the ‘fraud business’ — they say, ‘That can be quite easy for me because I can take stolen card data and I can use it online,’” Nolte said.
Simply put, many merchants are not going to take the steps needed to challenge online transactions, to find out that the individuals seeking to make transactions are who they say they are.
It’s estimated that roughly 70% of all card-related fraud happens in a card-not-present (CNP) scenario. And CNP fraud is projected to reach $49 billion, globally, by 2030.
Lambrix said that the rising tide of CNP fraud will come as more businesses enter the fray of digital commerce — and many of them are and will be focused on growing sales, while lacking the experience and expertise needed to battle the fraudsters, who have proven adept at figuring out ways to “get around” most fraud defenses.
“It’s a never-ending battle,” he said, adding that “the fraudsters can hit you very hard, very fast.”
The merchant antipathy toward 3DS is unfounded, said Nolte, who noted that the protocol now allows for some of the modern payments use cases and a streamlined sharing of data between merchants and issuers to ensure that all avenues of attack are closed off to fraudsters.
The consumer who might be vulnerable to social engineering (aka one avenue of attack) is less susceptible if the bank intervenes and asks for authentication through SMS or a one-time password (OTP). But the fraudsters have figured out how to leverage that channel, too, intercepting the SMS and reading back the code.
“Two channels of attack beats one,” said Nolte.
The data that passes between merchants and issuers via 3DS offers the best way to shore up defenses, he said.
Other tech-driven solutions are coming to market, the panelists told Webster, ranging from virtual account numbers to delegated authentication to tokenization. Tokenized credentials, and vaults, still have a way to go before they become truly frictionless, said Nolte.
“One of the big challenges is that when you’re paying, you are going to have to authenticate yourself to that vault,” he said. “…I have to authenticate myself to get into the merchant account, and then when I check out, I have to authenticate myself again.”
The stage is set, said Lambrix and Nolte, to see more traction in using biometrics to complement, and even replace, some of the defenses against CNP fraud. Biometrics have been around for a while, but the experience is still fragmented, with some merchants demanding fingerprints, others allowing for facial recognition, and some still adding passwords into the mix. Nolte said recent initiatives, such as with the FIDO Alliance, seek to standardize authentication and help reduce that fragmentation.
“You’re starting to see a consistent experience for card-present and card-not-present transactions, which is where we will see a lot more efficiency being driven,” Nolte said. “And you don’t have to retrain the consumer” by turning different devices into biometric authenticators.
Looking ahead, stemming the tide of CNP fraud requires a multi-pronged approach. Nolte said there’s market education that needs to be broadened, and merchants and banks need to be kept up to date on the latest and best tools that are out there. From a regulatory perspective, broad security frameworks need to be in place, governing how to protect consumers transacting online.
Individual companies, added Lambrix, need to gauge their risk strategies even as they focus on driving revenues.
“You can measure success in terms of the metrics that you use to manage the underlying risk, and you can also use metrics in terms of customer satisfaction to make sure they are comfortable with the payment process they’ve just gone through,” Lambrix said. “If we leverage the new tools available, that will bring success.”