By 2019, the global e-commerce market is predicted to be worth US$2.4 trillion. In short, e-commerce is growing at an unforeseen rate. Unfortunately, it also means that online payment fraud, a notorious companion, will tag along for the ride. In its latest research report, Fraud Trends 2016, Worldpay highlights the key issues at the forefront of global risk and fraud prevention, such as perceptions regarding mobile fraud, the use of social media in risk mitigation, and the inability of companies to effectively leverage data.
Perceptions on Mobile Fraud
As anticipated by the payments industry, the EMV liability shift has forced fraudsters to move to CNP (card not present) environments, such as mobile commerce. When it comes to mobile transactions, there are many vulnerabilities that go unnoticed by users. For example, although biometric scanning and other authentication methods like 3D Secure exist, most smartphone users avoid or even forgo them. Instead, for convenience, many choose a weak PIN that is easily exploited by unauthorized users, like 1234 or 0000. Also, data from applications and wireless transmissions is not always encrypted, enabling attackers to intercept personal information and eventually gain access to payment credentials.
Over the years, mobile fraud has evolved into more advanced forms, such as malware delivered through applications. The malicious code can either be written into an entirely fraudulent application or hidden in a legitimate app by secretly adding lines of code. After installation, these apps function normally, but beneath the surface they collect personal data, change security settings, establish remote control, and even read from unencrypted card readers attached to the smartphone (or tablet).
Out of the 200 respondents to Worldpay’s questionnaire, 59% affirmed that they fully understood the increased risk associated with transactions made on a mobile device. However, 69% treat mobile transactions no differently from others. Why, you ask? One respondent answered: “mobile is different, as it takes off we may see that things are different on the fraud/risk front. We’re not sure how we would deal with that”.
Risk, Trust, and Social Media
Since account authentication persists as an issue in the payments space, risk professionals have turned to an innovative method for identifying fraud: leveraging the ubiquitous nature of social media to review and vet the legitimacy of transactions and users. Social media data has quickly become a valuable authentication method, with almost 60% of respondents already using it in their review processes, and 52% ready to make better use of it.
However, the current review process is cumbersome, manual, costly, time-consuming, and as some would argue, subjective. For most respondents, the principal rationale for analyzing social media data is as a form of KYC (know your customer), fraud prevention, or evidence for chargeback defense. To achieve this, human reviewers assess flagged accounts based on factors such as quantity of photos, conversations, and posts. Although the process provides valuable insights for risk decisioning, the majority of respondents agreed that an automated solution would be strongly welcomed in the marketplace. As one participant explained, “we use social to verify that a purchaser exists, if they are who they say they are, is it a fake account...but it’s difficult if the name is John Smith. It (is) very manual.”
Another concept that merges social media data with fraud prevention, and has gained traction, is social sign-on. This method works for both sides: it allows users to avoid remembering numerous passwords, and it offers merchants valuable knowledge about their customer base. Currently, only 35% of survey respondents offer social sign-on as part of their customer login process, but 56% acknowledged that they would place greater trust in customers who use social logins. Although the formal use of social media to combat fraud is still in its prepubescent stage, risk decisioning is essentially based on trust between consumers and merchants, and social media data offers an effective way of facilitating such trust.
Data is Knowledge, and Knowledge is Power
Machine learning and big data have gained international fame as two of the most popular buzzwords in 2016, but what do they really mean, and how are they being implemented? Fraud professionals know that data is knowledge, and knowledge is power, so they are keen on finding new ways to collect and analyze data points in order to make better decisions. In today’s world, many organizations are reaping the benefits of collecting data to enable real-time risk assessment, and they are always hungry for more.
Business intelligence comes in two forms of data streams: internal data sources such as customer purchase history or average spend, and external data sources like device and behavioral information. Internal data is often immediately available at little to no cost, and can easily be leveraged to inform richer decisioning, especially when communication channels are open throughout departments. Still, 58% of respondents said they know there is lots of useful customer information within their business that they do not currently use to fight fraud, and felt strongly that they could do more by feeding their risk engines with more internal data. As one respondent noted, “[often] the information is all there, and I could have told you it would result in a chargeback, but we did not have the data points.”
The report also emphasizes the importance of sharing positive data along with negative data, citing social sign-on as an example where the Marketing team may be collecting valuable consumer information, but the data is not conveyed to the Fraud team’s decision engine.
Meanwhile, machine learning has become a champion for early adopters, continuing to show promise and drive results. Almost all businesses agreed that automated data analysis revealed subtle indications of fraudulent behavior that normally went unnoticed, and that machine learning could be leveraged to develop strategies for enablement (reducing false positives), risk avoidance (mitigating fraudulent or high-risk transactions), and efficient resource allocation (strategic card re-issuance and decisioning).
An Arms Race
The future of fraud is best characterized as an arms race between payments technologies and fraudsters/fraud rings. One particular theme that emerged from interviews with respondents is that fraudsters are getting better and better at emulating legitimate behavior, making it increasingly difficult for human reviewers to detect compromises. Considering 81% of respondents are concerned about new attack types emerging before the technology is available to fight them, most businesses are frantically searching for technologies that will keep them ahead of the curve and add to their portfolio of security features. Successful solutions of the future will focus on proactivity instead of reactivity, respondents predicted, and will have increased data assets combined with machine learning/automated intelligence at their core, with manual review reserved for only the most complex cases.
Another issue facing the payment industry that experts hope to solve is the emerging tension between UX (user experience) and fraud prevention, as more streamlined methods of payment become available to consumers. Although consumers are happy with fast and frictionless payments, fraud prevention teams are less so, as they rely on data points to assess a transaction for risk. With milliseconds to decide whether to approve a transaction or flag it for fraud, risk experts are scrambling to collect the data they need in order to make a decision. One promising tactic is to focus on real-time checks on data gained without user interaction, such as device or historical data linked to a user, but that will require initial setup, such as registration and initial loading of the payment instrument. In the survey, 79% of respondents answered that the shift to frictionless payments will lead to greater tension between the needs of user experience teams and fraud teams.
The landscape of fraud continues to grow more complex, as new risks stemming from business activity such as new geographical markets, new product ranges, and new payment methods threaten to expose merchants. At the same time, innovative payments technology, such as IoT (Internet of Things) and invisible payments, is constantly emerging to put out the fires as they arise.
As merchants start to realize the vulnerabilities associated with mobile commerce, they will invest in fraud prevention tailored towards mobile, and will potentially mandate stronger authentication methods (such as 3D Secure and two-factor authentication). Social identity will continue to play a strong role in fraud prevention as an effective means for establishing trust, and players in the industry will begin finding ways to manage online identities through centralized repositories of digital identity information. All in all, “the future will be much more data-driven – the decision has to be a yes or no and move on.”