The Changing Face of Payment Card Fraud

According to the most recent Nilson Report, card fraud losses reached $16.31 billion globally in 2014, up 19% over 2013. To put this in better perspective, the average loss to fraudsters per $100 spent rose from 5.5¢ in 2013 to 5.7¢, which in turn is up from 4.5¢ just 5 years ago.

This may not sound like a lot, but when the total payments volume driven by the major card brands was $23.78 TRILLION, the loss of a tiny fraction of a percent per transaction translates to billions; $16.31 billion to be precise.

The biggest victim? That’s right, the US, which accounted for 48.2% of gross fraud losses but generated only 21.4% of global purchase volume, giving it a loss ratio more than double that of the rest of the world (at 12.75¢ lost per $100 spent).

The causative factors are numerous. Some are being addressed; some will only get worse BECAUSE the first ones are addressed:

  1. By far the biggest cause is the lack of EMV adoption in the US, where card counterfeiting accounted for almost 1/4 of all losses globally (23.9%). This is particularly frustrating for regions that have full EMV implementations, since fraudsters can simply put transactions through US-based mag stripe terminals.
  2. The US’s over-reliance on predictive-analysis anti-fraud techniques, which, given their ‘back-office’ nature, are too little, too late. Besides, only the larger merchants can afford such measures.
  3. US merchants have not embraced 3-D Secure to protect e-commerce transactions, as they “care less about merchandise lost than they do shopping cart abandonment”. And it’s not just the loss of a single transaction: an angry customer is unlikely to hurry back.

Not that the rest of the world has anything to boast about. Seeing as the payment card industry will only expand over the next 5 years (which in itself is quite ridiculous given the numerous alternatives), the criminal gangs can be expected to double and re-double their efforts until unsecurable legacy transaction processes are finally replaced.

The only highlight in the entire Nilson report (if you can call a loss a highlight) is that PIN-based ATM debit transactions were the lowest risk of all transaction types, at only 1.3¢ lost per $100 spent. Which raises the question: why on earth is the US implementing its EMV rollout with ‘chip & choice’, not ‘chip & PIN’? Why rely on a merely more-secure-than-mag-stripe technology when 2-factor authentication is rapidly becoming an industry standard AND a regulatory requirement?

The number of solutions available today makes the continued losses all the more frustrating: mobile devices capable of multi-factor AND multi-mode (multiple instances of a factor) authentication, ‘enhanced positive data’ drawn from contextualised big data, and identity management techniques capable of adding reputational decisions to a given transaction are all established products.

Seeing as over 2/3 of all Americans have a smartphone, even the simple and ubiquitous PIN is capable of vastly reducing the continued fraud associated with magnetic stripe transactions. Integrate an out-of-band PIN authentication into existing acquirer transaction processes and the card data alone becomes almost meaningless to a thief.

Payment innovation will eventually make the current vulnerabilities a thing of the past, but why wait?

Invisible Payments, Are They Real?

In short, yes, they WILL be, but like everything worthwhile there is a significant cost involved. In this case the currency will be your identity, and the more invisible you want payments (or any transaction, for that matter) to become, the more of your identity you will have to spend. In other words, there is a direct correlation between your identity and your privacy.

First, what is an invisible payment? Seeing as Wikipedia hasn’t even got a listing yet, I’ll take a stab at defining what invisible payments are to me:

“A payment can effectively be called invisible when there is limited to no interaction required by the payment initiator (consumer) to complete the authorisation and settlement of a transaction.”

Any fan of Star Trek has seen this in play for decades. When was the last time you saw Captain Kirk reach into his pocket for a 10 spot or a credit card? Did he have to use biometrics or a swipe card to get onto the bridge? Maybe, but we saw none of it, and that’s the point.

Imagine this scenario: you walk into Sainsbury’s and pick up a basket, then walk up and down the aisles choosing your items. Once you have finished shopping, you walk out to your car, [optionally] without any further interaction whatsoever.

What was the process?

  1. As you walked in, any number of authentication mechanisms were at play, from smartphone proximity (NFC), to facial and/or gait recognition, to whatever biometric innovation comes next;
  2. Both the shopping carts and the baskets could easily be fitted with fingerprint, vein or hand geometry recognition sensors in order to assign the subsequent basket contents to you;
  3. As you place items in the basket, they are scanned and optionally listed on your mobile device for a running total / loyalty benefits / instant coupons and the like;
  4. Walk through a final scanner into a bagging area, or just go straight to your car; either way your final tally is calculated and the funds directly charged to the payment option of your choice. It’s up to you whether you want to authorise the final payment with a PIN and/or biometric on your smartphone; and
  5. Everything you just purchased is now available on your home database for tracking of ingredients for a meal, expiration dates and so on.

While the majority of the technology behind this transaction is more in the realm of the Internet of Things (IoT), the payments aspect is an extremely simple form of Identity Management on smartphones. What’s more, all of this technology is available today; the only thing missing is the demand.

There will be 2 extreme camps to the above scenario; 1) Where do I sign-up!? and 2) Never in a million years!

Most of us will be somewhere nearer the middle, and it should be clear that the further you get into the ‘sign-up’ camp, the more of yourself you have had to share. When it comes to invisible payments (and IoT, for that matter) the convenience described above comes at a cost to your privacy. And until security catches up with technological innovation, that cost is seen by most to be too high.

That’s the demand I mentioned above, and while scenarios like this will be common place one day, we’re not quite there yet.

[If you liked this article, please share! Want more like it, subscribe!]

New Payment Technology: A Race to the Bottom?

In a recent article, 68 PERCENT OF PAYMENTS PROS SAY NEW TECH INCREASES RISK: “68 percent of [payment-systems professionals] say pressure to migrate to new payment systems puts customer data at greater risk instead of making it safer, according to a new survey by Experian and the Ponemon Institute.” This relates to EMV and mobile payments, but it is unclear exactly which technologies they refer to.

What it does not say is whether the insecurity is due to the pressure of the migration itself (which is implied), or to the inherent insecurity of the underlying technologies. These are two radically different concepts, from which the reader can draw wildly different conclusions.

As in any business, the pressures of maintaining a competitive advantage can lead to some very poor business decisions, and without a robust governance function insecure systems can easily find their way into production untested. However, if the article is suggesting that it’s the new payment systems themselves that are the issue, we would strongly challenge that argument.

There exist today payment technologies whose security is far in advance of anything possible for the legacy non-cash, non-chip payment infrastructures. Mobile devices alone are capable of multiple multi-factor authentication mechanisms through everyday use. Integration of this technology is held up by many factors, but perceived insecurity of the data should not be one of them. EMV is also far more secure than mag stripe (for example), and the combination of chip and PIN is more secure still.

It is difficult to understand how you could introduce EMV insecurely given its self-contained nature, but mobile payments are something altogether different, and their risks are readily addressed by the implementation of appropriate products and due diligence. This may well be what most concerns those surveyed.

With regard to technology in general, and retail especially, neither the payment method itself nor security is a core function. Being paid for the goods is. It’s not surprising that “Only 51 percent of the Experian/Ponemon respondents agreed that ‘the security of electronic payments is a top priority issue’ for their organizations.” In fact, we suspect the only reason it’s that HIGH is that Experian/Ponemon were talking to payment-system professionals and not the CEOs.

EMV roll-out in the US was never going to be completed by this October, and even 2020 is doubtful. The reasons for this are myriad: the expense (which is significant), investment only in technologies that are not future-proofed, analysis-paralysis over loyalty and value-add services, and a trend toward a competitive edge based on customer service alone all play a part in a decision that can quite literally make or break an organisation.

A payment, in its simplest terms, is a transfer of value from one place to another. Getting those payments transferred is a multi-trillion €/£/$ industry which has yet to provide the kind of leadership merchants are looking for. In the end the only thing that matters is that the consumer is able to securely authenticate themselves and make the transfers they want, when, where, and however they want, and it’s clear that current technology falls short.

EMV and tokenisation are security patches while the payments ecosystem transitions to mobile, and delays in implementing either of these technologies are a direct result of retail’s inability to double its investment in payment acceptance channels, as well as its inability to know which of the technology horses is going to win the race.

[Ed. Written in collaboration with]

EMV Liability Shift, How Mobile Authentication Can Ease the Pain

In October of this year, any merchant in the US who does not demonstrate the ability to accept EMV transactions can be deemed liable for the fraud associated with counterfeit cards.

That’s only 5 months from now.

Most people in the EU can’t really understand the confusion this has generated (we’ve had chip & PIN for well over a decade), but for the population of the US, swipe & signature is as natural as handing over cash. Retailers are rightly concerned that adoption will be a slow and painful process, but that may not be their biggest concern.

Estimates of the cost of the transition from magnetic stripe to chip range from 12 billion USD (my estimate) to 33 billion USD (the press), and the lion’s share of this will fall to the retailers, who must replace their existing payment entry devices (PEDs) with chip-compatible ones. The chances are good that this expense was not in their long-term costings, and bringing forward the end-of-life of their PED infrastructure is simply not an option in an industry where profit margins are razor thin.

But the thing few people realise is that while the chip alone is a positive factor in fraud reduction (anti-counterfeit), the greatest benefit of the EMV roll-out is only achieved in conjunction with a 4-digit Personal Identification Number (PIN). This effectively adds a second factor of authentication (the card is something you have, your PIN is something you know), making card-present transactions significantly more secure. PIN alone would have a significant positive impact as well.

It follows, therefore, that while organisations scramble to comply with the letter of EMV, there already exists in almost everyone’s pocket the capability to provide not just a PIN, but multiple forms of authentication and value-add services that far exceed the benefits of the chip: the mobile phone.

Even the loss of the Primary Account Number (PAN), which is the largest cause of card related fraud, is meaningless if the thief can’t complete the transaction. Add to this the numerous benefits of instant coupons, loyalty programs and even ratings & reviews, and the retailer now has the capability to enhance the customer journey while meeting the intent of EMV.

Neither the card issuers nor even the card schemes themselves are fixated on EMV itself; they are only truly interested in reducing fraud. Retailers share this goal, even if they do not entirely agree with the way to get there.

It is up to authentication vendors to provide alternatives, and get those alternatives tested, real-world proven, and on the table. This will not be authentication vendors alone, or mobile device manufacturers alone, and the result will not be a decision made by card schemes alone. This will be a collaboration between ALL players, and will only work if everyone comes away a winner.

Especially the consumer.


Mobile Authentication: Exceeding Card Present Security?

Looking at this as objectively as I can (given my current career focus), I fail to see how the sheer number of authentication factors a mobile device is capable of doesn’t make authentication of card-not-present transactions at least as secure as, if not more secure than, card-present transactions.

Well, they SHOULD be more secure, the technology is available, but the payments and mobile industries cannot seem to get out of their own way.

Let’s examine the card-present transaction: I walk into a shop, choose my items, then go to the counter. The shop assistant rings in my stuff, I place my chip & PIN card into the terminal, enter my PIN and I’m done.

The only things ‘guaranteeing’ that I’m an authorised user of the card are that I have the card in my possession and that I know a 4-digit PIN. Yes, some cards have photos on them, but they are few and far between, so the real security in a card-present environment is the difficulty of obtaining both the card and the PIN from the true owner. I will not underestimate just how difficult this is, but other than the true owner finding the card missing and reporting it, there are very few checks and balances.

Now let’s consider what you currently have to do to buy something online, and everything a mobile phone COULD be doing to provide security. Traditionally:

  1. To create a new account with most e-commerce retailers, you just need a valid email address, which may or may not require confirmation from the email address used.
  2. To add a payment card you need a valid billing address and a mobile phone number, which may or may not be validated in the back-end.
  3. To make a purchase, you log into your account, choose your stuff, then go to the checkout. You select the saved payment card you wish to use, then enter your CVV2 code and/or your 3-D Secure password.

All of this is far easier to fake / bypass than in card present environments, hence the higher rates of fraud.

Now, imagine a scenario where you have registered your mobile phone and tied it to the payment card in question. You have all of these at your disposal:

  1. PIN / Password – the most ubiquitous form of authentication on the planet, and while it’s not the best, it most certainly adds a significant layer of complexity for the bad guys.
  2. Fingerprint – If you have an iPhone 5/6 or a later version of Samsung, you have fingerprint biometrics. This facility will only increase as time goes on.
  3. Voice Recognition – Nowhere near as prevalent as fingerprint, but gaining ground.
  4. Retina / Face Recognition – Combine these two because they both use the camera in a very similar way. Not a huge fan of these so far, they are rather ungainly.
  5. Geo-Fencing – a transaction request comes in from a Nigeria-based IP address and your phone is in Wandsworth, is that legit?
  6. Social Media Profiling – Not common at all …yet, but you could choose to add your social media profile to the purchase decision. e.g. you’re a rabid Arsenal (UK folks) / Redskins (US folks) fan, would you really be buying Spurs or Eagles merchandise respectively? Maybe, but I assume only to burn it.
  7. Reputation Profiling – Again, not common, but another growing form of identity management.
  8. Device Profiling – App layouts and such.

…and so on.
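As an added illustration of the out-of-band PIN step described earlier and of the possession, knowledge and geo-fencing factors in the list above (this is example code written for this page, not anything from the author or a payment scheme), the following simulates both sides of a held authorisation: the acquirer pushes a one-time challenge bound to the transaction, the phone signs it with a key derived from its enrolled device key and the PIN the user types, and the acquirer verifies the response, rejects replays, and applies a distance check between the phone’s reported location and the request origin. The card token, merchant id, coordinates, salt and PIN are all constructed sample values.

```python
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass

# --- Constructed enrolment data (hypothetical; not from the article) --------
# At enrolment the phone is bound to the card token with a device key kept in
# the phone's keystore; the server stores only a slow hash of the PIN.
PBKDF2_ROUNDS = 100_000
PIN_SALT = b"constructed-per-card-salt"
DEVICE_KEY = secrets.token_bytes(32)          # provisioned into the phone
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"4921", PIN_SALT, PBKDF2_ROUNDS)

REGISTRY = {
    "tok_4111xxxxxxxx1111": {"device_key": DEVICE_KEY, "pin_hash": PIN_HASH},
}
FENCE_RADIUS_KM = 500.0   # how far the phone may be from the request origin
USED_NONCES = set()       # one-time challenges, so a captured response cannot be replayed


@dataclass(frozen=True)
class Transaction:
    card_token: str
    amount_minor: int     # amount in minor units (pence / cents)
    merchant_id: str
    origin_lat: float     # geolocation of the request origin (constructed)
    origin_lon: float


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def txn_digest(txn):
    """Canonical digest of exactly the fields the cardholder is asked to approve."""
    msg = f"{txn.card_token}|{txn.amount_minor}|{txn.merchant_id}".encode()
    return hashlib.sha256(msg).digest()


def issue_challenge(txn):
    """Acquirer side: hold the authorisation and push a one-time challenge
    (16-byte nonce || transaction digest) to the registered phone."""
    return secrets.token_bytes(16) + txn_digest(txn)


def device_respond(challenge, pin, device_key=DEVICE_KEY):
    """Phone side: the user types the PIN; the phone derives a MAC key from the
    device key and the PIN and signs the challenge. Neither secret is sent."""
    pin_key = hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, PBKDF2_ROUNDS)
    return hmac.new(device_key + pin_key, challenge, hashlib.sha256).digest()


def authorise(txn, challenge, response, phone_lat, phone_lon):
    """Acquirer side: verify possession (device key), knowledge (PIN) and the
    geo-fence before releasing the held authorisation. Returns a decision string."""
    rec = REGISTRY.get(txn.card_token)
    if rec is None:
        return "decline:unregistered"
    nonce = challenge[:16]
    if nonce in USED_NONCES:
        return "decline:replay"
    USED_NONCES.add(nonce)                      # burn it even if a later check fails
    if challenge[16:] != txn_digest(txn):
        return "decline:challenge_mismatch"     # approval was for a different txn
    expected = hmac.new(rec["device_key"] + rec["pin_hash"], challenge,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return "decline:bad_pin_or_device"
    distance = haversine_km((phone_lat, phone_lon), (txn.origin_lat, txn.origin_lon))
    if distance > FENCE_RADIUS_KM:
        return "decline:geofence"               # request from Lagos, phone in Wandsworth
    return "approve"


if __name__ == "__main__":
    txn = Transaction("tok_4111xxxxxxxx1111", 4599, "M-GROCER-001", 51.46, -0.19)
    ch = issue_challenge(txn)
    print(authorise(txn, ch, device_respond(ch, "4921"), 51.457, -0.191))
```

Two design points matter here. The PIN never crosses the network: a wrong PIN simply produces a different MAC, so the server learns nothing beyond pass/fail, and the 100,000-round PBKDF2 makes offline guessing against a captured response expensive. Binding the challenge to the amount and merchant means a response captured for one purchase cannot be reused to approve a different one, which is the point of the out-of-band step: a stolen PAN on its own is not enough to complete the transaction.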

The vast majority of these will require an initial set-up and configuration, but will then be largely invisible to the user during use. Innovation without practical use is just a dream, and in this case practical use means that everyone can use it without inconvenience.

Done correctly, the integration of all of these factors during a transaction will take no more effort than a user expends in the normal use of their mobile device, but so far the individual vendors of each service and mobile device are trying to corner the market for themselves.

Digital transactions account for trillions of €/£/$ annually; there is room for everyone in the EVOLUTION (not revolution) of payments from Plastic & PIN to Mobile & Multi-Factor, and disruptive innovation will do nothing but delay the end goal:

Frictionless and ultra-secure mobile payments.
