Low friction, secure online payments

Online payments, whether made from a traditional PC or any mobile device, must be secure, strongly resistant to fraud, and convenient.

Currently online payments suffer from a couple of key issues relating to ease of use and security:

· Extra security features such as 3DS (3D Secure) provide a frustrating consumer experience. This leads to consumers abandoning shopping carts and to merchants disabling the feature where they are given the option to do so.

· False rejections of payments by issuers; again, this provides a terrible user experience and leads to shopping cart abandonment.

Both of the above issues lead to frustrating situations. Examples are when people forget their 3DS credentials, or when you call your bank to be told the rejection was because of the merchant, and then the merchant says it was the bank!

In addition, the upcoming EU rules on electronic payment authentication (how we verify that the person paying is the right person) are likely to add to this complexity.

These regulations are the Revised Payment Services Directive (PSD2). They have three objectives: harmonisation, innovation and security.

On security, PSD2 requires ‘strong customer authentication’ to be applied to all electronic payments in Europe. Strong authentication in this case refers to using at least two of these three factors:

· something you know, such as a password,

· something you have, such as a card,

· something you are, for example a biometric.

The EBA (European Banking Authority) is responsible for the regulatory technical standards that deliver strong customer authentication.

The above issues, and the potentially increasing complexity, lead to a poor experience and to shopping baskets being abandoned. This is due to either friction in the process or false rejections of payments by the issuers.

So how can this situation be improved upon? We need a solution that meets the needs of consumers, merchants and issuers as well as the intent of the proposed PSD2 regulations.

Breaking these down:

Consumers want a safe, seamless and reliable payments ecosystem.

Merchants want a safe, seamless and reliable payments ecosystem that maximises consumer spending and minimises fraud.

Issuers want a safe, seamless and reliable payments ecosystem that maximises consumer spending and minimises fraud.

The EU and EBA want a safe, seamless and reliable payments ecosystem that maximises consumer spending and minimises fraud. Additionally, they specify through PSD2 that we must verify that the payer is the correct person using ‘strong authentication’.

As you can see, the needs of the majority of participants in the payments ecosystem are basically the same: safe, seamless and reliable payments!

Can we solve this and provide a solution that will minimise fraud and improve acceptance rates while maintaining or improving the customer experience? The short answer is YES.

By combining advanced authentication solutions with card details it is possible to provide strong assurance that a user and card are correctly linked and that a payment is genuine.

Utilising relatively simple code and an authentication solution fast enough to sit in the online transaction flow enables us to reliably link a card to a device. Note that when I say device I include laptops and desktops as well as phones, tablets, etc.

By doing this we can immediately identify multiple attributes about the card, device and behaviour, such as:

  • Have we seen this device and card combination successfully used before?
  • Have we seen the same name on a different card from this device before?
  • Does this behaviour align with previous successful payments from this combination (volume, velocity, amounts, etc.)?
  • Where were these payments made from?

This is in addition to all the traditional fraud analytics applied to the card behaviour alone.

3DS can still be incorporated if required, even with all this additional information. However, its use can be minimised by asking questions such as:

  • Have we seen successful 3DS from this device and card combination within a predefined period?
  • Have we seen the same name on a different card from this device successfully authenticate with 3DS?

If so, then trust this as if it were a 3DS payment. This would provide the assurance of 3DS while minimising its adverse impact.
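The following is an added example, not code from the original post: a small risk engine that links a card token to a device, runs the device, card and behaviour questions listed above, and then applies the two 3DS questions to decide whether a payment can be trusted as if it had passed 3DS or must be sent for a 3DS challenge. The payment history, device identifiers, card tokens, names, the 90-day window, the daily velocity limit and the three-sigma amount threshold are all constructed assumptions for illustration; a real processor would tune these against its own data. Anything unfamiliar or out of line falls through to the 3DS challenge, so the default decision is the safe one.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Payment:
    """One payment attempt as the processor sees it. The card is an opaque
    token, never a PAN. Every value used below is constructed sample data."""
    device_id: str       # stable identifier from the device-authentication solution
    card_token: str      # tokenised card
    cardholder: str      # name on the card
    amount: float
    country: str         # where the payment was made from
    when: datetime
    passed_3ds: bool = False  # did this payment complete a successful 3DS challenge?


# Constructed history of previously successful payments (hypothetical values).
HISTORY = [
    Payment("dev-A", "tok-1111", "J Smith", 42.0, "GB", datetime(2014, 3, 1, 10, 0), passed_3ds=True),
    Payment("dev-A", "tok-1111", "J Smith", 55.0, "GB", datetime(2014, 3, 20, 18, 30)),
    Payment("dev-A", "tok-1111", "J Smith", 38.5, "GB", datetime(2014, 4, 2, 9, 15)),
    Payment("dev-A", "tok-2222", "J Smith", 120.0, "GB", datetime(2014, 4, 5, 12, 0), passed_3ds=True),
    Payment("dev-B", "tok-3333", "A Jones", 15.0, "FR", datetime(2014, 4, 6, 20, 0)),
]
NOW = datetime(2014, 4, 10, 12, 0)  # constructed "current time" for the demo


@dataclass
class Assessment:
    action: str                                  # "trust_as_3ds" or "require_3ds"
    signals: list = field(default_factory=list)  # human-readable reasons


def assess(candidate, history, now, window=timedelta(days=90),
           max_per_day=5, amount_sigmas=3.0):
    """Decide whether a payment can be trusted as if it had passed 3DS.
    Thresholds (window, max_per_day, amount_sigmas) are assumptions."""
    a = Assessment(action="require_3ds")

    # Have we seen this device and card combination successfully used before?
    same_combo = [p for p in history
                  if p.device_id == candidate.device_id
                  and p.card_token == candidate.card_token]
    # Have we seen the same name on a different card from this device before?
    same_name_other_card = [p for p in history
                            if p.device_id == candidate.device_id
                            and p.card_token != candidate.card_token
                            and p.cardholder == candidate.cardholder]
    if same_combo:
        a.signals.append(f"known device+card combination ({len(same_combo)} prior)")
    if same_name_other_card:
        a.signals.append("same cardholder seen on another card from this device")

    # Does this behaviour align with previous payments? First velocity, then amount.
    recent = [p for p in same_combo if timedelta(0) <= now - p.when <= timedelta(days=1)]
    if len(recent) >= max_per_day:
        a.signals.append("velocity: daily limit for this combination reached")
        return a
    amounts = [p.amount for p in same_combo]
    if len(amounts) >= 3:
        mu, sd = mean(amounts), max(pstdev(amounts), 1.0)  # floor avoids a zero spread
        if candidate.amount > mu + amount_sigmas * sd:
            a.signals.append(f"amount out of line: {candidate.amount:.2f} vs mean {mu:.2f}")
            return a

    # Where were these payments made from? A new country is not auto-trusted.
    known_countries = {p.country for p in same_combo + same_name_other_card}
    if known_countries and candidate.country not in known_countries:
        a.signals.append(f"new country {candidate.country}, previously {sorted(known_countries)}")
        return a

    # Have we seen successful 3DS from this device and card within the window?
    if any(p.passed_3ds and now - p.when <= window for p in same_combo):
        a.action = "trust_as_3ds"
        a.signals.append("3DS passed on this device+card within window")
    # Or the same name on a different card from this device with successful 3DS?
    elif any(p.passed_3ds and now - p.when <= window for p in same_name_other_card):
        a.action = "trust_as_3ds"
        a.signals.append("3DS passed on another card for this cardholder/device within window")
    return a


def demo_decisions(history=HISTORY, now=NOW):
    """Run five constructed candidates and return {label: action}."""
    cases = {
        "familiar": Payment("dev-A", "tok-1111", "J Smith", 45.0, "GB", now),
        "new_card_known_name": Payment("dev-A", "tok-4444", "J Smith", 60.0, "GB", now),
        "amount_anomaly": Payment("dev-A", "tok-1111", "J Smith", 5000.0, "GB", now),
        "new_country": Payment("dev-A", "tok-1111", "J Smith", 45.0, "US", now),
        "never_seen": Payment("dev-C", "tok-9999", "P Nobody", 10.0, "GB", now),
    }
    return {label: assess(c, history, now).action for label, c in cases.items()}


if __name__ == "__main__":
    for label, action in demo_decisions().items():
        print(f"{label:>20}: {action}")
```

Only the first two candidates are trusted without a challenge: the familiar device and card pair, and a new card on a device where the same cardholder has already passed 3DS within the window. The anomalous amount, the new country and the never-seen device all fall back to a 3DS challenge, which is the point of the approach: 3DS is still available, it is just no longer applied to every payment.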

This requires some innovation and for the issuers, schemes and processors to work together, along with the EBA recognising that this meets the intent of their proposed regulations.

What are the next steps?

Schemes and issuers: work with the processors to enable these benefits, and accept greater assurances and risk-based decisions from processors. A higher payment acceptance rate and lower fraud, all with minimal effort, clearly benefits everyone.

To the EU, EBA and those writing PSD2: engage in the discussion and realise there are ways to meet your intent without adversely affecting the payments ecosystem. Intelligence and innovation can provide ‘strong authentication’ without the need for any extra complexity in the payments process. We can in fact reduce the friction while improving the security.

Everyone involved in the payments ecosystem wants pretty much the same things; let’s be innovative and achieve these in ways that improve the experience for merchants and consumers. This ultimately improves things for everyone!

Feel free to contact me via this blog, or find me on LinkedIn to discuss further and if you’d like to know some more details around how this really can work in practice.

K

RSA Security Summit London April 2014 – Digital Fraud; Setting the Scene

Presentation by Stephen Nicholas from Deloitte titled:

Digital Fraud; Setting the Scene

Where consumers lead…

– 94% of UK consumers have shopped online in the past year

– 16% year-on-year growth in online spend

– A UK supermarket takes 10% of its online revenue directly through its mobile app

–          83% UK consumers have banked online in the last year

–          £91bn online card spend in 2013

…Fraudsters follow

–          Identity theft and account take over

–          Card not present

–          False refund claims

–          Finance and credit card applications

–          2 in 3 organisations believe the risk of digital fraud has increased in the past 2 years

– 41% of organisations have experienced digital fraud attacks

What is driving this?

–          Few deterrents or penalties

  • Few convictions / prosecutions
  • Stolen funds rarely recovered

–          Sophistication and scale

  • Record volumes of attacks
  • Agility from fraudsters, responding to change and controls

–          Low barriers to entry

  • Commoditised supply chain
  • All components available as a service

The fraud supply chain and business model are very mature, with services, support, secure sites for buying and selling, etc. all readily available.

What does this mean?

–          Loss of goods

–          Financial losses

  • £301 million 2013 UK fraud losses on remote card spend.
  • £41 million (Reported) 2013 online banking fraud losses.  Note – this is just the ‘reported’ (admitted to) amount. It is likely that the real number is a lot higher.
  • £105 million online losses suffered by retailers in 2013

–          Brand damage

–          Cost of security

–          Rejected business

–          Deterred business

  • 1 in 3 consumers stop doing business with those responsible
  • 73%: digital fraud affecting organisations’ ability to deliver new digital content / services

What are organisations doing?

–          92% view investment in fraud controls as a priority

  • But are we really investing in security and fraud?
  • What are your challenges in getting funding from the board? Examples include:
    • High costs
    • Unclear RTO
    • Organisation
    • Unsure on solutions
    • Impact

Final thoughts:

–          Do you know your threat landscape?

–          Do you know your controls – what is in place, how well is it working?

–          Would you know if you are attacked / breached?

– Do you have understood action plans ready for when there is an attack or breach?

Basically, cyber crime / cyber fraud is getting more sophisticated, more organised and more frequent. However, while businesses appear to be aware of the issues, and there are known, very large costs associated with this, most businesses are not yet making the changes to combat it.

How do we get better board and business engagement?

K

RSA Security Summit London April 2014 – InTh3Wild – The current state of cybercrime

Talk by Nick Edwards of RSA around the current state of cyber-crime, titled:

InTh3Wild – The current state of cybercrime

Trends:

1. As the world goes mobile, cybercrime will follow

Stats and facts around mobile:

2007 – Apple introduces iPhone, Google unveils Android OS

2013 – Jan – Apple hits 40 billion downloads, May – Apple hits 50 billion downloads

2012 – Android malware explodes

1 billion Android devices shipped by 2018

1 million android devices currently activated / day

86% of all Android malware is repackaged versions of legitimate apps with malicious payloads

Focus of mobile malware: eCommerce, online banking, online trading.

–          Much of the effort is around harvesting credentials rather than trying to commit fraud via the mobile app – likely due to the limited functionality of many mobile apps

2012 – 300 million mobile bankers.

2013 – 530 million mobile bankers

71% of organisations allow their users to use their own mobile devices for company business

– Even if you’re using a container technology, could credentials be stolen?

– What could be harvested from ‘screen scraping’?

Games are also a common type of app used for attacks:

– Angry Birds Space had over 150 million downloads in the first two weeks

–          Only requires a very low percentage of people to install a malicious version for the malicious user to have access to many compromised devices.

Phishing / SMiShing – SMS spoofing and phishing, such as sending texts that look like they come from your bank.

SMS sniffers that sniff and send your SMS details to the criminal

Voice – a recent Android Trojan can record phone calls. These have two purposes: harvesting information, and using your voice to fool biometric systems that rely on voice.

2. Hacktivism

Political messages and defacements

DDoS and other malicious activities ‘for hire’

Trying to make hacktivism legitimate – e.g. Anonymous created a US ‘We the People’ petition to make DDoS a valid form of protest

Many different organisations such as Syrian Electronic Army (SEA), Anonymous, …

News sites as well as businesses are often targets

3. Account takeover

Identity theft

Takeover of online accounts such as Twitter and Facebook

Tools readily available for identity theft, such as components of the Zeus plugin.

–          Can alert when users of compromised machines try to log onto banking sites and perform transactions etc. in real time

– Keeps records of the user’s history so they can answer questions around user behaviour, etc., if prompted by customer services.

Security tools need to catch up with this to start dealing with these attacks that occur in real time

4. Fraud as a Service

Cybercriminals increase effectiveness of fraud offerings

Ransomware – scare tactics around crime and child porn etc. to extort money from users

Ransomware – encrypts parts of or the entire computer and requires a ransom to decrypt

Call centre service – fake call centres set up to call customers with compromised machines – set up locally so they sound correct and have knowledge of the local banks etc.

Analytics – crimeware now has the ability to provide ‘big data’ type analytics around its use, distribution, numbers of infected machines, etc.

2014 – sneak peek:

–          More sophisticated mobile malware

–          Generic malware for advanced attacks

–          Bitcoin’s popularity / demand for stealing

  • Digital currencies and issues with them to become more prevalent

–          Trojans get more sophisticated

–          More breaches

Mobile is huge; criminals continue to become more organised and sophisticated, with very low barriers to entry into the market.

Security must catch up!

K