“Fraud Stops Here: How A Risk Team Keeps Payments Running” written by YapStone.
Risk teams are on the front line in the war against fraudsters and hackers – how to use technology to combat fraudsters and protect consumer payment information
In any payment service business, there are certain inevitable risks that must be addressed. With that in mind, each business develops its own strategy to assume the risk, mitigate it, avoid it, transfer it or even insure it. In most cases, the best strategy is a multi-pronged approach.
For each business, the risk depends on its business and economic model, where it sits in the value chain, the services provided and consumed, whether the company is a platform (e.g. a marketplace), its geographic footprint, and the demographics and expectations of its consumers.
A payment service business may confront specific operating risk in the following categories:
- Fraud – identity theft or true name, account takeover, first-party
- Credit – insufficient funds to meet obligations
- Operational – human or technical error
- Counterparty – settlement
- Technology – misaligned investment in infrastructure, obsolescence
- Cyber – protection of information systems and defense against threats such as DDoS
- Contractual – uncertainty over liability, rights and obligations
- Payment Networks – rules, regulations, finality of payments
- Compliance – Federal, state, EU (if operating in European countries)
- Information – inaccessible, inaccurate or corrupt data; lack of intelligence
Among these risks, fraud is the most protean and persistent, and it requires constant vigilance and adaptation. In other words, once they are understood, the other risks can be managed effectively through controls, agreements and other means; cyber and fraud are the exceptions, requiring the application of new technology, continuous monitoring and continual vigilance through behavior and data analytics.
Fraud Risk – Context and Extent
Today’s consumer expects a friction-free payment process in online marketplaces, eCommerce websites and mobile apps. They take payment at the click of a button for granted, expecting the transaction to complete immediately and flow smoothly to the next stage. Any interference in the transaction process creates a risk of shopping cart abandonment or delays in confirming the transaction. Lack of immediate gratification is, for the most part, unacceptable to the consumer.
However, this seamless, brief span of time – from clicking the button to receiving a payment confirmation – is the culmination of a massive effort by CROs to prevent fraud. Hidden in the crowd of honest and deserving buyers is an unsavory group of hackers and fraudsters, and they look the same. Our job as CROs is to find them, expose them and prevent them from unjust enrichment, making the online economy safe, secure and affordable for everyone. In the end, if the risk is not managed well enough, the customer pays through a higher cost of the service or good, and the market will reject an entity that cannot manage the risk effectively. It is a process of deterrence, detection, prevention and mitigation. This can be summed up as containment of risk, and it is interdependent on all parties engaged in the payments ecosystem.
According to a report from Payments Cards and Mobile, U.S. businesses lost over $4.5 billion to credit card fraud, with roughly another $2.0 billion lost in the rest of the world. While this figure may seem large, it accounts for merely 0.1% of transactions, both online and offline. CNP fraud is expected to reach $7.2 billion in the U.S. in 2020. In Canada, CNP fraud accounted for 66% of the CA$548 in credit card losses.
A recent Javelin survey indicated that in 2014, 12.7 million consumers experienced identity fraud.
Per IDT911, in 2015 the FBI estimated that more than “1,000 retailers are under assault with the same (or tweaked versions) of the malware that compromised Target and Home Depot.”
What are the most prevalent types of fraud and what can online retailers and marketplaces do to minimize them?
In any marketplace, a fraudulent transaction comes back as a chargeback when a credit or debit card is used as the vehicle for payment. Chargebacks are an inherent and unavoidable risk in online payments. A chargeback occurs when a customer makes a purchase or pays for a service and the cardholder then disputes the payment with their issuing bank. Chargebacks primarily fall into two categories: fraudulent and non-fraudulent.
Non-fraudulent means the transaction between the seller and the buyer did occur, but the buyer was dissatisfied in some way: services were not delivered or were defective, a promised refund was not received, the payment was made by other means, a recurring transaction was cancelled, the amount differs from what was agreed, etc. All of these can be classified as customer disputes.
Depending upon the nature of the services, merchandise, merchant and service agreement, non-fraudulent chargebacks can range from 20-80% of total chargebacks. However, some chargebacks are related to fraud, meaning that the cardholder was actually the victim of fraud, or is claiming to be in order to avoid payment (friendly fraud). A chargeback can also result from not having obtained authorization, which is rare these days, or from processing errors or timing.
In both cases, because online transactions are considered Card Not Present (CNP) transactions, the merchant, or whoever is deemed the Merchant of Record (MOR), is debited for the amount along with a chargeback fee. There are severe ramifications for “excessive” chargebacks beyond the processing cost: fines and penalties kick in, and the merchant risks termination from the network when certain tier-based thresholds are met.
Avoidance and prevention should be the goal of every merchant regardless of environment, card present or card not present (CNP). By developing policies, delivering attentive customer service and relying on an expert payment partner to minimize risk, you can reduce your chargebacks and your losses by contesting chargebacks. However, chargebacks related to fraud are hard to win, so merchants should focus on detection and prevention programs.
Vulnerability and Exposure Against Fraud
There are a number of ways fraudsters obtain just enough information to create a stolen profile and use fabricated or stolen account information to make an online purchase. Two leading factors are data breaches and social behavior.
According to ITRC, in the first 5 months of 2016 there were 430 data breaches exposing 12.6 million records. 138 breaches tracked in 2014 involved more than 64.4 million debit/credit cards. Over the last 3 years, 16%-21% of breaches exposed credit/debit card information, and during the same period 43%-48% of breaches exposed Social Security Numbers. These breaches feed the creation of composite profiles of real victims or synthetic identities, which are later used to commit fraud. These are staggering numbers.
Identity theft, account takeover and friendly fraud account for most fraud. Statistics indicate that about 12-15 million U.S. residents have had their information used for fraudulent purposes. According to one survey, 7.5% of households reported some sort of identity theft. According to the Javelin Strategy & Research Report of 2012, consumers receiving a data breach notification were 9.5 times more likely to become a victim of identity fraud.
Social behavior of consumers also puts them at risk. Sharing personal information, such as date of birth or phone numbers, through social media exposes users to identity fraud. For example, 68% of people with public social media profiles shared their birthday and 18% shared their phone number*.
*Use of hackable passwords – 73% of social media users rely on the same password across multiple sites. To make matters worse, 33% use the same password across every site. Finally, the average user visits 25 password-protected sites but uses only 6 passwords*.
Given the rise of mobile devices, consider the following insights from a report published by NowSecure:
- 7% of mobile apps include at least one high-risk security flaw
- The average device connects to 160 unique IP addresses every day
- 35% of communications sent by mobile devices are unencrypted
- Business apps are 3x more likely to leak login credentials than the average app
- Games are one-and-a-half times more likely to include a high-risk vulnerability than the average app
- 19% of users still use WEP instead of WPA2, giving hackers the ability to obtain information through home WiFi
- 89% of public Wi-Fi hotspots are unsecured
- eCommerce websites account for 48% of all attack investigations
Other means of obtaining this information are skimming, phishing and smishing.
So How Do You Protect Against Fraud?
The biggest challenge is that you can never know for sure who is a legitimate shopper and who is a fraudster. Therefore, successful techniques rely on what is known as layered security. FFIEC – FIL-50-2011, “FFIEC Supplement to Authentication in an Internet Banking Environment”, lays out a good conceptual foundation for layered security.
Combating fraud ranges from the most basic steps to a complex set of algorithms trained to detect anomalous patterns or behavior. Execution of fraud detection strategies has four components – trained staff, a platform to review and decision transactions, technology in the form of intelligence that rank-orders risk exposure, and access to data sources to augment internal intelligence. A combination of point solutions (such as device authentication) with a broader solution set (including fraud scoring) works best for evaluating merchants and transactions in a marketplace environment.
A good risk management architecture should:
- Assign merchants and consumers adaptable parameters – periodic transaction limits, velocity, and the size of purchase that triggers review – based on other factors such as prior history of activity and chargebacks (types and resolution)
- Address channel and merchant category specific risks
- Include analytics tools and technology, such as AI, machine learning, decision trees, neural nets and other techniques, to develop models with the least friction and minimal manual review of transactions
- Provide real-time access to multiple data sources to detect anomalous transaction and navigational behavior, support cognitive analytics, and surface previous history and negative information
- Leverage network effect and cross-channel information
- Offer a flexible decision engine that allows construction and deployment of risk-based strategies and response to unanticipated events
- Host a platform to execute strategies, perform testing and simulation
- Deliver the ability to receive and send alerts, and to enforce and execute processes in an ordered logic
- Support case management for investigations, and for receiving, reviewing and contesting chargebacks
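To make the “adaptable parameters” and “flexible decision engine” items above concrete, here is an added Python sketch of a layered rule engine (example code written for this page, not YapStone’s platform or any product it describes). The policy thresholds, the weights per rule and the card tokens are constructed assumptions; a production engine would add the analytics, network and case-management layers the list names.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Txn:
    card_token: str   # tokenized card reference, never the raw PAN
    amount: float
    ts: int           # epoch seconds

@dataclass
class Policy:
    """Adaptable per-merchant parameters (values here are constructed examples)."""
    max_amount: float = 500.0       # hard limit on size of purchase
    review_amount: float = 200.0    # size of purchase that triggers review
    velocity_window_s: int = 3600   # sliding window for velocity counting
    velocity_limit: int = 3         # transactions per card per window before flagging
    chargeback_limit: int = 2       # prior chargebacks that count as negative history

class RiskEngine:
    """Layered rule engine: each layer adds a (weight, reason) flag; the decision
    step maps the total weight to APPROVE / REVIEW / DECLINE."""

    def __init__(self, policy: Policy, chargebacks: Dict[str, int]):
        self.policy = policy
        self.chargebacks = chargebacks            # card_token -> prior chargeback count
        self.history = defaultdict(deque)         # card_token -> recent timestamps

    def evaluate(self, t: Txn) -> Tuple[str, List[str]]:
        p, flags = self.policy, []
        # Layer 1: hard transaction limit, declined before it enters the history
        if t.amount > p.max_amount:
            return "DECLINE", ["amount_over_limit"]
        # Layer 2: velocity, counted over a sliding window per card
        win = self.history[t.card_token]
        while win and t.ts - win[0] > p.velocity_window_s:
            win.popleft()                         # drop timestamps outside the window
        win.append(t.ts)
        if len(win) > p.velocity_limit:
            flags.append((2, "velocity"))
        # Layer 3: purchase size that triggers manual review
        if t.amount >= p.review_amount:
            flags.append((1, "large_amount"))
        # Layer 4: negative history from prior chargebacks
        if self.chargebacks.get(t.card_token, 0) >= p.chargeback_limit:
            flags.append((2, "chargeback_history"))
        score = sum(w for w, _ in flags)
        decision = "APPROVE" if score == 0 else "REVIEW" if score < 3 else "DECLINE"
        return decision, [r for _, r in flags]
```

Because every decision carries its reasons, the same output feeds the alerting and case-management layers, and the weights can be tuned per merchant category without touching the engine.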
The fight against agile, sophisticated fraud rings operating from around the world, with an asymmetrical flow of information, requires CROs to continually adopt and adapt new tools and technology, and to continuously monitor the performance of their strategies. CROs have to be mindful of the trade-off between usability and the friction that risk management injects into the process; however, today’s tools are getting better at passive authentication to achieve that balance. As online retailers and marketplaces face increased risk from CNP transactions, it is crucial that they adopt rigorous anti-fraud technologies to minimize fraud risk. Today, CROs must remain on high alert, so that the rest of us can continue to confidently click the “buy” button.