The fraudsters go, always, to the path of least resistance.
Michael Pantano, global head of Compliance at Worldpay, told PYMNTS that as 2021 moves toward its close, we’re seeing fraudsters probe several “attack” vectors — from card testing and bank identification number (BIN) attacks to brute force attempts to guess passwords — without mercy.
“We certainly had our hands full this year with the pandemic,” he said, noting that there’s been a marked increase in BIN attacks in which fraudsters take the first six numbers of a card — or the BIN — and leverage technology to try different number combinations to gain access to working accounts.
“It’s been a specific challenge for us to get ahead of that curve,” he said.
Fraudsters have been focusing on small- to medium-sized businesses (SMBs) in search of new and vulnerable targets, he said.
The urgency is there, as PYMNTS has noted in its own, separate research that as many as 65% of shoppers are likely to abandon merchants if there is even a single encounter of payment fraud or data theft.
Read more: Consumers Will Now Drop A Merchant Over A Single Data Breach
Ebbs and Flows
He said amid the ebbs and flows, where breaches come in waves, merchants, financial institutions (FIs) and other stakeholders need to get up to speed with 3DS 2.1 authentication, the protocol tied to online card-not-present (CNP) transactions. The updated protocol 3DS 2.1, which builds on 3DS 2.0, boosts the amount of data and details merchants send to issuers at the point of sale (POS) itself.
The most recent earnings report from FIS (parent company of Worldpay) underscores the surge in online commerce. In the company’s second quarter earnings report, its merchant revenue segment growth was underpinned by 31% eCommerce growth.
The U.S. may be behind the curve since 3DS 2.0 was previously mandated in the EU, “but we are seeing some positive results,” Pantano said, in implementation and providing smoother experiences for end users, due in part to protocol updates that allow biometrics and other advanced technologies to be used in authentication.
Both 3DS 2.0 and 3DS 2.1 shift more liability to the issuers, while conversion rates can be improved across merchants’ sites. Those enhanced lines of defense are proving especially urgent as the fraudsters have moved online, in lockstep with the waves of commerce that have also migrated to digital channels.
“That’s where Worldpay from FIS is moving, too,” Pantano told PYMNTS. “We’ve created our own fraud mitigation tools to look at that activity to get traction, to find processing history, to model it, to use intelligence, and help our merchants.”
Friendly fraud — where consumers make online purchases and then initiate disputes with the issuing bank — is emerging as a robust threat, particularly with the volumes of online purchase (and delivery of) goods across any number of verticals.
At a high level, the pandemic has sharpened financial services firms’ and merchants’ awareness of regulatory compliance mandates and the fact that firms have reputational risk every time there is a beach, he said. Firms including Worldpay have been consulting with merchants to ensure that their sites are safe and that they are examining their vulnerabilities more closely.
“There are always new fraud schemes going on, and we all just need to be constantly aware about what’s happening, with our ears to the ground,” he told PYMNTS.