Computing power is dirt cheap, thanks to cloud infrastructure. Jurisdiction is always a few steps behind, though — who is really going to bust down the door at a server farm in Russia to arrest the operator? There exists a bounty of consumer ID and payment data flows around the world, ready for the taking, with the Dark Web providing ample opportunities to sell and buy stolen information (to say nothing of insiders and their own thievery, of course).
That’s the bad news. The good news — and there is always good news — is that merchants, card networks, issuers and others in the payments and commerce space have pretty good technology, too (or, at least, theoretical access to it), and that prevention of crime provides ample room for innovation.
In a way, the world has entered a new era of fraud (and fraud prevention). The contours of that new world formed the basis of a recent PYMNTS discussion between Karen Webster and Rob Eleveld, CEO at Whitepages Pro, a global identity verification services provider.
He described the current era as “Fraud 3.0.”
Fraud 1.0 basically ran from the birth of Amazon to perhaps 2005 or so, when the verification of online shoppers’ physical addresses was a main feature of digital fraud prevention. “Today, a six-year-old hacker can beat that,” Eleveld told Webster. Fraud 2.0 ran until recently, and was notable for the rise of anti-fraud platforms that were eventually bought by credit card companies, such as CyberSource by Visa and Accertify by American Express.
Now, the explosion of “basically free computing power over the last couple of years” has led to Fraud 3.0.
What does that mean in real terms? Here’s one way to look at it: Generally, criminals used to buy credit card numbers by the hundreds off the Dark Web — those digital black marketplaces that are increasingly being surveyed, analyzed and graphed by fraud prevention service providers. Then, in Eleveld’s words, they would “peck away on some eCommerce or banking site” until they found an entry and a solid opportunity for fraud.
Today, a criminal or gang of criminals can buy 100,000 credit card numbers in a single purchase and “just hammer away with some automated script,” which will “make it past any rules-based system” and eventually enable fraud.
As digital payments become more global, and as the global digital economy continues to grow like a child in a growth spurt, that results in a “target-rich environment” for criminals — where confusion over which law enforcement agency can do what plays in favor of those fraudsters.
“Legal jurisdictions just cannot keep up globally,” Eleveld said. “If you’re a fraudster, in your worst week, you might drink a lot of coffee and have some late nights, and not be able to break in anywhere, but the FBI won’t break down your door.”
One consequence of that is the responsibility attached to merchants when it comes to fraud prevention. Not only are their reputations at stake (as well as their money, either by trying to make customers happy again or through the inevitable lawsuits), but they cannot rely on issuers, or perhaps even the card networks — at least, not during this part of the Fraud 3.0 era.
Are merchants really ready, though? Are they prepared for shifts in payments that, for instance, enable them to avoid interchange expenses, but make them caretakers of more consumer and payments data that can be easily exploited by criminals?
“I honestly don’t think they are ready,” Eleveld told Webster. Criminals are targeting payments because of the higher number of payment flows enabled by digital technology and new payment methods, but “the merchant community is used to fighting fraud more on a transaction-to-transaction basis.” Merchants are accustomed to writing off fraud losses via that old model, but criminals are becoming more sophisticated and ambitious.
That said, over the past year or two (in the rise of Fraud 3.0), “we see the merchant becoming more innovative” about fraud prevention, and more willing to share information with issuers than has been the case, he said. “We also see the card networks wanting to share and drive more data up and down the payment rails” – which, after all, are only as good as the organizations that operate both ends.
The issuers, in Eleveld’s view, are lagging behind those other two parties. “Issuers basically err on the side of caution and shut down any transaction” that looks suspicious. That means a lost transaction for the merchant and lost revenue for the card network.
That doesn’t mean the situation is hopeless, of course.
“The card networks themselves, they understand that if they don’t innovate, someone else will,” he said. That holds especially true as PSD2 in Europe and other initiatives seek to encourage FinTech and payments innovation, at least over the long term. “Issuers don’t have a lot of incentive to innovate, because there’s not an immediate feedback loop for them,” Eleveld added, saying that “if a couple of big issuers get on board, I think others will as well. That’s the tricky thing. You have some ‘chicken and egg’ going on here.”
Other potential tools that could favor merchants and payment service providers include handling authorization and verification at check-in instead of checkout, as both Amazon and PayPal have shown how to do. That can serve to balance consumer convenience with more security. While a consumer browses an eCommerce site or marketplace, the information given during check-in is verified on the back end to make sure that person is legitimate.
“Where this breaks down,” Eleveld said, “is using sign-ins from Google and Facebook. It’s hard to imagine consumers feeling comfortable giving those companies access to payments information.”
It’s always a high-stakes race between the lawful and the lawless, and right now, one can be forgiven for thinking the criminals are in charge. However, it doesn’t have to be that way. At the least, legitimate businesses, with determination and skill, can gain more than a few steps on fraudsters and make this golden time a little less lucrative.