The good news is that today’s payment landscape is becoming faster, easier, and more digital.
The bad news is that fraudsters and cybercriminals are increasingly keeping pace, innovating upon established methodologies to improve the effectiveness of their methods as well as developing new attack tactics.
Michael Jabbara, global head of fraud services at Visa, tells PYMNTS that while the “core components” of the payment ecosystem are relatively constant across both physical and digital channels (think: money movement infrastructure that enables an exchange between buyers and sellers), the methods bad actors are using to target and attack these key components are constantly evolving as consumer behavior changes and new technologies and players are brought to market.
“It’s a continuous spectrum,” Jabbara said. “[Businesses need to] think about every interaction across multiple dimensions and think strategically about the appropriate safeguards to put in place to reduce potential incidents of fraud.”
He emphasized that while the individual layers of defense that companies erect may be vulnerable on their own, when these protective layers are stacked together the collective sum provides a greater and more robust shield against fraud than its separate parts taken individually.
Read more: Rise of SVB-Driven Fraud Shows How Fast Criminals Move
Companies increasingly have their hands full fighting fraud, and more than 9 in 10 executives (95%) surveyed by PYMNTS say they consider using innovative solutions to improve fraud detection and anti-money laundering (AML) compliance a high priority.
Driving this, said Jabbara, is a growing “democratization of malicious tools” giving bad actors quick and easy access to a growing arsenal that can be leveraged across new, modern areas like card not present (CNP) environments.
“There’s been an explosion of online merchants that may not have the necessary checks or controls around velocity and authentication that leave them open to these attacks,” he said, adding that Visa proactively provides its partners with the right tools to limit CNP fraud’s impact.
Still, in some senses defending against fraud in today’s digitized, modern environment is a little bit like playing whack-a-mole: as soon as one bad actor is stymied, another one pops up to take its place.
“What we’re seeing now is a J-curve level of amazing innovation that’s happening [with technology], but it’s also happening on the fraud side, too,” Jabbara said.
He points to the rising evolution of “brute force” attacks on payment ecosystem infrastructure using “hyper-rapid enumeration tactics to systemically test payment credentials” as an example, where bad actors then monetize the jailbroken credentials through crypto purchases, gift cards, and other use cases.
“Putting in checks to assess whether something that is apparently legitimate is actually legitimate is only becoming more crucial,” he said.
See: Persistent Fraud Has Smart Businesses Switching From Playing Defense to Offense
Jabbara notes that while historically fraud control and prevention was centered around velocity controls, the increasing sophistication of fraud schemes now makes it mission critical to take a proactive approach across three core areas.
The first, he said, is aggregating and cross-corelating both behavioral and transactional data elements in real time; the next is “creating sophisticated, intelligent rule thresholds that allow [businesses] to increase the true positive rate” of each interaction; and the third and final piece is establishing an automated “best course” action on top of the data linked to the cost-benefit ratio a business feels comfortable with.
“While the advice of focusing on the fundamentals is necessary, it’s no longer sufficient,” Jabbara said, adding that bad actors are already starting to steal and hold onto encrypted data in preparation for just-around-the-corner quantum computing tools to enter the market and allow them to decrypt the illicitly obtained data using quantum processing power.
What this requires, he stressed, is a continued investment by organizations in multiple layers of defense.
“In a post-encryption world, authentication becomes king … knowing that each person is who they say they are is going to be absolutely key,” Jabbara said. “So putting in those investments now to be able to aggregate different data streams, cross-corelate them, and then build an action engine on top is crucial to stay ahead.”
The onus on defense in the near future, he said, will be more and more around the cardholder and customer on a personal level. “If we’re creating these very secure protocols that are hacker proof, then the most valuable hack point is going to be that individual themselves.”