The good news is we may finally be witnessing the end of credit card fraud. The bad news, however, is that the online fraudsters and cybercriminals have moved on from poaching plastic to something even bigger: identity theft.
The shift comes at a time in which more robust authentication methods and standards, driven by new privacy laws, are lessening the dependence on cookies (the browser kind) and passwords, and, in the offing, will lessen cart abandonment as well.
But that bit of good news comes with a caveat, as LoginID Co-Founder and CEO Simon Law and Visa Head of Global Commercial Product David Henstock told PYMNTS.
The fraudsters, they said, are moving upstream, targeting online identities, passwords, bits and pieces of data with which they aim to fool merchants and out-fox financial institutions (FIs).
As part of the latest On the Agenda installment, the executives told PYMNTS that “kicking the cookie habit” comes as PSD2 requires merchants to meet new levels of accountability with payment transactions and levels of authentication too. The FIDO standards (promoted by the FIDO Alliance, in which FIDO stands for fast identity online) combine advanced technologies such as artificial intelligence (AI), behavioral analytics and biometrics to make sure that people are who they say they are as they transact on devices.
The urgency of strengthening authentication efforts is underscored, said Henstock, as research shows that in 2020, losses from account takeover (ATO) fraud at $6 billion was greater than existing card-related fraud at $5 billion. The fact that fraud is moving “upstream” is proof positive that chip-and-pin and 3DS efforts have been paying off.
Other research shows that credit card numbers, as the type of credential fraudsters want to steal, fell, while email addresses and passwords rose, said Henstock.
At the same time, new privacy rules have been taking effect, Law said, and big tech players such as Apple have begun to rely on explicit, discrete authorization, working in conjunction with risk-based authorization, where users have to explicitly consent at the moment their identity is asserted or an authorization takes place.
“What happens is there needs to be an alternative solution,” said Law. “This is where a solution like FIDO will help. It’s an explicit consent and is what is called user presence testing.”
A consumer has to swipe their fingerprint on a device or press a button, for example. Law noted that not all devices can be supported by FIDO, and that’s where risk-based authentication comes in.
The two approaches complement each other, he said.
Moving To Standards
A multi-layered approach is and will be necessary, said Law and Henstock, against a backdrop of what might be termed fragmented regulatory approaches. Although PSD2 is the law of the land in Europe and is getting pushed out in the U.K., don’t expect a wholesale regulatory push here in the states.
“I don’t know if North America or the U.S. will adopt an open banking standard, but I think there’s a lot of things that we can learn from those guidelines, especially in terms of how people do authentication,” said Law.
Europe, concurred Henstock, is where a lot of solutions and technologies are being “tried out” in pursuit of the right level of friction and consumer experience, where the perfect user experience (UX) is a goal, but it’s hard to achieve. Visa has embraced 3DS, enabling the merchant and issuer to exchange communications to perform strong authentication and verification (with safer payments the result, at least initially, but broadening out to other use cases in the fight against data breaches).
“What we’re looking to do is to provide [a] standards-based approach — not just payment authentication, but a consumer authentication to help really drive passwords out of the ecosystem,” said Henstock.
The standard that the industry is coalescing around is FIDO, which takes entire vectors of fraud out of the system. Delegated authentication, added Law, allows authority to be “delegated” from an issuer to a payment service provider or merchant (combining FIDO with the 3DS network), which ultimately is beneficial to the customer checkout.
Of delegated authority, said Henstock: “What we’re looking to do is to combine secure customer authentication solutions that we can bring to our merchant community at this point, but with some other kind of newer capabilities that are being tested out also very relevant to the issuer and the FinTech side as well.”
In terms of the mechanics, said Law, with a nod toward biometrics, the FIDO approach is a distributed model, which is privacy-preserving because the biometrics are stored with the device and are never shared with third parties. (There’s also an approach that stores biometrics in the cloud.)
Explaining the FIDO biometric philosophy, he said, “What happens is the hardware signs a digital signature that identifies yourself with your biometric … your actual fingerprint and the template is actually securely stored locally.”
Looking ahead, Law and Henstock told PYMNTS, FIDO and strong customer authentication (SCA) will be enough to send fraudsters down new avenues of attack — dispersed, you might say, to other platforms, other vulnerabilities.
The battle will be never-ending, as always, “kind of like a cat and mouse game,” Henstock said.