Nets' perspectives on challenges and solutions
We have identified three battles that issuers must win against criminals post Strong Customer Authentication:
1. Enriched information to consumers in authentication
Firstly, now that the technical systems have been strengthened by SCA, fraudsters are targeting the weakest point: people. They are mobilizing scams that are devious, timely and clever, and victims cannot simply be written off as gullible fools – these scams could potentially trick any of us on a Monday. Push payment attacks, in which fraudsters deceive consumers or individuals at a business into sending them a payment under false pretences or redirecting a payment to an account controlled by the fraudster, are on the rise. Here the payment is made by the genuine customer, so SCA cannot prevent it. Criminals use social engineering techniques and may hack into email and other systems in order to set up their victims. We've seen a huge increase in smishing scams in the UK related to COVID (test results / vaccine appointments), Brexit (online goods stuck at customs), the delivery companies (postage payment required to get goods), and the big retailers (Amazon-related).
At Nets, we are enabling measures to confirm purchase information, merchant name or logo, before authenticating consumers. These measures are empowering consumers to make smarter decisions and safer payments.
2. Empowered via AI-enabled Risk Based Authentication (RBA)
Secondly, as convenience equals conversion, we can expect fraudsters to look for vulnerabilities that will appear as Merchants and Issuers learn how to navigate the exemptions in the regulation. These exemptions are intended to make the payment process frictionless for consumers, but consequently they open up loopholes for criminals. One example could be payments initiated through acquirers outside the PSD2-zone, for which SCA is not mandatory, although it is good practice. Nets' 3D Secure team is working day and night to build easy authentication flows and sophisticated RBA functionality, including machine learning models that empower banks and issuers to deploy and monitor rules that balance a user experience suited to the new reality against their risk appetite.
3. Data to enrich AI-enabled decision making
Thirdly, data is also a key weapon in the fight against fraud. EMVCo 3-D Secure 2.0, the new communication standard adopted by the card schemes to support authentication, allows merchants to provide more data to issuers. This includes fields like the customer's e-mail address, so the issuer can check whether it is one of the customer's known addresses, and information on IP and device.
But issuers are in danger of drowning in data and thereby failing to spot tell-tale signs. Automated analysis, and especially Machine Learning or AI, can help make sense of this new data, but new technology will require supervision and explanation to the regulator. Ensuring that algorithms are unbiased will be a key challenge as we start to use them.
Nets has expected this increasing trend, as we knew SCA implementation would take place in December 2020, so we have been preparing for it. A designated model has been shown to be a successful proof of concept against 3DS fraud in 2020. As we continuously gather more 3DS fraud data in 2021, our analytics advance quickly, with new data elements utilised to update our AI ecosystem. The harmonisation of rules and models ensures a market-leading fraud-to-false-positive ratio for our Issuers.
Winning the fraud arms race
While online payments have gone through their 'chip and PIN moment' with SCA, it is now down to processors and their Issuing and Acquiring partners to remain a step ahead of the fraudster to keep fraud levels low. There are already signs of increasing attacks aimed at duping cardholders, so at Nets we will continue to assess new data sources, like v2 3DS, against our fraud data with our cutting-edge machine learning models to ensure fraud cases are generated and dealt with appropriately.