Stopping payment fraud without blocking real transactions

There is no denying the brutal impact of payment fraud, with $9 billion of annual criminal spending on US payment cards alone, according to research firm Javelin. Nearly six in ten information thefts studied in Verizon’s Data Breach Investigations Report involve payment details. Meanwhile, in-person card skimming continues to grow, with the last year witnessing a tripling of illegal reader installations at the new weak point, petrol pumps.

Cyber criminals continue to advance and merchants are taking aggressive action to counter them. But businesses’ assertiveness also leads them to decline swathes of real payments erroneously.

To balance their fightback, retailers must understand criminals’ tactics. A common fraud, according to trade association the Merchant Risk Council, is social engineering: deceiving individuals so that they hand over sensitive information.

Phishing is its most common form, in which fraudsters gather information through messages, such as fake e-mails or websites that purport to come from a bank, retailer or payment processor. Sophisticated cyber criminals engage particularly in spear phishing, using highly targeted e-mails that include accurate information.

Tim Ayling, European director of fraud and risk intelligence at technology firm RSA Security, warns that fraudsters “will learn anything and everything about their victims – their address, daily routine, even the name of their kids’ school teacher”. He adds: “All of this is with the end-game of getting them to share bank details or even transfer money directly to accounts.”

Breaches involving e-commerce sites typically entail the “fairly straightforward process” of hacking a web application to steal logins, explains Laurance Dine, managing principal of investigative response at Verizon. Meanwhile, card skimming dominates in bricks-and-mortar retail.

Blocking real transactions

Companies are aggressively trying to block such theft and in doing so they often inadvertently kill masses of genuine transactions. The revenue consequences are dire. Javelin notes that $118 billion is lost by US retailers every year through false declining, more than 13 times the value of card fraud. And then there is the effect on brand reputation as more than one third of incorrectly blocked people decide to dump the retailer or their card.

This means stores and card issuers “must toe a fine line between protecting their assets and retaining customers”, explains Emma Cloninger, marketing co-ordinator at the Merchant Risk Council. She warns that merchants and issuers can easily overreact.

The danger of customers feeling “let down or even humiliated” by a payment decline and then airing their experience on social media, Mr Dine says, means businesses have to be careful. He adds: “In today’s hyper-competitive retail landscape, there will always be another retailer out there waiting to swoop up any disappointed or disenfranchised customers.”

Overcoming this challenge

Merchants are wisely turning to behavioural analytics and pattern spotting to improve their checks. “As a crude example, if a customer has made a transaction in Britain in the morning and then attempts to make one in Australia later that day, a flag is raised and further authentication is required. Then there are much more granular metrics to confirm that customers are who they say they are, such as the device used, payment method, IP [internet] address and the size or type of purchase,” Mr Ayling says.
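The Britain-then-Australia check described above, as an added sketch that is not taken from the article or from any vendor's system: a risk signal leads to step-up authentication rather than a decline, so a genuine traveller can still complete the purchase. The speed and distance thresholds, field names and sample transactions are assumptions, and coordinates are assumed to come from an upstream IP or terminal geolocation step.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0     # assumed: ignore geolocation jitter within one region

@dataclass
class Txn:
    when: datetime
    lat: float
    lon: float
    device_id: str

def km_between(a: Txn, b: Txn) -> float:
    """Great-circle (haversine) distance between two transactions, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def decide(history: list, new: Txn):
    """Return (decision, reasons). Signals trigger step-up, never an outright decline."""
    reasons = []
    if history:
        prev = max(history, key=lambda t: t.when)
        hours = (new.when - prev.when).total_seconds() / 3600
        dist = km_between(prev, new)
        # Real distance covered in zero time, or faster than a flight, is implausible.
        if dist > MIN_DISTANCE_KM and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_KMH):
            reasons.append("impossible_travel")
        # Device is one of the more granular signals: unseen devices get challenged.
        if new.device_id not in {t.device_id for t in history}:
            reasons.append("new_device")
    return ("step_up" if reasons else "approve"), reasons

def _at(hour: int) -> datetime:
    return datetime(2024, 1, 15, hour, 0, tzinfo=timezone.utc)

# Constructed sample transactions (not real data).
LONDON_AM = Txn(_at(9), 51.5074, -0.1278, "dev-A")
SYDNEY_PM = Txn(_at(17), -33.8688, 151.2093, "dev-A")     # about 17,000 km in 8 hours
MANCHESTER_AM = Txn(_at(11), 53.4808, -2.2426, "dev-A")   # about 260 km in 2 hours
MANCHESTER_NEW = Txn(_at(11), 53.4808, -2.2426, "dev-B")  # same trip, unseen device

if __name__ == "__main__":
    for txn in (SYDNEY_PM, MANCHESTER_AM, MANCHESTER_NEW):
        print(decide([LONDON_AM], txn))
```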

Payment processor Mastercard is one firm monitoring patterns. Its fraud detection system, Digital Intelligence, “analyses and learns from consumers’ transactions, feeding this data into an intelligent network”, according to Ajay Bhalla, president of global enterprise risk and security at the company.

The data includes retailer and card issuer information. “From this we’re able to improve the customer experience by reducing the number of false declines, while preventing fraudulent transactions from being approved. In essence, we’re moving from managing fraud to managing better decisioning at the outset,” he says.

Ms Cloninger says retailers must also analyse how people behave on their sites. “More likely than not, fraudsters won’t consider prices, read product reviews or look for discount codes,” she says. “They’ll be in and out within a matter of minutes.”

Human judgment must remain an essential partner to this automated analysis. “Though artificial intelligence and machine-learning are excellent all-round tools, they are only tools,” Ms Cloninger says. When properly managed and maintained by humans, they improve fraud prevention. And for in-store or petrol pump fraud, where skimmers can be installed within seconds, it is essential humans monitor surveillance footage carefully.

Cross-sector human co-operation is also essential. “Collaboration and data-sharing isn’t an option, it’s a must,” says Mr Ayling. Ongoing discussions have shown a cyber criminal will typically use the same device and tactics when attacking in different countries. He adds: “Not sharing information across borders is only helping the fraudsters.”

By working together, businesses can reduce fraud and keep the buying process smooth. Companies already discuss confirmed fraud information and there is the potential to assess deeper information on global transaction patterns collaboratively.

US research from Mastercard and the Fletcher School at Tufts University, called the Digital Evolution Index, reveals the true potential of international assessments. Countries advanced in digital development tend to lead fraud detection and Mr Bhalla says this is because “those with digital payments operate on a borderless business model, making payments more convenient and fraud easier to detect”.

As companies look to become smarter in their fraud detection, they must ensure their innovation is more collaborative. “Fraudsters are consistently evolving, exploring new attack strategies and developing tactics to expose vulnerable targets,” Ms Cloninger concludes. It is only through co-operation that businesses will stay ahead of the crooks.