Online fraud is increasing. When looking at online security, consumers and merchants should be looking to internet banking, where banks and their technology suppliers are developing some powerful tools to repel fraudsters. Alison Ebbage reports.
The amount of web revenue lost to fraud is on the up. Cyber criminals have now moved on from more secure online banking portals to find and exploit the next weakest link in the payments chain – merchants and consumers.
Banks have spent significant amounts of both time and money attempting to make themselves bombproof and better able to detect and repel cyber attacks as they occur rather than after the event.
Duncan Ash, marketing manager, financial services at SAS, comments: “Banks have been heavily targeted by cyber criminals so have made vast improvements to their online security. This has made life much more difficult for would-be perpetrators of online fraud.”
Banks have also looked to their internal processes to make sure they have much better capabilities when it comes to detecting fraudulent activity.
Ash explains: “By having a good overview of activity and running various scenarios through the system banks get a richer data pattern to analyse and can make decisions on whether activity is fraudulent – based on contextual information and normal behaviour patterns. HSBC has deployed this technology in close to 30 countries and has worked hard to increase the quality of its modelling.”
This sort of modelling – to provide better context around payments and transactions – is now commonplace. For instance, if a system picks up that the same card is being tried from two different IP addresses simultaneously, it is obviously suspicious. And if a customer tries to make a payment that does not fit in with his or her usual activity, then systems detect that something may not be right.
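The two checks just described can be sketched as simple rules over a stream of payment attempts. This is an added illustration, not code from any bank or vendor named in the article; the window, history and amount thresholds, the event fields and the sample data are all assumptions.

```python
from collections import defaultdict, deque
from statistics import median

WINDOW_S = 60        # assumed: attempts this close together count as "simultaneous"
MIN_HISTORY = 3      # assumed: prior payments needed before judging an amount
AMOUNT_FACTOR = 5.0  # assumed: multiple of the card's median that counts as unusual


def flag_transactions(events):
    """Return {event_id: [reasons]} for events that look suspicious.

    events: iterable of (event_id, unix_ts, card_token, ip, amount), any order.
    """
    recent = defaultdict(deque)   # card -> (ts, ip) seen inside the window
    history = defaultdict(list)   # card -> amounts of earlier, unflagged payments
    flagged = {}
    for event_id, ts, card, ip, amount in sorted(events, key=lambda e: e[1]):
        reasons = []
        seen = recent[card]
        while seen and ts - seen[0][0] > WINDOW_S:
            seen.popleft()                      # expire attempts outside the window
        if any(prev_ip != ip for _, prev_ip in seen):
            reasons.append("multi_ip")
        seen.append((ts, ip))

        past = history[card]
        if len(past) >= MIN_HISTORY and amount > AMOUNT_FACTOR * median(past):
            reasons.append("unusual_amount")
        if reasons:
            flagged[event_id] = reasons
        else:
            past.append(amount)                 # only clean payments shape the baseline
    return flagged


# Constructed sample data: tokenised card ids, documentation-range IPs.
SAMPLE = [
    ("t1", 1000, "card_A", "192.0.2.10", 20.00),
    ("t2", 5000, "card_A", "192.0.2.10", 25.00),
    ("t3", 9000, "card_A", "192.0.2.10", 22.00),
    ("t4", 9500, "card_A", "192.0.2.10", 400.00),    # far above usual spend
    ("t5", 12000, "card_B", "198.51.100.7", 60.00),
    ("t6", 12020, "card_B", "203.0.113.99", 60.00),  # second IP 20 s later
    ("t7", 20000, "card_B", "203.0.113.99", 55.00),  # same card, much later: fine
]

if __name__ == "__main__":
    for event_id, reasons in flag_transactions(SAMPLE).items():
        print(event_id, reasons)
```

Flagged payments are kept out of the per-card baseline so that a run of fraudulent amounts cannot gradually teach the rule that they are normal.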
The card schemes themselves have also reacted to online fraud with pretty much all the major players having invested in fraud screening companies or tools recently.
In 2010, Visa bought CyberSource and MasterCard bought Datacash. Both acquisitions add to security and also mean that both are able to handle secure online or mobile payments.
Steve Brunswick, strategy manager at Thales Information Systems comments: “Card issuers have recognised the threat to online transactions and taken action to combat fraud before the transaction is approved and authorised. But it is now to the front end that improvements should be made.”
The development of the 3DS technology requires the consumer to supply additional authentication. But a study in 2010 by Cambridge researchers Murdoch and Anderson said that although the scheme was good for banks and merchants, it effectively allows sloppy online security from customers. (See A Cause for Celebration?)
“Merchants who adopt [3DS] get their transactions treated as cardholder-present transactions with much less risk of repudiation while banks get to shift liability onto the customer… who… receives little benefit in security while suffering a huge increase in their liability for fraud,” says the paper.
Ash says: “3DS is a great idea but in the course of everyday life, consumers have so many passwords to remember that it is tempting to use the same one or use a simple one such as a birthday – and this makes for weak online security.”
Brunswick says: “Additional security and authentication that is now commonplace when banking online has yet to make its way to online transacting.”
He cites Card Automation Protocol (CAP) card readers that generate a one-time password as being feasible within 3DS but not necessarily doing much for the usability and convenience of consumers. In fact, the mere requirement in 3DS for an additional username and password can be annoying for customers, and the trade-off between ease of transacting and security looks to be perpetual.
As well as authentication devices, analytics tools used by banks could also be transferred to the merchant community. One of the biggest targets at the moment is the insurance companies, which, when working online through aggregators, find themselves a step removed from the actual insurance quote, thus making it harder to see anything potentially fraudulent.
Ash comments: “Insurance companies are currently struggling to distinguish between someone who is genuinely trying different parameters to get the lowest quote and those playing the system.
“A solution is to place analytics profiling tools onto websites that look for certain keystroke combinations that can help to identify whether someone is trying to play the system or whether it’s an innocent mistake. It also reduces the number of false positives,” he says.
Brunswick thinks that the ultimate solution lies in cultural change and the merchants themselves being forced to behave more securely by their merchant acquirers and their payments systems.
“The more pressure there is on merchants to use things like 3DS and the cheaper they can make it for them then the more normalised it will become and that will seep through to customers as well,” he says.