Online fraud is increasing.
When looking at online security, consumers and merchants should be
looking to internet banking, where banks and their technology
suppliers are developing some powerful tools to repel fraudsters.
Alison Ebbage reports.
Go deeper with GlobalData
The amount of web revenue lost to
fraud is on the up. Cyber criminals have now moved on from more
secure online banking portals to find and exploit the next weakest
link in the payments chain – merchants and consumers.
Banks have spent significant
amounts of both time and money attempting to make themselves
bombproof and better able to detect and repel cyber attacks as they
occur rather than after the event.
Duncan Ash, marketing manager,
financial services at SAS, comments: “Banks have been heavily
targeted by cyber criminals so have made vast improvements to their
online security. This has made life much more difficult for
would-be perpetrators of online fraud.”
Banks have also looked to their
internal processes to make sure they have much better capabilities
when it comes to detecting fraudulent activity.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Thank you!
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form
By GlobalDataAsh explains: “By having a good
overview of activity and running various scenarios through the
system banks get a richer data pattern to analyse and can make
decisions on whether activity is fraudulent – based on contextual
information and normal behaviour patterns. HSBC has deployed this
technology in close to 30 countries and has worked hard to increase
the quality of its modelling.”
This sort of modelling – to provide better context around
payments and transactions – is now commonplace. For instance if a
system picks up that the same card is being tried from two
different IP addresses simultaneously it is obviously suspicious.
And if a customer tries to make a payment that does not fit in with
his or her usual activity then systems detect that something may
not be right.
Vulnerability
The card schemes themselves have
also reacted to online fraud with pretty much all the major players
having invested in fraud screening companies or tools recently.
In 2010, Visa bought CyberSource
and MasterCard bought Datacash. Both acquisitions add to security
and also mean that both are able to handle payments secure online
or mobile payments.
Steve Brunswick, strategy manager at Thales Information Systems
comments: “Card issuers have recognised the threat to online
transactions and taken action to combat fraud before the
transaction is approved and authorised. But it is now to the front
end that improvements should be made.”
3DS
The development of the 3DS
technology requires the consumer to supply additional
authentication. But a study in 2010 by Cambridge researchers
Murdoch and Anderson said that although the scheme was good for
banks and merchants, it effectively allows sloppy online security
from customers. (See A Cause for Celebration?)
“Merchants who adopt [3DS] get
their transactions treated as cardholder-present transactions with
much less risk of repudiation while banks get to shift liability
onto the customer… who… receives little benefit in security
while suffering a huge increase in their liability for fraud,” says
the paper.
Ash says: “3DS is a great idea but
in the course of everyday life, consumers have so many passwords to
remember that it is tempting to use the same one or use a simple
one such as a birthday – and this makes for weak online
security.”
Brunswick says: “Additional
security and authentication that is now commonplace when banking
online has yet to make its way to online transacting.”
He cites Card Automation Protocol (CAP) card readers that
generate a one-time password as being feasible within 3DS but not
necessarily doing much for usability and convenience of consumers.
In fact, just the fact that 3DS demands an additional username and
password can be annoying for customers and the trade off between
ease of transacting and security looks to be perpetual.
Analysis
As well as authentication devices,
analytics tools used by banks could also be transferred to the
merchant community. One of the biggest targets at the moments are
the insurance companies who, when working online through
aggregators, find themselves a step removed from the actual
insurance quote, thus making it harder to see anything potentially
fraudulent.
Ash comments: “Insurance companies
are currently struggling to distinguish between someone who is
genuinely trying different parameters to get the lowest quote and
those playing the system.
“A solution is to place analytics
profiling tools onto websites and that looks for certain keystrokes
combinations that can help to identify whether someone is trying to
play the system or whether it’s an innocent mistake. It also
reduces the number of false positives,” he says.
Brunswick thinks that the ultimate
solution lies in cultural change and the merchants themselves being
forced to behave more securely by their merchant acquirers and
their payments systems.
“The more pressure there is on merchants to use things like 3DS
and the cheaper they can make it for them then the more normalised
it will become and that will seep through to customers as well,” he
says.
