2016-12-25

With EMV slowly but steadily rolling out across the U.S. and e-commerce on the rise, the payments system is turning into the perfect breeding ground for card-not-present fraud. But fear not, say payments pros, because while technology may offer up new opportunities for exploitation, it also brings to market potential solutions to head off crooks at the pass.

The Federal Reserve’s Mobile Payments Industry Work Group is trying to draw attention to the subject with a recent white paper exploring the problem of card-not-present fraud, specifically in the mobile payments environment.

That paper – titled “Getting Ahead of the Curve: Assessing Card-Not-Present Fraud in the Mobile Payments Environment” – fits neatly into the Fed’s larger motive of fostering collaboration among industry stakeholders. Where cybersecurity is concerned, financial industry regulators have taken up the role of collaborator and partner, rather than that of enforcer. Regulators, including the Fed, have focused at least in part on information-sharing as a means of strengthening the overall system.

The report’s authors told Banker & Tradesman that while of course they think any stakeholder in the payments system could benefit from reading their paper, smaller to mid-sized merchants and financial institutions could have the most to gain.

“They’re the ones who often don’t have as much knowledge, or opportunities, or resources,” said Marianne Crowe, vice president of the payment strategy group at the Boston Fed and one of three authors of that paper. “If we can level set the industry in terms of explaining some of this stuff to them, we hope they can get some benefit and make some better informed decisions.”

Crowe and her co-authors – Payments Strategy Group Director Susan Pandy and David Lott, a payments risk expert with the Atlanta Fed – first identify the different functions within the card-not-present environment, then lay out which functions are vulnerable to which kinds of attack and the magnitude of risk each carries. For instance, the magnitude of risk is rated low for a jailbroken phone: jailbreaking does strip away the device’s security controls, but larger merchants and payment service providers often have the tools to recognize a compromised device and decline its transactions.

Much of this can feel like it’s out of the hands of financial institutions, which are already tightly regulated, fairly secure and often left cleaning up the aftermath of data breaches and stolen credit card information.

But bankers can play a key role in educating their customers about the threat landscape, said Gerald R. Gagne, a member of the Boston firm Wolf & Co.

While it’s usually the merchant or the end user who is compromised, Gagne said, “[Banks] can definitely offer consumer education and make sure that folks know what the threats are. Some banks are actually offering secure browser technology for free to their retail clients.”

No Silver Bullets, But Plenty of Ammo

At times, fighting opportunistic cybercriminals can seem like a game of Whac-a-Mole. When you think you’ve whacked that sucker back into the abyss from whence he came, the critter finds another hole out of which to poke its weasely little head. The good news is that industry players are also rising to meet the threat.

“It’s kind of an untold story, but there’s a veritable army of fraud fighters out there,” said Raymond Pucci, associate director of research services for Mercator Advisory Group.

Pucci, who also authored a paper on that topic, described software providers as typically employing two common methods in the war on card-not-present fraud: rules-based scoring and neural network systems.

A company like LexisNexis, with access to reams upon reams of transactional data, might write rules that tell a computer when a transaction should send up a red flag. The more transaction data the system ingests, the better it gets at ferreting out fraudulent online transactions, so the machine eventually “learns” to do its job better.
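To make the rules-based approach Pucci describes concrete, here is an added illustration (not code from Mercator, LexisNexis or any vendor named in the article): a handful of weighted rules of the kind a processor might write for card-not-present transactions, each contributing points and a reason code, with the total compared against a review threshold. The rule set, weights, threshold and sample transactions are all constructed for the example; a real engine would carry hundreds of rules tuned against labelled fraud history, which is the “learning” the article alludes to.

```python
"""Rules-based risk scoring for card-not-present (CNP) transactions.

Each rule inspects one transaction plus the card's recent history and, if it
fires, contributes weighted points and a reason code. The total decides
whether the transaction is approved or held for review. Weights, rules and
sample data are constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple


@dataclass
class Transaction:
    txn_id: str
    card_hash: str              # hashed card number; the raw PAN is never kept here
    amount: float
    timestamp: datetime
    billing_country: str        # country of the cardholder's billing address
    ip_country: str             # geolocated country of the buyer's IP address
    ship_to_matches_billing: bool
    device_seen_before: bool    # has this device fingerprint paid with this card before
    avs_match: bool             # Address Verification Service result
    cvv_match: bool             # card security code result


# A rule returns (points, reason) when it fires, otherwise None.
Rule = Callable[[Transaction, List[Transaction]], Optional[Tuple[int, str]]]


def velocity(history: List[Transaction], txn: Transaction, window: timedelta) -> int:
    """Count earlier transactions on the same card inside the time window."""
    start = txn.timestamp - window
    return sum(1 for h in history
               if h.card_hash == txn.card_hash and start <= h.timestamp < txn.timestamp)


def rule_geo_mismatch(txn, history):
    # Buyer appears to be in a different country than the card's billing address.
    if txn.billing_country != txn.ip_country:
        return 30, "IP_COUNTRY_MISMATCH"
    return None


def rule_velocity(txn, history):
    # Several purchases on one card within an hour is typical of card testing.
    n = velocity(history, txn, timedelta(hours=1))
    if n >= 3:
        return 25, f"VELOCITY_{n}_IN_1H"
    return None


def rule_ship_billing(txn, history):
    if not txn.ship_to_matches_billing:
        return 15, "SHIP_BILL_MISMATCH"
    return None


def rule_new_device(txn, history):
    if not txn.device_seen_before:
        return 10, "NEW_DEVICE"
    return None


def rule_avs_cvv(txn, history):
    # Both checks failing is far more telling than either one alone.
    if not txn.avs_match and not txn.cvv_match:
        return 40, "AVS_AND_CVV_FAIL"
    if not txn.cvv_match:
        return 20, "CVV_FAIL"
    if not txn.avs_match:
        return 10, "AVS_FAIL"
    return None


def rule_high_amount(txn, history):
    if txn.amount >= 500:
        return 15, "HIGH_AMOUNT"
    return None


RULES: List[Rule] = [rule_geo_mismatch, rule_velocity, rule_ship_billing,
                     rule_new_device, rule_avs_cvv, rule_high_amount]
REVIEW_THRESHOLD = 50  # constructed value; tuned from labelled history in practice


def score(txn: Transaction, history: List[Transaction]) -> Tuple[int, List[str]]:
    """Run every rule and return the total points plus the reason codes that fired."""
    total, reasons = 0, []
    for rule in RULES:
        hit = rule(txn, history)
        if hit:
            total += hit[0]
            reasons.append(hit[1])
    return total, reasons


def decision(txn: Transaction, history: List[Transaction]) -> str:
    total, _ = score(txn, history)
    return "REVIEW" if total >= REVIEW_THRESHOLD else "APPROVE"


# Constructed sample data: four quick purchases on card "c2" in the past hour.
T0 = datetime(2016, 12, 20, 14, 0)
HISTORY = [Transaction(f"h{i}", "c2", 9.99, T0 - timedelta(minutes=m), "US", "US",
                       True, True, True, True) for i, m in enumerate((50, 40, 30, 20))]
NORMAL = Transaction("t1", "c1", 60.0, T0, "US", "US", True, True, True, True)
SUSPECT = Transaction("t2", "c2", 650.0, T0, "US", "RO", False, False, True, False)

if __name__ == "__main__":
    for txn in (NORMAL, SUSPECT):
        print(txn.txn_id, decision(txn, HISTORY), score(txn, HISTORY))
```

The reason codes matter as much as the score: they are what an analyst sees when reviewing a held transaction, and what a fraud team later measures against confirmed chargebacks to re-tune the weights.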

“It’ll never be eliminated, certainly. I look at it as kind of an arms race,” Pucci said. “The fraudsters come up with ways of disguising their methods and then the card-not-present fraud solutions companies come up with a way to counter that.”

The authors of the Fed’s report also liked machine learning as part of the solution to stop card-not-present fraud. They also see promise in tokenization, encryption, multifactor authentication and biometrics, among others.

“I think we’re all in agreement about tokenization, particularly payment tokenization, which is used in payment wallets,” Pandy said. “We’re not alone; the industry sees a lot of promise for tokenization going forward.”
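The reason payment tokenization holds promise against card-not-present fraud is that the merchant never stores or transmits the real card number, only a surrogate bound to a domain such as one merchant or one wallet. The following added illustration (a toy token vault written for this article, not the Fed's, EMVCo's or any wallet provider's implementation) shows the property that matters: a token lifted from one merchant's records cannot be mapped back to a card number when presented by anyone else. The vault API, merchant identifiers and the test card number are assumptions made for the example.

```python
"""Toy payment token vault illustrating domain-restricted tokenization.

The token service replaces a card number (PAN) with a random 16-digit
surrogate that passes the same Luhn format check a PAN does but carries no
card information. The vault remembers which merchant the token was issued
to and refuses to detokenize it for any other merchant, so a token stolen
from that merchant is worthless elsewhere. Constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _luhn_sum(number: str) -> int:
    """Luhn sum over a digit string, doubling every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(number: str) -> bool:
    return number.isdigit() and _luhn_sum(number) % 10 == 0


def luhn_check_digit(body: str) -> str:
    """Digit that makes body + digit pass the Luhn check."""
    return str((10 - _luhn_sum(body + "0") % 10) % 10)


@dataclass(frozen=True)
class TokenRecord:
    pan: str
    merchant_id: str   # the only domain this token may be used in
    last4: str         # what the merchant is allowed to display


class TokenVault:
    """Holds the only mapping from tokens back to real card numbers."""

    def __init__(self) -> None:
        self._tokens: Dict[str, TokenRecord] = {}

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        while True:
            # 15 random digits plus a Luhn check digit: PAN-shaped, but random.
            body = "".join(str(secrets.randbelow(10)) for _ in range(15))
            token = body + luhn_check_digit(body)
            if token not in self._tokens and token != pan:
                break
        self._tokens[token] = TokenRecord(pan, merchant_id, pan[-4:])
        return token

    def detokenize(self, token: str, merchant_id: str) -> Optional[str]:
        """Return the PAN only when the presenting merchant owns the token."""
        rec = self._tokens.get(token)
        if rec is None or not hmac.compare_digest(rec.merchant_id, merchant_id):
            return None
        return rec.pan

    def last4(self, token: str) -> Optional[str]:
        rec = self._tokens.get(token)
        return rec.last4 if rec else None


def replay_from_other_merchant(vault: TokenVault, pan: str) -> bool:
    """Simulate a token issued to merchant-A being presented by merchant-B.

    Returns True when the vault correctly refuses the cross-domain request.
    """
    token = vault.tokenize(pan, "merchant-A")
    return (vault.detokenize(token, "merchant-A") == pan
            and vault.detokenize(token, "merchant-B") is None)


# Widely used test card number (constructed input, not a real account).
TEST_PAN = "4111111111111111"

if __name__ == "__main__":
    v = TokenVault()
    t = v.tokenize(TEST_PAN, "merchant-A")
    print("token:", t, "last4:", v.last4(t))
    print("cross-merchant replay refused:", replay_from_other_merchant(v, TEST_PAN))
```

Because the vault, not the merchant, is the only party that can recover the PAN, a breach of the merchant's database yields tokens that fail at every other acceptance point; in a wallet deployment the same binding is typically made to a specific device as well, which is why the Fed authors single out payment tokenization for mobile.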

They don’t prescribe a one-size-fits-all solution, though.

“One thing that we always try to stress in pretty much all of our papers is that there’s no one single tool that is 100 percent bulletproof,” said Lott. “You really have to look at the situation and the environment to decide which tools are best.”
