The evolution of fraud in payments

In this guest post Bethan Cowper, Head of Global Marketing at Compass Plus, takes a look at the constant presence of fraud inbethan cowper payments, and what organisations can do to protect against it.

When it comes to payments, the only constant in the evolving financial landscape is the existence of fraud. It often feels like fraudulent activity has been going on since the first payment was made, and is the third certainty alongside death and taxes.

Even with the total transformation of the payments market over the past decade, fraudulent activity is still a parasite that the financial world cannot shrug off. As more sophisticated fraud prevention systems are rolled out, criminals immediately adapt and change their approaches, continuously testing an organisation’s ability to safeguard their customer’s data.

Fraud figures are continually on the rise. According to Juniper Research, online transaction fraud will reach $25.6 billion by 2020, up from $10.7 billion in 2015. Whilst there is no fraud panacea, detection is becoming increasingly agile, though the figures may seem to suggest otherwise.

It is important to note that these numbers rise alongside substantial growth in areas such as e-commerce and m-commerce, and are relative to the sheer volume of money being moved electronically. According to Juniper Research, for example, fraudulent transactions made by mobile devices increased by 142 per cent in 2015; however, when viewed in conjunction with the forecasted growth from 72 billion transactions in 2014 to 195 billion by 2019, it is all relative.

 

The past and present of financial fraud

History allows us to look through behaviour shifts and patterns to become more aware of how we got where we are today. Looking specifically at online fraud for example, back in 1994 as the internet grew in popularity and merchants introduced the “buy” button on their websites, fraudsters quickly realised that they didn’t need to supply a cardholder name that matched the card number, as this information wasn’t checked at the authorisation stage.

This led to the ’famous name’ fraudulent attacks where payments were supposedly being made by celebrities, both real and fictional alike. In retaliation, merchants added additional checks and controls to reduce the likelihood of this happening; in their counter-attack, fraudsters created card number generators that spat out genuine numbers for use. Fraudsters would target a specific merchant and attack them mercilessly, but once this trend was discovered, criminals again adapted their behaviour, jumping from site to site to make the attacks less obvious.

By the early 2000s, using stolen card numbers – whether they had been skimmed, taken from bins or physically stolen – was too much like hard work; with the volume of card numbers being compromised still relatively low. Instead, it was much more convenient to steal card numbers in batches, either by hacking the merchant directly or by setting up dummy merchant accounts: identity theft fast became the most lucrative method of committing fraud. The introduction of updated regulations and mandates on the security around both storing and handling card data to combat this type of criminal behaviour put a serious spanner in the works, but not for long.

The online fraud battle is a virtual whack-a-mole. Merchants verified customers by setting up customer accounts; fraudsters quickly realised that all checks were carried out at the account set-up stage and started changing delivery addresses and personal information after the fact. Merchants then added increased verification checks. Any sign of weakness was constantly tested to see what would give. The shift to social media payments and mobile banking has only offered fraudsters more avenues to explore.

 

The evolution of fraud techniques

Moving back to fraud as a whole (card present or not), gone are the days of simple skimming, phishing and malware. Today’s fraudsters harvest card information as if part of a successful business empire, and it is this level of dedication that holds serious and immediate consequences.

An example of the instantaneity of fraudsters’ response to changing technology is that of the activity at an ATM.  Pinhole cameras and card skimming are the thing of the past: with the roll-out of biometrics to increase ATM transaction security, fraudsters already have the technology to skim fingerprints.

A recent release from Kaspersky Lab outlines the measures fraudsters are taking to fool biometrics: for example, cheating facial recognition by placing masks over human faces and imposing photos taken from social media. Biometrics can add an additional layer of security, however the risk is that should this information be compromised, it is impossible to change your fingerprint as you previously would have your password.

Another popular topic in the press is the introduction of EMV: moving from the magstripe to the chip to significantly reduce card present fraud worldwide. The state of payment cards in the US is a very current example of this, with a report from Aite Group and Iovation publishing findings that as more merchants become EMV-capable, counterfeit fraud will fall from a high of $4.5 billion in 2016 to less than $1 billion in 2020.

However, as a result, the same report predicts that card-not-present fraud will cost retailers and financial institutions $7.2 billion in the United States by the end of 2020. The report also found that bank account takeover losses will increase from $644 million in 2015 to more than $1 billion by 2020.

As the payments ecosystem evolves, everything is becoming increasingly interconnected. Payments have become synonymous with innovation, with contactless clothes and jewellery, shopping from your fridge and more recently, “selfie pay” and other forms of biometrics payments. The rise in available channels and the interconnectivity of omni-channel offer more and more avenues for fraudsters to explore. The cost of fraud is not simply financial loss; merchants and financial institutions have to bear a number of hidden costs, including loss of consumer confidence and damage to their brand and integrity.

 

Searching for a solution

Fraud solutions need to be more flexible than ever before, not only to deal with the sheer volume of transactions, but the number and types of points of attack. This doesn’t discount internal fraud either; risk control measures need to be set up to ensure that any one operator doesn’t have enough access to data to compromise security.

Whether fraud is attempted from the outside in, or the inside out, organisations must plan and implement a multi-layer security strategy. Firstly, to protect and defend customer and card data; secondly, to proactively identify and compile fraud activity patterns; thirdly, to predict and prevent future activity; and fourthly, to use real-time monitoring to detect potential threats.

Sophisticated fraud detection software can identify common fraud patterns and then track and block suspicious activity automatically, managing fraud and minimising risk through analytics. A collaborative, integrated, and multi-level approach will enable businesses to offer their customers peace of mind, guard against brand damage and fines resulting from data breaches, and ultimately reduce both the financial and the reputational cost of fraud.

 

Bethan Cowper is the Head of Global Marketing at Compass Plus, a company that offers comprehensive, integrated and flexible payment and retail banking software to payment service providers and financial institutions worldwide. She leads the strategic global marketing efforts of the company from the Nottingham office in the UK. Prior to Compass Plus, Bethan worked in a number of senior marketing roles covering brand management, product marketing and global campaign management in the financial services, IT and publishing sectors.

Related reading