Mobile payments and data vulnerabilities caused fraud to skyrocket in 2014. Merchants also incurred more costs in addition to their fraud losses, with each dollar of fraud costing them $3.08, compared to $2.79 last year.* By 2018, card fraud is expected to more than double, reaching $6.4 billion**. The fact is fraud isn’t going away and EMV will only pose more challenges, making you focus on your biggest vulnerabilities and ensuring you’re using the right tools at the right to the right degree.
So, where do you start? Good question. Here are some examples of solutions that can mitigate fraud risk and decrease losses.
Digital Fingerprinting - Analyzes a remote device and its characteristics, including installed plugins and software, time zone, and other identifying device features.
- Used to identify potentially fraudulent devices so you can take preventative measures.
Shared Device Reputation - Shares the ability to identify fraudsters that have already attacked sites with peers within a system—both within and across industries.
- Prevents first-time losses and speeds up ROI.
- Shortcomings include: Only effective when preventing fraudsters who have attacked before, not emerging threats already stored in shared databases. Additionally, this type of sharing can be seen as aiding competition.
Proxy Databases - Includes known proxies that fraudsters use to hide their IP addresses and true locations. Proxy-piercing information via IP address provides non-invasive insight into the risks involved with accepting transactions from specific IP addresses.
- Directs malicious traffic.
- Shortcoming: The database must be current to be effective.
Geolocation - Uses digital information via the Internet to identify the fraudster’s geographical location.
- Effective and non-invasive for comparing IP location to registered billing addresses to identify and block connections that pose a risk or block specific IP addresses from suspicious locations.
- Shortcoming: This can be used in court, but some geolocation tools may be limited in the level of detailed data provided.
Customer Validation - Uses consumer data from various public and private sources to validate the billing information associated with the payment type.
- Happens at multiple levels, including checking a billing address via an issuer to validate full name, address, phone, and email address.
- Shortcomings: Provider has limited capabilities. Leveraging additional detailed solutions can be costly.
- Helps prevent instances of identity fraud for merchants with high-value transactions or those involved in age-restricted industries like alcohol, tobacco, and gaming.
- Shortcomings: Can hinder the customer experience by slowing transaction speed. Asking for Personally Identifiable Information (PII) can seem probing, and customers may be hesitant to add all this information to simply make a purchase.
Knowledge-based Authentication - Specifically for high-risk CNP transactions, a user must answer a question that can’t be found in a wallet or online (e.g., prior residence, mortgage amounts, etc.)
- Used in high-dollar amount transactions or age-restricted industries to verify a user’s identity.
- Shortcomings: Requires a user to remember potentially obscure pieces of personal information. Can extremely impact overall user experience.
3D Secure - Additional authentication step for CNP payments that was developed by Visa as an XML-protocol to improve online payment security.
- Used as an additional security layer for online credit and debit card transactions.
- Shortcomings: Inconveniences the consumer by adding an authentication step during the sales process. Merchants may experience higher abandonment rates when customers see the 3D logo.
Mobile Secure Location - A data point that confirms a cardholder’s mobile location during post-transaction review. This identifies actual fraud cases and reduces false positive administrative costs.
- Reduces cardholder service interruptions and results in an optimized customer experience.
- Shortcoming: The secure location depends on mobile phone availability and is out of band fraud prevention.
Identification and Isolation of Suspect Transactions - Uses radio environment to capture a customer’s mobile device during the transaction so a merchant can gather information about Wi-Fi access, points in the area, verified GPS information, and IP address information.
- Information is processed on a secure server that examines signals to obtain a location estimation via Wi-Fi access points, cell towers, and geolocated IP addresses.
- Shortcoming: Doesn’t prevent the fraud from occurring because it completes post-transaction.
Biometrics - Uses keystroke analysis, fingerprinting, voice, iris, and facial recognition technology to identify and validate people.
- Expanded the ability for business to authenticate a person’s identity using components other than simple data points such as name, address, and location.
- Shortcoming: It can be bypassed altogether by exploiting vulnerabilities in the hardware or firmware, and cold booting the device itself.
- Authenticates that an email address being used during a transaction is associated with the name and address provided.
- Shortcoming: Could go to customers’ spam folder so they don’t receive it.
- Provides a secondary way to validate real customers such as millennials, unbanked persons, non-U.S. customers, and the younger demographic since they can’t necessarily be validated via traditional ways.
- Shortcomings: Needs to be used in conjunction with another verification method. If a user does not have a social media profile, this method will not work.
Photo by Stuart Miles/FreeDigitalPhotos.net
Rick Lynch is Senior Vice President, Business Development, at Verifi.