Fraud is, and always has been, an unfortunate aspect of commerce. This is especially true as consumers turn more to digital transactions, where identifying fraudulent activity is more challenging. As people spend more of their time online, the potential for their accounts and private information to be compromised grows, resulting in increased levels of digital fraud.
For example, a hacker can log into an account using stolen credentials—or just by repeatedly guessing the login information, a repetitive task that can be automated through the use of bots—and hijack the account for their own criminal purposes. Attempts to do this are very common, as up to 40% of all account access attempts are high-risk of being fraudulent, according to NuData, a Mastercard company.
Once in possession of critical information, or in control of an entire account, a criminal can then initiate fraudulent transactions, and the data shows they’re doing so at alarming rates. Card-not-present transactions now represent 59% of all fraud, despite making up only 22% of purchase volume, per a report from The Federal Reserve.
One way to combat fraud is to introduce intelligent friction during the authentication process, for example, prompting for a one-time-password. Another is to reject questionable transactions or login requests. But if merchants are overzealous in denying transactions, it will negatively impact their business. One study showed that 44% of falsely declined consumers either stopped or reduced shopping with that retailer. And with false declines for payment cards totaling $331 billion in 2018, according to the U.S. Payment Forum, a lot of money is at stake.
Doing nothing is also not a viable strategy. Every $1 of fraud costs financial institutions and mid to large retailers an average of $3.27 due to chargebacks, legal fees, and other costs, based on a report from LexisNexis. Worse yet, the threat posed by fraud will only intensify because U.S. digital commerce is expected to increase by 60% between 2019 and 2022.
Therefore, it is crucial that companies stay ahead of the fraudsters without adding to the amount of false declines. So how should companies combat the substantial threat of fraud without creating a negative consumer experience?
Stopping fraud through multi-layered, intelligent authentication
The solution is found in the causes of the problem. Fraud is changing and expanding because people are doing more things online, from shopping to banking. All of these online activities leave a trail of data in their wake. By utilizing the reams of data that consumers generate each day, companies can more effectively fight back against fraud without hurting the consumer experience.
This multi-layered approach to fighting fraud is embodied in the way Mastercard thinks about addressing the challenge of security and friction. NuDetect, a Mastercard solution that harnesses the power of behavioral biometrics, uses billions of anonymized data points and machine learning algorithms in order to screen for and identify patterns of fraud.
Biometric data, location data, and patterns associated with the user’s shopping habits are bundled together and analyzed by AI to determine the likelihood that a specific interaction is legitimate or not.
Importantly, this process can start long before a payment transaction is initiated. In fact, a payment transaction need not even occur. In the case that an interaction is made on the user’s known device, for example, with behavioral biometric data matching previous activity, and on a website the user frequently visits, Mastercard can verify that the user is indeed behind the interaction.
This approach to fighting fraud also reduces needless friction. Instead of challenging users right away, which could annoy people trying to legitimately use their accounts, challenges would only be prompted if the activity is deemed suspicious. A login attempt on a known device at someone’s home in Boston would not result in a challenge, but a login attempt on an unknown device thousands of miles away from that person’s home might.
This data-driven, multilayered approach is a part of what Mastercard calls “connected intelligence.” It’s premised on having the ability to capture the existing consumer behavioral data and leverage it to make an informed, data-driven assessment of the probability of fraud. Furthermore, the process relies on swiftly communicating this information to the different stakeholders to enable them to make better decisions.
Connected intelligence in action
Consider how connected intelligence can work in the real world with a real consumer. It could start with a user navigating to a merchant’s website. As the user interacts on the site, NuDetect begins to analyze the behavior of this user — how they are holding their phone, their keystroke patterns, pressure points — to determine if it is a legitimate consumer or a bad actor. This is the first layer of authentication.
Based on this user’s behavior, NuDetect determines if it is in fact a human. The user logs in, browses the site, and decides to make a purchase. At this point, a payment transaction is initiated. To provide a more secure and seamless payment experience, the merchant decides to share more information with the card issuer in the authorization message through a new protocol developed by Mastercard that leverages the EMV-3D Secure standard, called Data Only. Designed to facilitate better decisioning without creating friction, Data Only carries data elements from merchants and shares them with issuers.
Before sharing the data with issuers, Data Only uses sophisticated AI to analyze the data and generate a fraud score and a reason code, and then sends this information to the issuer through Digital Transaction Insights.
In cases where the merchants want to fully authenticate a cardholder, they have a choice to perform an EMV-3D Secure (payment authentication) authentication which uses AI to authenticate a payment transactions and, in some cases, could add a challenge in the form of a one-time-password or biometrics presented to the cardholder to confirm the transaction.
Finally, all this information and authentication connects to the issuer’s decisioning engines through the authorization message, allowing issuers to make a more informed decision on each cardholder and transaction. This results in a better experience, a lift in approvals, and a reduction in fraud.
When transactions get disputed, then all the intelligence gathered will allow merchants, issuers and cardholders to solve multiple disputes in seconds and at a minimum cost providing an experience that is second to none, while still working in the most secure environment possible.
The trick to fighting fraud in the digital world comes down to approving genuine user initiated transactions and interactions while avoiding bad actors, all without adding too much friction. Companies such as Mastercard achieve this by leveraging multiple data points to make an informed decision before any transaction or interaction takes place. Such an approach makes the process of authentication seamless and creates a better experience for merchants, acquirers, issuers and cardholders.