Fraud itself is nothing new. For as long as people have been interacting with each other and exchanging goods and services, there has been fraud. But with people spending more time online than ever before, the nature of fraud is changing.
Fraudsters are increasingly seizing people’s private accounts and stealing valuable information or using the accounts to carry out fraudulent transactions. As fraud goes high tech, so, too, do fraud protections. Instead of passwords alone, companies are turning to a combination of biometrics and other digital solutions to stop the fraudsters.
PaymentsJournal sat down with Diego Szteinhendler, vice president of Product Management Cyber & Intelligence Solutions at Mastercard, to discuss the holistic approach companies are adopting to combat digital fraud. Joining us in the conversation was Tim Sloane, VP of Payment Innovation at Mercator Advisory Group.
The recent evolution of security & authentication
Prior to the internet age, people primarily interacted in person. To fight fraud in the physical world, companies turned away from magnetic cards and instead embraced chips. This switch had a tremendous impact in securing transactions.
“But what has been happening at the same time,” explained Szteinhendler, “is that mobile payments have been growing and the vulnerabilities have moved to the digital world.” As a result, more fraud is occurring in the digital world.
Sloane agreed, noting that as society has moved from in-person to online interactions, “we’ve lost the ability to track the user.” In theory, anyone can access an online account that’s only protected by a username and password; passwords alone aren’t enough.
This change has resulted in fraud happening way ahead of the payment transaction. Szteinhendler pointed out that upwards of 50% of login attempts are fraudulent, indicating that fraud has begun well before transactions occur. Data breaches give hackers access to reams of data on people and they’re using it to take over accounts and eventually initiate fraudulent transactions.
In the digital age, the prevalence of fraud is striking. There are about 5,000 credentials stolen per minute, according to Szteinhendler. Therefore, companies are turning to novel approaches to fight back.
Securing the touch points: a layered approach to identification
First, a company needs to identify the touch points, the specific moments when it interacts with the customer. “Any touchpoint with a user is a vulnerability or a potential one,” said Szteinhendler. Therefore, it’s essential that companies have a strategy to verify their users’ identity at each touch point.
In the physical world, having to enter a PIN while using a debit card is an example of verification via a piece of static information. But in the digital world, Szteinhendler cautioned against using static information to verify users; a PIN alone isn’t enough.
He pointed out that it’s too easy for this information to be compromised, especially in call center scams, where people are tricked into willingly giving out their account information under the assumption they’re talking to a legitimate call center.
Instead, Szteinhendler advocated for a more sophisticated strategy “where all the different areas or touch points or channels have a layered approach that is standardized so that the user has a consistent experience.”
The layered approach means using a variety of tools to verify a user’s identity. Companies should utilize biometrics, such as device fingerprinting, “and the behavioral biometrics, [such as] how the user traverses the website, to start to identify that user, even before they try to log into an account,” said Sloane. The benefit of this approach, he pointed out, was that you could still challenge a user who had the correct password if you thought the activity was suspicious.
Szteinhendler agreed with Sloane about the importance of using behavioral data, reiterating that it offered a good alternative to static information like passwords, but offered a nuanced perspective on challenging users.
Connected Intelligence: balancing security and friction
Challenging users, by having them type in a unique PIN for example, adds friction to the process. Szteinhendler warned that companies need to be smart about when they add friction. Add too much, and you risk creating a horrible user experience where users no longer want to use the platform.
He said companies need to instead use intelligent friction. This means not adding friction for the sake of adding friction, but only doing so after assessing how likely it is that the behavior is fraudulent. In other words, companies should leverage all the existing data before challenging a user.
“As you see a user coming into a platform, you’re able to see where he’s coming from, you’re able to see how he’s behaving, whether or not that behavior is similar to the way they have behaved in the past, or if it’s similar to other people using the platform,” said Szteinhendler.
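A minimal sketch of this kind of risk-based step-up decision, added here as an illustration and not taken from Mastercard or any product discussed in the interview. The signal names, weights and thresholds are assumptions chosen for the example, and the sample profile and login attempts are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Profile:                 # what the platform already knows about the user
    known_devices: set
    usual_countries: set
    keystroke_history: list    # past mean inter-key intervals (ms)

@dataclass
class Attempt:
    password_ok: bool
    device_id: str             # device fingerprint (constructed values)
    country: str               # where the user is coming from
    keystroke_ms: float        # typing cadence observed during this login

def behaviour_deviation(profile, attempt):
    """Distance of this session's typing cadence from the user's own past, in sigmas."""
    if len(profile.keystroke_history) < 2:
        return 3.0             # no baseline yet: treat behaviour as unknown
    mu = mean(profile.keystroke_history)
    sigma = pstdev(profile.keystroke_history) or 1.0
    return abs(attempt.keystroke_ms - mu) / sigma

def risk_score(profile, attempt):
    """Combine the signals into 0..1. Weights are illustrative assumptions."""
    score = 0.0
    if attempt.device_id not in profile.known_devices:
        score += 0.35
    if attempt.country not in profile.usual_countries:
        score += 0.25
    score += 0.40 * min(behaviour_deviation(profile, attempt) / 3.0, 1.0)
    return round(score, 2)

def decide(profile, attempt, challenge_at=0.40, deny_at=0.80):
    """Add friction only when the score warrants it, even if the password is correct."""
    if not attempt.password_ok:
        return "deny"
    score = risk_score(profile, attempt)
    if score >= deny_at:
        return "deny"
    return "challenge" if score >= challenge_at else "allow"

# Constructed sample data
PROFILE = Profile({"dev-a1"}, {"US"}, [180, 190, 200, 210, 220])
USUAL = Attempt(True, "dev-a1", "US", 205)      # familiar device and behaviour
NEW_DEVICE = Attempt(True, "dev-z9", "US", 215) # right password, unfamiliar device
SCRIPTED = Attempt(True, "dev-z9", "RO", 60)    # right password, nothing else matches

if __name__ == "__main__":
    for name, a in [("usual", USUAL), ("new device", NEW_DEVICE), ("scripted", SCRIPTED)]:
        print(name, risk_score(PROFILE, a), decide(PROFILE, a))
```

The second and third attempts both present the correct password; only the surrounding signals separate a silent approval from a challenge or a decline.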
Mastercard refers to this approach as Connected Intelligence and breaks it down into three interconnected categories: approval, security, and customer experience. By leveraging data, Mastercard seeks to increase approvals as much as possible, not just in payment approvals, but also in login attempts. In turn, robust security measures are needed to make sure false declines are decreased while fraudulent behavior is curbed. But the security measures cannot impinge on the customer experience.
This balancing act is the core of Mastercard’s fraud prevention efforts.
“We’re using these three key pillars, and all of the different solutions that we’re building are talking to each other and adding more information so that at every single point, we are protecting the users and we are allowing as much information as possible to make the right decision,” said Szteinhendler.
The future of security authentication
In the near future, Szteinhendler believes that standards will be important in fighting fraud in payment transactions. He mentioned the adoption of EMV 3D Secure, a payment authentication platform, as an example. Additionally, he pointed towards FIDO as another example: FIDO is an alliance that is establishing common standards for biometric authentication.
“So all of these payments standards that protect, secure, and authenticate are emerging and are making the payment transaction and the payment experience better and more secure for the user,” he said.
The long-term future entails a reimagining of digital identity. Szteinhendler believes that “static data and identity, as it exists today, will not serve us in the future.” Instead, he argued that a more holistic conception of identity is needed, one that puts all of someone’s personal data into one, private place owned by that person.
While summarizing these points, Szteinhendler encouraged listeners to read the white paper Mastercard released on the subject.
“I truly think that, as we move forward to the future, this idea of a secure identity that protects us all, but also allows for a better experience will be the way we will be interacting in the next few years,” he said.