It’s no secret that the ongoing pandemic has increased the adoption of electronic payment methods, with consumers–and businesses–eschewing germ-laden cash for seamless, and often contactless, electronic transactions. What’s more, entire cohorts of shoppers, such as senior citizens, that clung to the in-person shopping experience have been forced to navigate websites instead and embrace digital payment methods.
With the holiday shopping season winding down, the sudden and swift shift generated thousands more digital payment transactions per day than even just a few months ago. In other words, the opportunities for fraud are rising exponentially. And the bad actors know it: A single password can unlock multiple avenues to siphon money from bank accounts, initiate fraudulent charges on credit cards, and trick consumers into making a payment to a nonexistent entity.
A favorite approach of those with malevolent intentions is so-called “credential stuffing” attacks, where large caches of stolen account credentials, which are also sold on the Dark Web to other fraudsters, are used to gain unauthorized access to user accounts. Automated at scale on a range of websites and applications, fraudulent log-in attempts are growing rapidly in no small part due to a reported 15 billion stolen user credentials from 100,000 breaches. The exposure could be any of a number of accounts in the online payment process.
Another common path to gaining unauthorized access is by phishing user credentials, sending official-looking emails to hundreds or thousands of recipients with links that, when clicked by the recipient, take the user to a malicious website that tricks the user into providing their username and password. Wells Fargo customers can attest to the success of these kinds of attacks, having fallen victim to one in June 2020.
Increasingly, however, fraudsters are “getting personal,” using the same phishing approach combined with thorough research of victims and targeted, highly professional, personalized communications. Bad actors are increasingly successful in gleaning valuable information and making fraudulent payments or transfers through these “spear phishing” or “vishing” (social engineered voice phishing) attacks. Barracuda Networks reported nearly 500,000 spear phishing attacks across all industries between March 1st and March 23rd of this year alone, as well as a huge spike relating to COVID-19.
So how can the payments industry stem the rising tide of these attacks? And what about the role of the consumer?
The calls for strong, multi-factor authentication (MFA) and a requirement that more types of transactions be authenticated are a good start, but the payments industry must balance user convenience with security obligations.
The first step in achieving that balance is for the payments industry to embrace strong authentication, such as on-device public key cryptography techniques. Such biometric and other possession-based authentication methods are stronger than leaky passwords and other knowledge-based authentication methods because user credentials and biometrics are never shared and never leave the user’s device. Not only does this approach completely eliminate the threat from credential stuffing and socially engineered attacks, but it also removes the responsibility and burden of security from customers’ and employees’ shoulders.
With transactions only verifiable by a named individual using credentials that are impossible to share, sensitive information becomes effectively un-phishable. But embracing the frictionless nature of biometric authentication and security keys is more than just good business practice and fiscal responsibility: It delivers a competitive advantage for any online payments processor that adopts the strategy, giving consumers peace of mind that their money is safe while also eliminating convoluted and confusing processes that get in the way of that safety.
