Various technological advances have reduced the risk of card-not-present fraud, but as we enter a new era of autonomous machines and devices, a new type of risk is emerging, warns Daniel Cohen, director of RSA’s fraud and risk intelligence unit.
“With 3D Secure technology analysing normal buying behaviour, consumers usually do not even have to enter a password when buying goods and services online unless the transaction looks suspicious, but this could create new opportunities for cyber criminals where neither the card nor card holder are present,” he told Computer Weekly.
According to Cohen, the problem of human-not-present fraud is being driven by the trend towards digitisation and could emerge as a big issue as autonomous machines and devices become more prevalent in society.
As machines get more autonomy to make purchases for their owners, it will give rise to new authentication challenges as banks and merchants work to manage this risk.
“For cyber criminals, digitisation means everything is becoming more accessible and, as a result, fraud is becoming easier,” said Cohen. “A growing number of channels are opening up to make it easier for customers to interact with the bank.”
In a relatively short space of time, the world has moved from physical interaction at banks to phone services and, more recently, to banking services online through websites and mobile apps, said Cohen.
“This rapid evolution of banking to become more convenient has had the effect of increasing our interactions with the banks, but this creates challenges in terms of authentication and being able to tell fraudulent and legitimate transactions apart, making it much easier for fraudsters,” he said.
Another factor making it easier for fraudsters is that they have more channels to exploit, which banks are being forced to open to remain relevant in an evolving market.
“This is only going to get more challenging in the future, with regulations such as the revised Payment Service Directive [PSD2] and all the cool stuff that fintechs are doing to use APIs [application programming interfaces] to get direct access into our accounts to provide even more ways to interact with banks,” said Cohen.
“It potentially becomes even more challenging when you consider all these trends in the light of the internet of things [IoT] and how that impacts the financial industry, giving rise to concerns about human-not-present fraud because ‘things’ will be acting on our behalf, which is something we are already seeing, such as shopping orders being placed on Amazon by the Alexa virtual assistant.”
Virtual assistants placing orders
In the not-too-distant future, said Cohen, it is possible that such virtual assistants will be placing orders in anticipation of users’ needs based on things such as monitored conversations in the home and online information about sporting events, for example.
“While digital services are bringing a whole new level of convenience for consumers, security is becoming a lot more challenging for providers of those services as consumers’ identities become attached to more and more devices, moving us further into the era of human-not-present transactions,” he said.
Fortunately, said Cohen, the banks are coming to terms with this new world that is emerging and are adapting their fraud defence and prevention strategies accordingly, based on their overview of the different interactions that are taking place.
“Fraudsters are going across channels to carry out their attacks and banks understand that they can no longer defend a single silo channel, but need to look at all channels to identify connected activities,” he said.
The value of this approach was demonstrated by a case study carried out with a large US financial institution in which Cohen’s team combined call centre data with online banking data for analysis to achieve an increase in fraud detection rates of 2.2% by being able to see the types of attack that were trying to target both channels.
In this way, analysts could see what fraudsters were attempting to do through the call centre and how many times they failed the authentication checks. At the same time, they were risk-profiling the same individuals, enabling them to assess the legitimacy of their web transactions.
“While 2.2% may not sound like much, from a fraud perspective, it meant that the financial institution involved was able to save an additional $500,000 a year on average,” said Cohen, demonstrating that knowledge of behaviour on the telephone channel increased fraud detection rates for the online channel.
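As an added illustration of the cross-channel correlation the case study describes (example code written for this page, not RSA’s or the bank’s system), the following scores each online transaction on its own and then adds an uplift when the same customer recently failed call-centre authentication. The customer ids, events, weights and 24-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events for two channels, keyed by customer id.
CALL_CENTRE_LOG = [
    # (timestamp, customer_id, outcome)
    ("2018-03-05T09:02:00", "C1001", "auth_failed"),
    ("2018-03-05T09:10:00", "C1001", "auth_failed"),
    ("2018-03-05T09:15:00", "C1001", "auth_failed"),
    ("2018-03-05T11:30:00", "C2002", "auth_ok"),
]
ONLINE_LOG = [
    # (timestamp, customer_id, amount, new_payee)
    ("2018-03-05T13:45:00", "C1001", 2400.0, True),   # same profile as C3003...
    ("2018-03-05T14:00:00", "C2002", 60.0, False),
    ("2018-03-06T08:00:00", "C3003", 2400.0, True),   # ...but no call-centre history
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def call_centre_failures(call_log, customer, before, window):
    """Count failed call-centre authentications for `customer` in the
    `window` ending at `before` (the time of the online transaction)."""
    return sum(1 for ts, cid, outcome in call_log
               if cid == customer and outcome == "auth_failed"
               and before - window <= parse_ts(ts) <= before)


def score_online_transaction(txn, call_log, window=timedelta(hours=24)):
    """Single-channel score from the transaction itself, plus a cross-channel
    uplift when the same customer recently failed call-centre authentication.
    Returns (score, reasons); weights are illustrative only."""
    ts, cid, amount, new_payee = txn
    score, reasons = 0, []
    if amount >= 1000:
        score, reasons = score + 30, reasons + ["high_value"]
    if new_payee:
        score, reasons = score + 20, reasons + ["new_payee"]
    failures = call_centre_failures(call_log, cid, parse_ts(ts), window)
    if failures >= 2:
        score, reasons = score + 40, reasons + [f"{failures}_call_centre_auth_failures"]
    return score, reasons


def triage(online_log, call_log, threshold=70):
    """List (customer_id, score, reasons) for transactions that should be
    held for a step-up authentication challenge rather than flow frictionlessly."""
    flagged = []
    for txn in online_log:
        score, reasons = score_online_transaction(txn, call_log)
        if score >= threshold:
            flagged.append((txn[1], score, reasons))
    return flagged
```

Run on the constructed logs, only C1001 is flagged: its online transaction looks identical to C3003’s, and the call-centre failures are what separate the two.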
“That 2.2% is also significant in the context of PSD2, because if you can prove to the regulator that your basis points are low and that you have the right measures in place, you can allow frictionless flows of up to £300 before you need to step in with your authentication challenges.”
In a similar exercise involving a European bank comparing online banking data and pay-by-bank e-commerce transaction data, Cohen’s team was able to achieve a 3% increase in fraud detection rates. “It goes to show that cross-channel knowledge of interactions or behaviours drives total fraud detection rates up,” he said.
Banks have recognised the need to have an omni-channel view of the different interactions and do their fraud risk assessments across the various channels, he said, because not only are cyber fraudsters working across multiple channels, but so are ordinary consumers, starting something on a laptop, continuing it on the phone and perhaps completing it through a virtual assistant while travelling in a car.
“This is true for all consumer-facing businesses that have different channels through which they interact with consumers, and they should follow the banks’ lead and adopt an omni-channel approach to doing their risk profiling and gain from the visibility you have in each of the channels,” said Cohen.
“In enterprise security, we were talking about breaking down channels years ago, and now we are starting to talk about it in the context of fraud, so that fraud assessments are carried out in the light of what is going on across all the available channels of interaction, especially as interactions become increasingly through third parties.”
This means banks will no longer have direct access to customers or their devices and will therefore no longer be able to rely on defence strategies based on recognising trusted customer devices.
“Down the line, we are not going to have access to the device because it will be just some API call or a virtual assistant doing something, so behaviour and continuous authentication is becoming a key element of fraud detection, driven by the need to see as much as possible about customer interactions,” said Cohen. “Fraud detection is now all about comprehensive risk profiling.”