In our most recent CNP post, we discussed how fraudsters have started to shift away from card-present fraud to focus more on card-not-present (CNP) channels[1], in part because of the introduction of EMV. The combination of the difficulty presented by EMV cards and the growth of ecommerce transaction volume has industry experts predicting that CNP fraud will nearly double in the U.S. by 2018[2].
Given this more pronounced threat, new methods and technologies aimed at mitigating CNP fraud are being developed and fine-tuned. As fraudsters become more effective at their trade, so too must we improve the sophistication of our fraud mitigation strategies. It is important to note that there is no silver bullet in this effort. Effective solutions will be multi-layered. Today we share with you some of those methods that even just 5 years ago would have seemed too futuristic to be realistic, but they are now, literally, at our fingertips.
Passwords are out; biometrics are in.
Think about this: Did you ever dream that a phone would fit comfortably in your pocket, that you'd be able to hold it up and take a high-quality photo, or that a wristband could track your activity and heart rate? Or even further, that these devices would track your unique characteristics to validate that you are, in fact, the one using them? Enter the wonderful world of biometrics: technology that measures your physical attributes, like facial features, voice, or even a scan of your iris, to define your unique identity. Biometrics is being hailed as the next big thing in mobile payments for convenience and, most importantly, security. Currently, the most popular and mainstream use of biometrics is your fingerprint to authorize a purchase when used with a virtual wallet, but that is just scratching the surface of what is being developed.
It’s all so eye opening.
Much has been made of the iris scan in recent years. Measuring the unique points in a user’s iris is considered another highly secure way to authenticate identity. Some campuses have even installed iris-scanning cameras to allow students access to buildings. Students put an eye up to a device, wait for the “go ahead,” and the door unlocks to the student center. It is said to be nearly 10 times more accurate than fingerprints since the iris image can’t be “copied, cloned, or stolen.”[3] Too invasive? It doesn’t stop there. Other forms of identification could soon include voice recognition, heartbeat profile, and other physical measurements and attributes that are specific to you.
Selfie Pay and Swiping.
In today’s culture of the self-obsessed photo, it seems only fitting that Mastercard™ and Amazon are looking at a “selfie pay” option to allow customers to use a photo to authenticate identity. All you’ll have to do is hold up your smartphone camera, take a selfie, and blink on command to prove you’re you and not your evil twin. Then buy whatever you want[4].
Facial recognition can also be helpful for brick-and-mortar stores, recording how much time a customer spends in a certain aisle, his or her emotions when making buying decisions, and simple demographics like gender, age, and race. In some applications, cameras and software can recognize specific people and cross-reference with other shopping data, like what you think of packaging and how much time you spend making decisions[5].
Born with the intent to offer superstar marketers an in-depth look at consumer purchasing behavior, behavior analytics are expanding to offer consumer patterns that help verify whether or not the online payer is in fact the person they should be. The complex algorithms look for behavior that deviates from historical data, immediately flag events that seem irregular or suspicious, and send real-time notifications of irregular patterns. The behavioral analytics look at things like how the user holds her phone, how hard she presses the keys, the usual navigation path she takes on the website, which pages she regularly visits, how long she usually spends on each page and how long she typically spends on the entire site, to name a few.
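To make the idea of "deviation from historical data" concrete, here is a small added example (not from any vendor's product) that scores a new session against one user's own history with per-feature z-scores. The feature names, the history and the thresholds are constructed for illustration; the last case shows how a tighter threshold turns a hurried but legitimate session into a false positive.

```python
from statistics import mean, stdev

FEATURES = ("key_pressure", "seconds_per_page", "session_seconds")

# Constructed history of one user's past sessions, one tuple per session.
HISTORY = [
    (0.52, 41, 310), (0.49, 38, 295), (0.55, 45, 330),
    (0.50, 40, 300), (0.47, 36, 280), (0.53, 43, 320),
]

def build_baseline(history):
    """Return (mean, sample standard deviation) for each feature column."""
    return [(mean(col), stdev(col)) for col in zip(*history)]

def deviation_scores(baseline, session):
    """Absolute z-score of each feature in the new session."""
    scores = {}
    for name, (mu, sd), value in zip(FEATURES, baseline, session):
        if sd == 0:
            # No variation in the history: any change at all is maximally unusual.
            scores[name] = 0.0 if value == mu else float("inf")
        else:
            scores[name] = abs(value - mu) / sd
    return scores

def flagged_features(baseline, session, threshold=3.0):
    """Names of features that deviate from the baseline by more than threshold."""
    scores = deviation_scores(baseline, session)
    return sorted(name for name, z in scores.items() if z > threshold)

# Constructed sessions to score.
USUAL = (0.51, 42, 315)       # looks like the account owner
DIFFERENT = (0.80, 12, 60)    # harder key presses, fast and short visit
HURRIED = (0.50, 31, 255)     # the owner, just in a hurry

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for label, session in (("usual", USUAL), ("different", DIFFERENT), ("hurried", HURRIED)):
        print(label, flagged_features(baseline, session),
              flagged_features(baseline, session, threshold=2.0))
```

In practice a flag like this would feed a step-up check (for example a biometric prompt) rather than an outright decline, which limits the cost of a false positive.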
Tokenization replaces card data with a dummy value or numbers that are non-decryptable (i.e., “tokens”). They are unusable by would-be criminals because they have no value outside of a specific merchant or acceptance channel. Because this number is unique and different from usual credit or debit card numbers, your bank can prevent its use on a magnetic stripe card, over the phone, or on websites[6]. Tokenization has become an increasingly important means for card-not-present merchants to protect payment card information from hackers who want to use it to commit fraud[7]. If criminals try getting the card information, all they will find are a bunch of worthless tokens.
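The following added example (illustrative code, not a real token service's API) shows the two properties described above: the token is random rather than an encryption of the card number, and it only resolves for the merchant and channel it was issued to. The class name, merchant identifiers and channel names are assumptions, and the card number is a well-known test value.

```python
import secrets

def luhn_ok(number):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Toy in-memory vault; a real one is a hardened, access-controlled service."""

    def __init__(self):
        self._by_token = {}    # token -> (pan, merchant_id, channel)
        self._by_binding = {}  # (pan, merchant_id, channel) -> token

    def tokenize(self, pan, merchant_id, channel):
        if not (pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        binding = (pan, merchant_id, channel)
        if binding in self._by_binding:
            return self._by_binding[binding]
        while True:
            # Random digits, not an encryption of the card number: nothing to decrypt.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep the last four digits for receipts
            # Reject collisions and anything that could pass as a real card number.
            if token not in self._by_token and not luhn_ok(token):
                break
        self._by_token[token] = binding
        self._by_binding[binding] = token
        return token

    def detokenize(self, token, merchant_id, channel):
        """Return the card number only for the merchant and channel the token was issued to."""
        entry = self._by_token.get(token)
        if entry is None or entry[1:] != (merchant_id, channel):
            return None
        return entry[0]

# Constructed sample: a widely published test card number, not a real account.
SAMPLE_PAN = "4111111111111111"

if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN, "campus-bookstore", "ecommerce")
    print(token, vault.detokenize(token, "campus-bookstore", "ecommerce"))
    print(vault.detokenize(token, "other-merchant", "ecommerce"))
```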
The impact of hi-tech security.
There’s much to think about with security around payment technology. Since personal features represent something you are, rather than something you know, like a password or PIN, biometrics and advanced tracking seem like secure additions to this equation.
But with the rapid development of technology, kinks need to be worked out before these methods are actually compatible with merchant environments (in and out of payments apps). A recent Javelin Strategy & Research study, “Overcoming False Positives,” found that the increased implementation of CNP fraud mitigation strategies has resulted in false positives for 13% of payers. Since payers often do not revisit a merchant after such an occurrence, the estimated loss to merchants for false positives is $118 billion. The actual amount of ecommerce fraud in 2015? $9 billion. This staggering delta between the loss associated with false positives and the amount of CNP fraud, combined with the consumer fear of losing privacy, means that we have some ground to cover before we have an ideal, proven battle plan which incorporates these new approaches.
Visit us next week, when we share what you can do now to help mitigate CNP fraud on your campus.