Antifraud systems keep getting more sophisticated and regulations are evolving with the growth of online payments. But criminals are keeping pace. They are perfecting social engineering schemes that trick consumers into giving up personal data that can then be used to commit fraud.
The number of cybersecurity threats is growing in line with the development of digital businesses and cashless payments. Europol in its recent report (IOCTA 2019, Internet Organised Crime Threat Assessment) states that “data remains a key target, commodity and enabler for cybercrime”. Fraudulent activities and malware are becoming more technologically sophisticated, while a growing number of bad-faith activities involves social-based schemes.
Most criminal actions in the past year were performed through viruses, phishing and social engineering methods in order to gain financial assets and personal payment information, according to top-20 Russian banks. Noticeably, since 2015 fraudulent transactions in mobile applications have grown by 600%, in part because more consumers now prefer to use mobile applications for online banking rather than the traditional web channel.
At Yandex.Checkout we explore cybersecurity trends not only as a payment service provider, but also as a vendor for own antifraud solution used by more than 120,000 merchants from 75 countries. Our FraudDetector was initially introduced in 2018 as an internal system to protect Yandex.Money’s users e-wallets from account takeover. (There are now more than 60 million registered e-wallet users.)
The payment security landscape in the European Economic Area is undergoing a major transformation following the introduction of the revised payment services directive, PSD2.
The same system was then extended to reduce Yandex.Checkout merchants’ financial risks and to maintain payment conversion. FraudDetector is a complex product based on artificial intelligence and machine learning, which detects scams and malware, mitigates abnormal activities and finds new fraudulent patterns.
Psychology or technology?
Today most banks rely on the 3D-secure authentication standard that applies an extra step for verification of the purchase (biometric recognition, password or code). Ubiquitous integration of this solution and further versions of it are yet at the implementation stage in Europe, which provides wider opportunities for committing fraudulent activities. Thus, CNP (card not present) fraud continues to be the main priority within the payments sector, and continues to be a facilitator for other forms of illegal activity. When card information is entered on the website it is hard to say if it is provided by the cardholder with his or her consent—or if it is stolen from the owner.
For example, FraudDetector from Yandex.Checkout automatically analyzes dozens of parameters in order to recognize the owner of an e-wallet or the card:
- Identified device: previously used for payments with this card
- Familiar store: it has already accepted payments with this card
- Replenishment of a recognized mobile phone’s balance: this card has already been used to add money
- Absence of 3D Secure at most popular and high-demand merchants with a respectively low average check
- Replenishment of a linked phone number: this number is linked to this e-wallet
- Transfer to a recognized e-wallet: to own additional account, or to a friend or relative.
Retailers can adjust the kind of authentication required for a particular transaction based on the consumer and the transaction, an approach called “adaptive authorization.” Based on our experience, the number of transactions using adaptive authorization rate has almost doubled since 2016, while authorization via text messages has fallen by almost the same rate. Savings from adaptive authorization have shown a 4-fold growth since 2016. As per segments adaptive authorization in video games accounts has increased to 50% non-3DS payments and up to 90% for payments in retail stores.
According to yStats.com, a Germany-based secondary market research firm specialized in global ecommerce and online payments, in the UK, for example, CNP accounts for more than 50% of total card fraud, and in Asia-Pacific for more than three-quarters. Between 2018 and 2023, online payment fraud losses worldwide are projected to more than double. As a result, consumers are increasingly wary of the safety of their information, with more than two in three respondents in a recent global survey choosing security over convenience as the top factor in their online experience.
However, emerging technologies such as mobile biometrics are expected to help strengthen the security of CNP transactions. Due to the rapid proliferation of mobile devices supporting fingerprint, iris scan and other forms of biometric authentication, the number of in-store and remote payment transactions authenticated with mobile biometrics is projected to surge by 2023.
Illegal acquisition of financial information is financially beneficial for criminals both for resale and for fraudulent spending. For example, in Austria criminals by various means try to obtain credit card information and later add the card to their Apple/Samsung/Google wallets. That gives the fraudster free rein to spend, as the authentication on his phone is based on his face or fingerprint. When these payment methods were introduced in Russia, criminals followed the same steps, along with stealing consumer data by phishing and by stealing authorization tokens used in online transactions.
The payment security landscape in the European Economic Area is undergoing a major transformation following the introduction of the revised payment services directive (PSD2). One of its main provisions requires digital payment transactions to be authenticated by at least two mutually independent verification forms, known as Strong Customer Authentication, or SCA. The authentication forms can be based on knowledge (e.g., password or PIN), possession (e.g., a mobile phone or a wearable device), or a physical feature (e.g., fingerprint scan, face, voice or iris recognition).