The number of cybersecurity threats is growing in line with the development of digital businesses and cashless payments. Europol in its recent report (IOCTA 2019, Internet Organised Crime Threat Assessment) states that “data remains a key target, commodity and enabler for cybercrime”. Fraudulent activities and malware are becoming more technologically sophisticated, while a growing number of bad-faith activities involves social-based schemes.
Most criminal actions in the past year were performed through viruses, phishing and social engineering methods in order to gain financial assets and personal payment information, according to the top 20 Russian banks. Noticeably, since 2015 fraudulent transactions in mobile applications have grown by 600%, in part because more consumers now prefer to use mobile applications for online banking rather than the traditional web channel.
At Yandex.Checkout we explore cybersecurity trends not only as a payment service provider, but also as the vendor of our own antifraud solution, used by more than 120,000 merchants from 75 countries. Our FraudDetector was initially introduced in 2018 as an internal system to protect Yandex.Money users' e-wallets from account takeover. (There are now more than 60 million registered e-wallet users.)
The same system was then extended to reduce Yandex.Checkout merchants’ financial risks and to maintain payment conversion. FraudDetector is a complex product based on artificial intelligence and machine learning, which detects scams and malware, mitigates abnormal activities and finds new fraudulent patterns.
Psychology or technology?
Today most banks rely on the 3D-Secure authentication standard, which adds an extra verification step to the purchase (biometric recognition, password or code). Ubiquitous integration of this solution and its newer versions is still at the implementation stage in Europe, which leaves wider opportunities for committing fraud. Thus, CNP (card not present) fraud continues to be the main priority within the payments sector, and continues to facilitate other forms of illegal activity. When card information is entered on a website, it is hard to tell whether it was provided by the cardholder with his or her consent or stolen from the owner.
For example, FraudDetector from Yandex.Checkout automatically analyzes dozens of parameters in order to recognize the owner of an e-wallet or the card:
- Identified device: previously used for payments with this card
- Familiar store: it has already accepted payments with this card
- Replenishment of a recognized mobile phone’s balance: this card has already been used to add money
- Absence of 3D Secure at popular, high-demand merchants with a correspondingly low average check
- Replenishment of a linked phone number: this number is linked to this e-wallet
- Transfer to a recognized e-wallet: to the user's own additional account, or to a friend or relative.
Retailers can adjust the kind of authentication required for a particular transaction based on the consumer and the transaction, an approach called “adaptive authorization.” Based on our experience, the share of transactions using adaptive authorization has almost doubled since 2016, while authorization via text messages has fallen by almost the same rate. Savings from adaptive authorization have shown a 4-fold growth since 2016. By segment, adaptive authorization has raised the share of non-3DS payments to 50% in video games and up to 90% for payments in retail stores.
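The recognition signals listed above, turned into a small adaptive-authorization decision as an added illustration (this is not FraudDetector's code; the signal names, the `POPULAR_MERCHANTS` list, the `LOW_CHECK_LIMIT` value and the `min_signals` threshold are assumptions made for the example):

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed profile of what the service already knows about a card / e-wallet.
@dataclass
class CardHistory:
    devices: Set[str] = field(default_factory=set)           # devices already used with this card
    merchants: Set[str] = field(default_factory=set)         # stores that already accepted this card
    topped_up_phones: Set[str] = field(default_factory=set)  # phones this card already topped up
    linked_phone: Optional[str] = None                       # number linked to the e-wallet
    known_wallets: Set[str] = field(default_factory=set)     # own or friends' wallets paid before

@dataclass
class Transaction:
    kind: str                          # "purchase", "phone_topup" or "wallet_transfer"
    device_id: str
    merchant_id: Optional[str] = None
    phone: Optional[str] = None
    wallet_id: Optional[str] = None
    amount: float = 0.0

# Assumed values for the "popular merchant with a low average check" signal (hypothetical).
POPULAR_MERCHANTS = {"m-games", "m-grocery"}
LOW_CHECK_LIMIT = 1000.0

def recognition_signals(tx: Transaction, hist: CardHistory) -> List[str]:
    """Return the recognition signals from the list above that match this transaction."""
    signals = []
    if tx.device_id in hist.devices:
        signals.append("identified_device")
    if tx.kind == "purchase":
        if tx.merchant_id in hist.merchants:
            signals.append("familiar_store")
        if tx.merchant_id in POPULAR_MERCHANTS and tx.amount <= LOW_CHECK_LIMIT:
            signals.append("popular_low_check")
    elif tx.kind == "phone_topup":
        if tx.phone in hist.topped_up_phones:
            signals.append("recognized_phone_topup")
        if tx.phone is not None and tx.phone == hist.linked_phone:
            signals.append("linked_phone")
    elif tx.kind == "wallet_transfer" and tx.wallet_id in hist.known_wallets:
        signals.append("recognized_wallet")
    return signals

def decide(tx: Transaction, hist: CardHistory, min_signals: int = 2) -> Tuple[str, List[str]]:
    """Adaptive authorization: skip 3DS only when enough signals recognize the payer, else step up."""
    signals = recognition_signals(tx, hist)
    verdict = "frictionless" if len(signals) >= min_signals else "step_up_3ds"
    return verdict, signals
```

A real deployment would weight the signals and combine them with velocity and device-reputation features rather than counting them, but the structure of the decision is the same.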
According to yStats.com, a Germany-based secondary market research firm specializing in global ecommerce and online payments, in the UK, for example, CNP accounts for more than 50% of total card fraud, and in Asia-Pacific for more than three-quarters. Between 2018 and 2023, online payment fraud losses worldwide are projected to more than double. As a result, consumers are increasingly wary of the safety of their information, with more than two in three respondents in a recent global survey choosing security over convenience as the top factor in their online experience.
However, emerging technologies such as mobile biometrics are expected to help strengthen the security of CNP transactions. Due to the rapid proliferation of mobile devices supporting fingerprint, iris scan and other forms of biometric authentication, the number of in-store and remote payment transactions authenticated with mobile biometrics is projected to surge by 2023.
Furthermore, the introduction of the new security protocol for card transactions, 3D Secure 2 (3DS 2), is intended to mitigate the risk of online payment fraud. In Europe, it is also helping drive compliance with the Strong Customer Authentication (SCA) requirements that entered into force in September 2019, with an extended implementation period until the end of 2020.
According to Russian officials, the number of fraudulent activities performed using social engineering increased by up to 70% in January-September 2019 in comparison to the previous year. Social engineering fraud schemes attempt to overcome security measures (two-factor authentication, for example) and persuade the customer to transfer money or share a confirmation code using psychological tricks and triggers.
The most common consumer transaction fraud types are stolen credentials, geo shifting (in which the criminal hides his real location), carding (testing to see whether a card has been blocked by the legitimate cardholder), and BIN attacks (using a publicly known Bank Identification Number to fill in the first 6 digits of a card number and then testing the remainder of the digits to find a legitimate card). Account takeover attempts rely on social engineering patterns or on malware on computers or mobile devices. Services in all industries face these problems.
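Detection logic for two of the fraud types just described, carding and BIN attacks, run over a constructed authorization log as an added example (not code from Yandex.Checkout; the log rows, the `pan_token` field standing in for the full card number, and the thresholds are all assumptions):

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed authorization log (not real traffic). pan_token stands in for the full card number.
LOG = """ts,source_ip,bin,pan_token,amount,result
100,198.51.100.7,411111,tok-a1,1.00,declined
105,198.51.100.7,411111,tok-a2,1.00,declined
110,198.51.100.7,411111,tok-a3,1.00,declined
115,198.51.100.7,411111,tok-a4,1.00,approved
120,198.51.100.7,411111,tok-a5,1.00,declined
125,198.51.100.7,411111,tok-a6,1.00,declined
130,203.0.113.5,522222,tok-b1,1250.00,approved
400,203.0.113.9,522222,tok-c1,0.50,approved
460,203.0.113.9,522222,tok-c1,0.50,declined
520,203.0.113.9,522222,tok-c1,0.50,declined
"""

def parse_log(text):
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"], r["amount"] = int(r["ts"]), float(r["amount"])
    return rows

def detect_bin_attacks(rows, window=300, min_cards=5, min_decline_rate=0.8):
    """BIN attack: one source trying many distinct cards with the same BIN, mostly declined."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["source_ip"], r["bin"])].append(r)
    alerts = []
    for (ip, b), attempts in groups.items():
        attempts.sort(key=lambda r: r["ts"])
        best, start = 0, 0
        for end in range(len(attempts)):
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1  # slide the window forward
            w = attempts[start:end + 1]
            cards = {r["pan_token"] for r in w}
            decline_rate = sum(r["result"] == "declined" for r in w) / len(w)
            if len(cards) >= min_cards and decline_rate >= min_decline_rate:
                best = max(best, len(cards))
        if best:
            alerts.append((ip, b, best))  # (source, BIN, distinct cards in the worst window)
    return alerts

def detect_carding(rows, max_amount=5.0, min_attempts=3):
    """Carding: a card probed with repeated tiny charges to see whether it still works."""
    probes = Counter(r["pan_token"] for r in rows if r["amount"] <= max_amount)
    return sorted(tok for tok, n in probes.items() if n >= min_attempts)
```

Both detectors key on behaviour rather than on the card number itself, which is why a tokenized PAN is enough input for them.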
European social-based fraud patterns
Illegal acquisition of financial information is financially beneficial for criminals both for resale and for fraudulent spending. For example, in Austria criminals try by various means to obtain credit card information and later add the card to their Apple/Samsung/Google wallets. That gives the fraudster free rein to spend, as the authentication on the phone is then based on his own face or fingerprint. When these payment methods were introduced in Russia, criminals followed the same steps, along with stealing consumer data by phishing and by stealing authorization tokens used in online transactions.
The payment security landscape in the European Economic Area is undergoing a major transformation following the introduction of the revised payment services directive (PSD2). One of its main provisions requires digital payment transactions to be authenticated by at least two mutually independent verification forms, known as Strong Customer Authentication, or SCA. The authentication forms can be based on knowledge (e.g., password or PIN), possession (e.g., a mobile phone or a wearable device), or a physical feature (e.g., fingerprint scan, face, voice or iris recognition).
SCA is aimed at strengthening the security of CNP transactions. However, there is also a concern that additional friction in the payment process could lead to higher transaction abandonment rates. In one 2019 survey, around three-quarters of European consumers were still unaware of SCA, and one in three would cancel their purchase if faced with additional authentication requirements. Merchants, banks and payment providers are currently working on optimizing the authentication process for their customers in order to find the balance between compliance, security and convenience.
The technological infrastructure for non-cash payments is rapidly developing and is increasingly adept at detecting and preventing fraud. But cardholders and customers remain the main target because they possess the information criminals need: text codes, card information, passwords and biometrics. Cybercriminals increasingly leverage social engineering to get the data they need to make money from fraud.
Yandex.Money is a Russian payments-processing firm.