Guarding the Online Channel

If history is any guide, card-not-present fraud will spike now that EMV has officially arrived in the United States. Can a growing array of fraud-prevention technologies stem the tide?

When it comes to plying their deceptive trade, fraudsters exploit the weakest link in the security chain. With the EMV chip card standard having become official for U.S. point-of-sale merchants on Oct. 1, the weakest link for merchants and credit and debit card issuers became the card-not-present transaction.

With EMV, the card and terminal authenticate themselves to each other. But as merchants and issuers in other EMV countries have learned, chip cards are no better than the old magnetic-stripe cards in stopping online and telephone-based fraud, since computers and mobile devices do not come with chip card readers to authenticate the cards.

All a criminal needs to make a fraudulent transaction in the CNP channel is the card number, cardholder name, expiration date and, sometimes, the so-called card-verification value, or CVV2 in industry-speak, which can be obtained from a lost or stolen card or by other means.

With counterfeiting and lost-and-stolen card fraud at the point of sale harder to commit thanks to EMV, everybody is bracing for a boom in CNP fraud.

E-commerce, meanwhile, continues to grow rapidly, which even without EMV portends an increase in fraud losses. Through the first three quarters of 2015, seasonally adjusted e-commerce sales totaled $252 billion, up 13.2% from $222.6 billion through the same period in 2014, according to the U.S. Department of Commerce’s Census Bureau.

“In other markets around the world where EMV has rolled out, CNP fraud has spiked and the same thing is expected to happen in the U.S, especially in the high-growth channel of e-commerce,” says Al Pascual, director of fraud and security for Pleasanton, Calif.-based Javelin Strategy & Research. “As e-commerce sales grow, fraud will follow.”

No Friction

The prospect of CNP fraud rocketing as EMV continues to roll out in the U.S. is a frightening thought for merchants, because e-commerce fraud losses in North America have held steady at 0.9% of sales in recent years, according to Mountain View, Calif-based CyberSource, a Visa Inc. company. The lone exception was in 2011 when fraud totaled 1% of online sales.

To fend off the sharks, payments experts say merchants will need to deploy an array of potent new fraud-detection technologies, as well as solutions that don’t rely on draconian measures that mistakenly reject a substantial number of legitimate purchases.

The latter is critical since false positives cost merchants sales and can damage their brands. False positives also cost issuers interchange revenue. According to CyberSource, of the 53% of merchants surveyed for its 2014-2015 Online Fraud Management Benchmark Study that tracked order-rejection rates, more than 70% believed that up to 10% of rejected orders were valid.

Nor do merchants and issuers want to push consumers away by requiring them to jump through so many authentication hoops at checkout that they abandon their electronic shopping carts.

“U.S. consumers won’t go for fraud-prevention and consumer-authentication solutions that create friction at the point of sale, which was one of the complaints about 3-D Secure,” says Julie Conroy, research director of retail banking and payments for Boston-based Aite Group LLC.

Conroy predicts U.S. CNP fraud will hit $6.4 billion by 2018, more than double the estimated $3.1 billion in 2015 (“Repelling the Card-Not-Present Fraud Assault,” November, 2015).

3-D Not-So-Secure

3-D Secure systems, which are branded as Visa’s Verified by Visa, MasterCard Inc.’s SecureCode, and American Express Co.’s SafeKey, are one of the older weapons for fighting CNP fraud, and they can be effective. They prompt cardholders to enter a secret code in a pop-up window when checking out from a retailer’s Web site.

The rap on 3-D Secure is that many consumers balk at the request for the additional information, as well as requests to enroll in the service at checkout if they haven’t already. The high abandonment rate has prompted many merchants not to offer it.

“3-D Secure has a number of issues that will need to be overcome to make it a viable tool,” says Skip Foss, deputy chief of intelligence operations at San Mateo, Calif.-based Norse Corp., a provider of live cybersecurity attack information, by email.

“In the online environment, the requirement for 3-D Secure to interact with the customer via a pop-up window is currently used, and this is generally outsourced to a third-party by the card issuer,” Foss continues. “This creates a customer issue of trying to decide if the session could be a phishing attack. In addition, there are multiple methods available to hackers to insert themselves in the authentication chain to overtake the process, including capturing of card data, authentication data, and consumer information.”

For reasons like these, while 3-D Secure is popular in other parts of the world, American merchants generally have been reluctant to use it.

“The merchants we’ve signed up have not embraced 3-D Secure because the overwhelming perception is that it disrupts a sale,” says Jason Field, founder and chief executive of Instabill.com, a Portsmouth, N.H.-based online processor. “That perception needs to change and merchants need to be more educated about 3-D Secure, especially with 3-D Secure 2.0 coming in 2016.”

To make 3-D Secure more palatable to U.S. consumers and merchants, EMVCo, the standards body that manages the EMV specification for chip-based payment cards and acceptance devices, is developing 3-D Secure 2.0. EMVCo is owned by card networks Visa, MasterCard, Discover Financial Services, JCB, American Express, and UnionPay.

While details on how EMVCo will enhance 3-D Secure have not been formally announced, Daniel Almenara, vice president of authentication and decision infrastructure solutions for Riverwoods, Ill.-based Discover, says via email that the new version will include the following enhancements: All customers of participating issuing banks will be automatically registered; a new risk engine that challenges only high-risk devices; and a one-time-password to be sent to the customer’s preferred channel (voice, text, or email) so the transaction can be completed.

Replacing Passwords

Despite these changes, some payments experts argue 3-D Secure is only one piece of the CNP fraud-prevention puzzle. They say merchants and issuers will embrace other technologies, including biometrics and behavioral analytics, as part of a multilayered approach to security.

When it comes to mobile commerce, which Internet research firm comScore Inc. predicted would account for 17% of e-commerce sales for the 2015 holiday season, the use of biometrics to authenticate buyers is a logical choice.

Biometric-enabled mobile devices have been available in other parts of the world for the past decade and are making their way to the U.S. In addition to including fingerprint scanners, mobile-phone manufacturers such as Apple Inc. and Samsung Electronics Co. Ltd. are beginning to include voice-recognition technology in their devices.

“One of the advantages of biometric authentication is that it eliminates passwords,” says Mark Poidomani, founder and chief technology officer for SurePassID, a Winter Garden, Fla.-based provider of identity, cloud, and mobile-security solutions. “Even if a consumer’s credit card account data are stolen, criminals can’t fake a biometric authentication. Plus, doing away with passwords eliminates the need for consumers to remember all their passwords.”

San Jose, Calif.-based PayPal Holdings Inc., for example, offers accountholders the option of biometric authentication at checkout. When a PayPal user with a Samsung Galaxy S5 phone links her fingerprint to her PayPal account, for example, she can scan her finger on the device when checking out on any m-commerce site that accepts PayPal.

As the consumer scans her fingerprint, the system generates a unique number based on three identifying factors—the fingerprint, the device, and an encryption key from PayPal. The unique number is stored in a secure area on the mobile device and presented to PayPal each time the user swipes her finger during checkout. The fingerprint remains on the device and no biometric data are transmitted during a transaction.

“Leveraging the biometric capabilities of mobile devices is definitely an area with great promise in the fraud fight,” TJ Horan, vice president of product management and fraud solutions for San Jose-based risk-assessment firm Fair Isaac Corp., says by email. “The key is going to be standardization and acceptance of those methods to ensure larger adoption.”

Easier Authentication

One organization attempting to bring standardization to biometric authentication is the Fast IDentity Online (FIDO) Alliance, a consortium created to develop an open set of technical specifications that reduce the reliance on passwords. FIDO Alliance members include the leading card networks, PayPal, Google, Microsoft, Salesforce.com, Lenovo, BlackBerry, and others.

“Our mission is to replace user names and passwords with more secure forms of authentication that recognize the owner of the device and the device itself,” says FIDO Alliance secretary Philip Andreae, who is a North American marketing executive for France-based chip card maker and digital security technology provider Oberthur Technologies.

SurePassID has adopted the FIDO user authentication standard for its mobile-payments security services. When a consumer using a mobile device with built-in biometric authentication software logs onto a merchant’s app or mobile Web site for the first time, she is asked to register the device.

Next, she is prompted to place her index finger to the device’s screen. The app or Web site interacts with biometric software in the mobile device to capture the fingerprint and store it in a secure environment. Each time the consumer accesses the app or Web site to make a transaction, she is prompted to present her fingerprint for authentication.

Other forms of biometric authentication that can be leveraged on mobile devices using the FIDO specifications include voice and facial recognition. A voice print can be captured by asking a consumer to speak her name into a mobile device’s microphone. Facial recognition can be captured by asking the consumer to snap a selfie using the phone’s camera.

“The FIDO model makes stronger authentication easier for the consumer,” Poidomani says.

‘The Right Balance’

Although biometrics provides merchants with a higher level of certainty that the buyer is the person he claims to be, the technology still requires consumers to perform an additional task at checkout, and that can still disrupt the transaction, some payments experts argue.

One alternative for removing friction is to give retailers visibility into credit card issuers’ authentication procedures and how those procedures can affect consumer behavior.

For example, the Consumer Authentication service from Mentor, Ohio-based CardinalCommerce Corp., a provider of fraud-control and e-commerce payment systems, allows merchants to determine which transactions to approve or deny, which transactions require more verification, and which transactions can be authenticated without any fraud screening, based on the potential risk.

As a consumer makes a purchase through a client merchant’s Web site, Cardinal gathers data around the transaction that issuers typically don’t see when receiving an authorization request from a merchant. This information can include the Internet Protocol (IP) address of the user’s device, whether the merchandise is frequently bought by criminals, and whether the customer is a repeat buyer.

Cardinal passes this information to the card issuer separately from the request for authorization to provide a more complete picture of the risk.

CardinalCommerce chief executive Mike Keresman sees the service as a way to authenticate as many transactions as possible while keeping fraud screening non-intrusive for the consumer.

“Our approach to consumer authentication is to create the highest possible authorization yield without compromising fraud-prevention security and creating friction that can cause consumers to abandon the transaction,” he says.

Giving issuers more data when an authorization is requested helps them to spot transactions outside a cardholder’s normal range of activity, which is one indication of potential fraud.

As with 3-D Secure, authenticating a consumer with Cardinal’s authentication service shifts the liability for a chargeback from the retailer to the bank if the bank says it recognizes the consumer prior to authorizing the transaction, according to Keresman.

The service also gives merchants insight into the level of friction the consumer may experience during authentication, Keresman says. Merchants have the option of whether to proceed with authentication on potentially high-risk transactions even if there is a chance the consumer may abandon her shopping cart.

“Merchants tend to know what transactions are low-risk and which ones are high-risk, so helping them understand if the authentication process can cause cart abandonment helps them to find the right balance for when to use consumer authentication and when not to,” says Keresman.

A Figurative Red Flag

With criminals continually advancing the methods they use to perpetrate fraud, payments experts recommend that merchants and issuers use behavioral analytics in conjunction with fraud-detection technologies such as biometrics and cardholder authentication.

Behavioral analytics, which is popular with marketers because it provides insights into creating personalized shopping experiences, helps detect fraud by monitoring consumer behavior on a Web site to detect suspicious and unusual activities.

A merchant can compare real-time customer behavioral data to what it considers normal behavior patterns, as well as other patterns known to indicate fraud. Other variables weighed include site and page navigation and how quickly the consumer clicks through the Web site.

These insights give merchants and issuers a deeper understanding of transaction risk. For example, a shopper visiting a jewelry site who immediately clicks on Rolex watches and selects the most expensive item may be waving a figurative red flag about a potential high-risk sale.

The technology also is considered extremely useful for evaluating the risk of consumers who have not created an account with the merchant and are shopping as a guest, or are using a device the merchant does not recognize.

One benefit of requiring customers to open an account is that the account is password-protected, which helps to authenticate the customer each time she shops. Many consumers, however, choose not open an account, especially if they do not expect to be a regular customer of the merchant, payment experts say.

“Criminals tend to act differently than a typical consumer, which is why behavioral analytics is helpful in detecting fraud,” says Markus Bergthaler, global director of programs and marketing for the Merchant Risk Council, a Seattle-based trade group of merchants concerned with online fraud.

One behavior pattern exhibited by criminals is the rapid filling out of data fields at checkout, which can be an indication that the purported shopper actually is a software application programmed to perform the task as quickly as possible.

“Most consumers take the time to read through the data fields at checkout,” Bergthaler says. “Any online merchant that offers guest checkout should be looking into behavioral analytics.”

Issuers, meanwhile, can use behavioral analytics to spot anomalies in cardholder behavior that indicate fraud. Behavioral profiling can help issuers reduce false positives between 40% and 60%, says Seth Ruden, senior fraud consultant for Naples, Fla.-based ACI Worldwide Inc., a provider of electronic banking and payment software and services.

Seamless And Secure

With the experience of the United Kingdom, Canada, and other EMV countries showing that criminals swarm to the CNP channel once EMV makes point-of-sale fraud harder to commit, U.S. e-commerce merchants and issuers can still take some comfort. Doing business in the last major country to roll out EMV means that the number and quality of fraud-prevention technologies is far better than what was available when EMV began rolling out in the U.K. more than a decade ago.

“One of the benefits of being a late adopter of EMV is seeing the lessons learned from other markets, which has helped evolve fraud-detection technology and made it stronger,” says Jeremy King, international director for the Wakefield, Mass.-based PCI Security Standards Council.

“Today,” he continues, “there is a broader discussion within the payments industry about how best to take a holistic, layered approach to fraud prevention that is seamless to consumers and secures the transaction.”

 

Updating the CVV

The three-digit value on the back of a Visa or MasterCard card is a key piece of information fraudsters need to deceive merchants and issuers. One drawback to these so-called CVV2 codes, however, is that they are static, which means that if the information is stolen, a fraudster could pass for the real cardholder.

To remedy the problem, card manufacturers Oberthur Technologies and Gemalto NV have developed dynamic CVV2 codes, which use computer chips powered by a micro-battery in a card to randomly change the code about once every 20 to 60 minutes. The code is displayed on a tiny LCD screen on the back of the card.

Frequently changing the CVV2 code makes it a temporary password that limits the number of fraudulent transactions a criminal could make using someone else’s card data.

“The technology does not interfere with the checkout process, and merchants don’t have to modify their Web site to accept the dynamic codes,” says Philip Andreae, vice president of North American field marketing for smart card maker Oberthur Technologies.

Each time a consumer makes a purchase with an Oberthur-produced dynamic CVV card, the issuer contacts Oberthur during authorization to validate the code.

One drawback is that dynamic CVV2 cards can cost several times more than conventional EMV cards, which can go for about $2 apiece in bulk. Oberthur expects prices for dynamic CVV2 cards, which are being tested in the U.S., to drop as low as $5 per card in bulk once the technology rolls out.

Meanwhile, Fort Lauderdale, Fla.-based Tender Armor LLC has developed CvvPlus, a daily CVV2 code made available to cardholders in real-time via text message, email, or online. Rather than issue new cards, financial institutions can enroll cardholders in the service, which is compatible with any existing credit or debit card. When the cardholder makes an online purchase, she enters her card number and the latest CVV code.

“The CVV code tables, which are updated daily, reside behind the issuer’s firewall so the issuer does not have to contact us at the time of authorization to validate the code,” says Madeline Aufseeser, chief executive and founder of Tender Armor. “It also allows the issuer to maintain complete control over CVV validation.”