Payments fraud was already rising, and now experts predict increased online usage brought on by stay-at-home orders will only exacerbate the trend. While losses haven’t shown up yet, e-commerce activity taking place now is sowing the seeds of a dramatic jump in coming months. “Fraud is always a trailing activity,” notes David Mattei, a senior analyst at the Aite Group, a Boston-based consultancy.
One client, a financial institution, has already flipped its fraud-loss forecast for the year from an 8% drop to an increase ranging from 10% to 15%, Mattei says. “Other financial institutions shared the same sentiment,” he says. In some cases, “they’re already starting to see an uptick,” he adds.
Faked applications online for credit cards and personal loans are swelling in volume, too. Mattei says one institution is seeing a 5% rate of such applications, compared to an historic rate of 1.5% to 1.8%.
One tactic Mattei is watching is so-called human farming, in which criminals hire humans to use stolen credentials to break into existing accounts or to create fake accounts. Fraudsters have been relying on bits of code, called bots, to do this work, but are now finding human activity is often harder to detect. In terms of hits per day, Mattei says one fraud-measurement firm saw human-farming activity rise approximately 70% from late February to late March.
Organizations are starting to respond. The Accredited Standards Committee X9 Inc. on Tuesday said it has updated one online-authentication standard and issued a new one in response to fraud attacks since the onset of the Covid-19 restrictions. “These standards address improved security for the increasing number of online transactions, such as those being made during coronavirus stay-at-home orders,” the Annapolis, Md.-based organization says in a news release.
The new standard, X9.122-2020, “Secure Consumer Authentication for Internet Payments,” sets requirements for authenticating online transactions. “Although there are methods in use for authenticating Internet transactions, including dynamic floating PINs, one-time passwords and authenticating the cardholder via financial institutions’ online banking sites, there had previously been no standards for Internet-based consumer authentication of the increasing number of these transactions,” the organization says in a press release.
The update, X9.117-2020, “Mutual Authentication for Secure Remote Access,” creates what X9 calls an “authentication framework” for PINs, user IDs, passwords, and other authentication methods to allow financial institutions to conclude they are dealing with authorized users rather than fraudsters.
While X9 positions the standards as helpful in addressing fraud during the pandemic, Mattei stresses they have been in development for some time. “This group does great work to bring security standardization to the industry,” he says, but adds,” It will take some time for these specifications to make their way into commercial solutions.”
In the meantime, vendors of online authentication technology are starting to respond with fee relief. Melville, N.Y.-based Intellicheck Inc. said Tuesday it is offering its Retail ID Web service free of charge for 90 days to banks, card issuers, payments providers, and retailers. The service helps authenticate users’ identities.