Voice of the Industry

Bypassing strong authentication: expected fraud workarounds after SCA

Wednesday 15 January 2020 08:45 CET | Author Anda Kania | Voice of the industry

Fraud Prevention and Online Authentication Report 2019/2020

The main goal of Strong Customer Authentication (SCA) is to make online payments more secure; however, there is also a blind side to this. Mari-Anne Bayliss from CyberSource presents the risks caused by fraudsters turning their attention to out-of-scope transactions.

Strong customer authentication (SCA) has understandably been a major priority for the payment industry. While everyone focuses on compliance and on minimising the impact on customer experience, it’s easy to forget that SCA will also have an impact on fraud - and merchants should be ready for it.

We’ve seen it before: changes in purchasing and payment processes lead to shifts in fraud patterns. The introduction of chip-and-PIN technology drove fraud to the ecommerce channel. Before ecommerce became an influencing factor in creating the online fraud industry, fraudsters had habitually exploited the MOTO (mail order/telephone order) channel. With SCA due to provide additional security for ecommerce in the European Economic Area (EEA), it’s highly likely that we’ll see changes in fraudulent behaviour.

Savvy merchants are already asking us what to expect, so they can be prepared. We can’t know for sure what innovative fraud developments may emerge in a post-SCA world, but we do know that fraudsters will want to exploit gaps in SCA coverage. Therefore, we can make some educated predictions, based on past experience and the details of SCA, to help block fraudsters’ attempts. Here are three things we anticipate merchants should look out for.

1. One-leg-out transactions

One-leg-out transactions - where either the issuer or acquirer is located outside the EEA - are out of scope of SCA. There are two ways fraudsters may take advantage of this.

Firstly, they can try to use non-EEA card details, such as those of American cards, when targeting EEA merchants. If you experience an unexpected rise in non-European customers, treat it with appropriate caution.

Secondly, fraudsters can target non-EEA ecommerce sites with EEA card details. If you’re a global merchant with multiple country-specific websites and local acquirers, you may see fraudsters starting to target your non-European sites more often.

From a fraud management perspective, make sure the business has a cross-geographic view of what’s happening, especially if you have different teams managing fraud in different regions. It’s not just your EEA teams that need to be aware of what SCA might mean for fraud management.

2. Call-centre fraud

The MOTO channel is also out of scope of SCA, so we can expect fraudsters to dust off their pre-ecommerce tactics for impersonating genuine customers over the phone — not to mention coming up with creative new techniques.

As merchants have discovered with the growth of mobile fraud, different channels call for different fraud management tactics, even if many of the tools used are the same. We know that the fraud teams of many of our customers are already paying specific attention to their call centres, so that they’re ready to respond if this shift happens.

Bear in mind that it’s not only fraudsters that may migrate to the phone. Some genuine customers may be unfamiliar with new authentication methods and may decide to pick up the phone instead.


Our advice to any merchant not already monitoring fraud in their MOTO channel is to start doing so. Train your call-centre staff on what to expect and how to deal with it. Consider implementing additional authentication techniques, such as voice screening or out-of-band authentication via one-time password. And think about what else you might need to change if there’s a marked shift towards this channel. Do you need to deploy more call-centre staff? Are currently outsourced call-centre activities able to adapt to new fraud management demands?
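The monitoring described in sections 1 and 2 can be sketched as follows. This is an added example, not code from CyberSource or the article: it labels each transaction by its relation to SCA coverage and flags sites where the one-leg-out or MOTO share of volume rises week over week. The field names, the abbreviated EEA set, the 10-point threshold and the sample data are all assumptions constructed for illustration.

```python
from collections import Counter

# Assumption: abbreviated EEA sample for the demo; load the full, current list in practice.
EEA_SAMPLE = frozenset({"DE", "FR", "NL", "ES", "IT", "NO"})
WATCHED = ("one_leg_out", "moto")  # the out-of-scope routes the article highlights

def sca_scope(txn, eea=EEA_SAMPLE):
    """Label a transaction by its relation to SCA coverage."""
    if txn["channel"] == "moto":
        return "moto"
    legs_in = (txn["issuer"] in eea) + (txn["acquirer"] in eea)
    return {2: "in_scope", 1: "one_leg_out", 0: "outside_eea"}[legs_in]

def scope_shares(txns, eea=EEA_SAMPLE):
    """Map (site, week, scope) -> share of that site's transactions in that week."""
    totals, by_scope = Counter(), Counter()
    for t in txns:
        totals[(t["site"], t["week"])] += 1
        by_scope[(t["site"], t["week"], sca_scope(t, eea))] += 1
    return {k: n / totals[k[:2]] for k, n in by_scope.items()}

def flag_shifts(txns, baseline, current, min_rise=0.10, eea=EEA_SAMPLE):
    """List (site, scope, before, now) where a watched scope's share rose by >= min_rise."""
    shares = scope_shares(txns, eea)
    alerts = []
    for site in sorted({t["site"] for t in txns}):  # every site, for a cross-geographic view
        for scope in WATCHED:
            before = shares.get((site, baseline, scope), 0.0)
            now = shares.get((site, current, scope), 0.0)
            if now - before >= min_rise:
                alerts.append((site, scope, round(before, 2), round(now, 2)))
    return alerts

def _rows(site, week, channel, issuer, acquirer, n):
    return [dict(site=site, week=week, channel=channel, issuer=issuer, acquirer=acquirer)] * n

# Constructed sample: an EEA storefront and a US storefront over two weeks.
SAMPLE = (
    _rows("eu-shop", 1, "ecom", "DE", "DE", 90) + _rows("eu-shop", 1, "ecom", "US", "DE", 5)
    + _rows("eu-shop", 1, "moto", "DE", "DE", 5)
    + _rows("eu-shop", 2, "ecom", "DE", "DE", 70) + _rows("eu-shop", 2, "ecom", "US", "DE", 20)
    + _rows("eu-shop", 2, "moto", "DE", "DE", 10)
    + _rows("us-shop", 1, "ecom", "US", "US", 95) + _rows("us-shop", 1, "ecom", "DE", "US", 5)
    + _rows("us-shop", 2, "ecom", "US", "US", 80) + _rows("us-shop", 2, "ecom", "DE", "US", 20)
)

if __name__ == "__main__":
    for alert in flag_shifts(SAMPLE, baseline=1, current=2):
        print(alert)
```

Both storefronts are flagged for one-leg-out growth in the sample, while the smaller MOTO rise on the EEA site stays under the threshold; a rise in MOTO share may also reflect genuine customers moving to the phone, so an alert is a prompt for review rather than a verdict.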

3. More sophisticated impersonation

The arms race between the payment security industry and the fraud industry is not new, and if there’s one thing we can be sure of, it’s that fraudsters will bring the necessary effort and inventiveness to the job. If they cannot sidestep SCA entirely, we can expect them to work on more sophisticated ways to impersonate genuine customers, including account takeover and synthetic identity theft (the combination of real and fake information to create a new identity).

Fraudsters are also usually quick to leverage mechanisms that offer more convenient experiences to customers. Off the back of more sophisticated impersonation, fraudsters may also try to take advantage of the SCA exemptions.

What does this mean for fraud management?

Any time we make fraudsters work harder, we’re doing a good job — and SCA will certainly make fraudsters work harder. But as long as we also want to make life easier for customers, there’s an inevitable balancing act between maximising fraud prevention and minimising customer friction.

This means that, more than ever, fraud management teams need to move beyond ‘blunt’ fraud prevention approaches and basic tools. Balanced fraud management is usually cross-enterprise (not siloed per channel or geography), while also appropriately tailored to each channel and geography. It uses techniques to identify genuine customers alongside techniques to identify fraudsters. And it evolves to exploit new technologies for distinguishing between genuine and fraudulent transactions, such as machine learning, device fingerprinting, and a wider range of data services.

One thing is certain: while SCA is a great addition to ecommerce security, it’s not a silver bullet. In the post-SCA world, merchants will have new challenges to overcome if they want to continue to protect their customers, their brand, and their business against fraud.

About Mari-Anne Bayliss

Since joining CyberSource in 2017, Mari-Anne has primarily focused on solutions to support merchant compliance and smooth customer experiences under PSD2 SCA. She brings to the job 18 years of experience merchant-side, including 11 years in a fraud prevention role.



About CyberSource

CyberSource is a global, modular payment management platform built on secure Visa infrastructure, with the insights of a USD 427 billion global processing network. It helps businesses enhance their customer experience, grow revenue, and mitigate risk. For more information, visit cybersource.com


Keywords: CyberSource, SCA, fraud management, ecommerce, one-leg-out transactions
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: World