Card-Not-Present fraud: are you even aware of your options to combat CNP fraud?

Card-Not-Present Fraud is growing rapidly, with a jump of 40% in 2016 (according to the 2017 Identity Fraud: Securing the Connected Life) compared to the year before and now making up 81% of all Fraud cases in 2017 (2018 Identity Fraud: Fraud Enters a New Era of Complexity). Account Takeover Fraud (ATO) and New Account Fraud (NAF) are standing out as these types of fraud are rising the fastest. In 2017 ATO Fraud tripled to a four-year high.

Why is this happening?

Commerce and business are moving online and so is the share of Card-Not-Present transactions. Additionally, the migration to the EMV standard for Card Present transactions, the adoption of incorporated chip technology in payment cards, has substantially reduced fraud at the point-of-sale (PoS). As an indirect consequence, the incidence of fraud has increased for virtual card purchases, better known as card-not-present transactions. CNP transactions include mail order and telephone transactions, but the vast majority are online transactions. The challenge with CNP transactions is that transactions cannot be authenticated using the same processes used at the physical POS. Therefore, CNP transactions require an alternative approach to authenticate the cardholder.

Fuelling this is the explosive growth in number of high profile data breaches like Yahoo and Equifax making this the perfect storm for CNP Fraud. A data breach exposing PII (Personal Identifiable Information) makes millions of people vulnerable to identity fraud through the illicit use of their data by fraudsters. Stolen personal identifiable information is used for credential stuffing with online bots, to test the stolen login credentials on multiple sites.

When a transaction is deemed fraudulent it becomes a problem for the merchant as it is the merchant’s responsibility to refund the customer. Given the rapid growth and impact of CNP fraud it is no wonder the payment industry is worried about these developments.

What can merchants do to protect themselves against CNP Fraud?

The default response to this is to point to 3DSecure, the EMVCo standard for strong customer authentication. The advantage of 3DSecure is the SCA and shift in liability to the issuer, but it can come at a high cost as it is claimed to reduce conversion. What merchants are often not aware of, are the various alternative solutions available to them to mitigate CNP Fraud. Without being exhaustive, we have listed some of the options.

Use of Strong Customer Authentication (SCA)

There is a wide range of vendors offering alternative technical solutions for SCA. Strong Customer Authentication, consists of a minimum of two different means of authentication, either something you have (Possession), something you know (Knowledge) or something you are or do (Inherence). Authentication is considered strong if at least two factors are needed to authenticate. Although merchants and users have been hesitant in adopting this due to conversion and convenience considerations, the adoption is now rising as awareness is increasing. In addition, the PSD2 Regulatory Technical Standards also require SCA, in addition to presenting an extra element (i.e. unique authentication code) for all CNP Transactions.

Real-time adaptive fraud detection

In addition to SCA, having an adaptive fraud scoring engine is needed to effectively detect and reject fraudulent transactions. Fraudulent or suspicious activities could be identified based on as much as the amount and the characteristics of the account or even on additional context information available about the transaction. Online (Card-Not-Present situations) the context information of the transaction provides important insights. Examples of context data are IP addresses, geographic location, device information, OS, OS Language, etc. Analysing these indicators can often reveal surprising similarities between transactions. For example, transactions which seem independent can be linked using a combination of indicators like the same postcode, OS and same OS language. This enables linking seemingly separate transactions to a single fraudster which would otherwise have gone unnoticed.

Behavioural recognition with Machine Learning

An additional step is applying Machine Learning to detect anomalous behaviour. Applying ML enables quicker detection of suspicious behaviour. Where it might take years for a team of highly skilled fraud analysts to design relevant rules to detect fraud, ML can do this in a fraction of the time. However, this does require a training to teach the ML what actual legitimate and fraudulent transactions are.

Intelligence and customer awareness

Customers are becoming more aware of data breaches as the incidents are in the news almost daily, and it is harder for them to know whether their account information is compromised or if someone is attempting to break into an account. Large technology companies are already fighting this by notifying users when a login was an attempt on their account, including the context of the login attempt (geolocation, information about the operating system, time, etc.). However, most websites and services do not yet offer this service.

Fortunately, there are platforms where you can find out if your credentials have been compromised. SpyCloud is a good example where one can check whether their login credentials have been compromised. The platform also offers a service to notify you if this would happen in the future.

Sharing of information

Another factor most researches agree on is the need for collaboration within the industry. Sharing modus operandi (MO) and information about fraudsters is an effective way to combat CNP Fraud. Although this is already happening in some regions, there are large variations to how much information is shared and how.

Although these are all good mitigating measures, the most effective approach is the combination of the above. Robust security is a layered approach suitable to the organization. The best approach is to combine these layers of security and ensure there is synergy in these efforts. This also means the payment industry needs to be cognizant of the options available.

About Jelger Groenland
Jelger Groenland MSc CISSP is Cybersecurity Lead at INNOPAY advising c-level on cybersecurity topics. INNOPAY is an international consultancy firm specialised in digital transactions.

About INNOPAY

INNOPAY is an independent consulting company, specialised in online payments, digital identity and e-business. We help our clients, including financial institutions, governments and corporates, to develop the compelling strategies and digital services for consumers and companies that are key for successful competition in a rapidly digitising world.