The customer journey, the evolution of identity, Strong Customer Authentication (SCA) readiness, reducing fraud across ecommerce, banking and media, and how to collaborate better are some of the most interesting themes emerging from the merchant and financial services communities, and they are reflected in industry-specific events and the ongoing conversation around them.
On 24-25 June, The Paypers had the privilege of taking part in the Digital Identity Summit 2019, organised by ThreatMetrix and LexisNexis Risk Solutions in London. The event stressed that cybercrime is a real fact, not a hot story that we sometimes see at the cinema, and that cybercriminals, via bots or in human-initiated attacks, are gaining access to bank accounts and making fraudulent transactions. However, the focus was also on concepts such as shared intelligence, as a crucial tool to fight organised criminal networks, and on people and organisations getting better at what they do, learning from their peers, and evolving together with the industry.
The context – Cyberwar is the new normal - David G. W. Birch
During the Digital Identity Summit 2019, Rebekah Moody, Market Planning Director at ThreatMetrix, revealed key findings of the ThreatMetrix Q1 2019 EMEA Cybercrime Report. The new edition is based on cybercrime attacks detected by the ThreatMetrix Digital Identity Network from January to March 2019, during real-time analysis of consumer interactions across the online journey, from new account creations to logins and payments.
During Q1 2019, the cybersecurity company processed over 3.1 billion transactions in EMEA, with 71% originating from a mobile device, one of the highest figures of all regions, compared to 55% globally. According to the report, this is one of the key factors driving a lower overall attack rate in the region, since mobile devices are inherently safer than desktops. For instance, mobile transactions in EMEA are attacked at a rate of 0.7%, while desktop transactions are attacked at a rate of 3.8%. Nevertheless, fraudsters have also shifted their attention to the mobile channel. For instance, attacks on new account creations from the mobile channel in media (including social networks, content streaming, gambling, gaming and online dating sites) have increased by 41% year-on-year in EMEA.
In terms of regions, the UK and Germany are the top two cybercrime attackers by volume in EMEA. Close behind are Ireland, France and Italy, indicating that a booming digital economy often goes hand in hand with a significant cybercrime industry. Still, the top ten attack originators also include Poland and Ukraine, suggesting that emerging economies are increasingly making their mark on the cybercrime world stage.
72 days left till PSD2’s SCA comes into effect
The cybercrime landscape continues to be shaped by evolving consumer behaviour, economic growth, technological development, digital identity schemes, faster payments, fintech and, especially in EMEA, by huge regulatory reforms such as GDPR, PSD2 and open banking.
By now, every payments-related event has SCA readiness at the top of its agenda, along with the way regulation is helping (or impeding) businesses. In Europe, for instance, we currently have, on the one hand, PSD2 mandating that financial services organisations perform rigorous identity authentication and verification of customers accessing account services and making payments. On the other, we have the open banking initiative, which drives a tension between security and streamlined access to online goods and services.
Regarding SCA, not many merchants are aware of the regulation, according to European payments community Vendorcom: almost 10% of merchants in the UK, and less than 5% in Germany. Those that are aware are mostly big retailers, big hotel chains, transportation companies and top mobile network operators.
As a result, ecommerce is viewed as being under great threat, with GBP 45 billion in losses for the UK and over EUR 160 billion in the EU/EEA economies. Other concerns raised were an increased lack of ecommerce interoperability after September 2019 for big retailers such as Amazon and decimated intercountry ecommerce growth, which might create an uncompetitive environment for businesses.
To prevent this from happening, all stakeholders need to be involved, and a key component of the RTS’ SCA successful implementation is also explaining the new regulation to customers and making them aware of it. Yet Paul Rodgers, Chairman & Founder of Vendorcom, believes that it would currently be premature to commence a consumer communications programme on SCA, as the regulation is not locked down, the technical standards are underdeveloped, and there is no rollout plan for acquirers, processors, gateways and merchants.
As a solution for this situation, he suggests a game plan: a two-phase, whole-ecosystem collaborative initiative building on learning from the CHIP&PIN Programme Management Organisation. Phase One implies locking down regulatory conditions and technical standards, which basically means implementing the technical/technological stuff, while Phase Two implies locking down operational rollout plans and instigating a whole service user market rollout. In addition, there needs to be a similar two-phase communication – to consumers as bank/issuer consumers and (only once the merchants are implementing a common solution) to the consumer as a merchant consumer.
It takes a network to fight a network in the mobile world
All in all, perhaps the industry doesn’t really need more regulatory changes, but rather requires more focus on collaboration. Data sharing consortia are capable of binding together businesses with similar goals, challenges or fraud risks, enabling them to fight fraud collectively within modern digital markets.
Moreover, participants can share their positive and negative data attributes in real time across an agreed set of consortium members and contributors, so organisations can see greater context within the data, understanding for example which other organisation has blacklisted a device and why. This allows for more targeted real-time risk assessments and supports smarter and more contextualised fraud decisions. Since participants come from different verticals, there might also be some ‘cross-side network effects’, where the value of the consortium for each user increases with the number of users.
How does this work? For instance, device X accesses confirmed mule accounts at Bank 1 -> device X is added to the consortium’s ‘Confirmed Mule’ shared list -> device X logs in at Bank 2 -> the login triggers the consortium’s policy rules and a case is created in Case Manager -> the case is confirmed as a money mule and Bank 2 terminates the customer relationship -> using Digital ID and Related Events, Bank 2 uncovers an additional mule account, which is also closed -> device X is also added to the consortium’s ‘Confirmed Mule’ shared list to strengthen intelligence for other consortium members.
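The flow above, sketched as an added example (not code from ThreatMetrix, LexisNexis Risk Solutions or The Paypers). All class, method and account names are hypothetical, and "related events" is reduced here to accounts seen on the same device, which is an assumption.

```python
from collections import defaultdict

class Consortium:
    """Shared 'Confirmed Mule' list: device id -> [(contributing member, reason)]."""
    def __init__(self):
        self.confirmed_mule = defaultdict(list)

    def contribute(self, device, member, reason):
        self.confirmed_mule[device].append((member, reason))

    def lookup(self, device):
        return list(self.confirmed_mule.get(device, []))

class Bank:
    def __init__(self, name, consortium):
        self.name, self.consortium = name, consortium
        self.accounts_by_device = defaultdict(set)  # this bank's own login history
        self.cases, self.closed = [], set()

    def login(self, device, account):
        """Record the login; open a case if another member has listed the device."""
        self.accounts_by_device[device].add(account)
        evidence = [e for e in self.consortium.lookup(device) if e[0] != self.name]
        if not evidence:
            return None
        case = {"device": device, "account": account, "evidence": evidence}
        self.cases.append(case)
        return case

    def confirm_mule(self, case):
        """Analyst confirms the case: close every account seen on that device
        (assumed stand-in for 'related events') and feed the result back."""
        related = set(self.accounts_by_device[case["device"]])
        self.closed |= related
        self.consortium.contribute(case["device"], self.name, "confirmed mule account")
        return related

def run_demo():
    # Constructed sample data, not real identifiers.
    shared = Consortium()
    bank1, bank2 = Bank("Bank 1", shared), Bank("Bank 2", shared)
    early = bank2.login("device-x", "acct-200")   # before listing: no case
    shared.contribute("device-x", bank1.name, "accessed confirmed mule accounts")
    clean = bank2.login("device-y", "acct-300")   # unlisted device: no case
    case = bank2.login("device-x", "acct-201")    # listed by Bank 1: case opened
    closed = bank2.confirm_mule(case)             # also sweeps up acct-200
    return early, clean, case, closed, shared.lookup("device-x")

if __name__ == "__main__":
    print(run_demo())
```

Keeping the contributing member and reason with each entry is what lets Bank 2 see who listed the device and why, rather than acting on a bare blocklist hit.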
To conclude, Stephen Topliss, Vice President, Fraud and Identity for LexisNexis Risk Solutions, said: “as economies increasingly shift toward mobile transactions, we need to be aware of criminals who seek to exploit new vulnerabilities and encourage companies to share best practices and knowledge when fighting cybercrime”…
Special thanks to ThreatMetrix and LexisNexis Risk Solutions for having us in London.
About Mirela Ciobanu
Mirela Ciobanu is a Senior Editor at The Paypers and has been actively involved in covering digital payments and related topics, especially in the cryptocurrency, online security and fraud prevention space. She is passionate about finding the latest news on data breaches, machine learning, digital identity and blockchain, and she is an active advocate of the need to keep our online data/presence protected. Mirela has a bachelor's degree in English language and holds a Master’s degree in Marketing.