Jonathan Williams from MK2 Consulting talks about what PSD2 will do to the fraud it targets, as well as the effects of what criminals will try next
No one in the European payments industry will be unaware that Strong Customer Authentication (SCA) is coming or is already here, although the deadlines vary between the UK and EU/EEA. It’s a tale of two industries: personal and business banking is compliant already but there is room for improvement, while the cards industry is still aligning the different parties – merchants, acquirers, issuers, cardholders – so that it all works seamlessly for ecommerce.
As a physicist, I am used to natural laws. One which I’d not come across in science is the Conservation of Fraud. Like the Conservation of Energy, it says that the effort expended using fraud to extract value is (fairly) constant, while losses go up and down depending on the effectiveness of prevention measures. Fraudsters don’t simply give up when we make it harder for them, they just look for the next easiest route.
What will happen to fraud?
So when we ask what will happen, we need to consider not only the first-order effects – what will PSD2 do to the fraud it targets – but also the second- and third-order effects of what criminals will try next.
Firstly, will SCA be successful? There is no reason to assume that, correctly implemented, it will not. The risk is that, by looking for loopholes in the law to make payments frictionless for consumers, we may make it easier for criminals. This is the logic which chooses known-insecure, SMS-based one-time passwords over secure tokens. In addition, there are exceptions, for example payments initiated through acquirers outside the PSD2-zone for which SCA is not mandatory (although it will be good practice).
Secondly, criminals will look to frauds which SCA does not address. Many countries, including the UK, have seen the growth of ‘push payment’ attacks which (re-)direct payments to an account in criminal control. Estimates in the UK alone are of billions of pounds lost per year and, because the payment is made by the genuine business or personal customer, SCA cannot prevent it. Measures such as confirming the name and address of an account before initiation can help, but the move to instant SEPA payments in Europe puts all providers under time pressure.
PSD2 also allows third parties to access payment accounts using ‘Open Banking’ or XS2A interfaces. Broadly, this allows customers to benefit from services using banking data and payments that banks could not afford to develop individually. Personal financial management, retail payments, and improved credit scoring are merely three possible applications. There are, however, weaknesses in the trust scheme which could mean that fraudsters can obtain SCA credentials to take over a customer’s account.
As an example, criminals could develop a website purporting to be a real or fictitious ‘third-party provider’. As part of signing up, they could request the customer’s SCA login information but, instead of using it for ‘Open Banking’, they could transmit it to the bank in their own online banking session, pretending to be the customer. This might allow them to log in, re-issue cards, make transfers, or set up scheduled payments. Alternatively, they could change security information including address, e-mail, and challenge questions to lock out the genuine customer while they emptied the account.
The measures to minimise this are simple:
standardisation of processes;
consistent user experiences;
education of customers;
better analysis of operational data;
improved authentication mechanisms.
Criminals benefit when there is confusion. If a customer does not know what to expect, they will accept whatever they are told, whether by a payment service provider or a criminal. Time and again, the payments industry has failed its customers by not informing them well or early enough.
But issuers are in danger of drowning in data and thereby failing to spot tell-tale signs. Automated analysis, and especially machine learning or AI, can help make sense of this new data, but new technology will require supervision and explanation to the regulator. Ensuring that algorithms are unbiased will be a key challenge as we start to use them.
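The account-takeover scenario described above (harvested SCA credentials replayed from the criminal's own session, security details changed, then the account emptied) leaves a recognisable sequence in a bank's operational data. The following is an added illustration of the kind of simple analysis the "better analysis of operational data" measure refers to; it is not the author's or any payment provider's code, and the event schema, the device-fingerprint field, the thirty-minute window and the sample events are all constructed assumptions.

```python
"""Added example: flag online-banking sessions that show the takeover pattern
described in the editorial (unknown device, security details changed, then money
moved). Not the author's or any bank's code; event schema and thresholds are
assumptions, and the sample events below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class Event:
    customer: str
    ts: datetime
    action: str      # login | change_contact | change_challenge | reissue_card | transfer
    device: str      # device fingerprint presented by the session (assumed field)
    amount: float = 0.0


# Actions that lock the genuine customer out or create a fresh payment instrument
SENSITIVE = {"change_contact", "change_challenge", "reissue_card"}
MONEY_OUT = {"transfer"}


def flag_takeover_sessions(events: List[Event],
                           known_devices: Dict[str, Set[str]],
                           window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Return one alert per login that (a) comes from a device not previously seen
    for that customer and (b) is followed within `window` by at least one
    sensitive change and at least one outgoing payment in the same session."""
    alerts = []
    by_customer: Dict[str, List[Event]] = {}
    for e in events:
        by_customer.setdefault(e.customer, []).append(e)

    for customer, evs in by_customer.items():
        evs.sort(key=lambda e: e.ts)
        # Devices seen before this batch plus any seen earlier in the batch
        seen = set(known_devices.get(customer, set()))
        for i, e in enumerate(evs):
            if e.action != "login":
                continue
            new_device = e.device not in seen
            seen.add(e.device)
            if not new_device:
                continue
            changes, total = [], 0.0
            # Walk the rest of this session: stop at the window edge or next login
            for f in evs[i + 1:]:
                if f.ts - e.ts > window or f.action == "login":
                    break
                if f.action in SENSITIVE:
                    changes.append(f.action)
                elif f.action in MONEY_OUT:
                    total += f.amount
            if changes and total > 0:
                alerts.append({"customer": customer, "device": e.device,
                               "login_at": e.ts.isoformat(),
                               "sensitive_changes": changes,
                               "transfer_total": total})
    return alerts


# Constructed sample data (not real customers, devices or amounts)
T0 = datetime(2021, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    # alice: credentials replayed from an unknown device, details changed, money out
    Event("alice", T0, "login", "dev-Z9"),
    Event("alice", T0 + timedelta(minutes=2), "change_contact", "dev-Z9"),
    Event("alice", T0 + timedelta(minutes=3), "change_challenge", "dev-Z9"),
    Event("alice", T0 + timedelta(minutes=9), "transfer", "dev-Z9", 4800.0),
    # bob: usual device, routine payment
    Event("bob", T0, "login", "dev-B1"),
    Event("bob", T0 + timedelta(minutes=1), "transfer", "dev-B1", 50.0),
    # carol: new device but no security changes (e.g. a genuine new phone)
    Event("carol", T0, "login", "dev-C7"),
    Event("carol", T0 + timedelta(minutes=5), "transfer", "dev-C7", 120.0),
]
KNOWN_DEVICES = {"alice": {"dev-A1"}, "bob": {"dev-B1"}, "carol": {"dev-C2"}}

if __name__ == "__main__":
    for alert in flag_takeover_sessions(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(alert)
```

Only alice's session is flagged: a new device alone (carol) or a payment alone (bob) is ordinary customer behaviour, and it is the combination of a previously unseen device, lock-out changes and an outgoing payment in one short session that matches the scenario. In practice the rule would be one signal among several, and the regulator-facing explanation the editorial mentions is easier to give for a transparent rule like this than for an opaque model.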
Finally, criminals will be attempting to get around SCA technologies, so payment service providers must be on their guard to identify weaknesses early, patch or retire compromised mechanisms, and look to new technologies such as behavioural biometrics to secure transactions.
So, will fraud losses go down or up? While the fraudsters will continue to expend effort, losses to payment fraud could decrease, but only if we are all focussing on the right outcomes. Technology on its own will not solve the problem but it can help us move in the right direction.
This editorial was published in the Fraud Prevention in Ecommerce Report 2020/2021, the go-to source in securing transactions while offering a frictionless customer journey.
About Jonathan Williams
Jonathan is an independent advisor in interbank and card payments. He has led product management in successful start-ups in cybersecurity, telecommunications, and enterprise software industries and his current focus is on identity, financial crime, Open Banking, and compliance.
About MK2 Consulting
We provide financial organisations with the clarity they need to understand the impact financial crime prevention, identity management, and payment operations have on their business. Our in-depth knowledge and independent advice help you analyse your operations and adopt the right strategies to improve efficiency, increase revenue, and ensure regulatory compliance.