Voice of the Industry

When fraud and impersonation stand in the way of ecommerce

Monday 18 April 2022 10:31 CET | Editor: Andra Constantinovici | Voice of the industry

Jonathan Williams, technical payments specialist at Payment Systems Regulator, runs us through the intricacies of ecommerce fraud and what can be done to improve detection efficacy in the industry.

While ecommerce has become a significant channel for buying and selling in many countries, it is more complicated than equivalent face-to-face transactions. The major cause of problems for ecommerce is also its strength: buyers and sellers are normally remote from each other. The challenge for seamless, efficient ecommerce is how to transform (rather than replicate) a physical transaction into an online setting, which challenges some of the assumptions underpinning face-to-face payments and explains why the ecommerce ecosystem exists: to facilitate trust and increase confidence. This article outlines my personal views built up over twenty years of working in ecommerce.

Who we’re dealing with

One of the new problems is knowing who we’re dealing with. When we, as consumers, want to make a payment, it’s almost always to a person or entity we know and for a clear purpose, for example, to settle a debt. Ordinary users aren’t interested in the sequence of letters and/or numbers specifying the destination or source accounts. But the modern systems we have built rely on numbers rather than a nebulous ‘identity’. This is the difference between cheque clearing, in which payments are routed to a named recipient, and credit transfers, which are routed based on bank codes and account numbers. There is therefore a mismatch between what the user intends and what the system supports.

This is made more difficult in an ecommerce environment: establishing identity on the Internet is widely acknowledged to be complicated, but we are also advised not to share our payment details. For this reason, proxies – identifiers that can be used instead of the account numbers processed by payment systems – may be preferred for usability; these include mobile phone numbers and e-mail addresses, but governments might prefer to use their own identifiers, such as for benefit payments.

Ensuring that payments are made by and to the intended party is vital. Social engineering methods can be used to take over accounts and to dupe payers into transferring funds to fraudsters. Criminals are becoming increasingly competent at obtaining or intercepting security credentials to facilitate this. Being confident about who is receiving the funds is an important capability, but today we, as payers, can’t always be sure who owns a bank account.

In the UK, Authorised Push Payment (APP) scams, in which criminals try to redirect payments to ostensibly valid recipients, have increased. To counter this, the Payment Systems Regulator (PSR) has driven the adoption by the largest banks of the Confirmation of Payee service, which matches the name against the account details.

Assessing the danger with authentication methods

The adoption of strong methods to authenticate customers is widespread on banking channels and is in progress across online card transactions. For some payment mechanisms, authentication is built-in. For mobile banking payments, for example, the mobile banking app performs the authentication on login or at the point of transaction using the security features of the phone. Apple Pay and other schemes allow online payments to mostly be made via apps or websites that are integrated with them. This is particularly helpful in allowing access to biometric authentication factors that can check the individual themselves, not just information or items they possess, such as a security token.

For some sellers, confirming the identity of their buyer is difficult. In an online setting, the seller and buyer may have just met, so asking for identity proof can be awkward. That’s where authentication comes in: a card issuer confirming that it’s their customer is, again, a real step forward in confidence and potentially in customer experience.

In addition to technologies like 3-D Secure 2.0, which allows a card issuer to send and receive an online authentication request to their cardholder, other services have been developed to reduce a variety of risks like checking the history of an e-mail address or identifying malware on a payer’s device. Each of these tackles a specific type of risk and only by using them in concert can a payment service provider really have an assessment of the danger of fraud.

What else is in store?

But it’s not just about transferring physical interactions; the ecosystem exists to ensure trustworthy and efficient usage of payment systems. This can include e-invoicing or request to pay services, due diligence checks, and security and risk management capabilities. It is worth remembering that users of payment services have a choice in how they make and receive payments. Offering them options that meet their needs efficiently is important. While various transactions are processed using payment cards, many others, especially B2B, use credit transfers such as Faster Payments in the UK. In addition, Open Banking offers new methods to initiate payments through authorised third parties which can work closely with sellers.

In summary, ecommerce can be impeded by lack of confidence: in the identity of payer and payee, in payment data – amount, date, references etc. – and in the integrity of how the payment is made. Users of payments should be free to choose payment methods in which they have confidence, and which are simple to use. This is important in ecommerce for both payers and payees. It is therefore vital that the industry continues to innovate in the ecosystem to ensure that users achieve these goals whilst giving all parties, including PSPs, confidence every time.

Jonathan Williams is a payments expert who has worked in the industry for twenty years. He currently works at the Payment Systems Regulator as a Technical Specialist. The contents of this article are the author’s own views and do not necessarily represent those of the PSR.

This editorial is part of The Fraud Prevention in Ecommerce Report 2021/2022, the ultimate source of knowledge that delves into the evolutionary trail of the payments fraud ecosystem, revealing the most effective security methods for businesses to win the battle against bad actors.

About Jonathan Williams

Jonathan is a technical payments specialist for the PSR for both card and interbank payments. He has led strategy and product management in successful startups in cybersecurity, telecommunications, and enterprise software industries.

About Payment Systems Regulator

Every time anyone uses a cash machine, transfers money, uses contactless, or gets paid, they use a payment system. Payment systems are always evolving and the PSR is here to make sure they work well for everyone.


Keywords: ecommerce, online security, identity verification, fraud detection, 3-D Secure
Companies: Payment Systems Regulator
Countries: United Kingdom
