According to the Nilson Report, as of December 2018, there were 22.11 billion payment cards in circulation worldwide. eWallets are also being added to this mix, with Juniper Research predicting that by 2024, half of the world’s population will be using them. Add to this the convenience of online purchase and Card-not-Present transactions, and you end up with a massive, interwoven mesh of potential security gaps that cybercriminals can, and will, exploit.
The result is a cascade of cybercrime attacks across the payments industry, with losses expected to reach $200 billion by 2024.
There are ways, however, to buck the trend towards cybercrime in payments.
How Cybersecurity is a Threat to Payments
Knowing what you're up against is the first step in prevention. The following list shows a few of the key areas where cybercrime in the payment industry is increasing or arriving in waves. It gives you a flavor of the wide scope of tactics cybercriminals use to exploit online payment systems:
Identity theft and synthetic identity (including account takeover)
Digital identity and ‘identity networks’ are exploding across industry. Digitization of accounts is behind virtually everything we do online. Some of these accounts are powerful. For example, any customer with an online bank account has had to go through a “Know Your Customer” (KYC) process to get that account. This means that the data associated with that account has intrinsic value, because it has been verified and so carries added assurance.
Cybercriminals can use verified data and high assurance online accounts to commit fraud. If a fraudster has enough data on an individual, they can use these data to create a verified online account that “proves” they are a legitimate customer. This account can then be used to open bank accounts, apply for payment cards, and propagate a cascade of payment fraud.
Alternatively, a fraudster can attempt an account takeover of an existing verified digital identity account. Various techniques can be applied to achieve this. One such technique is credential stuffing, whereby a cybercriminal uses stolen login credentials to take control of an online account. In the 18 months to July 2019, there were 61 billion credential stuffing attacks.
Synthetic identity is a variant of the above. This technique is based on the creation of a digital identity using a mix of real and fictitious personal data. This is a highly sophisticated operation that cost the credit card industry $6B in 2016.
All of the above is facilitated by the massive volume of stolen data; the number of data records breached in 2019 reached 15.1 billion.
Social engineering as a fraud enabler
The API economy and cybercrime
Application Programming Interfaces (APIs) are used to transform the technology landscape. API use has allowed the connection of multiple components to create ecosystems that service identity verification, anti-fraud checks, authentication, and other important aspects of the digital transformation of banking and payments.
But cybercriminals are always on the lookout for opportunities to sneak in under the hood. APIs offer a way to exploit systems through vulnerabilities and misconfiguration of security settings.
PSD2 has opened up banking significantly by encouraging the use of Open Banking APIs. Open banking is an initiative driven out of the EU and UK. However, the “Open Banking Report 2019” found that 87% of all countries in the report had open banking initiatives in place. So this movement looks set to drive and change online payments.
The remit of open banking is to engage customers with their bank and allow those customers to seamlessly and securely share financial data. As uptake of open banking continues, cybercriminals will look for ways to exploit the system. This is one to watch going forward.
How Regulations Help to Mitigate Payment Fraud
Mitigating Payment Fraud Using Machine Learning
Regulations are facilitated using technology and security awareness campaigns. The mitigation of online payment fraud requires an ecosystem of fraud prevention and detection techniques and tactics. Just as fraudsters use any tactic and opportunity they can to commit fraud against payment systems, financial institutions must fight back using the most powerful options available. In the modern anti-fraud technology stack, this means machine learning (ML)-based anti-fraud solutions.
A white paper from Juniper Research, “Fighting Online Fraud in 2020”, expects an increased use of ML for fraud detection and prevention. ML provides the versatility to balance customers' expectations of a great user experience against the complexity of fraud detection when dealing with billions of events.
Machine learning and other artificial intelligence (AI) solutions are maturing into versatile and effective services across the sector. The mix of smart anti-fraud platforms alongside customer and employee security awareness creates a strong toolkit for the financial industry when fighting payment fraud.
A Hopefully Not So Risky Future in Payment
Cybercriminals are opportunists. As the payment landscape changes to allow more seamless customer experiences, potential security exploits come with it. Keeping up with these cyber-threats is an ongoing and complicated task. Any solution that can help to ameliorate this situation is welcome.