Cybersecurity Risks and Trends in Online Payment

According to the Nilson Report, as of December 2018, there were 22.11 billion payment cards in circulation worldwide. eWallets are also being added to this mix, with Juniper Research predicting that by 2024, half of the world’s population will be using them. Add the convenience of online purchasing and Card-Not-Present transactions, and you end up with a massive, interwoven mesh of potential security gaps that cybercriminals can, and will, exploit.

The result is a cascade of cybercrime attacks across the payments industry, with losses expected to reach $200 billion by 2024.

There are ways, however, to buck the trend towards cybercrime in payments.

How Cybersecurity is a Threat to Payments

Knowing what you're up against is the first step in prevention. The following sections cover a few of the key areas seeing waves of cybercrime in the payment industry, and give a flavor of the wide range of tactics cybercriminals use to exploit online payment systems:

Identity theft and synthetic identity (including account takeover)

Digital identity and ‘identity networks’ are exploding across industries. Digitization of accounts is behind virtually everything we do online. Some of these accounts are powerful. For example, any customer with an online bank account has had to go through a “Know Your Customer” (KYC) process to get that account. This means the data associated with that account has intrinsic value: it has been verified, which adds assurance.

Cybercriminals can use verified data and high assurance online accounts to commit fraud. If a fraudster has enough data on an individual, they can use these data to create a verified online account that “proves” they are a legitimate customer. This account can then be used to open bank accounts, apply for payment cards, and propagate a cascade of payment fraud.

Alternatively, a fraudster can attempt an account takeover of an existing verified digital identity account. Various techniques can be applied to achieve this. One such technique is credential stuffing, whereby a cybercriminal uses stolen login credentials to take control of an online account. In the 18 months to July 2019, there were 61 billion credential stuffing attacks.

Synthetic identity is a variant of the above. This technique is based on the creation of a digital identity using a mix of real and fictitious personal data. This is a highly sophisticated operation that cost the credit card industry $6B in 2016.

All of the above is facilitated by massive volumes of stolen data: the number of data records breached in 2019 reached 15.1 billion.

Social engineering as a fraud enabler

Proofpoint found that 99% of cyber-attacks rely on human intervention. Social engineering is the gift that keeps on giving to fraudsters, facilitating payment fraud either directly or indirectly.

Push Payment Fraud (PPF) is a case in point. Real-time payment schemes have helped to improve customer experience, but the same seamless, fast mechanism is used by fraudsters to help commit cybercrime. The fraud involves social engineering and sometimes hijacked email accounts. There are many variants of this crime, but they all involve a customer believing they are paying a legitimate invoice while the money ends up in a fraudster’s bank account.

A business version of PPF is fake invoice fraud. Again, social engineering tricks are central to this scam. Usually, the fraudsters convince the business to change the bank account details of a known supplier; payments are then transferred to the new account, which is controlled by the fraudster.

The API economy and cybercrime

Application Programming Interfaces (APIs) are used to transform the technology landscape. API use has allowed the connection of multiple components to create ecosystems that service identity verification, anti-fraud checks, authentication, and other important aspects of the digital transformation of banking and payments.

But cybercriminals are always on the lookout for opportunities to sneak in under the hood. APIs offer a way into systems through vulnerabilities and misconfigured security settings.

PSD2 has opened up banking significantly by encouraging the use of Open Banking APIs. Open banking is an initiative driven out of the EU and UK; however, the “Open Banking Report 2019” found that 87% of the countries it covered had open banking initiatives in place. So this movement looks set to drive and change online payments.

The remit of open banking is to engage customers with their bank and allow those customers to seamlessly and securely share financial data. As open banking uptake continues, cybercriminals will look for ways to exploit the system. This is one to watch going forward.

Loyalty fraud

Loyalty programs are very popular with both the companies that run them and their customers. Often, loyalty cards hold valuable points and offers. This intrinsic value makes them a target for cybercriminals, who use them to commit payment fraud. A 2019 report by Forter found an 89% increase in loyalty fraud. Often, loyalty fraud is associated with identity theft. Fraud.org put out a statement saying that with an “estimated 14 trillion frequent flier miles and hotel points floating around unused, scammers have a very large, lucrative target in America’s hard-earned miles.”

How Regulations Help to Mitigate Payment Fraud

The major threat of payment fraud has not been lost on the regulators. One of these is PSD2. PSD2 came into force in January 2018, but delays in some areas of the regulation have made it stop/start across the industry. The introduction of PSD2 has, however, meant sweeping changes across the financial sector. PSD2 enables PISPs (Payment Initiation Service Providers) and AISPs (Account Information Service Providers) to emerge across the space, potentially adding more entry points for fraudsters.

PSD2 was behind the previously mentioned Open Banking. But the regulation has also introduced a major change in the authentication of transactions. The SCA (Strong Customer Authentication) adds extra protection for Card-Not-Present (CNP) transactions. Typically, an online payment under SCA rules now requires additional factors to authenticate the user before allowing the transaction. There are exemptions from the rule under certain conditions and there is currently a delay in expected compliance, to 14 September 2021, but this additional protection is already implemented in many services.
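As an added example (not from the original post), the following Python models the SCA decision described above for a Card-Not-Present payment: the transaction proceeds when the presented factors come from two independent categories, or when the RTS low-value exemption applies; otherwise the issuer steps up to a challenge. The EUR 30 / EUR 100 / five-transaction thresholds are the PSD2 RTS values; the factor names, the `CardState` model and the function names are assumptions made for this example.

```python
"""SCA gate for a Card-Not-Present payment (added example, not from the post).

Two distinct factor categories (knowledge, possession, inherence) satisfy SCA.
The low-value exemption applies to payments of at most EUR 30 while cumulative
exempt spend since the last SCA stays within EUR 100 and fewer than five exempt
payments have run consecutively; this example applies both counters together
(the RTS lets the issuer pick one). Names and data model are assumptions.
"""
from dataclasses import dataclass

# Two *distinct* categories are required; password + PIN is still one category.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "otp_device": "possession", "bound_app": "possession",
    "fingerprint": "inherence", "face": "inherence",
}
LOW_VALUE_LIMIT = 30.0     # per-transaction limit, EUR
CUMULATIVE_LIMIT = 100.0   # cumulative exempt spend since last SCA, EUR
CONSECUTIVE_LIMIT = 5      # consecutive exempt payments since last SCA

@dataclass
class CardState:
    """Per-card counters the issuer keeps between authentications."""
    exempt_total: float = 0.0
    exempt_count: int = 0

def factors_satisfy_sca(factors):
    """True when the factors cover at least two distinct categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2

def low_value_exempt(amount, state):
    """True when the low-value exemption still applies for this card."""
    return (amount <= LOW_VALUE_LIMIT
            and state.exempt_total + amount <= CUMULATIVE_LIMIT
            and state.exempt_count < CONSECUTIVE_LIMIT)

def authorize_cnp(amount, factors, state):
    """Return 'approved' (SCA met), 'exempt' (low value) or 'challenge'.
    A successful SCA resets the card's exemption counters."""
    if factors_satisfy_sca(factors):
        state.exempt_total, state.exempt_count = 0.0, 0
        return "approved"
    if low_value_exempt(amount, state):
        state.exempt_total += amount
        state.exempt_count += 1
        return "exempt"
    return "challenge"  # step up: request a second factor before paying
```

Running the same card through several payments shows the counters at work: small payments pass as exempt until the cumulative limit is hit, and one fully authenticated payment resets the allowance.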

Mitigating Payment Fraud Using Machine Learning

Regulations are facilitated using technology and security awareness campaigns. The mitigation of online payment fraud requires an ecosystem of fraud prevention and detection techniques and tactics. Just as fraudsters use any tactic and opportunity they can to commit fraud against payment systems, financial institutions must fight back using the most powerful options available. In the modern anti-fraud technology stack, this means machine learning (ML) based, anti-fraud solutions.

A white paper from Juniper Research, “Fighting Online Fraud in 2020”, expects an increased use of ML for fraud detection and prevention. ML provides the versatility to match customers’ expectations of a great user experience with the complexity of fraud detection when dealing with billions of events.

Machine learning and other artificial intelligence (AI) solutions are maturing into versatile and effective services across the sector. The mix of smart anti-fraud platforms alongside customer and employee security awareness creates a strong toolkit for the financial industry when fighting payment fraud.

A Hopefully Not So Risky Future in Payment

Cybercriminals are opportunists. As the payment landscape changes to allow more seamless customer experiences, new potential security exploits come with it. Keeping up with these cyber-threats is an ongoing and complicated task. Any solution that can help to ameliorate this situation is welcome.

Contact us today for a consultation: info@eastnets.com