It’s pretty obvious that banks don’t want fraud to occur. It’s expensive and puts customer trust at risk. So, why are many banks still spending a great deal of time and money trying to apply crude fraud prevention solutions to a form of payment that is fast becoming outdated?
As I will explain below, it makes far more sense for the investment to be instead made on creating mobile payment solutions which make fraud tactics much harder to execute and easier to catch out.
Cards were initially built for paying in store. They required (and still do) a card number to be printed on the front. This is the first major fraud prevention challenge. As payments started to occur in other non-store situations, that number started to have value to those inclined to exploit it. Paying online with a card requires customers to enter their card details, et voila, money is pulled from their account or a line of credit and goods get shipped.
Most of the fraud prevention technology that exists seeks to protect sensitive information (like card details). The first step in fraud prevention for cards is requiring a signature with payment. Even when someone is paying attention to the signature on the back, most of us aren’t handwriting experts and a scrawl didn’t prove that difficult to fake… so, that measure alone wasn’t that successful.
Next? How about the requirement for a PIN code. There is a whole field of science devoted to guessing codes, and fraudsters have little problem figuring out the PIN and using someone’s card.
Onto the next level. Chip and PIN provides hardware-based security when paying. The problem is that this only works for physical payments, and we know most fraud these days occurs online. This article from Australia reports that 78% of card fraud occurs in card-not-present scenarios. So the whole online and app environment remains unaddressed from a security perspective.
Plenty of companies have developed and deliver various data-derived fraud prevention systems to stop fraud. These mostly sit on the bank and merchant end. Banks don’t want fraud as it costs them customers and money. The same applies to merchants.
These systems mostly work by looking at a transaction and passing it through a decision engine before the money is approved to be moved. The simplest aspect of such fraud prevention is to look at a person’s location. Where did they use the card last and where is it being used now? Is that person able to physically move between the locations during the time between the payments? If not, it could indicate that the card has been cloned and the latter transaction is likely fraudulent.
This location check is far weaker for online payments, because the internet merchant might be anywhere on the globe and the merchant’s location says nothing about where the customer is.
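The location check described above, as an added example that is not part of the original post: it computes the speed a cardholder would have needed to travel between consecutive card-present payments and flags the later payment when that speed is physically implausible. The transactions, coordinates and the 900 km/h threshold (roughly airliner cruising speed) are constructed assumptions, and the check only makes sense when the payment location reflects where the customer actually was.

```python
import math
from datetime import datetime

# Constructed sample transactions (not real data): (timestamp, latitude, longitude, merchant).
# The first two are in Oslo; the third is in New York 45 minutes later.
TRANSACTIONS = [
    (datetime(2024, 5, 1, 9, 0), 59.9139, 10.7522, "grocery Oslo"),
    (datetime(2024, 5, 1, 9, 45), 59.9111, 10.7500, "cafe Oslo"),
    (datetime(2024, 5, 1, 10, 30), 40.7128, -74.0060, "electronics New York"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def implied_speed_kmh(prev, curr):
    """Speed the cardholder would need to move from the previous payment to this one."""
    hours = (curr[0] - prev[0]).total_seconds() / 3600.0
    dist = haversine_km(prev[1], prev[2], curr[1], curr[2])
    if hours <= 0:
        # Same timestamp (or out-of-order data): any distance at all is impossible.
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def flag_impossible_travel(transactions, max_speed_kmh=900.0):
    """Return merchant names of payments whose implied travel speed exceeds the threshold.

    The 900 km/h default is an assumed ceiling, not an industry standard."""
    flagged = []
    for prev, curr in zip(transactions, transactions[1:]):
        if implied_speed_kmh(prev, curr) > max_speed_kmh:
            flagged.append(curr[3])
    return flagged
```

The decision engine would treat a flag as one signal among many rather than an automatic decline, since a cardholder can legitimately have a second card user or a mis-geolocated terminal.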
The next step in the data analysis is looking at behavior. Where does the person normally shop and would they normally purchase items like this? Are they logged in with their Facebook account and are they on their home or work network? Is the device a known device? Etc. etc. There are many intricate details to analyse before a payment goes through. And this is all because cards are basically an open door to a customer’s money.
The other half of the problem is the lack of real customer authentication when a card is used to make a payment.
Following PSD2, it’s anticipated that more payments will take place by charging a bank account directly, rather than being taken from a bank account via a card. This method requires strong customer authentication (SCA) before the payment is approved. As there is no legacy from the card networks to worry about, there’s a distinct opportunity to implement a fundamentally better way to approve payments. The payer can be authenticated when a payment is performed.
Essentially SCA seeks to determine: are you, you? Further, do you want to pay this recipient this amount with the money you have in this account?
The answer to this list of questions relies on a simple, yet secure way to authenticate a person’s identity.
With mobile payments, like Auka delivers, this is solved by enrolling the person for the payment solution and binding the device (the phone) and the biometric authentication method used by the person (their fingerprint or face) to the signature generated and authenticated each time a payment is performed. In order to make a payment, there’s never a need for any account or card data – in fact that data isn’t exposed at all during said payment process.
A payment is initiated by giving the merchant an arbitrary user ID. It’s random, temporary and represents the customer as a user right here and now but nothing else. The merchant sends the ‘bill’ to the system and the system forwards it to the user’s phone. No sensitive data exchange takes place. Then the user authenticates the payment securely on their device. There’s no need to enter sensitive details into a third-party device or box. The system verifies the customer’s ID and that they wish to pay the requested amount. Only then is the request sent to the bank for processing – along with the signature that was just made with a device, face, finger and active consent.
Only then, all the way down in the core system, does the bank receive verified data about which account to charge for which payment. All orders are unique and verifiable with certificates and signatures. There’s no card data available for exploitation. Quite simply, this is the advantage mobile payments have in the fight against fraud.
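The enrolment-and-payment flow from the preceding two paragraphs, as an added example that is not Auka’s code or any real payment system: a device key is bound at enrolment, the merchant only ever sees a random single-use user ID, the bill is forwarded to the phone, the phone releases a signature over the exact bill only after its local biometric check passes, and the system verifies that signature before the bank learns which account to charge. The device key is an HMAC secret shared at enrolment, an assumed simplification of the certificate-based signatures a real deployment would keep in the phone’s secure hardware; names and account numbers are constructed.

```python
import hashlib
import hmac
import json
import secrets


def sign_bill(device_key, bill):
    """Signature over the canonical bill; binds device, amount and recipient together."""
    msg = json.dumps(bill, sort_keys=True).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def phone_authorize(device_key, bill, biometric_verified):
    """Runs on the phone: the biometric check gates release of the device-bound signature."""
    if not biometric_verified:
        return None
    return sign_bill(device_key, bill)


class PaymentSystem:
    def __init__(self):
        self.users = {}        # user -> {"account": ..., "device_key": ...}
        self.temp_ids = {}     # single-use temporary id -> user
        self.used_bills = set()

    def enroll(self, user, account, device_key):
        self.users[user] = {"account": account, "device_key": device_key}

    def issue_temp_id(self, user):
        # Random, temporary handle shown to the merchant; carries no account or card data.
        tid = secrets.token_hex(8)
        self.temp_ids[tid] = user
        return tid

    def create_bill(self, temp_id, merchant, amount):
        # Merchant submits the bill against the temporary id; the system resolves the user
        # and forwards the bill to the phone. A replayed temp id raises KeyError.
        user = self.temp_ids.pop(temp_id)
        return {"bill_id": secrets.token_hex(8), "user": user, "merchant": merchant, "amount": amount}

    def verify_and_forward(self, bill, signature):
        """Verify the device signature and bill uniqueness; only then release account data."""
        key = self.users[bill["user"]]["device_key"]
        if signature is None or bill["bill_id"] in self.used_bills:
            return None
        if not hmac.compare_digest(sign_bill(key, bill), signature):
            return None
        self.used_bills.add(bill["bill_id"])
        return {"account": self.users[bill["user"]]["account"],
                "merchant": bill["merchant"], "amount": bill["amount"]}
```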
As the global population becomes more educated and excited about the potential of mobile payments (done right), the likes of AliPay, Google (with Tez) and others will work to abolish most of the systematic fraud associated with payments.
Mobile payments and account-based payments secured with SCA will reduce the number of card payments, and with it, fraud.