Techniques for Mitigating CNP Fraud

Kiruthika Chandrasekaran
Concentrix Tech Blog
7 min read · Jun 15, 2023

There is no dispute that card-not-present (CNP) payment fraud is growing and will continue to do so. Moreover, those who commit fraud — fraudsters — are creative and engaged in a relatively low cost but high payoff game. A recent study projected that retailers will lose $130 billion in digital CNP fraud through 2023.

Given the difficulty of securing systems, becoming familiar with techniques to defend against fraud is critical for planning mitigation strategies and evaluating solution alternatives. Below, we outline a few such techniques to help you defend against fraud.

General Aspects/Best Practices

Know Your Customer

Know your customer (KYC, also “know your client”) is the process by which a business verifies the identity of its clients and assesses their suitability for a business relationship, along with the risk that they intend illegal activity. KYC is a series of legally required measures meant to prevent financial crimes (such as money laundering) and to reduce the risk of fraud.

These procedures require proper identification from every customer (i.e., a customer identification program), at the time a relationship is established, in order to prevent the creation of fictitious accounts. If a potential customer refuses to produce any of the requested information, the relationship will not be established. Likewise, if the potential customer is not forthcoming with requested follow-up information, any relationship that has already been established may be terminated.

The challenge with KYC is balancing the needs for compliance and risk reduction with the friction that could negatively affect a current or potential customer.

Best practices for KYC will include some form of the following:

• A Customer Identification Program (CIP): Collecting information to verify a potential customer’s identity and verifying that information, and checking the person’s name against databases of higher risk persons.

• Customer Due Diligence (CDD): Using the above and additional information to assess the potential customer’s risk, often by determining expected transactions in order to flag unusual, and potentially riskier, transactions.

• Enhanced Due Diligence (EDD): Requesting additional information from customers believed to be a higher risk.

• Ongoing monitoring and record keeping.

Layering Fraud Tools

Fraud is a constant threat in ecommerce. Fraudsters are always looking for ways to penetrate any fraud tool deployed by ecommerce sites. Each tool addresses certain types of fraud, and no tool addresses all types of fraud. Mitigating losses requires more than one technique — a “multilayered” approach.

Many merchants have been using a limited form of multilayered fraud management for years. For example, any merchant who uses Address Verification Service (AVS) in conjunction with card security codes or 3-D Secure is using a multilayered approach. This example applies fraud mitigation techniques at the point of a transaction. It does not address fraud that begins before the transaction is started (e.g., synthetic identity fraud).

The best solutions — the ones that are increasingly needed — look at all points of the customer journey and include techniques such as adaptive authentication and transaction risk analysis to spot fraud based on device, user behavior, and other indicators. While it is not possible to completely protect an ecommerce site from fraud, a recent Association for Financial Professionals report went so far as to suggest that “having a variety of protective measures in place will likely frustrate fraudsters and they’ll move on to easier targets.”

Stakeholders are encouraged to consider these techniques in light of their own risk appetite: losses prevented versus revenue lost to customer friction. When tuning the sensitivity of a particular control, weigh the cost of “false positives” (a genuine transaction flagged as fraudulent, which adds friction and may lose the sale) against the cost of “false negatives” (a fraudulent transaction accepted as genuine, which becomes a chargeback).

In general, a layered fraud prevention system will include both passive and active controls:

1. Passive controls: Tools that monitor for anomalies while allowing non-suspicious traffic to flow unimpeded. These controls are invisible to the customer.

2. Active controls: Tools and processes that challenge a user to provide a response, often triggered by a passive control or by a policy set for higher risk activities.

Holistic risk management makes use of both passive and active controls to efficiently separate anomalous activity from low-risk legitimate usage and respond accordingly. The decision about whether to let a request proceed should also account for the riskiness of the action itself: a low-risk activity (viewing an order) can be allowed at a lower confidence level than a high-risk one (changing a payout account or placing a large order), which should be challenged or denied at a lower risk score.

Generally, the detection process leads to one of three outcomes:

1. Request approved.

2. Request challenged: The requestor is presented with a challenge which must be completed to continue (i.e., the active control).

3. Request denied.

In an ideal world, all legitimate requests would be approved, and all fraudulent attempts would be denied. However, requests fall along a spectrum of risk. The best systems can isolate the majority of good attempts from the bad attempts. However, a certain number will be indeterminate and require a challenge.

Effective risk management typically requires balancing the volume of challenges against the potential for loss — i.e., balancing the impact on customer experience against fraud prevention. Layering more advanced forms of fraud detection solutions may greatly improve the system’s ability to discriminate between good and bad activities and enable organizations to achieve the competing objectives of fraud prevention and low customer friction.

A challenge method will often take into account both the friction it causes the legitimate customer and the security it provides. In order to manage customer friction, security should be aligned with the risk of the particular activity that is being requested by the end user.
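The following is an added example, not code from the original post or from Concentrix, showing how the approve/challenge/deny outcomes above can be derived from layered passive signals (AVS and card security code results, device novelty, IP/billing mismatch, velocity, amount) with thresholds that depend on the riskiness of the requested action. The signal names, weights, thresholds and sample transactions are all constructed assumptions for illustration; a real deployment would tune the weights from historical chargeback data.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"
    CHALLENGE = "challenge"   # hand off to an active control (e.g., OTP, 3-D Secure)
    DENY = "deny"


@dataclass
class Signals:
    """Passive signals gathered without involving the customer (constructed fields)."""
    new_device: bool                  # device fingerprint never seen on this account
    ip_country_matches_billing: bool  # IP geolocation agrees with the billing country
    avs_match: bool                   # Address Verification Service result
    cvv_match: bool                   # card security code result
    orders_last_hour: int             # velocity for this device/account
    amount: float                     # order amount in the merchant's currency


# Illustrative risk points per signal (assumed values, not from the article).
WEIGHTS = {
    "new_device": 25,
    "ip_mismatch": 25,
    "avs_mismatch": 20,
    "cvv_mismatch": 30,
    "high_velocity": 20,   # more than 3 orders in the last hour
    "high_amount": 15,     # above 500
}

# (challenge_at, deny_at) per requested action: the riskier the action,
# the lower the score at which silent approval stops.
THRESHOLDS = {
    "view_account": (60, 90),
    "purchase": (40, 75),
    "change_payout_account": (20, 55),
}


def risk_score(sig: Signals) -> int:
    """Combine the passive signals into a 0-100 risk score."""
    score = 0
    if sig.new_device:
        score += WEIGHTS["new_device"]
    if not sig.ip_country_matches_billing:
        score += WEIGHTS["ip_mismatch"]
    if not sig.avs_match:
        score += WEIGHTS["avs_mismatch"]
    if not sig.cvv_match:
        score += WEIGHTS["cvv_mismatch"]
    if sig.orders_last_hour > 3:
        score += WEIGHTS["high_velocity"]
    if sig.amount > 500:
        score += WEIGHTS["high_amount"]
    return min(score, 100)


def decide(sig: Signals, action: str) -> Decision:
    """Map the score onto approve / challenge / deny using the action's thresholds."""
    challenge_at, deny_at = THRESHOLDS[action]
    score = risk_score(sig)
    if score >= deny_at:
        return Decision.DENY
    if score >= challenge_at:
        return Decision.CHALLENGE
    return Decision.APPROVE


# Constructed sample transactions.
RETURNING_CUSTOMER = Signals(False, True, True, True, 1, 49.99)
NEW_DEVICE_ABROAD = Signals(True, False, True, True, 1, 900.00)
CARD_TESTING_BURST = Signals(True, True, False, False, 6, 12.00)

if __name__ == "__main__":
    for name, sig in [("returning", RETURNING_CUSTOMER),
                      ("new device abroad", NEW_DEVICE_ABROAD),
                      ("card-testing burst", CARD_TESTING_BURST)]:
        for action in THRESHOLDS:
            print(f"{name:20} {action:22} score={risk_score(sig):3}  {decide(sig, action).value}")
```

The same score yields different outcomes depending on the action: the new-device-abroad order is challenged as a purchase but denied outright as a payout-account change, which is the "threshold per activity" idea from the text expressed as data rather than prose.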

Tokenization

In payment processing, tokenization is the process of substituting sensitive data with a non-sensitive equivalent. This sensitive data could be a card primary account number (PAN) or other personally identifiable information (PII).

The non-sensitive substitute is referred to as a token. It is typically a randomly generated value (in format-preserving schemes, a random string that keeps the length and often the last four digits of the PAN) with no mathematical relationship to the original data, so it cannot be reversed without access to the token vault that holds the mapping. If the tokenized information is stolen, it has no value on its own; the vault and its detokenization interface therefore become the assets to protect and should be isolated and reachable only by the systems that genuinely need the PAN.
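As an added example (not code from the original post or any real tokenization product), here is a minimal in-memory token vault of the kind described above. It validates the incoming PAN with the Luhn check, issues a random format-preserving token that keeps the last four digits, refuses any candidate token that would itself pass Luhn (so a token can never be mistaken for, or used as, a card number), returns the same token for the same card so orders remain linkable, and restricts detokenization to an authorised role. The role name and the test card number are constructed assumptions.

```python
import secrets
from typing import Dict


def luhn_ok(number: str) -> bool:
    """Luhn check-digit test used by card PANs (RFC-free, ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: random format-preserving tokens, lookup only for an authorised role."""

    DETOKENIZE_ROLES = {"payment-gateway"}   # assumed role allowed to recover the PAN

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:          # same card -> same token, so the
            return self._token_by_pan[pan]     # merchant can still link orders
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]            # keep last four for receipts / UI
            # A token must be unique and must not look like a valid card number.
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment path may recover the PAN; everything else sees the token."""
        if caller_role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._pan_by_token[token]


# Constructed input: the widely published Visa test number, not a real card.
TEST_PAN = "4111111111111111"

if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize(TEST_PAN)
    print("token stored by merchant:", tok)
    print("PAN seen by gateway:     ", vault.detokenize(tok, "payment-gateway"))
```

Because the token carries no information about the PAN beyond the last four digits, a breach of the merchant's order database yields nothing a fraudster can charge; the security of the scheme reduces to the access control around detokenize and the protection of the vault's storage.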

Multifactor Authentication

Definition/Description

Multifactor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.

Multifactor authentication combines two or more independent factors:

• Something you know (“knowledge”): For example, passwords, PINs, knowledge-based answers

• Something you have (“possession”): For example, card, bracelet, key fob, mobile phone

• Something you are (“inherence”): For example, fingerprint, voice, facial image

A system that depends on only one factor (e.g., a password) is vulnerable to fraud as soon as that factor leaks. MFA reduces that vulnerability by adding one or more independent factors, so that a stolen password alone is not enough.

A variation of MFA is “out-of-band” authentication, in which the factors travel over separate communication channels. A user-provided password entered in the browser combined with a one-time password generated by a hard token (or pushed to a registered phone) is an example of two factors delivered through different channels, so compromising one channel does not expose both.

Examples of MFA include:

• Swiping or inserting a card and entering a PIN.

• Logging into a website and being requested to enter an additional one-time password.

• Swiping/inserting a card, scanning a fingerprint, and answering a security question.

• Using a USB hardware token with a desktop computer to generate a one-time passcode, and using the one-time passcode to log into a VPN client.

• Using voice recognition on a phone call.

Applicability

With MFA, the customer is asked for two or more factors — typically a password (“something you know”) and at least one other factor. The additional factor or factors come from different sources, including:

“Something you have,” such as:

  • A one-time password delivered through SMS.
  • A one-time password delivered through a hard token — the hard token can be a separate device or embedded in a plastic card.
  • A one-time password delivered through an application.

“Something you are”: A biometric authentication, such as:

  • A fingerprint ID.
  • A face ID.
  • An iris scan.

Figure 1. Using Multifactor Authentication for Login

Multiple factors can be combined so that authentication is both convenient and safe; each additional independent factor raises the assurance behind a transaction.

Despite greater security, adding authentication factors increases the effort and time it takes to authenticate a user and authorize access. Using MFA trades off customer friction for increased security.

MFA techniques typically involve more than one party, such as an issuer and a vendor.

Some methods of sending the second factor are more secure than others.

Using SMS to deliver one-time passwords is vulnerable to interception and social engineering: codes can be read by malware on the phone or through weaknesses in carrier signalling, and an attacker who takes over the victim’s number with a SIM swap receives them directly. NIST flagged this in 2016, when the draft of Special Publication 800-63B deprecated SMS for out-of-band authentication; the final 2017 version classifies one-time codes delivered over the public switched telephone network (SMS or voice) as a “restricted” authenticator because of the risk of interception or spoofing, and requires organizations that still use them to assess that risk and offer an alternative.

App-based second-factor generators are more secure: a TOTP app computes each code locally from a shared secret enrolled at setup, so no code crosses a network where it could be intercepted. Customers must have the enrolled device on hand, and the method is not invulnerable: the shared secret can be extracted from a compromised or cloned device, and a code typed into a convincing phishing page can be relayed to the real site within its short validity window.

Hardware tokens can be even more secure. However, they are costly and can be misplaced by customers.

Biometrics are convenient, but a fingerprint or face cannot be reissued the way a password can, so a compromised biometric template eliminates that factor permanently. Given these residual risks, MFA is most effective as one layer of a layered approach rather than as the sole control.

Customer Impact/Level of Friction

All MFA methods involve some customer friction. The amount depends on the method used. Using a hardware token, for example, causes significant friction. If a time limit is required for use, the friction can be greater. Biometric authentication generally causes much less friction.

Implementation Considerations

As with customer friction, implementation difficulty depends on the MFA method used. Using a password plus a one-time password delivered via SMS is relatively easy to implement. Offering hard tokens or implementing biometrics generally requires significantly more time and resources.

Conclusion

The best way to unlock the benefits of MFA while delivering a good user experience is to combine the approaches described here with a capable session manager. More generally, a secure mainframe is best achieved by using a range of best-of-breed technology, expertise, and professional services. Implementing MFA as part of your security journey gives you a valuable way to mitigate risk, avoid costs, and meet regulatory and audit requirements.
