Australia Battles Fraudulent Online PurchasesE-Commerce Payment Card Fraud Is Rising
There's bad news in Australia when it comes to payment card fraud: It's growing.
See Also: Tools and Tactics for Modern Crimeware
The biggest source of that fraud is online payments made without the physical card, or card-not-present fraud. That's due to fraudsters re-using stolen payment card details.
CNP fraud in Australia totaled AU$476.3 million (US$350.6 million) last year, up 13.9 percent from 2016, according to a report released Wednesday by the Australian Payments Network, an industry group that collects payments statistics. The figure has risen annually since 2012, when it was $183.1 million.
The 2017, CNP fraud figure accounted for 85 percent of all fraud on Australian cards, which totaled $561 million.
Even if the percentage of CNP fraud stays flat, the raw loss figure will likely still grow because e-commerce continues to grow, says Giselle Lindley, a principal fraud consultant for Asia and Pacific with ACI Worldwide. Criminal activity has shifted away from counterfeit cards and skimming, she says.
"For those of us who have been in the fraud risk management business for long enough, it is no surprise at all that we are seeing significant growth in online card fraud," Lindley says.
Following the Pattern
The increase in CNP fraud follows a well-known pattern. As countries have moved to EMV-enabled chip cards, in-person fraud at ATMs and merchants has become vastly more difficult. The embedded microchip in the card is used to verify a transaction, ensuring that the card hasn't been cloned. That means that card details can't simply be encoded onto the magnetic stripe of a dummy card and used, for example, in an ATM machine.
A bright spot in AusPayNet's report is that skimming and counterfeit fraud registered just $30.9 million, down nearly 48 percent from 2016.
"The industry has been very proactive. We are working together to combat card-not-present fraud."
—Leila Fourie, AusPayNet
As a result, fraudsters have migrated to using card details stolen in breaches online. Financial institutions and payments vendors have developed sophisticated risk modeling and analytics programs in an attempt to flag fraudulent purchase attempts, but the systems aren't perfect.
To combat CNP, AusPayNet is developing a framework with recommendations for how merchants, payments companies and financial institutions can reduce CNP fraud, says Leila Fourie, AusPayNet's CEO. The effort is centered on risk-based authentication methods that minimize friction with online shoppers, she says.
"The industry has been very proactive," Fourie says. "We are working together to combat card-not-present fraud."
Provenance of Data
Moves to introduce stronger security measures while using cards online have been met with opposition. Merchants fear overly intrusive security steps will cause shoppers to abandon their carts, says Stephen Wilson, managing director of Lockstep Technologies.
It's a complicated issue because the convenience vs. security trade-off is stark with online payments, Wilson says. Security methods such as Verified by Visa and Mastercard's SecureCode prompted shoppers to enter another piece of data. such as a password or passcode.
But those security methods were criticized because the pop-up windows were off-putting, especially because consumers had been repeatedly advised against entering personal information into unexpected forms, Wilson says. Plus, attackers could potentially harvest that data through phishing attempts.
The security methods also didn't solve the actual problem, Wilson says. "The problem is the provenance of data. You can't tell the difference between stolen numbers and original numbers online," he says.
The best solution is a system where card details can be digitally signed by a shopper with a private key, Wilson contends. Initiatives are underway to make web payments more secure, including efforts by the W3C's Web Payments Working Group and the FIDO Alliance, he notes.
In the meantime, Fourie says AusPayNet is recommending that merchants and financial institutions adopted a risk-based approach, stepping up security in certain scenarios.
For example, additional authentication steps could be imposed for high-value transactions or those initiated from an unusual locale, tapping into device data and location data.
Users could also be prompted to enter a one-time PIN or use a biometric verification method via one of their devices. There are also plans to bring back a revamped version of 3-D Secure, which is now being developed by EMV Co.
"The idea is that merchants and issuers will have a range of tools available to them to better authenticate the customer and to reduce fraud," Fourie says.
Also, AusPayNet's framework recommends that merchants or other entities that hold card data can tokenize it, which reduces the chance that a data breach would result in access to usable data.
Lindley of ACI Worldwide says that there's no silver bullet to solving the e-commerce fraud problem, but a combination of security technologies can help achieve the delicate balance between security and customer experience.
"Those doing this well are utilizing artificial intelligence and machine learning models to take the heavy lifting off maintaining relevant fraud detection strategies in a payments ecosystem where change is moving at a faster pace than ever," she says.