Fraud Prevention Archives - Page 2 of 3 - Digital Payments, Payment Security and Lending

The Comprehensive Guide to Secure Digital Transactions with 3D Secure

Ravi Battula / May 28, 2024

Have you ever wondered how your online card transactions, whether domestic or international, result in a seamless shopping experience without concerns about merchant credentials, card data security, or delivery issues? The answer lies in EMV 3DS (3D Secure). This protocol is noticeable on the payment checkout pages of online merchants and at Point of Sale (PoS) terminals. What is 3D Secure (3DS)? 3D Secure (3DS) is a payments protocol that facilitates card transactions (credit, debit, prepaid, gift) at PoS or online globally. It ensures that any cardholder from any bank can seamlessly transact with any merchant acquirer worldwide. The three domains involved in a 3D Secure transaction are: 1. Acquirer Domain (Merchant’s Bank) 2. Issuer Domain (Cardholder’s Bank) 3. Card Network Domain How 3D Secure Works? During the checkout process, when you enter your card details online or swipe your card at a PoS terminal, the merchant/acquirer domain resolves the issuing bank. This process links to the cardholder’s account details, prompting the user to enter a one-time passcode (OTP) sent to their registered mobile device or email. This authentication step verifies the transaction’s legitimacy, adding a layer of protection against unauthorized use. The latest version, 3D Secure 2.0, incorporates advanced risk-based authentication and supports multi-factor authentication, including biometrics, enhancing both security and user experience. Why to invest in 3D Secure? While some businesses may view the implementation of 3D Secure as an additional cost, it is a strategic investment with substantial long-term benefits. Implementing 3D Secure can reduce chargeback fees, fraud-related losses, and dispute resolution expenses. Additionally, providing a secure online shopping experience builds customer confidence, leading to increased sales, loyalty, and trust. The Role of 3D Secure in Fraud Prevention Fraud is a significant concern for businesses, prompting the adoption of advanced authentication protocols like 3D Secure. Originally developed by Visa as “Verified by Visa” and later adopted by Mastercard as “Mastercard SecureCode,” 3D Secure adds an extra security layer to online transactions. By incorporating additional authentication steps, 3D Secure reduces the risk of unauthorized transactions, lowers chargeback rates, and enhances customer trust. Wibmo’s Innovative Solutions for Secure Transactions Wibmo addresses secure digital transaction challenges with its EMVCo-approved EMV® 3DS Server and SDK. Designed for Android and iOS platforms, these solutions enhance transaction security and reduce chargeback risks. The EMV® 3DS Server integrates the latest security protocols, while the SDK supports seamless transaction flows and comprehensive device data collection. According to recent surveys, fraud rates have increased by 15% in the past year, with identity theft, fraudulent payment schemes, and unauthorized transactions being common risks. These illicit activities can cause significant financial losses, damage reputations, and disrupt corporate operations. Advanced authentication protocols like 3D Secure, combined with a thorough understanding of fraud’s true impact, enable businesses to strengthen their defenses and protect against evolving digital threats. Understanding the True Cost of Fraud Fraud’s financial impact goes beyond immediate monetary losses. It includes stolen funds, chargeback fees, legal consequences, and reputational damage, which can tarnish a company’s image, lead to customer loss, and generate negative reviews. Addressing fraud effectively requires recognizing these multifaceted repercussions and implementing robust security measures. By understanding and leveraging 3D Secure, businesses can ensure a secure, seamless, and customer-friendly payment experience, fostering trust and driving growth in the digital economy. Key Features of Wibmo’s 3-D Secure solution (SDK, Server) – EMVCo Certification for Security Assurance – Seamless Transaction Flow Support – Versatile UI Support (Native and HTML) – Cutting-Edge Security Protocols – Flexible Hosting Solutions (Cloud or On-Premises) – And More! Benefits of 3DS Server Implementation – Elevated Security Standards through MFA (Multi factor Authentication) support – Effortless Regulatory Compliance – Frictionless Transaction Experience – Comprehensive Device Data Security – Simplified Integration – And More! Investing in 3D Secure is not just a prudent decision; it’s a strategic imperative for businesses aiming to thrive in the digital era. By prioritizing transaction security and customer trust, businesses can lay the foundation for sustained success in the digital realm. Secure your transactions, invest in 3D Secure, and embark on a journey toward a future where digital payments are synonymous with safety, reliability, and seamless experiences. Keep an eye on how Wibmo’s robust 3D Secure can help you achieve everything to fight fraud. To know more about Wibmo’s 3-D Secure solution, you can write to [email protected]. Author: Ravi Battula, Head of Payment Security & Merchant Acquisition Business Wibmo A PayU/Naspers FinTech Company 3D Secure, Digital Payment, Fraud Prevention, Secure Payment

Tech Bytes

Navigating the Digital Fraud Landscape: How Wibmo’s Trident FRM Empowers Merchants to Combat Fraud and Enhance Customer Trust

Animesh Jha / April 19, 2024

The Evolving Landscape of Digital FraudFrom phishing scams to elaborate whaling tactics, digital fraud has become increasingly sophisticated, posing significant threats to both consumers and merchants. Fraudsters adeptly exploit vulnerabilities and leverage stolen data to infiltrate webstores, perpetrating fraudulent activities with alarming ease. The Merchant DilemmaFor merchants, the prevalence of digital fraud presents a formidable challenge. Distinguishing genuine customers from fraudulent ones requires meticulous scrutiny, potentially introducing friction into the checkout process. However, striking the right balance between security and user experience is paramount, as excessive checks can deter consumers accustomed to seamless, one-click purchasing. Trident Fraud Risk Management (FRM) by WibmoIn response to the escalating threat landscape, Wibmo presents Trident FRM, a groundbreaking solution poised to revolutionize digital identity validation and verification. With real-time payments gaining prominence, the ability to swiftly discern between legitimate customers and bad actors has become indispensable. The Multilayered Approach of Trident FRMTrident FRM adopts a multilayered approach to fraud orchestration, leveraging cutting-edge technology and advanced analytics to accurately ascertain digital identities while maintaining efficiency and security. By seamlessly integrating with existing systems, Trident FRM establishes a framework of trust and security, empowering merchants to embrace real-time payments with confidence. Comprehensive Insights Across the Customer JourneyBeyond transactional validation, Trident FRM offers insights that span the entire customer journey. From initial discovery to final delivery, Trident FRM provides comprehensive coverage, mitigating risks and enhancing trust at every touchpoint. Empowering Merchants in a Fraught LandscapeIn a landscape fraught with fraudulent activities, Trident FRM emerges as a beacon of resilience and reliability, equipping merchants with the tools needed to navigate digital commerce with confidence. With Trident FRM, merchants can unlock new possibilities, safeguarding their businesses against fraud while fostering seamless, secure shopper experiences. Key Considerations for MerchantsAs merchants navigate the complex realm of fraud prevention solutions, several key considerations must be taken into account: — Accessibility to a robust ecosystem of security partners and technologies. — Enhanced visibility and access to industry-wide intelligence. — Flexibility and scalability to align with evolving business needs. — Option for a trial period to evaluate efficacy before commitment. — Complementarity with existing anti-fraud investments and optimization of ROI. — Provision of performance guarantees and benchmarks for reliability and efficacy. — Adaptive machine learning capabilities responsive to evolving fraud tactics. — Evaluation of true costs and benefits, including potential revenue loss from false declines. — Complementarity with authentication efforts, particularly in the era of 3D Secure. Merchant Fraud Facts and StatisticsAccording to the 2023 MRC Global Payments and Fraud Report, merchant fraud continues to pose significant challenges, with 71% of merchants experiencing an increase in fraud attempts over the past year. Additionally, the report highlights that false declines cost merchants an estimated $443 billion in potential sales annually, underscoring the importance of striking the right balance between fraud prevention and user experience. Furthermore, research by Juniper Research forecasts that global online payment fraud losses will exceed $20 billion by 2024, highlighting the urgent need for robust fraud prevention measures in the digital commerce landscape. In this context, solutions like Trident FRM play a crucial role in mitigating fraud risks and safeguarding merchants against financial losses. With digital commerce continuing to expand rapidly, merchants must prioritize fraud prevention strategies that not only protect their businesses but also enhance the overall shopping experience for consumers. Through innovative solutions like Trident FRM, merchants can navigate the complexities of digital fraud with confidence, ensuring the integrity and security of their online transactions. Author: Animesh Jha, Vice President — Fraud & Risk Management Wibmo A PayU/Naspers FinTech Company 'Ecommerce'], 'Fraud Detection'], 'Fraud Prevention', 'Merchant Services', ['Digital Frauds'

Reading List, Stories

Unveiling the Unseen: eCommerce Fraud Prevention Secrets You Need to Know

Animesh Jha / December 14, 2023

As the popularity of eCommerce grows, so does the risk of fraud targeting online firms. The digital sphere offers enormous prospects for expansion, but it also attracts clever fraudsters looking to exploit flaws in payment systems and transactions. In this blog article, we’ll delve into the lesser-known parts of eCommerce fraud prevention, revealing the methods, technologies, and best practices that may protect your business and foster client trust. The Evolving Landscape of eCommerce Fraud eCommerce fraud comes in various forms, from stolen credit card information and account takeovers to sophisticated phishing attacks. As businesses adapt to new technologies and consumer preferences, fraudsters adjust their tactics accordingly. Understanding the dynamic nature of eCommerce fraud is the first step toward building a resilient prevention strategy. Account Takeovers (ATO): ATO occurs when fraudsters gain unauthorized access to customer accounts. This can lead to unauthorized purchases, misuse of stored payment information, and identity theft. Preventing ATO requires robust authentication mechanisms, including multi-factor authentication and behavioural analytics. Card-Not-Present (CNP) Fraud: With the rise of online shopping, CNP fraud has become a significant concern. Fraudsters use stolen card details to make online purchases where the physical card is not required. Address Verification System (AVS), 3D Secure, and machine learning algorithms are essential tools for preventing CNP fraud. Friendly Fraud: Contrary to its name, friendly fraud is far from friendly. It occurs when a legitimate cardholder disputes a transaction, often claiming they didn’t make the purchase. Friendly fraud can be mitigated by clear communication, transparent billing descriptors, and comprehensive transaction records. Synthetic Identity Fraud: Synthetic identity fraud involves creating fake identities using a combination of real and fictitious information. These synthetic identities are then used to open accounts and make fraudulent transactions. Advanced identity verification methods and data analysis are crucial for detecting synthetic identity fraud. eCommerce Fraud Prevention Strategies Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security by requiring users to provide multiple forms of identification. This could include passwords, biometric data, or one-time passcodes, significantly reducing the risk of unauthorized access. Machine Learning and Artificial Intelligence (AI): Leveraging machine learning and AI enables real-time analysis of vast datasets to identify patterns and anomalies indicative of fraudulent activities. These technologies continually learn and adapt to new fraud tactics, staying one step ahead of cybercriminals. Geolocation and Device Fingerprinting: Examining the geolocation of transactions and creating unique device fingerprints help in detecting suspicious activities. Unusual transaction locations or device behaviors can trigger alerts for further investigation. Behavioral Analytics: Analyzing user behavior helps create a baseline for normal activity. Deviations from this baseline, such as sudden changes in spending patterns or the use of unfamiliar devices, can be indicative of fraudulent behavior. Real-Time Transaction Monitoring: Implementing real-time monitoring systems allows businesses to spot and respond to suspicious transactions instantly. Automated alerts can be set up to trigger when certain criteria associated with fraud risk are met. 3D Secure Authentication: 3D Secure is an additional layer of security for online credit and debit card transactions. It adds an extra step of authentication, often requiring a one-time passcode sent to the cardholder’s mobile device, enhancing the security of online transactions. Fraud Scoring Systems: Employing fraud scoring systems assigns a risk score to each transaction based on various parameters. Transactions with high-risk scores can be subjected to additional scrutiny or declined altogether. Customer Education: Educating customers about safe online practices, secure password management, and recognizing phishing attempts can significantly reduce the risk of account takeovers and fraud. Clear communication builds a sense of security and trust. Best Practices for eCommerce Fraud Prevention Regularly Update Security Protocols: Stay ahead of evolving fraud tactics by regularly updating and enhancing your security protocols. This includes adopting the latest encryption standards, security patches, and fraud prevention technologies. Secure Payment Gateways: Choose reputable and secure payment gateways that prioritize the protection of sensitive customer data. Secure Sockets Layer (SSL) encryption is fundamental for securing online transactions. Monitor Chargeback Rates: High chargeback rates can be indicative of fraud or customer dissatisfaction. Monitoring chargeback rates allows businesses to identify and address issues promptly. Data Encryption: Implement end-to-end encryption to safeguard customer data throughout the entire transaction process. This ensures that even if intercepted, sensitive information remains unreadable. Regularly Train Staff: Educate your staff on the latest fraud trends, prevention techniques, and the importance of adhering to security protocols. An informed and vigilant team is an essential component of your fraud prevention strategy. Implement Device Authentication: Device authentication ensures that transactions are initiated from trusted and recognized devices. Unfamiliar devices may trigger additional verification steps to confirm the legitimacy of the transaction. Bottomline As eCommerce continues to thrive, so does the need for robust fraud prevention measures. By understanding the evolving landscape of eCommerce fraud, implementing cutting-edge technologies, and adopting best practices, businesses can significantly reduce the risk of falling victim to cybercriminals. A comprehensive fraud prevention strategy not only protects the business but also fosters trust and confidence among customers, contributing to long-term success in the dynamic world of online commerce. Stay informed, stay secure, and empower your eCommerce venture to flourish in the digital age. Author: Animesh Jha, Vice President, Engineering — Fraud & Risk Management Wibmo A PayU/Naspers FinTech Company Ecommerce, Fraud Prevention, Online Fraud, Online Fraud Detection, Online Payment Fraud

Reading List

Browser Fingerprinting- Part 2

Vaibhav Chandel / June 16, 2023

Are you all set to find out more about browser fingerprinting? We bring you Part 2 of this series. Types of Fingerprinting Techniques: Canvas Fingerprinting: The browser fingerprinting technique uses the HTML5 canvas element to identify variances in a user’s GPU, graphics drivers, or graphics card. Steps- First, the script draws an image, often overlaid with text. Then, the script captures how the user’s web browser has rendered the image and text. Naturally, every device with different hardware and drivers will render the image slightly differently, distorting its colour and shape. A hash is then computed using the rendered image’s data, which serves as the ‘canvas fingerprint.” The scripts used for canvas fingerprinting operate in the background to keep the user from realizing that the fingerprinting is occurring. This fingerprinting technique is accurate and not too processing-intensive, making it one of the most commonly employed script techniques. The visitor’s specific browser and device render images, which can be narrowed down to a pool of fewer than 0.01% of total visitors. WebGL Fingerprinting: WebGL fingerprinting is very similar to Canvas fingerprinting, as they both use the browser to render images off-screen. The WebGL API can be used to render 3D forms in the browser. With the help of the three.js JavaScript library, many 3D forms can be rendered, such as Sphere Cube Precomposed geometric shapes The test is not that reliable because it is too sensitive to changes in the environment, such as the size of the browser window or the use of the browser console. These changes caused the dimensions of the rendering context to be updated, which resulted in different rendering results when the page was reloaded. The methodology is still to use images to distinguish users based on their graphics drivers and device hardware. Media Device Fingerprinting: This technique uncovers a list of all the connected media devices and their respective IDs on a user’s laptop or PC. This includes all internal media components like video cards and audio cards, as well as all connected or linked devices like headphones. Media device fingerprinting is not widely used for fingerprinting functions. This is because it requires the user to grant access to their microphone and camera to get a complete list of connected devices. Audio Fingerprinting: While other fingerprinting techniques force browsers to render a text or image, this technique checks how their devices play sound. The browser vendor and version used impact minute differences in sound waves generated by a digital oscillator and differences in CPU architecture. Clock Skew: Clock skew is a measure that can be used to identify the hardware specifications of a machine by analyzing the uneven arrival of electrical signals from a clock generator at different components. These differences can be affected by temperature variations in the hardware and can be analyzed with sufficient data and numerical analysis. This is considered an extreme measure in the field of fingerprinting. Browser fingerprinting workflow: Utilizing browser fingerprinting for authentication during payments as an additional layer of security and protection against fraud is helpful, but it has to be coupled with a two-factor authentication process. Two-factor authentication involves verifying a user’s identity using two different methods, such as a password and a fingerprint or a code sent to their mobile device. By adding browser fingerprinting as a third factor, Wibmo’s Trident FRM solution uses canvas fingerprinting and creates a more secure and reliable payment authentication process. It is important to ensure that proper privacy protections and data security measures are in place, as browser fingerprinting data is unique to each user and can be used to track and identify individuals across different websites and devices. Additionally, it’s important to comply with data privacy regulations such as GDPR, CCPA, and the upcoming Digital Personal Data Protection Bill when collecting and storing browser fingerprint data. Fingerprinting and Online Fraud Detection: Browser fingerprinting techniques can be useful for identifying and targeting visitors with a pattern of fraudulent behaviour on a website. These techniques can be particularly effective in identifying users who use identity concealing techniques such as disabling cookies, using a VPN, or browsing in incognito mode. 1.In cases of account takeover, where malicious users try to hack a legitimate user’s account, fingerprinting and other user identification technologies can be used to add additional security measures to the login process for suspicious traffic only. 2.To prevent brute force or bot attacks, it is best practice to require users to solve a CAPTCHA after a certain number of failed login attempts and to lock out the user for a set time after a certain number of attempts, as such attacks often rely on automation and thus may not have the unique browser configurations of genuine users. a. Browser fingerprinting can detect bots through their unusual browser configurations. b. Multiple login attempts with the same fingerprint can signal a brute-force attack. c. Bots that either lack a unique fingerprint or use identical fingerprints can be spotted and investigated. d. It can improve CAPTCHA systems by triggering a CAPTCHA when a fingerprint is linked to suspicious activity. 3.For phishing scams, requiring email or two-factor authentication for new fingerprints attempting to log in and blocking repeatedly visited fingerprints can also be effective measures. Conclusion: Limitations and current scenario of browser fingerprinting: Author: Vaibhav Chandel, Product Manager Wibmo A PayU/Naspers FinTech Company BaaS

Reading List, Stories

BIN Attack Fraud

Wibmo / June 1, 2023

Card not present (CNP) transactions are those where the purchase is made without presenting the physical card to the merchant at the point of sale. As more and more physical stores are using EMV-compliant terminals, Javelin Strategy & Research credit card fraud statistics report that card-not-present fraud is now 81% more likely to happen than card-present fraud. Card-not-present transactions can be done via online merchants, telephone orders, or mail. There are various modus operandi to commit CNP fraud, such as account takeover using phishing scams, malware infection to capture keystrokes, or friendly fraud. In such scenarios, the cardholder is involved in the fraud, and it is kind of a personalised attack. However, today we will talk about an impersonal attack where a fraudster exploits a BIN (bank identification number) and uses distributed computing power to automatically generate the remaining numbers and test these combinations to see which card numbers are correct and if the cards are active. This kind of attack is called BIN attack fraud. The subtlety of BIN Attack fraud is that it does not involve any data breach or ID theft; it is just a pure random coincidence that a victim’s card number is chosen. The compromised cards can have a significant impact on issuing banks in terms of chargebacks, call c entre volume spikes, and re-issuance expenses. Furthermore, any cardholder disruption or friction during this tenure leads to a loss of interchange revenues. The damage to the bank’s reputation could lead to cardholders switching the bank’s services to another, more secure bank. A merchant involved in BIN attack fraud faces increased disputes or chargebacks, additional fees, and regulatory fines. Depending on the nature of the attack and risk profile, the acquiring bank may choose to suspend support for the merchant’s site. The cardholder’s bank may restrict purchases from your site, resulting in further financial losses. Refunding any fraudulent transactions is an operational challenge, not to mention the reputational loss. Thus, BIN attack fraud is a problem both for issuers and merchants. Preventing a BIN Attack Fraud To prevent BIN attack fraud, the merchant or the issuing bank can deploy a few techniques: Enable 3D security. The latest version of EMV 3DS 2.x is an additional security layer for online credit and debit card transactions that aims to achieve a balance between security and user convenience. As a merchant, enable a CAPTCHA test to tell humans and bots apart. While this may create friction for genuine customers, it’s an effective deterrent against BOT scripts. Deploy an anti-fraud solution that can look at many aspects and block transactions or alert your fraud analyst. A good anti-fraud solution should have: Ability to spot multiple low-value transactions (unusually low for the merchant’s business). Multiple declines within a short period The timing of transactions may be unusual for the merchant, business, or cardholder. A large number of transactions from the same BIN were attempted in a short period of time (a few seconds apart). IP Velocity Checks: Even though these days, through proxy and spoofing, fraudsters can make it seem that the transactions are coming from different IPs, Use an anti-fraud solution that deploys good device fingerprinting techniques to solve this issue, as fingerprinting is impervious to IP proxies. Unusually large volume of international transactions for a given merchant or for a cardholder. Look for patterns, cards with sequential numbers, the same card number but different expiration dates, or CVV codes. Ability to create a profile for the merchant and cardholder and alert in case of any significant deviations. There are a few additional measures that the industry could take, such as creating advisory, actionable intelligence, and a listing of sites that anti-fraud tools can take advantage of. EMV 3DS 2.x allows merchants and acquirers to do a risk assessment prior to making an EMV 3DS authentication call to the issuer. A combined risk assessment from both the acquiring and issuing sides acts as a strong deterrent to fraudsters. Both issuers and acquirers can pool their intelligence and create a shared intelligence pool of fraud markings to identify common points of fraud. Information on declines on the switch side during authorization when fed into 3DS authentication ACS gives actionable intelligence to anti-fraud tools. BIN attack fraud is still a crude brute-force attack vector that is detectable, and preventive measures can be taken to interrupt it. A well-informed merchant and bank implementing a defensive anti-fraud solution that keeps itself abreast of the latest advisories combined with continuous monitoring of anomalous behaviour can stay a step ahead of this kind of fraudulent attack. Author: Ajit Nair, Director Product Management Wibmo A PayU/Naspers FinTech Company Cnp, Fraud, Fraud Prevention, Payment Fraud, Payments

Industry Insights, Product, Reading List

UPI Fraud Trends and Their Possible Mitigation

Sujit Kumar Mahato / March 16, 2023

With over 2 billion transactions worth over INR 4.5 trillion processed every month, India’s United Payment Interface (UPI) has revolutionized the digital payment ecosystem. UPI has been emerging as the most preferred payment method among Indians. However, at the same time, we are witnessing a rise in fraudulent transactions in recent times. A total of 1,46,495 unified payments interface (UPI) fraudulent activities were reported on the National Cybercrime Reporting Portal (NCRP) during the first and second quarters of 2022, as per the Ministry of Home Affairs (MHA). Up until now, banks and financial institutions have predominantly relied on educating consumers against fraud. But, in cases of fraud, the consumer is at the mercy of the grievance process, which adversely affects the consumer experience and dents customer loyalty. Fraud Trends and Their Possible Mitigation Impersonating Sellers and Customer Care It is more of a habit to google customer care contacts when facing issues with our online purchases. Fraudsters are flooding the internet with fake customer care details to lure in consumers. After gaining the trust of gullible customers over the phone, refund collect requests are shared via QR codes, SMS links, and so on. Financial institutions can integrate with technological solutions that detect and alert the customer in the event that a payment is made over the phone. Spoofed VPA IDs In the name of disaster relief or support, fraudsters created multiple spoofed VPA IDs that are remarkably similar to the original ones. In recent times, we witnessed an unprecedented rise in VPA IDs, similar to the PM Cares Fund. Maintaining a list of suspicious keywords such as support, relief, care, disaster, army, minister,” etc. and running risk rules over transactions being made to VPA IDs containing high-risk keywords have the potential to curb fraudulent transactions. Screen mirroring apps and malware Through malicious links, fraudsters get consumers to download screen-sharing or remote-access apps or malware. Once installed, the fraudster gains access to confidential UPI details, which are then used in combination with other modus operandi, such as SIM-swapping. Payment apps should have the capability to detect potential malicious apps already downloaded on the device and restrict payments from going through. Collect Request Through classified ads, fraudsters initiate conversation with sellers they are impersonating as potential buyers. Creating a sense of urgency, the fraudster intends to make a quick payment without much negotiation and sends a collect request, sometimes in the form of a QR code. The VPA IDs used by fraudsters are generally gibberish and at times have numbers or alphabets in sequence. Banks or financial institutions’ apps should have the capability to detect such patterns on beneficiary VPA handles. UPI has made digital payments more accessible and convenient for millions of people in India, and it is expected to continue to play a significant role in India’s digital payments ecosystem in the coming years. With continued efforts of educating consumers against frauds, banks and financial institutions should leverage the technological advancements against the mushrooming UPI frauds. Author: Sujit Kumar Mahato, Product Manager Wibmo A PayU/Naspers FinTech Company BaaS

Industry Insights, Reading List

Moving beyond SMS OTP Authentication

Sujit Kumar Mahato / November 10, 2022

If you have ever transacted or purchased online, you must have come across the OTP Authentication. The system-generated code delivered through SMS on your device serves as a verification of the claim that you are the actual owner of the device as well as the account/card/wallet through which the transaction is initiated. The authentication or verification of our identity as who we claim ourselves to be is a part of our day-to-day lives. Be it checking in at the airport or going past the security desk of an office, though we identify ourselves with our name, we authenticate ourselves with some other form of ID card. With growing security concerns, both in the physical and digital worlds, authentication methods have evolved not only to protect but also to provide a seamless experience to users. The ways in which one can be authenticated fall into three categories: · Knowledge: Something the user knows (eg. Password) · Ownership: Something the user has (eg. ID card) · Inherence: Something the user is (eg. Fingerprint) The above categories are referred as the Authentication Factors and the use of the number of factors in an authentication process derives its name. · Single-factor Authentication: Requires providing only one piece of verifiable information such as a password · Two-factor Authentication(2FA): Requires providing two pieces of verifiable information such as a password and then proof of possession of their smartphone (through an SMS OTP delivered on that device) · Multi-factor Authentication: Required to provide two or more pieces of verifiable information. As in the case of 2FA, where two categories (factors) of information are required, it is also considered an MFA. The idea of an OTP was first suggested in the 1980s by Leslie Lamport. With growing attacks and increasing authentication requirements, many patented OTP algorithms were developed. Today, OTPs are synonymous with two-factor authentication and are thought to augment existing passwords with an extra layer of security. Yet, fraudsters manage to circumvent it every day. SIM SWAP: In this scenario, a fraudster uses the stolen identity (name, email, government ID, etc.) to trick a mobile service provider into issuing a new SIM card for an existing phone number. Once the new SIM card is active, the original SIM card will be shut down, and the fraudster will try to gain access to the user’s financial application. Once the fraudster has gained access, the last line of defense—2FA or SMS OTP, is compromised. JAILBREAK or ROOT: Removing software restrictions put in place by manufacturers, to gain full access to the device’s operating system is called “jailbreaking” for iOS and “rooting” for the Android operating system. Generally, it is aimed at customizing the user experience or gaining access to a greater variety of unofficial apps. Jailbroken and rooted devices are susceptible to malware and viruses due to the weakened built-in security features of the devices. This eliminates security controls made by the manufacturer, which enables hackers to steal personal information, attack the network, or introduce malware, spyware, or viruses to circumvent the authentication measures in place. Investigating the feasibility of implementing a code by financial institutions that checks if the device is rooted or jailbroken prior to the installation of the mobile application and disallows the mobile application to install or function if the phone is rooted or jailbroken, can save its customers from possible fraud. Increasing layers of security is not a feasible solution for financial institutions when consumers prefer speed and convenience, even when it comes to accessing financial services online. User experience has become one of the determining factors when it comes to user adoption in any industry globally. Not receiving an SMS OTP, is one of the most painful experiences one can have as a user. Latency, in addition to the SMS cost, is a challenge for financial institutions in the exponentially growing digital era. Maintaining a balance between fighting fraud and improving the consumer experience is a challenge. Leveraging inherence-based authentication, such as biometrics, or ownership-based authentication, such as push notifications on the registered device, are some of the authentication measures that cater to both security and the consumer experience. Technological solutions with multiple authentication measures other than SMS OTPs and device binding are the way forward for providing a delightful customer experience without compromising security. Author: Sujit Kumar Mahato, Product Manager Wibmo A PayU/Naspers FinTech Company Authentication, Fraud Prevention, Global Digital Payments, Payments

Reading List, Stories

True Cost of Combating Payment Frauds

Sujit Kumar Mahato / September 14, 2022

A quick recap of major players involved in payment transactions : 1. Customer 2. Issuer Bank — holding the customer’s bank account 3. Payment Networks — Visa, Mastercard, NPCI, etc 4. Merchant 5. Acquirer Bank — holding the merchant’s bank account In simple terms, Payments Fraud is the one where someone made unauthorized payments/purchases. Though the liability of fraud differs(customer/merchant/banks etc) on a case-to-case basis, someone in the payment system has to finally bare the brunt and mark the money as lost in their respective books. Fraud is a global issue that affects not only individuals but also organizations — merchants, banks, insurance companies, and who so ever is dealing with payments. Payments frauds have been crippling every country across the globe and according to recent studies, the epidemic of payment fraud has been growing over the recent years. When it comes to payments, there are 2 major elements – 1. FALSE NEGATIVE — when an act of fraud goes undetected and through the payment system 2. FALSE POSITIVE — when a faulty fraud detection system blocks a legitimate transaction. Anti-fraud solutions and fraudsters are caught in a cat-and-mouse game. Both have been leveraging technological innovations to meet their underlying need and eventually adding to the cost of combating fraud. Whenever we come across the term COST, our first thought is that it’s a mere cumulation of expenses incurred in producing or building a product or service. However, in financial terms, the cost is segregated into — Direct Cost and Indirect Cost. The majority of the time, indirect costs are neglected when it comes to deriving the actual cost of a project due to the difficulty associated with deriving a cost-effective methodology for the assignment of indirect costs. When it comes to defining the cost associated with fraud, organizations generally tend to consider the amount lost in the fraud process. These numbers are a significant percentage of the topline revenue. Moreover, it’s a concerning fact that even less than 20% of businesses are able to fully recover the amount from unauthorized transactions and other fraudulent activities. Apart from the obvious Direct Cost — fraud amount value — associated with the transaction, the Indirect Cost often goes unnoticed. Cost of Combating Fraud: Huge infrastructure and resources — manual as well as technological are deployed by organizations in payment authentication and authorization. The cumulative loss arising from both False Positive and False negative scenarios burn a larger hole in terms of operational efficiency. Cost to Reputation: Businesses incurs huge cost when it comes to building a reputation of trust through the marketing function which employs varied techniques to increase the perceived value of a product or service over time. Undetected frauds and consequent delays in grievance redressal often leave the customer/merchant with a bad experience with their respective banks and also with the payment entities involved in the process. Cost of declining Genuine transactions: High False positive rates can leave the customers/merchants frustrated. Organizations leave no stone unturned through sales and marketing and customer support to acquire and retain a customer. In the era of fierce competition, if one thinks Customer acquisition is hard, think about the retention of a frustrated customer. It is somewhat now possible to measure fraud and error losses but one needs to surely factor in the Indirect Costs in order to make a proper judgment about a proportionate level of investment to be made in reducing them through the deployment of anti-fraud tools. Direct costs associated with fraud are just the tip of the iceberg and give even less than half a picture of the menace lying underneath. Author: Sujit Kumar Mahato, Product Manager Wibmo A PayU/Naspers FinTech Company Anti Fraud Management, Digital Payment, Fraud Detection, Fraud Prevention, Online Payments

Reading List, Stories

Account Takeover Frauds- Adaptive Protection Approach

Sujit Kumar Mahato / August 31, 2022

Once a fraudster has gained access to an account, they eventually end with either or combination of the following : – Make fraudulent orders – Reload digital wallets – Use loyalty points – Sell the confirmed account – Extract customer data to sell The process of gaining access to a victim’s login credentials to steal funds or information is referred to as Account Takeover Fraud (ATO). Fraudsters can take over any account type — bank, e-commerce, etc and have multiple ways at their disposal to trick gullible victims. Account takeover fraud is not new, but it is becoming more common. In 2018, account takeover fraud losses totaled around $4 billion. By 2021, this figure had increased by more than 200%. (PaymentsJournal) Fraudsters are finding innovative ways to carry out their trade. Screen-sharing apps are one of the newest additions to their arsenal as more and more individuals adopted digital payments during the pandemic for daily transactions. These screen-sharing apps were developed with the intention to provide tech support using the screen-sharing feature. However, these apps are now being used by fraudsters to access the mobile devices of their targets and make transactions without waiting for victims to share OTPs. Often gullible consumers fall prey to fraudsters pretending as bank officials who create urgency on the pretext of account/card block and ask users to download screen-sharing apps for account retrieval. Once installed, fraudsters have a clear view of not only the account credentials but also the OTP messages received over the phone, and consumers eventually end up with debit messages of their hard-earned money. One of the growing concerns is that ATO frauds are happening through screen-sharing apps despite the constant efforts from government agencies and banks to educate consumers not to share sensitive financial information or download apps from suspicious sources. Apart from the recent Screen Sharing Apps, a few of the other methods deployed by fraudsters to conduct Account Takeover Fraud (ATO) are : – Phishing: Impersonating as representatives of well-known brands/ businesses, the fraudster persuades the individual to click on links that redirect to spoof websites or install malware that does the credential harvesting. – Credential Stuffing ( Brute-Force): Dark web provides bank account/card details at a cost as low as USD 15. Once the fraudster has sourced a list of stolen credentials from the Dark Web, bots are used to run automated scripts to guess the correct account password by making multiple login attempts with a different password each time Account takeovers can significantly damage customer trust and brand reputation. Often, businesses introduce tighter security measures and add verification steps, but too much of either can harm the user experience. The need of offering an experience that is welcoming to consumers and hostile to fraudsters can be addressed through an adaptive protection approach. Billions of transactions take place across the globe generating valuable data points which are utilized in the concept of adaptive protection and the ability to run through layers of controls in real-time — including consumer behaviors and network anomalies — to determine whether a user should be pushed through with no friction, declined or given an alternative experience. Differentiating between good users and fraudsters helps in avoiding account takeover fraud. Wibmo’s TRIDENT FRM, an enterprise fraud, and risk management solution, evaluate diverse data points across channels and devices for the risk associated with each transaction. Learning and adapting to evolving consumer behavior as well as fraud patterns, TRIDENT FRM helps to detect and predict fraud while ensuring a delightful user experience. Author: Sujit Kumar Mahato, Product Manager Wibmo A PayU/Naspers FinTech Company Account Takeover, Fraud Detection, Fraud Prevention, Online Payments

Reading List, Stories

RETURN FRAUD- The e-commerce way of Shop-Lifting

Sujit Kumar Mahato / August 24, 2022

The pandemic changed the way consumers shopped. A black swan event changed consumer behavior and Online shopping is one of the segments to reap benefits. The pandemic and the exponential growth in e-commerce forced traditional brick-and-mortar shops to adapt to the evolution. Pre-pandemic brick-and-mortar shops kept a cautious eye on shoplifters but the e-commerce boom came up with its own shoplifting nemesis, say Hello to RETURN FRAUD. Fraudsters abuse the retailer’s fraud policy which was actually created for customer delight and it’s the smaller e-retailers who bear the brunt of Refund Fraud. The modus operandi of Refund Frauds differs from traditional frauds as it takes place post transaction — once the goods have exchanged ownership from the merchant to the consumer. A thriving ecosystem, Fraud-as-a-Service (Professional Refunders) has come into place to support those who wish to take advantage of lax return policies without actually having to go through the process. Reddit and Discord channels are leveraged as promotional grounds for these Illegal Life Pro Tips (ILPT) Modus Operandi 1. Everything is legitimate during the online transaction. Fraud is initiated once the good is received by the consumer. 2. Consumer goes to a Professional Refunder who charges a percentage cut on the refund value. 3. Refunder impersonates the Consumer 4. Refunder initiates the escalation with the merchant and uses the PERFECTED METHODS to get a refund without returning the product. A few of the Perfected Methods : a) Substance Leak — With doctored images/videos refunders report hazardous breakage such as monitor capacitor leakage, or battery acid leakage, thus making the product legally un-shippable. b) Partially Empty Box — Generally used for tracked shipping where the package is claimed to have arrived but has missing components. c) Fake ID Tracking Numbers — A properly weighed package is returned back without the actual goods. The shipping address is doctored to a new but incorrect address. Refunder then initiates a return claim with the merchant — to whose naked eye the package appears to be shipped and delivered back. d) Blood or Maggots — Claiming of finding questionable substances (again, doctored images/videos) in the product received and thus a reason for why one can’t possibly handle the opened package. Refund Fraud not only is a concern to merchants but also runs a risk of putting consumers’ virtual assets at risk such as email, passwords, card details, etc — as refunders offer Fraud-as-a-Service, access to the buyer account. Apart from the complicated methods listed above employed by professional refund fraudsters, consumers, with a Robin Hood mentality, too are learning about refund fraud and executing Refund Fraud as : a) Bricking: A working item ( generally electronic items) is purchased with the intention to be returned after stripping down the valuable component and rendering the item eventually unusable. b) Wardrobing: Majorly observed with expensive clothing. An item is purchased, used, and eventually returned. c) Switch Fraud: Returning a previously owned defective or damaged identical item with the aim of cashing on to the refund. Be it the retailers or the e-retailers have a return policy in place but a fine balance needs to be maintained — neither overly complex nor overly relaxed. The process of refund dents a blow to the bottom line not only in terms of labor involved in the process but also in refurbishing the returned items. Trying to avoid Return Fraud by adding manual resources will be a mountain task in this era of data where organizations are sitting on a mountain of data as well as leveraging data from other sources. Multiple data enrichment tools provide services as quick reverse checks on multiple data points for instance email addresses. Current innovations in fraud detection software over the recent years have made it possible to curb the menace of fraud even with very little technical knowledge. Author: Sujit Kumar Mahato, Product Manager Wibmo A PayU/Naspers FinTech Company Fraud, Fraud Detection, Fraud Prevention, Return Fraud, Risk Management