Previous ArticleCashless gaming: a new era for how we pay to playNext ArticlePSD2 – a challenge or an opportunity?

Keeping step: fraud evolution

As soon as a new payments or currency-based instrument evolves, so too does a form of fraud to exploit it.

It’s 300 BC Greece, and a shipping merchant named Hegestratos is about to change the world. His attempt to con the insurers of a shipload of valuable goods – by sinking the boat but keeping the cargo, and claiming the loss anyway – is the first recorded instance of fraud in history. A trailblazing event in human society, and a harbinger of the financial arms race to come. 

In some ways, it’s surprising that it took someone so long to come up with the idea of commercial fraud. Mechanisms for distributing risk in monetary economies have existed since at least the 3rd millennium BC, when Chinese merchants developed sophisticated ways of distributing goods across multiple vessels to minimise losses in case of accidents at sea. Such systems led to insurance schemes that protected the owners of the goods in some ways, but they also threatened them in others – not least in creating opportunities for unscrupulous merchants to fake losses. So it seems unlikely that our man in Greece was actually the first person to commit commercial fraud. He was simply the first to get caught.*

He also set in stone one of the fundamental emergent properties of exchange-based economies. As soon as a new payments or currency-based instrument evolves, so too does a form of fraud to exploit it. Fraud is now so common, and so deeply ingrained in our collective experience, that consumers now take fraud for granted; they simply accept it as a fact of life.

Such acceptance hasn’t stopped us trying to solve the problem, of course. The latest smartphones now include face recognition algorithms that, in the case of Apple’s new iPhone X, have replaced conventional forms of biometric authentication. Much of this new technology works, at least within the limits of controlled test environments. But right now, it’s all addressing a problem that merchants are apparently not sufficiently addressing themselves. Evidence is growing that merchants are designing services primarily with convenience in mind, with security a secondary consideration; a fact that may be leading both to increased levels of fraudulent activity and increased levels of public acceptance of fraud. 

This is a hard problem to fix. The global merchant community is so diverse, and its customers so individual in their preferred payments approaches, that covering every base is problematic. Even card-not-present fraud – one of the oldest, most prevalent and best-understood varieties – remains problematic; while chip-and-pin has provided a strong defence, CNP fraud is still on the rise in some countries

Against that background, the potential threat of brand-new fraud mechanisms come even more starkly into focus. Initiatives such as PSD2, due to be enshrined in national law in EU states next week, will create many new opportunities for third parties as customer data becomes more widely accessible – not just for vendors and service providers, but for fraudsters too. So PSD2 regulations will also force merchants to adopt new procedures and methodologies to keep their customers safe. Exactly what this will entail remains shrouded in mystery for the time being – strong customer authentication (SCA) of some kind is a leading contender – but it seems likely that PSD2 will try to spread the regulatory burden across both issuers and merchants. 

One thing that does seem certain is that some of the quick-fix proposals being touted in the industry, particularly dynamic CVV and SMS-based authentication, are too clunky for both merchants and consumers, and won’t meet PSD2 standards in the long term. Whatever we come up with in our war against fraudsters, it will have to be something new. 

The good news is that some merchants such as Amazon and Apple are showing us that fraud reduction and friction reduction are not necessarily mutually exclusive. Their latest technologies – machine learning algorithms in the case of Amazon, facial recognition in Apple’s new iPhone X – illustrate that it really is possible for merchants to adopt technologies and strategies that defeat fraudsters without deterring shoppers. 

Not everyone can afford new iPhone X’s, of course, and Amazon’s proprietary fraud reduction algorithms are unlikely to be made available to the industry as a whole. But elsewhere, Mastercard and Visa are working on next-generation versions of 3D Secure technologies that are less irritating for both merchants and consumers, requiring fewer redirects and thus less interruption of the still-fragile online shopping process. And in time, the relentless march of technology will find other newer, better ways to protect every party in the transaction. 

Fraudsters will nonetheless find new ways to scam people. As one bubble is pushed down, so another will rise in response to the new tools and technologies. But as we approach 2018 and its hectic regulatory agenda – PSD2, GDPR and MiFID II, all within a few months of each other – it’s a good time to reflect on strategies that address the fine balance between safety and convenience. 

Scammers may not be sinking so many ships these days, but they’re still busy working on their next targets; a fact that is never far from our minds at Paysafe. We’re constantly helping merchants to protect themselves and their customers more effectively, and to understand the real scope of the threats and opportunities that they face as the payments landscape evolves. And in particular, we’re helping them manage their fraud protection strategies effectively, ensuring that they invest in the right measures – not just the popular ones based on received wisdom and old ideas. The millennia-old fraud arms race will undoubtedly continue; but thanks to Paysafe and the rest of the payments industry, the advantage increasingly lies with the good guys. 

For more insight into some of the most important fraud trends, download the Paysafe report: Lost in Transaction Volume II

* He may have been caught, but he was never convicted; Hegestratos drowned trying to evade the crew members who uncovered his cunning plan. A warning to scammers everywhere.