Harnessing technology to hold back a tide of online fraud

The COVID-19 pandemic has reshaped the modern economy to a degree that few would have predicted. Government-imposed lockdowns demanded that millions of people stay at home, accelerating a shift toward online shopping, entertainment, and news media.

As well as legitimate online activity, there’s also been an unprecedented opportunity for fraudsters and other unscrupulous cybercriminals to target unprepared businesses and individuals.

To safeguard sensitive payment data exchanged between businesses and consumers online, the now mandatory 3D Secure authentication protocol and Strong Customer Authentication (SCA) requirements, were put in place.

Research from Arkose Labs reveals an 85% year-on-year jump in online fraud. This figure comes from the 2022 State of Fraud and Account Security report, which analysed more than 150 billion transaction requests in over 254 countries and territories.

The world is devoting more time, money, and energy to the Internet than ever before. Likewise, there is very little reason to assume that this new wave of cybercrime is going to go away either, unless measures are put in place to slow it down.

The public is reluctant to abandon their newfound practices of digital payments and online data exchange. Internet sales, as a proportion of total retail sales, have been climbing fairly steadily since 2006. Branches of banks across the world are closing down, as customers make the switch to mobile banking. Major global businesses like Microsoft are touting the benefits of ‘hybrid’ working, which combines remote working and a traditional, centralised workplace. 

The ubiquity of Internet coverage has been a major contributor to online payments being ingrained in every aspect of our daily lives and offering consumers an easy way to spend their money. This is by design. When Amazon secured a patent for its game-changing ‘one-click’ ordering system, the company removed a barrier to purchase, and, thereby, gave itself a considerable competitive advantage. This is a trend that has continued right up to the present day; the fewer stages shoppers have to pass on the way to a purchase, the more likely they are to complete that purchase.

Older methods of preventing fraud, such as static passwords, have struggled to keep pace with the rapid technological shift. Closing transactions as quickly as possible presents a bottleneck: personal credentials often must be stored where they can be easily retrieved – not only by legitimate actors, but also by fraudsters. And consumers are unwilling to surrender this convenience for the sake of security. Thus, banks and financial institutions have been forced to develop ever more sophisticated means of deterring fraudsters while still providing frictionless commerce. Since online fraud isn’t just a problem for consumers, but for retailers and financial institutions too, the need for security innovation has never been more pressing.

The solutions to this problem are many and multifaceted. Of all the possible ways to address the issue, the technological path proves its appeal by being more direct and straightforward. Two-factor authentication, for instance, provides a means by which users can quickly identify themselves using something they know (e.g., a password), and something they own (e.g., a smartphone). Throw in fingerprint scanners and facial-recognition software, and you have an impressive (though not insurmountable) technological barrier for malicious third-parties.

The next line of defense is regulatory arrangements. In 2015, the European Union ratified the second incarnation of the Payment Services Directive – PSD2. Being a directive rather than a regulation, this collection of measures had to be implemented by member states. Despite Brexit, it’s also coming to the UK, after the Financial Conduct Authority (FCA) set a deadline for its implementation for 14 March, 2022.

The directive leverages the mandatory use of Strong Customer Authentication (SCA) measures in order to bring every online transaction in compliance with the most relevant version of the 3D Secure protocol. Fortunately, with the more stringent security requirements comes a more flexible approach to conducting online payments. Thus, the second iteration of the protocol (3DS V.2) introduces an exemption mechanism for low-risk transactions to improve customer experience and payment approval rates.

The intent for this new raft of rules is to improve cardholder protection while bolstering competition among issuer banks and non-banking financial institutions. The incentive will follow a blueprint set out by the General Data Protection Regulation (GDPR), and its effects could be just as far-reaching.