The main goal of Strong Customer Authentication (SCA) was, and still is, to make online payments more secure for both customers and businesses. But similarly to vaccines, once a new one is invented, viruses find new loopholes to thrive in. While the basics stay the same, the fraud prevention environment is ever-changing. That means that businesses need to constantly stay on top of their game, just like fraudsters.
A few words about SCA
Strong Customer Authentication, and the regulations involved in its enforcement e.g. 3DS 2, are designed to reduce fraud by making the checkout process more fortified by the stipulation of a two-factor authentication process which is based on additional information that the user provides. SCA requires the use of at least two of the following three elements:
- Something the customer knows (e.g. a PIN/Password)
- Something the customer has (e.g. a Phone)
- Something the customer is (e.g. fingerprint, facial/voice recognition)
The fortification of the identification process is aimed to minimize the probability of fraud by strengthening the verification of the customer’s identity. As beneficial as this process is, it won’t stop fraudsters from devising new ways to fight it. The introduction of the chip-and-PIN technology drove fraud to the eCommerce channel. Before eCommerce became a main drive to the online fraud industry, fraudsters were thriving in channels of mail and telephone orders way before its existence.
Asking the experts
We asked Ori Troyna, PayU's global product security clan lead, about the changing conditions in the fraud and security sphere, and where he sees fraudsters turning to next:
Q: What are the most prevalent fraud attacks you see in payments?
A: I see three types of fraud attacks which are more prevalent than others:
1 - Fraud related to Tokens - whether trying to steal them or find weaknesses within them. The objective is to retrieve the information behind the encryption.
2 - Credit-card database theft - we see these types of breaches in many countries. I am referring to massive databases of thousands of credit card numbers which are offered for sale.
3 - Account takeover - attacks designated to gain access and credentials to personal accounts in order to get a hold of the payment method(s) related to that account. Those attacks are especially prevalent in websites where basket sizes are relatively small - eBay, food websites, etc. In Brazil, there’s an entire market of thieves whose main goal is to take over ifood accounts to get free food or resale.
Q: In your perspective, how has SCA changed fraud attacks and what do you expect its evolution to be?
A: I think that even post 3DS2, we are still going to encounter attacks trying to bypass SCA. The same thing happened after 3DS1.
The explanation for that might be that even though there is an obligatory deadline, when we have not-for-profit actions that merchants need to take, those tend to be partial and Adhoc - leaving us with a breakable and even vulnerable solution.
Some fraud-trends we can expect to see in that context are attacks targeting low transactions, or attacks targeting various stages of the fulfillment process. I also foresee attacks taking advantage of the lack of transaction signing in online payments. When a customer is purchasing a commodity in a physical store, he/she are requested to sign for the amount they had to pay. That part of the purchase almost never exists in the 3DS process, so fraudsters can change the amount the customer allegedly agreed to pay to a different one.
The last trend I foresee fraudsters putting a bigger emphasis on is social engineering, especially via mobile. The human link is eventually very weak and we tend to very lightheartedly press on incoming text messages or install apps on our mobiles. I can think that I’m paying X amount to a specific app whereas I'm actually paying to another.
Q: What new forms of fraud can we expect to see in 2020?
A: I expect to see a greater emphasis on fraud taking place in the fulfillment process, where fraudsters will manipulate and take advantage of weaknesses behind-the-scenes. I also see the use of social engineering as a major fraud trend, with a special emphasis on taking advantage of the weaknesses of different devices e.g. mobile.
Q: What markets/segments are more susceptible to fraud?
A: Small basket-size transactions (less than $100) are more susceptible to fraud, as well as transactions involving audiences or credit cards which are non-European.
Q: What’s the best practice you can recommend to businesses to fortify their operations against fraud?
A: Until a global standard will be enforced, I wouldn’t give up on traditional fraud solutions. I would do my research and check whether different solutions allow me to identify problematic transactions beyond those that are SCA-compliant (we mustn’t forget that SCA is not applicable to all transactions, and there are quite a few exemptions). I would also make sure my SCA implementation is according to the requirements and do a web/mobile analysis for my website to check what possible fraud vectors can be relevant.
My last recommendation is to implement the not-so-common transaction signing. This small but powerful implementation can eliminate many fraud attacks that may occur during the fulfillment process.
Q: Final words of advice?
A: Like everything else, there’s never a magic solution, and fraud is no exception. Nevertheless, we do see a positive trend of halting fraud attacks - even momentarily - by coming up with new and improved ways to protect transactions. It’s our job as “protectors” to find new ways to challenge those who try to make the ecosystem vulnerable and unsafe.