Creating An ‘Anchor Of Trust’ In The Battle Against CNP Fraud

As the world must go increasingly digital — perhaps permanently — people who had resisted the great shift to eCommerce have had to make the leap.

Ready or not.

Those less tech-savvy individuals represent juicy targets for fraudsters, who have been fine-tuning card-not-present (CNP) schemes to work across all manner of channels during the pandemic as we wield smartphones to make transactions or bank over the phone.

 

For financial institutions (FIs), there’s the increased attention that must be paid to digital onboarding and card account openings that can be co-opted by bad guys.

In an interview with Karen Webster, Entersekt CEO Schalk Nolte said that in a world forever transformed by the pandemic, digitally established global identities and trusted endpoints are critical means of achieving genuine account security.

The fraudsters, of course, want to take the path of least resistance, just as they always have.

And in the digital age, said Nolte, “what we’re seeing is that there really are no new techniques. It’s the same story, and the same things that we’ve seen, all over again.”

Aided by the dark web, where data is for sale, spanning medical records to credit card numbers, the bad guys can ply their trade, cobbling together synthetic IDs or using brute force credit card attacks.

But this time around, consumers have had to pivot online to buy goods and services that no longer had been readily available in the age of social distancing.

Against a backdrop where CNP transactions are up 80 percent, a success rate of only a few percentage points can yield a lucrative fraud scheme. CNP fraud, Nolte said, has become a numbers game.

“It’s scalable and can be done from anywhere — and you can buy things from anywhere on the planet,” he said.

All is not lost, of course, for the banks that want to protect their customers. But time is of the essence for FIs seeking to meet consumers as they jump into uncharted waters.

“There’s no time for glacial in the modern world,” he said of banks’ modernization efforts, “especially in the world of FinTechs and of the coronavirus.”

Banks, he said, are striving to truly embrace contactless payments, and this means they can leverage advanced technologies to find out whether transactions are legitimate or should be challenged. He pointed to the emergence of QR codes and near field communication (NFC) as avenues of contactless payments that are gaining ground.

Banks can do a lot in the background, said Nolte, by establishing digital IDs across channels.

“The digital ID is something that you’ve used to establish trust in the past,” he said.

By triaging different data points and sources, he said, additional layers of security can be introduced, triaging information to thwart synthetic ID creation.

“Just having information like your address or your Social Security number just does not cut it anymore,” Nolte explained.
Firms like Entersekt can assist banks by tracking and flagging, for example, a CNP transaction that purports to be from Europe, but where the mobile device from which the order is being sent is active in the U.S. (traced via sensor data, said Nolte).

Here, a bank can raise the “risk level” of the transaction a bit, introducing new authentication challenges before it can be completed.

That’s a form of healthy (even intelligent) friction, he said, and can cement trust between consumers and banks — a bonus, particularly for individuals who are less used to transacting online but find a measure of control reassuring.

“You need some form of anchor of trust,” said Nolte, and the anchor of trust can be rooted in the mobile device.

In some nations, official IDs can be as basic as a driver’s license; elsewhere, ID cards may have NFC or other advanced tech features. In the drive for document authentication — in this case, driver’s licenses — he said that a number of Entersekt’s partners have deployed flashing lights and colors to measure depth and reflections of those licenses (presented in selfies) in order to determine if they’re real or not.

“This is not something that can be scripted,” he said, as fraudsters can be challenged on the fly, in real time. In illustration of other lines of defense, he pointed to Entersekt’s own smart messaging systems. The solution allows the firm to reach out in real time to its users to ask for confirmation on transactions.

It’s important for FIs to leverage best practices, he said, through partnerships models that take into account that know your customer (KYC) and other regulations can vary from country to country.

“In the past, FIs could get away with trying to do some of these things themselves,” he said. “But KYC has become a true specialty field at the moment.”

In the continuing pivot to digital, he told Webster, “the banks should focus on what they’re great at, which is building a trusted relationship with their customers.”