Not so long ago, payments cyber fraud was done primarily by brute force, through guessing passwords and usernames — a scattershot approach akin to trial and error, conducted by lone individuals or small groups. However, that’s changing.
In an interview with PYMNTS, Jim Lerdal — executive vice president of operations at PULSE, a Discover Financial Services company focused on transaction routing and settlement services — said that kind of fraud is becoming institutionalized and smarter.
“Fraud is an industry for the crooks now. They are developing job rules. They're developing product roadmaps. They are hiring people from the industry. They are gaining insight into how the transaction flows work,” he said.
Their efforts are also widespread and nonstop, said Lerdal of the cybercriminals who band together to attack financial institutions (FIs) and their end customers. They seek to test every new payment type (across small and large merchants), as well as pinpoint weaknesses in firms’ fraud detection and mitigation programs.
Drilling down a bit, within the institutionalization of fraud, certain types of commerce are finding favor among fraudsters. Lerdal pointed to P2P payments and eCommerce as key areas of attack.
“In the old days, it was ATMs and the point of sale [POS],” he said. “The complexity of the payment system today is leading to more opportunities.”
With the evolution of fraud, the detection and prevention efforts also change. As Lerdal told PYMNTS, there’s no one-size-fits-all approach when it comes to fighting attacks. When establishing the foundation of an effective FI cybersecurity program, though, he said it’s important to have a culture in place with a set of rules for different modes of transactions.
Before eCommerce truly took root, much of fraud mitigation centered around what he termed “velocity counters.” Five transactions made in a short period of time would have raised red flags for merchants at one time. Today, however, that velocity is fairly commonplace.
In looking for activities that can point to anomalous behavior at a specific point of transaction, governed by a set of rules, Lerdal pointed to ATM-slamming. This is when an ATM that typically does five transactions per hour from 8 a.m. to 5 p.m., then three transactions per hour after 5 p.m., suddenly shows 50 to 100 transactions in a burst of minutes.
For the FI that has such a compromised machine in the field, he said, “you want to make sure you have the tools to identify that activity and shut it down.”
PULSE, for example, has a group of in-house fraud analysts who work with a set of rules that govern POS, eCommerce or international payments.
“We’re constantly educating ourselves as much as we can,” Lerdal said.
He added that other variables must come into play when examining risk, focused on a consumer’s history: where, when and how they shop and transact.
Using A Debit Card At Walmart
That level of detailed insight plays directly into one overarching theme in commerce.
“In today's environment, the consumer expects that the merchant and the issuer really understand them more on a personal level,” said Lerdal.
That understanding demands that the customer who pays regularly at Walmart on a Friday afternoon, for instance, should not be challenged at the register when they present their debit card for a purchase.
Lerdal pointed out that debit transactions are inherently different from credit transactions (from a risk-assessment standpoint), as FIs and merchants must determine that the person trying to pay at the POS is actually the person tied to that DDA account. In the event that a challenge pops up for a legitimate transaction, he noted, the consumer expects that the company will know them, and that the decision will be reversed quickly.
“There is nothing like getting a message from your financial institution on your phone that asks if you are at Walmart and — when you confirm that you are — the FI reverses its decline, and you leave with those groceries right now,” he told PYMNTS. “That is the level of service that consumers want today.”