10th January, 2020
Ai Editorial: The PSD2 Strong Customer Authentication (SCA) migration completion deadline for online payments in Europe continues to be a weighty issue, with concerns about the preparedness and compliance still coming to the fore, writes Ai’s Ritesh Gupta
The SCA requirements were originally planned for the 14th of September last year (with new migration completion deadline being 31st December 2020), but still concerns pertaining to PSD2 making online shopping more difficult and the same negatively impacting cart abandonment rates in the initial years of implementation are being highlighted.
As for the travel sector, a study by Amadeus in September had indicated that only one in three travel merchants were expected to be SCA-ready for the September-2019 deadline. The report featured 50 large travel firms (€1billion+ revenue).
All the stakeholders acknowledge the complexity of the payments markets across the EU and the hurdles resulting from the amendments that are needed.
As per the findings of a survey in December last year, (commissioned by Riskified, featuring 2,000 consumers and 200 retailers evenly split across the UK, Germany, France, and Spain):
The top three authentication methods being studied by issuers include; One Time Passwords (OTP) (SMS to a mobile device), authentication within a mobile banking app, and 3DS. Among these, OTP and 3DS authentication are expected to adversely impact the user experience. Specialists recommend that merchants should use exemptions where possible. Also, by using fingerprints or facial recognition, one can combat fraud while also increasing convenience for consumers.
PSD2 SCA 2020 plan
Even as the European Banking Authority asserted that the definition of SCA had been set out in PSD2 when it was published in 2015, a section of the industry states that the authority has failed with PSD2 at least in the short-term. Moving on the industry clearly needs to make fraud prevention and compliance efforts a priority. In terms of how the roadmap is going to shape up this year, the extension offers various players (issuers, acquirers, PSPs and merchants) extra time to entirely support EMV 3DS 2.1 and 2.2 by the end of this year. One can expect an incremental EMV 3DS execution with the new deadline.
Merchants need to test, preferably a flexible offering that can set up both 3D Secure 1 and 2 authentication protocols. This way if a specific issuer isn’t ready to support 3DS2, then the offering will by default redirect transactions to 3DS1.
Ingenico ePayments recommends following steps to prepare for the authority’s deadline:
By March 2020: integrate 3DS in your payment flow
By July 2020: use EMV 3DS 2.1 in your payment flow or be ready to do Step Up with EMV 3DS 2.1
By September 2020: SCA exemptions are available with EMV 3DS 2.2, if exemptions are not supported than all transactions will require 3D.
With this incremental approach, merchants will fully support EMV 3DS 2.2 by the 31st of December 2020.
Keen on exploring fraud prevention and payment-related issues?
Check-out Ai’s conferences scheduled for 2020: https://lnkd.in/fE7UK_T
6th January, 2020
It is imperative for travel merchants to focus on dynamic friction, a fraud prevention approach which focuses on behavioral and situational attributes to apply right friction to the right person at the right time, writes Ai's Ritesh Gupta
For any entity that is looking at balancing customer experience and fraud prevention, doing away with legacy fraud-fighting solutions is must as it tends to apply friction in a blanket, indiscriminate way to all users, customers and fraudsters alike. With dynamic friction, risk level is assessed in real-time so that merchants can offer safe, convenient, and customized user journeys that only become more accurate and appropriate over time.
Sift Trust and Safety Architect, Kevin Lee, shared that while 99% of users on a website are legitimate, there still needs to be protection from the ~1% of users that are attempting abuse.
Keen on exploring fraud prevention and payment-related issues? Check-out Ai’s conferences scheduled for 2020:
29th November, 2019
Travel merchants can't apply the so-called "airport security" approach for screening every transaction.
Rather there is a need to identify astute options to ensure the booking flow isn't unduly disrupted for legitimate shoppers. Companies have to leverage a shopper's fraud and risk score in order to ensure UX and fraud prevention aren't at odds with each other.
This way they can take a vital step towards seamless plus secure ecommerce.
25th November, 2019
The significance of hiring the right people as organizations try to curb various forms of e-commerce fraud must not be undermined.
“Diversity (while recruiting people), specialized knowledge/ skills, and training and support (is key to curbing fraud,” said Tina Burgess, Senior Manager of Risk and ePayments, Points.
Ai’s new 2020 conference dates:
15th November, 2019
Ai Editorial: Deepfakes supported by AI techniques today are considered to be a growing problem. It is vital to build AI systems that can automated deepfake detection so that risks such as identity fraud can be tackled, writes Ai’s Ritesh Gupta
Artificial intelligence (AI)-based identity fraud is emerging as a serious issue. Recognition of one’s voices and face as a way to validate a person’s identity is under scrutiny with the rise of synthetic media and deepfakes. Be it for security-related risks, user privacy concerns or fraudulent transactions, repercussions are being probed at this juncture.
Technology to manipulate images, videos and audio files is progressing faster than one’s ability to tell what’s real from what’s been faked. According to the findings of a study released last month, the number of deepfake videos almost doubling over the last seven months to 14,678.
The level of sophistication with which fraudsters are moving ahead is exemplified by the recent case in which an executive was duped into transferring $243,000 to a bank account, or even the news of top AI-researchers in the U. S. struggling to cope up with computer-generated fake videos that could undermine candidates and mislead voters during the 2020 presidential campaign. Such cases of fake phone call or a video file show how deepfake techniques are encroaching in the lives of the people in a wrong way.
Deepfakes are powered by deep learning AI. The algorithms behind this AI are fed large amounts of data. Eventually, by capitalizing on such data, “deepfake” videos manipulate audio and video using AI to make it appear as though someone did or said something they didn’t. It does pose a challenge to validating the legitimacy of information presented online.
The case in China
Zao, a free deepfake face-swapping app, not only exemplified how quickly deepfakes have gone mainstream but also triggered a privacy backlash amid concerns about identity theft. The Chinese app allows a user to use their photographs and then its AI engine changes their faces with those of celebrities featuring in video clips. Zao amended its policies, and stated that the app will not store the biometric information of users and transferring of data wouldn’t be done without consent.
This privacy storm was mainly in China, but the threat of this trend was acknowledged everywhere since the app indicated how the technology is now available for smartphone users. In no time, questions were raised about the possibility of payment-related fraud, too. With biometric technologies such as Alipay’s ‘Smile to Pay’ being increasingly adopted as a form of payment across China, the concerns were valid. Alipay currently serves over 1 billion users. Ant Financial Services Group, which operates Alipay, stated that its facial recognition capabilities were safe and its facial payment system won’t be breached. It also emphasized that the team has implemented rigorous, best-in-class privacy, security and risk control processes.
What is coming under inspection is the efficacy of biometric security measures such as the voice and facial recognition. Can it be compromised by deepfakes that can almost perfectly imitate these features of a person?
Initiatives are in the pipeline, focusing on automated deepfake detection.
Identity verification specialist, Jumio highlighted that it is “vitally important to embed 3D liveness detection into identity verification and authentication processes”. The company is working on plans to combat advanced spoofing attacks including deepfakes. Its offering was recently introduced as a beta.
Facebook was recently in news for working on a ‘de-identification’ technology to morph a person’s face so that they remain unrecognisable to facial recognition technology.
Amazon Web Services (AWS), Facebook, Microsoft and other organizations have recently committed to initiatives that encourage work on technology that can be deployed to better detect when artificial intelligence has been used to alter a video in order to mislead the viewer. AWS has indicated that building deepfake detectors will require novel algorithms which can process a vast library of data (more than 4 petabytes). Established organizations have chosen to collaborate as it is being widely acknowledged that it is important to have data that is freely available for the community to use. For instance, Facebook is commissioning a realistic data set that will use paid actors, with the required consent obtained, to contribute to a challenge. No Facebook user data will be used in this data set, according to the company. Concrete results, especially better detection tools, are being awaited as the likes of Facebook and Amazon admit that identifying manipulated content and deepfakes is a technically demanding and rapidly evolving challenge.
Deepfakes aren’t fading away, and their consequences are being felt on a global scale.
Hear from fraud prevention and cybersecurity experts at Ai’s next ATPS –
13th November, 2019
Ai Editorial: Authentication of risky shoppers shouldn’t hamper the digital experience of all. Rather merchants must focus on finding ways to applying the right friction to right person at the right time, writes Ai’s Ritesh Gupta
Filling a form, verifying a payment method, registering for an account…when a shopper is presented with such options in the booking flow, it evokes resentment. No one likes to spend extra time or make that additional effort to verify their identity knowing that they are legitimate shoppers.
But travel merchants have to ensure that the least number of fraudulent transaction slip through. Key then lies in identifying that anomalous shopping behaviour in a more shrewd way that doesn’t screen every shopper!
As Sift’s Trust and Safety Architect, Kevin Lee points out; merchants can’t get away with their airport screening approach. Travel e-commerce players have to ensure trusted shoppers or consumers can sidestep added authentication, while potentially risky users undergo that further screening.
“They (merchants) need to focus on dynamic friction,” said Lee. “The concept means having the ability to apply the right friction to right person at the right time.”
The team at Sift describes it as the optimal application of friction to user journeys based on behavioural and situational attributes, applying it to the right person at the right time.
Many companies have this airport security approach where everybody has to go to two-factor authentication (2FA), enter CAPTCHA etc.
“Honestly that’s a terrible experience because 99% plus of consumers on a platform tend to be legitimate. They just want to move from A to B (or shop legitimately with any retailer),” said Lee.
So how to apply dynamic friction and what sort of signals can be used? Since there is so much of data from customers via the app usage, device usage etc. there is a need to use behavioural fiction or behavioural dynamics looking at the signals to identify normal behaviour for an authentic shopper on an app or an online platform. And then being in a position to spot an anomaly where certain behaviour doesn’t seem to be normal. Then only there is a need to introduce certain friction or additional check in the shopping process.
For example, looking at a certain security measures for a particular fraud, MFA is deemed to be an astute way of shielding user accounts, since hackers or fraudsters don’t often have access to the additional factor required to authenticate. But merchants fear that the introduction of MFA would cause friction. The way to go forward then is to capitalize on dynamic friction, because the judicious use of this authentication method doesn’t disturb the experience of authentic users and only those go through the MFA that fall in the category of risky users.
Also, the specialists ensure that as a shopper moves from the discovery process to the completion of the transaction, all interactions are assessed for risk. In case a risk touches a given threshold, extra verification comes it play. If the interactions come across as reliable, that extra authentication is eradicated, providing the shopper a more rationalized experience.
So in case of account takeover protection, the real-time risk evaluation suggests the level of authentication a particular shopper/ consumer should go through. Riskier actions with more red flags trigger MFA, while suitable actions pave way for a smooth interaction.
Dynamic friction in the travel sector
The application of dynamic friction in the travel sector, especially among airlines, is poor at this juncture, said Lee.
What tends to happen is that there are lots of legacy systems and rules in place to stop illegitimate shopping from happening. But 100% rules-based fraud prevention isn’t proving to be an ideal solution today. It’s not dynamic enough, it’s not fluid enough, said Lee. All of this is important since consumer today are very demanding when it comes to what they purchase, when, how and where they purchase. And that’s where machine running has contributed in terms of responding not only to new types of fraud but also to better recognising legitimate shopping behaviour.
Sift recommends an apt blend of risk and revenue decisions:
Ai’s new 2020 conference dates: http://www.airlineinformation.org/upcoming-events2/370-2020-conference-dates.html
4th October, 2109
The aspects that make mobile commerce attractive and convenient for consumers also result in complex hurdles for merchants when it comes to keeping a tab on fraud and authenticating mobile orders.
Fraudsters have been targeting mobile commerce owing to the fact a majority of businesses generally don’t differentiate between mobile and web-based transactions. What it essentially means that merchants need to be spot on with what is relevant for evaluation – rather than considering cellular IP addresses as unique identifiers, watch out for unique identification number associated with such devices; a new Wi-fi network doesn’t necessarily mean that the order is fraudulent etc.
Mobile experience is resulting in a richer set of data, and it is imperative for travel e-commerce players to focus on the right data points to deal with mobile commerce fraud, says Kevin Lee, Trust & Safety Architect, Sift.
Last minute mobile orders or even any conversion from mobile devices needs to be viewed as a testimony of appropriate experience being delivered. More importantly, the risk team or the one that is looking into the acceptance rate, they need to evaluate how that transaction came to be, from which channel and also the related user data, recommends Lee.
In this video, Lee spoke about mobile authentication and ensuring the acceptance rate doesn’t take a beating.
14th September, 2019
Ai Editorial: The behaviour of consumers when they shop via mobile and what makes such devices risky has to be ascertained. It is must to focus on the right data points to keep a tab on fraudulent transactions originating via mobile devices, writes Ai’s Ritesh Gupta
E-commerce players, including ones from the travel sector, are evaluating ways to keep a tab on fraudulent transactions emanating from mobile devices.
It is being acknowledged that merchants must drift away from those data points that aren’t astute pointers in identifying such type of fraud. The behaviour of consumers when they shop via mobile and what makes such devices risky has to be ascertained. When specialists point out that mobile fraud is different from traditional e-commerce fraud, it is owing to the fact that unlike browsing and accessing via a PC, mobile devices result in novel characteristics that obscure the user verification process.
Security measures for a mobile device
E-commerce players must dwell on ways to validate and authorize a purchase as quickly as possible.
For this, there has to be a mechanism for real-time mobile device detection and the journey for mobile orders. All of this isn’t easy. As Riskified points out, the aspects that make mobile commerce attractive and convenient for consumers also result in complex hurdles for merchants when it comes to keeping a tab and authentication mobile orders. Citing an example, the fraud prevention specialist shared that its team ended up unearthing a major botnet fraud ring by evaluating data garnered from consumers’ interaction with merchants’ e-commerce sites and mobile apps. For this, the team delved deep into the journey, starting from whether the order was placed on a mobile device or elsewhere. The team further explained: If mobile, note what type of device — was it an Android device or an iPhone? From here on, assess the starting point for mobile-related orders. Did the shopping originate on a PC and eventually finished the transaction via a mobile device? And was it via a mobile site or an app? Or did the shopper finish it via a traditional site only? If checkout was on a mobile device, it’s vital to identify whether the shopper was accessing the site through a mobile web browser, or the mobile app. By following these steps, a travel retailer can effectively spot the origin, and then plan and executive precise safety measures to combat fraud.
Riskified also asserts that merchants “need to discern what is relevant for analysis”. The team refers to few crucial areas:
It all boils to verification of the legitimacy of the user, but considering the usage of today’s devices for shopping and the tricks of fraudsters, merchants need to evolve as well.
For Ai’s upcoming events: click here
9th September, 2019
The travel industry at large isn’t ready for the implementation of Strong Customer Authentication (SCA), required for all online transactions in Europe from 14 September 2019.
A study initiated by Amadeus has indicated that only one in three travel merchants are expected to be SCA-ready by the deadline. The report featured 50 large travel firms (€1billion+ revenue).
Merchants will have to adapt to SCA, which aims to increase payment security and protect sensitive consumer payment data. The preparedness of the travel e-commerce sector in dealing with the anticipated negative impact is being assessed since SCA poses risks for travel merchants, not to mention implementation challenges. This requirement is being introduced as part of the second Payment Services Directive (PSD2).
A couple of issues that have been highlighted in Amadeus’ report, ‘Strong Customer Authentication in travel payments: preparing for two-factor authentication’ are:
The SCA requirements are going to impact the speed of consumer transactions and the number of steps to be completed when paying. One of the major concerns has been the inclusion of additional authentication into the checkout flow, since it introduces an extra step that can add friction and increase customer drop-off.
If one considers the growing prowess of mobile devices for shopping in general, it means that there could be even larger customer drop-off. So is the impact of SCA likely to be even higher on mobile devices?
“…requiring travellers to undergo additional checks, such as providing a one-time passcode sent to their mobile device, introduces some friction to the digital experience. This may sound like a small price to pay but our research shows the industry expects this additional friction to increase abandonment rates by 10-20%,” mentioned Jean-Christophe Lacour, Head of Merchant Services, Payments, Amadeus. The company expects any drop in abandonment rates to be a short-lived phenomenon as travellers get accustomed to the new steps needed, which they’re actually already performing for mobile banking for example.
Much to the relief of the industry, many local regulators across Europe have introduced a grace period for SCA compliance for e-commerce transactions over recent weeks.
According to the report: “…with 65% of airlines and agents expecting SCA to negatively impact sales, how travel companies prepare has implications for the bottom line. There are steps firms can take to mitigate the impact of SCA, with 70% of respondents to our research intending to work with their acquirer and payments partners to apply the various exemptions provided for within the regulation and more than half signalling a move to the latest authentication technology (3D Secure 2.X).”
Specialists recommend that merchants should use exemptions where possible.
Also, by using fingerprints or facial recognition, one can combat fraud while also increasing convenience for consumers.
Amadeus surveyed payments leaders from 50 large travel merchants regarding their approach to achieving SCA readiness. The majority of responding organizations generate more than €1 billion in annual revenue with respondents drawn from airlines (60%) travel sellers (30%) and hotels (10%). The survey was carried out in August 2019 with industry conference and media company ‘Airline Information’ providing support with respondent recruitment.
26th August, 2019
Airlines need to proactively monitor their loyal shoppers’ membership accounts since the problem of loyalty fraud is on the rise. If on one hand airlines are offering more earning and redemption choices than ever, it also means that the overall loyalty earning and burning lifecycle has opened new avenues for fraud.
“From a loyalty fraud standpoint, there is a lot of demand (for stolen loyalty currency among the fraudsters or in a marketplace on the dark web),” says Kevin Lee, Trust & Safety Architect, Sift.
This is because over a period of time, prices for such items (stolen credentials, miles, points etc.) even though they fluctuate a bit still they are going up in value. Data breaches are a big issue, and a lot of sensitive information is being sold.
There is a motivated seller out there plus there is a motivated buyer there too to cash in on the stuff, said Lee, who added that airlines or the originators of miles or the loyalty currency tend to suffer a lot in such cases.
A risk-averse mindset for controlling fraud, be it for fraudulent transactions or loyalty fraud, is commonly associated with rule-based systems. Machine learning technologies are emerging as an astute option to secure accounts. The efficacy of machine learning, especially real-time machine learning, can be explored for account protection. Rely on both supervised and unsupervised machine learning to comprehend both the historical patterns of use, as well as identify anomalies.
It is vital to keep a vigil on accounts for anomalies to effectively notice the behavior of genuine and fraudulent customers. Airlines should analyze user behavior throughout the entire journey- including account creation and login, any account activity and also at the point of transaction such as redemption of points.