Old attitudes hurt new fraud-fighting strategies
In the fight against payment crimes, many advancements are out of reach because companies won't overcome their reluctance to communicate.
One promising advancement is an authentication hub and API that banks and third parties such as vendors would use to connect and reduce risk management overhead. These vendors could access other vendors and technology for added efficiency and intel sharing.
But a lack of cooperation is holding this back, according to Julie Conroy, a research director and fraud expert at Aite Group.
"Issuer and merchant collaboration is so important," Conroy said during the Chicago Payments Symposium. "The bad guys are going after all of the banks and merchants, and too many bank officials are telling me that their collaboration efforts with merchants are very low."
The authentication hub would route vendor information to banks while transaction information would be moved through a "scoring engine" that would be shared with issuers and merchants.
A major hangup is the liability involved in sharing data, Conroy said, adding that lawyers for the companies involved are pondering who would be responsible for data.
The payment industry can't afford hangups such as these, given the proliferation of fraud that accompanies digital commerce.
"What we are facing now is kind of this battle without an end," Conroy said. "It increasingly feels like we are playing this game of chess, and for every one move we get, the bad guys get three moves."
But, given the innovation of initiatives such as the authentication hub, there is hope — especially given the ability of advanced analytics to combat fraud while reducing friction for legitimate use.
"We are seeing some interesting use cases and results with artificial intelligence and machine learning that are helping institutions leverage their customer data," Conroy said. "You need advanced analytics to find the deviations of good users, rather than always searching for patterns of fraud."
Any advancements in data security can't come soon enough, considering Aite Group research has found that as many as 10.2 billion records have been lost or stolen since 2013, and that number doesn't include the recent Facebook hack.
There's a consensus that the endpoint of a network is the most vulnerable point in any payments system. That becomes a particular risk as voice assistant payments or Internet of Things transactions advance, contributing to the "chaos on the edge of payments," Conroy said. "It has no secure element involved or any of the other fortifications needed."
As technology advances, payments networks have numerous "endpoints," all of which can present security gaps that hackers eventually find.
"It is not the core processing systems that are generally under attack," said Kent Montgomery, first vice president and chief operating officer of the Federal Reserve Bank of Boston. "The rails of ACH and wire payments are relatively secure, but it is the people using the systems and some of the endpoint technology that basically present opportunities for fraud."
It is also misleading to view a payments system endpoint simply as the point-of-sale terminal at a merchant location, said Reed Luhtanen, senior director of payments strategy at Walmart.
"If you think about the merchant as an endpoint, then you are having a bank-centric view of the transaction. In reality, the transaction is a circle, going through many steps to get it into the merchant account," said Luhtanen, who advocated a guiding body for security strategy that would have the authority to push adherence.
While there are existing associations dedicated to payment security, such as Payment Card Industry security standards, EMVCo, the American National Standards Institute and the Secure Payments Partnership, they are not easily coordinated or set up to ensure everyone is working together to find solutions that work, Luhtanen said.
Any advancement in security will also require companies to give consumers incentives to get more active in protecting their credentials and transactions, said Charlie Kahn, an economics professor at the University of Illinois.
"If risk of loss is mild, as it is in the U.S. for consumers, then there is not going to be an incentive to avoid risky platforms or risky behavior," Kahn said. "That seems to be the message when talking about consumers, but it applies to all participants."