Omnichannel's digital journey leaves lots of holes for crime
The equation is no mystery to those in payments or financial services: Expand your digital footprint, and you expand the opportunities for hackers to damage your network.
What to do about that is less apparent, beyond the desire of most banks and retailers to ensure their infrastructure is safe without hampering the customer experience. But most experts agree the time is now to fortify security in all layers of all channels along the multi-channel digital roadmap.
"The biggest trend in payments is the massive investment in the digital customer journey, and it is creating hundreds of combinations of customer interactions along what were once legacy rails — and it is all powered by the mobile device," said Rich Stuppy, chief customer experience officer at fraud prevention provider Kount.
While digital interaction is mostly positive for both merchant and consumer, it does create far more gaps for fraudsters to commit fraud, damage brand image or plant seeds for future fraud.
"This is not something that just happens at quick-service restaurants or gas stations," Stuppy said at the recent Mobile Payments Conference in Chicago. "Our doctors, dentists, banks and insurance companies all have apps to advance digital experiences."
Account creation, payments fraud and account takeovers accelerate in digital settings, Stuppy added. "It has created the exploitation cycle, as a business person has a great idea to solve customer problems and make money, the fraudster is thinking the same way, making money illegally off the hard work someone else did."
Merchants and banks are turning to machine learning, advanced analytics, neuroscience and far more collaboration with each other to try to fight back.
But security technology doesn't always come in one piece at one time. And that's not always a bad thing: having layers of security has long been the golden rule, and it is even more critical given the various channels that retailers and financial services providers have to protect. But the security tools have to communicate and work together to be most effective.
"Protection is changing and, when you look at the number of breaches, there is no choice but to change," said Michelle DuPre, group vice president at Verizon. "The surface has expanded, so there is more risk because there is more data sitting out there."
Verizon's 2018 data breach report indicated that denial-of-service attacks, in which hackers overload and disable a merchant website if they can't get at the data in the merchant network, were on the rise. That's not even considered a breach, because no data is stolen, but it illustrates the need for expanded protections.
Even though tokenization has been a strong security measure for payment credentials in e-commerce, the method is not yet in place for personal information like Social Security numbers and other data that fraudsters parlay into fake accounts or account takeovers, said Sam Shawki, founder and CEO of security vendor MagicCube, which specializes in protecting data input through a touchscreen.
Tokenization replaces payment card numbers with a random sequence of characters when that data is in storage.
"There are different stacks of protection for different channels," Shawki said. "Any kind of stitched solutions leaves some seams in security, and there needs to be a collective analytics approach in which all groups are covered."
That type of defense is at the core of new security measures, such as the General Data Protection Regulation in Europe, under which consumers have far more authority in determining if their personal data should be stored within a company database and for what purpose that data can be used.
It is also driving the Strong Customer Authentication provision in Europe's new Payment Services Directive (PSD2), in which regulators are seeking layers of transaction authorization tools, including biometrics.
"You have organizations with data scientists using Excel spreadsheets and you have organizations with data scientists doing deep learning through advanced analytics, differentiating between human behavior and a bot," said Ian Campbell, vice president of product management at Feedzai, which focuses on preventing omnichannel fraud.
"It's part of the defensive depth that can be combined with machine learning technology, knowledge of customer transaction history and additional third-party data," Campbell said.
That sort of security fortress can go a long way toward thwarting fraudsters, who will attack weak spots relentlessly with humans or automated bots, Campbell added.
"A common thread is that we are gathering data, whether it is consumer behavior data or just data in general across the network and we absolutely are at the point where we can tell, by behaviors, what is going to happen next," Verizon's DuPre added.
In the past, Verizon might have had to wait for a fraud attempt to occur, but the company can now anticipate a problem brewing and address it before it impacts the customer, she said.
Because mobile commerce and digital technology are not going to stand still, nor is the growing number of younger consumers relying on mobile devices to perform nearly every task related to shopping or payments, it is becoming essential for security teams to have all bases covered.
"Basically, you have to get ready to gather all of your data and be sure it is in a good state to be able to do some advanced fraud protection techniques, and adding a data science layer to do that," Feedzai's Campbell said.