Visa predicts passwords will endure for five more years

Register now

Even consumers are fed up with passwords, which seem to do little to deter hackers, but Visa says there's still some life left in the dated authentication method.

“Unfortunately, I’d say it will be about five years before we fully eliminate passwords,” Ellen Richey, Visa’s vice chairman of risk and public policy.

Data breaches exposing personal information have undermined the integrity of knowledge-based authentication and passwords, but no viable alternative is immediately available, because the payments industry is still in “an era of experimentation” with various biometrics and other solutions in development, Richey said in a one-on-one discussion about card fraud trends with Julie Conroy, senior analyst at Aite Group, at Money20/20 in Las Vegas on Monday.

Many banks and tech companies use one-time passwords, often distributed by text message or an app, to improve security.

“We thought the one-time password would help, but it seems like people hate them just as much and now fraudsters have found ways to intercept one-time passwords,” Richey said.

Biometric authentication is definitely coming, but it will be used in conjunction with other methods of ensuring customers’ identities; and Europe’s PSD2 may go a long way toward driving the solutions North America ultimately adopts, she noted.

“In Europe and other parts of the world they’re requiring two-factor authentication, and although it’s early days for this approach from a global perspective, it’s well on its way,” Richey said.

The spread of tokenization across payment methods is helping to block card fraud, and Visa’s recent move to sign 20 new partners to be token requesters is helping to lower fraud risk in more purchasing environments, she added.

But banks and merchants continue to make mistakes exposing consumers and their accounts to fraud, Richey said.

As EMV has pushed more fraud out of the point of sale environment, fraudsters are finding new holes to exploit from merchants’ sloppy practices in protecting card data to banks being too lax with their own security policies.

For example, many banks fail to ensure their EMV chip cards’ cryptograms are performing correctly, creating new fraud opportunities, Richey said.

“There are banks issuing chip cards that aren’t checking the cryptogram when it comes through on each transaction, and fraudsters are probing for this, identifying the weak issuers and attacking,” she said.

Visa has tools to spot these types of attacks, and its response rate has vastly improved from 24 hours to less than two hours, but fraudsters are always working to outrun defenses, Richey said.

“As an industry we’re doing pretty well despite this level of fraud pressure — we’re still holding fraud at under 10 basis points,” Richey said. She reiterated Visa’s claim that introducing EMV to block counterfeit card fraud didn’t cause a direct spike of card-not-present fraud online.

“The fraud rate for Visa’s card-not-present transaction hasn’t increased, it’s stayed flat. But as payments volume grows, so does fraud, and we need to get ahead of it as electronic payments continue to comprise a larger proportion of all transactions,” she said.

For reprint and licensing requests for this article, click here.
Cyber security Online payments EMV CNP Visa