Author: Bhavin Mody, Director, e-Billing Solutions Pvt Ltd.
The transaction environment has grown immensely in recent years, both in size and in complexity. Consequently, the payment industry today faces an increasing variety of security challenges. The digital payment ecosystem has more stakeholders, more payment channels and more people driving the use of payment cards. This makes it essential for the industry as a whole to strengthen the integrity of an increasingly dynamic system while ensuring global acceptance, which is becoming more important than ever.
Globally, digital payment fraud continues to migrate from more secure to less secure regions and channels. This shift is accelerated by a community of fraudsters that is more skilful and organized and intends to exploit security vulnerabilities to commit fraud. These communities today not only target unmonitored, stand-alone point-of-interaction devices, but also launch sophisticated attacks on the private networks of well-known entities, such as major data processors and top-tier merchants. Together, these elements could lead to fraud attacks that erode confidence and global acceptance, as financial institutions seeking to avoid risk may move to block transactions at a country or regional level.
Such instances of fraud not only harm the confidence of financial institutions but also add considerably to the direct costs borne by the company, through the investments and ongoing expenses for preventing, detecting, monitoring and responding to payment fraud. Security weaknesses and fraud can also carry indirect costs, if the affected consumers and businesses switch to less efficient forms of payment. More broadly, the public loses confidence in digital payments, which has significantly negative economic consequences. The constant stream of news reports on data breaches, phishing attacks, spoofed websites, payment card skimmers, fraudulent ATM withdrawals, computer malware and infiltrated retail point-of-sale systems should concern policymakers, because it indicates weak payment security and undermines the reliability of payments.
Fraud risk in recent years has been increasing at an alarming rate of more than 20% every year, and card payment risk makes up a large share of it. Credit card payment fraud comprises Card-Present and Card-Not-Present (CNP) fraud. Some of the major ways in which credit card information is obtained and subsequently used at POS terminals or online are stolen cards, compromised accounts, identity theft and skimming. CNP fraud, however, is three times as large as Card-Present fraud. Card issuer losses arise mainly from the Card-Present scenario, while merchant losses arise mainly on the CNP front. Overall, credit card fraud is costing APAC financial institutions at least $420 million each year, a figure expected to increase in line with the growth of fraud.
Additionally, fraud has moved beyond manual fraud: bot- and IP-based fraud has also been identified. In a nutshell, €2.1 million worth of botnet fraud hits have been identified and rated as high risk by fraud experts. These kinds of fraud have mostly targeted airlines and miscellaneous merchant categories.
The strategies adopted for attack and defense in computer network security have evolved over time, leading to changes in the targeted data, the methods of attack and the types of data stolen. Network security itself has been through a few changes. The early models of network security focused on points of significant vulnerability on a network. As a result, the safety and security preferences and efforts of payment participants have always differed from one another. When overall security depends on the security of each element of a network, differences in participant security efforts can create weak links. Furthermore, these weak links can shift as the security preferences or the makeup of payment participants change over time.
More recent models identify the various components of the internet, viz. computers, communication channels, software and users, each of which is subject to attack and requires defense. The weaknesses of each of these components differ, and attackers will target the vulnerabilities with the highest expected payoff. The engineers who protect these components assess these vulnerabilities and prioritize each component to determine which weakness to correct first. These assessments are mostly difficult, expensive and imprecise, and despite every effort, some weakness will always remain because of unobserved vulnerabilities or inaccurate assessments.
Studies of successive rounds of attack and defense show that attackers search for vulnerabilities and, once an attack succeeds, move on to other nodes in the network that share the same vulnerability. Defenders usually respond to a successful attack by fixing that particular vulnerability. In this scenario, information sharing would be useful, allowing organizations to learn from one another so that they can deter attacks.
Fully mitigating the risks of fraud would require both public and private effort. Although options are available in the market today, they are not being used to their full potential. The right approach would be to prioritize where to direct efforts and resources for security improvements and to adopt payment solutions that carry the least exposure to threats.
Disclaimer: This is a guest post. The statements, opinions and data contained in these publications are solely those of the individual authors and contributors and not of iamWire and the editor(s).