Card Not Present (CNP) fraud is constantly evolving; starting with the computerisation of payment networks in the 70s, we have seen this type of fraud shift and transform from the early days whereby fraudsters had to go ‘trashing’, through the dot com boom, to today’s cybercrime landscape populated with bots, VPNs and sophisticated human-initiated attacks. However, with all the various attack typologies available to fraudsters, what’s the draw when it comes to CNP fraud?
Put simply, payments is big business. So big in fact that UK Finance’s Fraud the Facts 2021 report shows that in 2020 Card Not Present fraud constituted 85.3% of all card fraud reported – a staggering number. It should come as no surprise therefore, that an estimated $200 billion will be lost to online payment fraud by 2025.
Fraudsters understand that CNP presents a weakness for both businesses and consumers – and they are investing in their criminal trade – the risk is worth the reward when it comes to CNP fraud.
Source
Source Source Source
The lucrative nature of CNP fraud means that fraudulent attacks are becoming increasingly sophisticated and complex, and the style of attack is evolving on a daily basis. Essentially, CNP fraud is getting harder to detect and more difficult to prevent.
The key to combating this rising level of fraud is to better verify the digital identity of customers during the transaction process. However, the challenge facing the financial services industry is how to do this effectively without creating excessive friction in the sales process.
Understanding the CNP Journey requires an appreciation for the role that each member in the ecosystem plays:
Merchant: The website offering a product or service
Acquirer: The merchant’s bank
Issuer: Bank of the cardholder who is making the transaction
In low-risk scenarios, merchants can choose to accept liability of a payment transaction, and reduce any unnecessary friction. However, when the level of risk is high, they will send the transaction for additional card issuer authentication checks through 3-D Secure; delegating the liability to the card issuer, which may create more friction. This makes it critical that the merchant, acquirer and issuer work together to reduce friction in the checkout process, while maintaining tight fraud controls.
Merchants, payments processors, acquirers and issuers are all faced with competing demands of balancing escalating fraud with a low-friction checkout experience to:
Minimise card abandonment
Accept more orders
Protect good customer accounts
Our market-leading digital identity intelligence comes with an intuitive risk engine enabling flexible rule management, behavioural analytics and machine learning, in addition to providing a wide range of authentication solutions.
Networked fraud
Cross-border, cross-industry
Differentiate between human and machine
High-risk patterns of behaviour
Identify changes to behaviour
Differentiate between unusual and high-risk behaviour
Use intelligence from every core touchpoint in the customer journey to make better risk decisions
Card not present
Split payments
Digital wallets
Reduce false positives
Better recognise trusted customers
Low-friction authentication strategies can be integrated into existing workflows
Card testing
Fake listings
Scams / account takeovers
Detect data compromised due to data breach or identities created from multiple pieces of fraudulent data
White box data management for a flexible and tailored approach
Digital identity intelligence from 50B+ global yearly transactions for crowdsourced reputational risk decisions on devices, behaviours, shipping addresses, global merchants and more
Device recognition, persistency and trust with multiple device fingerprinting technologies
A tokenised global digital identity trust score with LexID® Digital, leveraging global intelligence from issuers and merchants
Industry leading risk assessment of email and associated identity details
Utilises the user’s email address as a unique risk identifier and returns easy-to-digest intelligence to provide an enhanced view of trust and risk
Full behavioural biometrics data collection, models and scores to further enhance trusted versus high-risk decision making
As well as leveraging our digital identity intelligence, banks can use the LexisNexis ThreatMetrix Risk Engine to combine thousands of data points, and make better risk decisions
Real-time decision analytics uniting market leading behavioural analytics with clear-box machine learning for modelling current and future customer behaviours, with integrated case management for exception handling and high-risk reviews
ThreatMetrix Strong ID creates a cryptographic bind between an end user’s web / mobile browser / app and ThreatMetrix for persistent and secure device recognition. This is currently being used by several organisations as part of an SCA workflow.
Silent and low friction following the first bind
Cost effective for high volume transactions
An out-of-band authentication method delivering a time-sensitive, unique random passcode via SMS, email or phone call. This is assured by SIM swap / redirect and porting data.
Secure
Can be used for customers who don’t have a mobile app registered
Ability to include dynamic linking
Built with intelligent algorithms and accessing billions of consumer records, KBA dynamically develops personal questions and multiple answers to authenticate a user’s identity.
Something you know without having to recall a password
Utilises an end user’s mobile device, specifically the mobile app, as a form of out of-band authentication during browser-based transactions. It uses the standard iOS or android secure push notification services.
Low friction for customers who have a mobile app registered
User’s identity information is checked and instantly validated against a comprehensive range of authoritative sources to verify genuine customers.
Authentication of physical entities
Identity documents scanned and verified
Utilise the behavioural biometrics data collected upon input of the SMS One-Time Password to provide a second factor of cardholder authentication in a 3DS 2.x workflow.
Silent and low friction approach to layer with another compliant authentication strategy
The range of intelligence available, linked to the extensive coverage of our shared Digital Identity network, means that LexisNexis® ThreatMetrix® can deliver a much more comprehensive CNP fraud defence than other solutions. This ensures stakeholders in the remote purchase ecosystem can create a dynamic authentication strategy that will enable them to get ahead of CNP fraud while ensuring payment friction is kept to an absolute minimum:
LexisNexis® ThreatMetrix® digital identity intelligence provides a unified view of trust and risk across the entire customer journey, from account creation, to login, change of details, and payments.
End users can be risk-assessed in near real time: low-risk users can transact with minimal friction.
Market-leading digital identity intelligence comes with an intuitive risk engine enabling flexible rule management, behavioural analytics and machine learning.
Integrated authentication strategies for delegated authentication workflows.
Issuers, acquirers and merchants do not – and must not – operate in isolation. Although regulation compels them to implement layers of protection, the decisions relating to those layers must have the interests of merchants and consumers in mind. To truly be diligent when it comes to fraud prevention, financial services providers must adopt a multi-layered approach at the same time as being mindful of not putting obstacles in the path of genuine customers looking to complete transactions.
The most robust solution to this growing problem is a layered defence of fraud, identity and authentication capabilities, executable in near real time, and across the entire customer journey. This relies on uniting market leading digital identity intelligence, physical identity and authentication capabilities that can help businesses meet regulatory requirements, streamline the customer experience and detect complex and evolving CNP fraud. With an increasingly competitive market, those that are able to balance fraud prevention with customer experience will see greater success.