By Andy Renshaw, SVP product management at Feedzai
The pandemic without a doubt sped up the adoption of contactless payments, but their popularity was on the up even before many shops made them a requirement. The quick implementation, however, has left vulnerabilities within the security infrastructure designed to protect them. While contactless payments – where personal payment information is stored on cards or on devices – are convenient, quick, and clean, they are also new, and newly adopted on a wide scale. And new tech always has its weaknesses.
In the early stages of a new piece of technology, there will always be threat actors jumping on the opportunity to steal and to profit from the initial gaps (or, in some cases, gaping holes) in its security. Utilising RFID (Radio-Frequency Identification) technology that has become commonplace in our culture since the onset of the Covid-19 pandemic and the shift toward digitalisation, fraudsters can easily take advantage of everyday consumers and their contactless, yet critical, information.
According to Feedzai’s Financial Crime report from 2019 to 2021, there was a 65% increase in the number of online transactions, and a 75% decrease in the number of cash withdrawals in the US. During the same period, there was a 233% increase in fraud attack rate and a 794% increase in fraud for digital entertainment transactions. What a difference!
As in many sectors affected by cybercrime, the threat actors are seemingly one (or in this case, many) steps ahead of the rest of us. With only a basic understanding of code and a willingness to venture into the dark side of the internet, a fraudster has ample opportunity to attack banking customers on a large scale. And because of the instantaneous nature of real-time digital payments, customers may not be aware of suspicious transactions until it is much too late. The fraudsters are just that quick, and banks can struggle to keep up.
What can banks do, then, to protect their customers against these fraudsters? Traditional fraud detection is all well and good, but it is just not enough anymore to keep up with the swift attacks that are now easily occurring through transactions of the contactless variety. Besides, despite the quick adoption of this technology, customers are still approaching this wave of digitalisation in the marketplace in a range of ways.
For example, some customers are uncomfortable with contactless methods of payment, and so provide their own protection by either refraining from using it, or by setting low contactless limits for themselves, meaning that fraudsters are limited in the amount they can steal. Other customers value efficiency and therefore have higher limits and use contactless payments more casually. This second group is the one banks might need to focus more of their fraud protection efforts on.
Limiting contactless payment fraud
Two-factor authentication (2FA) is one method banks can use to limit fraud, and it has been shown by Google Security research to be quite effective, stopping 100% of automated bot account takeover attacks. There is still a concern, however, that 2FA implemented into contactless payment processes might negatively affect the customer experience. If a customer must also validate the purchase each time they use a contactless payment, this may negate the whole purpose of using contactless payment as an efficiency in the first place. While two-factor authentication will appeal to more conservative and cautious users of contactless pay, it will conversely repel those who want a quick and easy transaction. Of course, it is possible for 2FA and payment both to be consolidated onto a single device, but a layer of friction for the user is still added. And friction for that second group of customers is unwanted.
The line between security and efficiency is one that banks must toe carefully. If some customers prefer one thing, and others another, how do banks decide where to divert their efforts, as well as their funds? One suggestion here is that customers can and should create their own limits and set their own safeguarding preferences. This makes it more complicated for banks, to be sure, but with the implementation of machine learning software, it would be beneficial overall for everyone involved.
Both flexible and protective, machine learning fraud prevention and detection can concentrate on those customers who are at higher risk for fraud while still maintaining preventative monitoring for those who are less so. Instead of the traditional fraud-detection model, which runs on a cycle 3 to 6 months behind malicious activity, a machine learning fraud-prevention model can apply safeguards immediately and react instantly to protect its customers, all based on the limits and validators each customer has chosen. It would save money, too, removing the need for manual-heavy detection efforts, which take up nearly 25% of total fraud prevention expenses.
Contactless payment is, on the whole, more beneficial than it is harmful, bringing efficiency, ease, and even protection against germs to the hectic lives of the consuming populace, but still threat actors persist. Using a tech-driven and customer-centric approach to improve back-end fraud detection as well as prevention, banks can ensure a safe and streamlined payment approach in the modern era of contactless everything.