When fraud and identity theft get in the way of e-commerce
Although e-commerce has become an important buying and selling channel in many countries, it is more complicated than equivalent face-to-face transactions. The main cause of problems for e-commerce is also its strength: buyers and sellers are normally distant from each other. The challenge for transparent and efficient e-commerce is how to transform (rather than replicate) a physical transaction into an online one. Doing so challenges some of the assumptions underpinning face-to-face payments and explains why the e-commerce ecosystem exists: to facilitate and increase trust. This article describes my personal opinions accumulated over twenty years of working in e-commerce.
Who are we dealing with?
One of the new issues is knowing who we are dealing with. When we as consumers want to make a payment, it is almost always to a person or entity we know and for a specific purpose, for example, to settle a debt. Ordinary users are not interested in the sequence of letters and/or numbers specifying destination or source accounts. But the modern systems we’ve built rely on numbers rather than a nebulous “identity.” This is a difference between clearing checks, which are routed to a named recipient, and wire transfers, which are routed based on bank codes and account numbers. There is therefore a gap between what the user hears and what the system supports.
This is made more difficult in an e-commerce environment: it is widely recognized that establishing identity on the internet is complicated, but we are also advised not to share our payment details. For this reason, proxies – identifiers that can be used instead of account numbers processed by payment systems – may be preferred for usability; these include mobile phone numbers and email addresses, but governments may prefer to use their own identifiers, for example for payment of benefits.
It is essential to ensure that payments are made by, and to, the intended party. Social engineering methods can be used to take control of accounts and trick payers into transferring funds to fraudsters. Criminals are becoming more adept at obtaining or intercepting security credentials to facilitate this. Being sure of who is receiving funds is an important capability, but today, as payers, we cannot always know who owns a bank account.
In the UK, authorized push payment (APP) scams, in which criminals attempt to redirect payments to seemingly valid recipients, have increased. The Payment Systems Regulator (PSR) has pushed the biggest banks to adopt the payee confirmation service to counter this by matching the payee's name to the account details.
Assessing Danger with Authentication Methods
The adoption of strong methods to authenticate customers is widespread across banking channels and growing in online card transactions. For some payment mechanisms, authentication is built-in. For mobile banking payments, for example, the mobile banking app performs authentication at login or at the point of transaction using the phone’s security features. Apple Pay and other systems allow online payments to be made primarily through apps or websites integrated with them. This is particularly useful for allowing access to biometric authentication factors that can verify the individual themselves, not just the information or items they possess, such as a security token.
For some sellers, it is difficult to confirm the identity of their buyer. In an online environment, the seller and buyer may have just met, so it may be difficult to ask for proof of identity. This is where authentication comes into play: a card issuer confirming that the buyer is their customer is a real step forward in trust and, potentially, in the customer experience.
In addition to technologies such as 3-D Secure 2.0, which allows a card issuer to send and receive an online authentication request to their cardholder, other services have been developed to reduce a variety of risks, for example by checking the history of an email address or identifying malware on the payer's device. Each of them tackles a specific type of risk, and it is only by using them in concert that a payment service provider can truly assess the danger of fraud.
What else is in store?
But it’s not just about transferring physical interactions; the ecosystem exists to ensure reliable and efficient use of payment systems. This may include electronic invoicing or payment request services, due diligence, and security and risk management capabilities. It should be remembered that payment service users have a choice in how they make and receive payments. It is important to offer them options that effectively meet their needs. While various transactions are processed using payment cards, many others, especially B2B, use wire transfers such as Faster Payments in the UK. Additionally, Open Banking offers new methods for initiating payments through authorized third parties who can work closely with sellers.
In summary, e-commerce can be hampered by the lack of trust: in the identity of the payer and the beneficiary, in the payment data – amount, date, references, etc. – and in the integrity of how payment is made. Payments users should be free to choose payment methods that they trust and that are easy to use. This is important in e-commerce for payers and payees. It is therefore vital that the industry continues to innovate in the ecosystem to ensure that users achieve these goals while giving all parties, including PSPs, confidence every time.
Jonathan Williams is a payments expert who has worked in the industry for twenty years. He is currently working at the Payment Systems Regulator as a Technical Specialist. The contents of this article are the views of the author and do not necessarily represent those of PSR.
This editorial is part of the E-Commerce Fraud Prevention Report 2021/2022, the ultimate source of knowledge that dives into the evolution of the payment fraud ecosystem, revealing the most effective security methods so that companies win the battle against bad actors.
About Jonathan Williams
Jonathan is a Payments Technical Specialist for PSR for card and interbank payments. He has led strategy and product management at successful startups in the cybersecurity, telecommunications, and enterprise software industries.
About the Payment Systems Regulator
Every time someone uses an ATM, transfers money, uses contactless, or gets paid, they are using a payment system. Payment systems are constantly evolving and PSR is there to make sure they work well for everyone.