The fraud-prevention solutions provider Riskified has launched its Dark Side Of PSD2 report, which examines the dark web and reveals how fraudsters have reacted to the new PSD2 regulation.
The report, compiled in partnership with the threat intelligence platform IntSights, looks at how PSD2 affects both fraudulent activity and fraud prevention, and shares insights from a deep dive into dark web forums and marketplaces. It arrives as Europe rolls out Strong Customer Authentication (SCA) enforcement at speed, with fraudsters working to keep pace.
Of the more than a dozen known ways to bypass SCA, the report focuses on the three most used by fraudsters to work around the new authentication requirements: malicious accessibility (malware abusing device accessibility permissions to read one-time passcodes), social engineering, and SIM swapping. Each of these defeats the second factor rather than the card data itself, which is why SCA is far from fraud-proof.
Drawing on real examples from Riskified's transactional data, the report highlights the risk of over-relying on the 3-D Secure (3DS) protocol as a fraud-protection tool, and questions the quality and effectiveness of the fraud-detection rules issuers apply when deciding whether to challenge a transaction.
This lack of industry readiness, beyond basic compliance and the more technical aspects of preparing for SCA, is the official reason the FCA introduced a six-month delay to the SCA enforcement deadline in the UK just last week, and why merchants across Europe are reporting a sharp drop in online transaction conversion rates.
The good news is that while fraudsters are busy finding ways around SCA, forward-looking merchants are already updating their fraud-prevention strategies to offset the impact of PSD2. In doing so they stand to benefit from the clear incentives the regulation offers merchants with low fraud rates.
Calling on PSD2 policy makers to react, Riskified's proprietary analysis indicates a misalignment between the regulatory Transaction Risk Analysis (TRA) exemption thresholds and the actual risk profile of eCommerce transactions. According to the accompanying policy memo, €12bn (~£10.4bn) worth of card-not-present transactions currently hang in the balance because of the 'excessive friction' that results from the stringent TRA thresholds set by regulators.
“SCA is unequivocally the single most disruptive event to impact European eCommerce, and many businesses have yet to fully grasp its extensive impact,” comments Doron Weitz, Head of PSD2 Product Marketing at Riskified. “Our report indicates that fraudsters are already hard at work looking for loopholes in the authentication and payment processes. So, to ensure eCommerce merchants are well-positioned to offset the impact of PSD2 on fraud and fraud prevention, they should do everything they can to continue to provide excellent customer experience, while also keeping transactions secure and fraud levels as low as possible.”
“Given the clear regulatory incentives under PSD2, a merchant’s fraud rate (high or low) suddenly becomes a crucial commercial factor,” Doron continues.
Christopher Strand, Chief Compliance Officer at IntSights Cyber Threat Intelligence, stresses the need for a more surgical approach to assessing risk to payment systems as merchants adopt and implement PSD2: “As a reaction to SCA, recent fraudster activity on the dark web this year has shown attack patterns looking for ways to either exploit or work around the payment process components.”
He continues, “Techniques that target vulnerabilities within the core functions of the payment authentication process, or ones that fall outside of the PSD2, such as targeting non-EU credit cards and then avoiding SCA, will continue to escalate throughout the year as merchants adapt to PSD2.”
“At the same time, this adds stress to the merchant’s environment as they balance their security rollouts with customer service level expectations. On the upside, for merchants that want to implement a sanity check on the security of their payment process under PSD2, there are already many security baseline frameworks and retail-related regulations that can be employed to help measure and mitigate the threat to their systems.”
“eCommerce merchants whose systems fall under any of the standards of the PCI SSC (Payment Card Industry Security Standards Council) can take advantage of data that’s gleaned during the risk assessment phase and apply that along with other security solutions to help gain better clarity on their payment transaction posture.”