- Payment & Fraud Editorials


10th January, 2020

Ai Editorial: The PSD2 Strong Customer Authentication (SCA) migration completion deadline for online payments in Europe continues to be a weighty issue, with concerns about the preparedness and compliance still coming to the fore, writes Ai’s Ritesh Gupta

 

The SCA requirements were originally planned for the 14th of September last year (the new migration completion deadline is 31st December 2020), but concerns are still being highlighted that PSD2 will make online shopping more difficult and will negatively impact cart abandonment rates in the initial years of implementation.

As for the travel sector, a study by Amadeus in September had indicated that only one in three travel merchants were expected to be SCA-ready for the September 2019 deadline. The report featured 50 large travel firms (€1 billion+ revenue).

Concerns

All the stakeholders acknowledge the complexity of the payments markets across the EU and the hurdles resulting from the amendments that are needed.

According to the findings of a survey in December last year (commissioned by Riskified, featuring 2,000 consumers and 200 retailers evenly split across the UK, Germany, France, and Spain):

  • A third of shoppers would leave a site/app when asked to verify their identity.
  • 80% of European retailers expect that PSD2 will negatively impact cart abandonment rates. Nearly 50% expect a significant increase (of 20% or more) in shopping cart abandonment rates.
  • Almost 40% of European merchants are pessimistic about PSD2’s ability to curb fraud.

The top three authentication methods being studied by issuers are One Time Passwords (OTP) (SMS to a mobile device), authentication within a mobile banking app, and 3DS. Among these, OTP and 3DS authentication are expected to adversely impact the user experience. Specialists recommend that merchants use exemptions where possible. Also, by using fingerprints or facial recognition, one can combat fraud while also increasing convenience for consumers.

PSD2 SCA 2020 plan   

Even as the European Banking Authority asserted that the definition of SCA had been set out in PSD2 when it was published in 2015, a section of the industry states that the authority has failed with PSD2, at least in the short term. Moving on, the industry clearly needs to make fraud prevention and compliance efforts a priority. In terms of how the roadmap is going to shape up this year, the extension offers various players (issuers, acquirers, PSPs and merchants) extra time to entirely support EMV 3DS 2.1 and 2.2 by the end of this year. One can expect an incremental EMV 3DS execution with the new deadline.

Merchants need to test, preferably with a flexible offering that can set up both 3D Secure 1 and 2 authentication protocols. This way, if a specific issuer isn’t ready to support 3DS2, the offering will by default redirect transactions to 3DS1.

Ingenico ePayments recommends the following steps to prepare for the authority’s deadline:

By March 2020: integrate 3DS in your payment flow

  • For merchants who have not implemented 3D yet, the recommendation is to go straight to EMV 3DS 2.1 (skipping the implementation of version 1).
  • For merchants who already have 3DS version 1, the recommendation is to start implementing EMV 3DS 2.1.

By July 2020: use EMV 3DS 2.1 in your payment flow or be ready to do Step Up with EMV 3DS 2.1

By September 2020: SCA exemptions are available with EMV 3DS 2.2; if exemptions are not supported, then all transactions will require 3D.

With this incremental approach, merchants will fully support EMV 3DS 2.2 by the 31st of December 2020.

 

Keen on exploring fraud prevention and payment-related issues?

Check-out Ai’s conferences scheduled for 2020: https://lnkd.in/fE7UK_T

 


6th January, 2020

It is imperative for travel merchants to focus on dynamic friction, a fraud prevention approach which focuses on behavioral and situational attributes to apply the right friction to the right person at the right time, writes Ai's Ritesh Gupta

For any entity that is looking at balancing customer experience and fraud prevention, doing away with legacy fraud-fighting solutions is a must, as they tend to apply friction in a blanket, indiscriminate way to all users, customers and fraudsters alike. With dynamic friction, the risk level is assessed in real time so that merchants can offer safe, convenient, and customized user journeys that only become more accurate and appropriate over time.

Sift Trust and Safety Architect, Kevin Lee, shared that while 99% of users on a website are legitimate, there still needs to be protection from the ~1% of users that are attempting abuse.



29th November, 2019

Travel merchants can't apply the so-called "airport security" approach for screening every transaction.

Rather, there is a need to identify astute options to ensure the booking flow isn't unduly disrupted for legitimate shoppers. Companies have to leverage a shopper's fraud and risk score in order to ensure UX and fraud prevention aren't at odds with each other.

This way they can take a vital step towards seamless plus secure ecommerce.


25th November, 2019

The significance of hiring the right people as organizations try to curb various forms of e-commerce fraud must not be underestimated.

“Diversity (while recruiting people), specialized knowledge/skills, and training and support (is key to curbing fraud),” said Tina Burgess, Senior Manager of Risk and ePayments, Points.

Ai’s new 2020 conference dates:

http://www.airlineinformation.org/upcoming-events2/370-2020-conference-dates.html

 


15th November, 2019

Ai Editorial: Deepfakes supported by AI techniques today are considered to be a growing problem. It is vital to build AI systems that can automate deepfake detection so that risks such as identity fraud can be tackled, writes Ai’s Ritesh Gupta

 

Artificial intelligence (AI)-based identity fraud is emerging as a serious issue. Recognition of one’s voice and face as a way to validate a person’s identity is under scrutiny with the rise of synthetic media and deepfakes. Be it for security-related risks, user privacy concerns or fraudulent transactions, the repercussions are being probed at this juncture.

Technology to manipulate images, videos and audio files is progressing faster than one’s ability to tell what’s real from what’s been faked. According to the findings of a study released last month, the number of deepfake videos almost doubled over the last seven months to 14,678.

The level of sophistication with which fraudsters are moving ahead is exemplified by the recent case in which an executive was duped into transferring $243,000 to a bank account, or even the news of top AI researchers in the U.S. struggling to cope with computer-generated fake videos that could undermine candidates and mislead voters during the 2020 presidential campaign. Such cases of a fake phone call or a video file show how deepfake techniques are encroaching on people's lives in a harmful way.

Deepfakes are powered by deep learning AI. The algorithms behind this AI are fed large amounts of data. Eventually, by capitalizing on such data, “deepfake” videos manipulate audio and video using AI to make it appear as though someone did or said something they didn’t. This poses a challenge to validating the legitimacy of information presented online.

The case in China

Zao, a free deepfake face-swapping app, not only exemplified how quickly deepfakes have gone mainstream but also triggered a privacy backlash amid concerns about identity theft. The Chinese app allows users to upload their photographs, and its AI engine then swaps their faces with those of celebrities featured in video clips. Zao amended its policies, and stated that the app will not store the biometric information of users and that data would not be transferred without consent.

This privacy storm was mainly in China, but the threat of this trend was acknowledged everywhere since the app indicated how the technology is now available for smartphone users. In no time, questions were raised about the possibility of payment-related fraud, too. With biometric technologies such as Alipay’s ‘Smile to Pay’ being increasingly adopted as a form of payment across China, the concerns were valid. Alipay currently serves over 1 billion users. Ant Financial Services Group, which operates Alipay, stated that its facial recognition capabilities were safe and its facial payment system won’t be breached. It also emphasized that the team has implemented rigorous, best-in-class privacy, security and risk control processes.  

What is coming under inspection is the efficacy of biometric security measures such as voice and facial recognition. Can they be compromised by deepfakes that can almost perfectly imitate these features of a person?

Combatting threats

Initiatives are in the pipeline, focusing on automated deepfake detection.

Identity verification specialist Jumio highlighted that it is “vitally important to embed 3D liveness detection into identity verification and authentication processes”. The company is working on plans to combat advanced spoofing attacks including deepfakes. Its offering was recently introduced as a beta.

Facebook was recently in the news for working on a ‘de-identification’ technology to morph a person’s face so that they remain unrecognisable to facial recognition technology.

Amazon Web Services (AWS), Facebook, Microsoft and other organizations have recently committed to initiatives that encourage work on technology that can be deployed to better detect when artificial intelligence has been used to alter a video in order to mislead the viewer. AWS has indicated that building deepfake detectors will require novel algorithms which can process a vast library of data (more than 4 petabytes). Established organizations have chosen to collaborate as it is being widely acknowledged that it is important to have data that is freely available for the community to use. For instance, Facebook is commissioning a realistic data set that will use paid actors, with the required consent obtained, to contribute to a challenge. No Facebook user data will be used in this data set, according to the company. Concrete results, especially better detection tools, are being awaited as the likes of Facebook and Amazon admit that identifying manipulated content and deepfakes is a technically demanding and rapidly evolving challenge. 

Deepfakes aren’t fading away, and their consequences are being felt on a global scale.

 

Hear from fraud prevention and cybersecurity experts at Ai’s next ATPS –

http://www.airlineinformation.org/upcoming-events2/370-2020-conference-dates.html

 


13th November, 2019

Ai Editorial: Authentication of risky shoppers shouldn’t hamper the digital experience of all. Rather, merchants must focus on finding ways to apply the right friction to the right person at the right time, writes Ai’s Ritesh Gupta

 

Filling in a form, verifying a payment method, registering for an account… when a shopper is presented with such steps in the booking flow, it evokes resentment. No one likes to spend extra time or make that additional effort to verify their identity knowing that they are legitimate shoppers.

But travel merchants have to ensure that the least number of fraudulent transactions slip through. The key then lies in identifying anomalous shopping behaviour in a shrewder way that doesn’t screen every shopper.

As Sift’s Trust and Safety Architect, Kevin Lee, points out, merchants can’t get away with their airport screening approach. Travel e-commerce players have to ensure trusted shoppers or consumers can sidestep added authentication, while potentially risky users undergo that further screening.

“They (merchants) need to focus on dynamic friction,” said Lee. “The concept means having the ability to apply the right friction to right person at the right time.”

The team at Sift describes it as the optimal application of friction to user journeys based on behavioural and situational attributes, applying it to the right person at the right time.

Many companies have this airport security approach where everybody has to go through two-factor authentication (2FA), enter a CAPTCHA, etc.

“Honestly that’s a terrible experience because 99% plus of consumers on a platform tend to be legitimate. They just want to move from A to B (or shop legitimately with any retailer),” said Lee.

So how should dynamic friction be applied, and what sort of signals can be used? Since there is so much data from customers via app usage, device usage etc., there is a need to use behavioural friction or behavioural dynamics, looking at the signals to identify normal behaviour for an authentic shopper on an app or an online platform, and then being in a position to spot an anomaly where certain behaviour doesn’t seem to be normal. Only then is there a need to introduce certain friction or an additional check in the shopping process.

For example, looking at security measures for a particular type of fraud, MFA is deemed to be an astute way of shielding user accounts, since hackers or fraudsters don’t often have access to the additional factor required to authenticate. But merchants fear that the introduction of MFA would cause friction. The way forward then is to capitalize on dynamic friction, because the judicious use of this authentication method doesn’t disturb the experience of authentic users, and only those who fall in the category of risky users go through MFA.

Also, the specialists ensure that as a shopper moves from the discovery process to the completion of the transaction, all interactions are assessed for risk. In case the risk touches a given threshold, extra verification comes into play. If the interactions come across as reliable, that extra authentication is skipped, giving the shopper a more streamlined experience.

So in the case of account takeover protection, the real-time risk evaluation suggests the level of authentication a particular shopper/consumer should go through. Riskier actions with more red flags trigger MFA, while suitable actions pave the way for a smooth interaction.
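The threshold-based flow described above can be sketched as follows. This is an added example, not code from the article or from Sift: the signal names, weights, thresholds and the `manual_review` outcome are constructed assumptions, and a production system would replace the fixed weights with a trained model.

```python
from dataclasses import dataclass, field

# Constructed signals, weights and thresholds (assumptions for illustration only).
RISK_WEIGHTS = {
    "new_device": 25,
    "geo_mismatch": 20,            # IP country differs from the account's usual one
    "password_reset": 15,
    "payment_method_added": 20,
    "high_value_booking": 15,
    "same_day_departure": 10,
    "known_device": -15,           # trust signals lower the running score
    "prior_successful_orders": -10,
}
STEP_UP_THRESHOLD = 40     # at or above: ask for MFA unless already passed
REVIEW_THRESHOLD = 80      # at or above: hold for manual review even after MFA


@dataclass
class Session:
    user_id: str
    score: int = 0
    mfa_passed: bool = False
    history: list = field(default_factory=list)


def assess(session, stage, signals):
    """Fold one interaction's signals into the running score and decide friction."""
    delta = sum(RISK_WEIGHTS.get(name, 0) for name in signals)  # unknown signals count 0
    session.score = max(0, min(100, session.score + delta))
    if session.score >= REVIEW_THRESHOLD:
        decision = "manual_review"
    elif session.score >= STEP_UP_THRESHOLD and not session.mfa_passed:
        decision = "step_up_mfa"
    else:
        decision = "allow"
    session.history.append((stage, session.score, decision))  # audit trail
    return decision


def run_journey(user_id, journey, mfa_succeeds=True):
    """Assess every stage from discovery to checkout; return decisions and session."""
    session = Session(user_id)
    decisions = []
    for stage, signals in journey:
        decision = assess(session, stage, signals)
        decisions.append(decision)
        if decision == "step_up_mfa" and mfa_succeeds:
            session.mfa_passed = True  # one successful challenge is not repeated
    return decisions, session


# Constructed journeys: a returning shopper and a likely account takeover.
TRUSTED_JOURNEY = [
    ("search", ["known_device"]),
    ("login", ["known_device", "prior_successful_orders"]),
    ("checkout", ["high_value_booking"]),
]
RISKY_JOURNEY = [
    ("login", ["new_device", "geo_mismatch"]),
    ("account", ["password_reset"]),
    ("checkout", ["payment_method_added", "same_day_departure"]),
]

if __name__ == "__main__":
    for name, journey in (("trusted", TRUSTED_JOURNEY), ("risky", RISKY_JOURNEY)):
        decisions, session = run_journey(name, journey)
        print(name, decisions, session.history)
```

The returning shopper is never challenged, while the risky session is asked for MFA at login and is still held at checkout once its accumulated score crosses the review threshold.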

Dynamic friction in the travel sector

The application of dynamic friction in the travel sector, especially among airlines, is poor at this juncture, said Lee.

What tends to happen is that there are lots of legacy systems and rules in place to stop illegitimate shopping from happening. But 100% rules-based fraud prevention isn’t proving to be an ideal solution today. It’s not dynamic enough, it’s not fluid enough, said Lee. All of this is important since consumers today are very demanding when it comes to what they purchase, and when, how and where they purchase it. And that’s where machine learning has contributed, in terms of responding not only to new types of fraud but also to better recognising legitimate shopping behaviour.

Sift recommends an apt blend of risk and revenue decisions:

  • Rather than only looking at shielding the bottom line, also evaluate how to deliver a superlative UX while mitigating risk.
  • Embrace a growth mindset - Customer data is leveraged across all teams to make decisions that balance growth initiatives with risk policies.
  • Machine learning fraud prevention leverages customer data to assess risk in real time and route users to the appropriate experience based on that risk.

26th February, 2020

Ai Editorial: Law enforcement agencies are looking at several areas – private and public sector partnership, capitalizing on data and high-tech crimes to curb fraudulent transactions, writes Ai’s Ritesh Gupta

 

The role of law enforcement agencies in combating a variety of cyberattacks is being tracked closely. Be it private security and fraud prevention specialists or state-run agencies, no one organization is enough to deal with instances of cross-border cyberattacks. But the role of law enforcement agencies in countering payment-related fraud and other fraudulent ecommerce activity can’t be underestimated.

For instance, only a couple of months ago, Europol announced that its multidisciplinary initiative to derail illegal online transactions featuring flight tickets bought with compromised credit card data resulted in the arrest of around 80 persons. These were suspected of traveling with airline tickets bought using stolen or compromised credit cards. Importantly, as also stated by Europol, some of the individuals were associated with unlawful immigration. For instance, some of the detained travelers had forged documents or IDs. At the time of this announcement, Europol also indicated that the airline industry’s losses hovered around $1 billion annually as a result of the fraudulent online purchases of flight tickets. Such illegitimate transactions are at the top of the agenda of fraudsters/online criminals and are often associated with more serious criminal activities including irregular immigration, trafficking in human beings, drug smuggling and terrorism.

Internet-enabled crimes and scams show no signs of letting up, according to data released by the FBI’s Internet Crime Complaint Center (IC3) in its 2019 Internet Crime Report. IC3 received 467,361 complaints in 2019—an average of nearly 1,300 every day—and recorded more than $3.5 billion in losses to individual and business victims.

Concerted effort

  • Collaborative route:  Travel merchants, including airlines, need to take a collaborative route to combat fraudulent activities.

“I believe in collaboration (for fighting fraud) at every level,” Jan-Jaap Kramer, Founder and CEO of FraudGuard told Ai during an edition of ATPS, held in the U.K. last year. He mentioned that fraud prevention as a discipline has come a long way, considering that a fraud analyst used to be isolated from other departments within an airline. And now various sectors have realized the significance of jointly fighting fraud since one fraudster can have access to a customer’s credentials. And these can be used across a variety of retail sites or in other ways to commit a fraudulent activity. “So it is imperative for merchants to cooperate and fight in unison,” Kramer had said.

Europol’s operations have been featuring participation of airlines. Other stakeholders that work with the law enforcement agency feature executives from online travel agencies, payment card companies, the International Air Transport Association (IATA), Perseuss etc. This is in addition to law enforcement, and judiciary and border agencies. They work in unison with Europol’s experts to spot dubious transactions and confirm the same with law enforcement officers deployed in the airports. 

  • Counting on data: Law enforcement agencies are trying to ensure that their initiatives don’t compromise individual privacy for the sake of public security. They are looking at implementing privacy by design. The plan should be – to be in complete line with one’s fundamental rights. In addition to this, the focus is also on promotion of de-bureaucratised and efficient processes.
  • Keeping pace with cybercrime: Law enforcement agencies acknowledge that cybercrime is more confrontational than ever. Considering the use of botnets, setting up back doors on compromised devices, social engineering etc., there is a need to keep pace with such attacks.
  • Preparing for the dark web: Europol, in its Internet Organised Crime Threat Assessment 2019, asserted that more synchronized investigation and hindrance-related initiatives for the dark web are needed. This would send a strong signal from law enforcement entities. Plus, even better real-time assessment is required to respond to the activities on the dark web.  The capability “will enable the identification, categorization and analysis through advanced techniques including machine learning and artificial intelligence.”

It was also mentioned that an EU-wide framework is “required to enable judicial authorities to take the first steps to attribute a case to a country where no initial link is apparent due to anonymity issues, thereby preventing any country from assuming jurisdiction initiating an investigation”.

 
