Consumers give out personal information every day: a mother’s maiden name, the last four digits of a social security number. These are common security questions that allow financial institutions, online shopping websites and other businesses to authenticate users.
But therein lies the fundamental problem – these authentication methods are so common that the information is easily obtained and sold to criminals. And when a criminal is authenticated using stolen information, the real customer’s card number is compromised.
Financial institutions must understand that digital payment security has transitioned from a point-of-sale problem to one of customer authentication. Here are four tactics your institution can use to halt this trend:
1. Prioritize Trusted Channels
EMV chips on cards and tokenization for digital wallets make it nearly impossible for useful data to be stolen at the point of sale. Tokenization is a growing threat to fraudsters, as the technology creates unique tokens—which are useless to steal—instead of static card credentials.
To compensate, criminals are now attempting to authenticate using the static consumer card credentials they’ve illegally obtained. So, when authenticating legitimate users, especially via digital means, your bank should prioritize, or encourage the use of, trusted channels. For instance, sending a text message to a customer’s phone or using password verification via an app are considered trustworthy methods. Phishing and social engineering schemes are much less effective within these channels, and your payments processor should block these fraudsters automatically when it detects foul play.
Consider incentivizing customers to use these channels by highlighting their security benefits.
2. Prep the Call Centers!
Despite all the attempts your institution has made to secure the authentication process via text, email, app, etc., there will always be customers who want to speak directly to a representative via phone. Call centers are the main target for modern data-phishing schemes. Fraudsters will use social engineering tactics to trick representatives into thinking they are speaking to the real customer since they possess all of the necessary information.
Train your call center staff with social engineering testing to help them recognize and deal with these schemes.
3. Use Out-of-Wallet Info
The underlying problem with current verification methods is that they use static, unchanging data to authenticate users. A mother’s maiden name will never change, nor will the last four digits of a social security number. This information is easily obtainable today and is likely already in the hands of criminals looking to exploit it. Your institution must instead employ out-of-wallet questions to generate dynamic, behavior-based credentials when validating a customer over the phone.
Out-of-wallet information is based on behavior that has no traceable profile. For example, consider replacing “mother’s maiden name” with “where was your last local transaction?” and “at which branch did you last deposit money?” These answers are much harder for fraudsters to obtain, and they give a more realistic insight into the legitimacy of the person on the other end of the line.
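The dynamic, behavior-based check described in tactic 3, as an added example that is not code from CSI or the original article: challenge questions are derived from the customer's most recent activity, so an answer that was correct last week stops working once the customer transacts again. The ledger layout, field names and function names are assumptions, and the sample records are constructed.

```python
import hmac
from datetime import datetime, timedelta

# Constructed sample ledger for one customer (illustrative, not real data).
LEDGER = [
    {"ts": "2024-05-01T09:12", "kind": "card_present", "where": "Elm Street Grocery"},
    {"ts": "2024-05-03T14:40", "kind": "branch_deposit", "where": "Riverside Branch"},
    {"ts": "2024-05-06T18:05", "kind": "card_present", "where": "Corner Pharmacy"},
    {"ts": "2024-05-07T11:30", "kind": "card_not_present", "where": "online-shop.example"},
]

# Only activity kinds that map to an out-of-wallet question are used.
QUESTIONS = {
    "card_present": "Where was your last local transaction?",
    "branch_deposit": "At which branch did you last deposit money?",
}

def normalize(text):
    """Case-fold and collapse whitespace so spoken answers compare fairly."""
    return " ".join(text.casefold().split())

def build_challenges(ledger, now, max_age_days=30):
    """Return {question: expected answer} from the newest record of each kind.

    Records older than max_age_days are skipped: an old answer behaves like
    static data and the real customer may no longer remember it.
    """
    cutoff = now - timedelta(days=max_age_days)
    latest = {}
    for rec in ledger:
        when = datetime.fromisoformat(rec["ts"])
        if rec["kind"] in QUESTIONS and when >= cutoff:
            if rec["kind"] not in latest or when > latest[rec["kind"]][0]:
                latest[rec["kind"]] = (when, rec["where"])
    return {QUESTIONS[kind]: where for kind, (_, where) in latest.items()}

def check_answer(expected, given):
    """Compare normalized answers without leaking where they differ."""
    return hmac.compare_digest(normalize(expected).encode(), normalize(given).encode())

def verify_caller(ledger, answers, now, required=2):
    """Pass only if `required` dynamic questions exist and are answered correctly."""
    challenges = build_challenges(ledger, now)
    correct = sum(1 for q, expected in challenges.items()
                  if q in answers and check_answer(expected, answers[q]))
    return len(challenges) >= required and correct >= required
```

When too few recent records exist to form the required number of questions, `verify_caller` fails closed, so the representative has to fall back to another trusted channel.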
4. Incorporate 3D Secure 2.0
Tokenization and other modern payment authentication methods will take time to implement, but institutions can take related steps to fight fraud in the short term. For example, banks can opt in to new secure payment technologies, like 3D Secure 2.0. This technology, which focuses primarily on card-not-present transactions, enhances the communication of data between merchants and issuers to create a unique risk profile for each transaction. This type of risk-based authentication not only promotes a more secure payment environment, but also enhances the customer experience.
Join Our Webinar
Financial institutions must rethink digital payment risk. Yes, payment security is evolving, but criminals are evolving with it, and will do whatever it takes to get around any security measures put in place to thwart them. Register for CSI’s Take Control of your Card-Not-Present Payment Security webinar to learn more about new technologies like 3D Secure 2.0 and other methods to fight digital payment fraud.
In his role, Matt Herren has employed advanced analytics and data analysis to not only react to fraud, but also to prevent it. As the product manager for Payment Analytics, Matt has expanded CSI’s ability to address fraud through early identification of merchant breaches and fraudulent testing techniques. His work helps to increase bank profitability through fraud mitigation and card portfolio analysis, allowing customers to realize industry-leading results and maximize program performance.