Authentication – CSM – Customer Service Manager Magazine (https://www.customerservicemanager.com), feed dated Wed, 05 Oct 2022 15:52:47 +0000

The Need for Customer-Friendly Authentication Alternatives to Vulnerable One-Time Passcodes
https://www.customerservicemanager.com/the-need-for-customer-friendly-authentication-alternatives-to-vulnerable-one-time-passcodes/ (Fri, 10 Jun 2022 13:11:17 +0000)

One-time passcodes, or OTPs, sent to mobile phones are the cornerstone of many organizations’ customer authentication strategies.

This is in large part due to the positive reputation they have with consumers: they are convenient, and the codes are assumed to be secure. But with the increasing prevalence of mobile malware, man-in-the-middle attacks, phishing, SIM card swaps, call forwarding and other fraud techniques, mobile OTPs are becoming a progressively less reliable means of protecting customer accounts.

Fraudsters are using an increasing number of ways to compromise consumer phones, and businesses are feeling the impact. A recent Forrester survey of 300 North American fraud prevention decision-makers indicates that phone-related fraud is rife: almost every respondent reported that their organization had experienced mobile fraud in the past year. SMS OTP fraud attacks were among the most commonplace, even though one of the main challenges these companies reported was that they lack the tools to accurately detect OTP fraud. It is a near certainty that the true extent of the problem is severely undermeasured.

The high cost of fraud…

Customer authentication fraud loss rates exceeded 5% last year for nearly half of survey respondents, indicating that they lost more than 5 cents of every dollar earned. And, as mobile transactions gain ground, the share of fraud costs from the mobile channel is rising, jumping from 5% to 39% of fraud costs in U.S. e-commerce between 2020 and 2021, according to the LexisNexis True Cost of Fraud Study.

Direct fraud losses balloon with the addition of related costs such as chargeback fees, interest, and merchandise replacement and redistribution. LexisNexis calculates that in 2021, every $1 of fraud cost U.S. retail and e-commerce merchants $3.60 — up from $3.36 in 2020 and $3.13 in 2019.

And even these figures are dwarfed by the indirect costs of false declines, negative customer experience, loss of customers and damage to brand reputation.

…and fraud prevention

Fraud prevention is always a balancing act, with merchants attempting to verify buyers’ identities and block fraudulent purchases while at the same time trying to avoid rejecting legitimate orders or creating so much friction that customers are driven away. This is especially true across digital channels where customers can take their business elsewhere with just one click.

Many industry analysts believe that the majority of declined transactions are actually legitimate orders, representing a massive loss of potential revenue to merchants. A report by Sapio Research suggests that for every $1 in credit card fraud, e-commerce merchants lose $13 in false declines. But other sources estimate that false-decline losses are actually up to 70 times the fraud losses.

What’s more, 39% of consumers say they will never go back to a merchant that declines a transaction — leading to a significant loss in lifetime customer value. And 28% say they will report their negative experience on social media, potentially influencing other prospective customers as well.

A precise, low-friction approach

Unfortunately, the vulnerability of the mobile channel has weakened OTP effectiveness. The significant rise of SMS OTP fraud puts both the organization and the customer at risk. New strategies are needed that complement the ease and convenience of authentication via SMS text messaging or callbacks. The question becomes, how do you flag potential fraudsters before sending that one-time passcode to a customer device?

The majority of survey respondents are looking to answer that question with technology partners who can enhance OTP authentication security while maintaining a user-friendly experience for consumers. Just three in 10 decision-makers surveyed by Forrester believe that their companies’ ability to prevent authentication fraud is optimized, and nearly seven in 10 have already begun investing in technology to help prevent OTP incidents. Respondents identified the following capabilities as either mission-critical or important: identifying high-risk phone numbers, detecting if a phone scam is active before sending an OTP, using a decision engine to determine the lowest-risk channel (mobile app vs. SMS, for instance) and then sending the OTP via that channel, and obtaining a low-risk phone number when the initial phone number is identified as high risk.

The above trends are leading to the increased adoption of phone takeover risk solutions. These tools provide companies with real-time intelligence to determine whether sending an OTP to a phone number presents a high or low risk. They signal whether common fraud tactics, such as SIM swaps, call forwards and reauthorized assignments, may have recently occurred. Knowing whether a device or interaction is at high risk for these types of fraud allows the vast majority of one-time passcodes to be safely sent and received while stopping fraudsters from receiving those same passcodes after hijacking consumer phones.
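An added example (not code from the article or from any vendor's product) of the pre-OTP risk gate described above: it combines the takeover indicators the article names (SIM swap, call forwarding, number reassignment) with the channel decision the survey respondents asked for. The signal fields, look-back windows and sample cases are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class PhoneSignals:
    """Hypothetical phone-takeover intelligence for one number (assumed fields)."""
    sim_swapped_at: Optional[datetime]        # last SIM change, if the carrier reports one
    call_forwarding_active: bool              # unconditional call forwarding is set
    number_reassigned_at: Optional[datetime]  # number moved to a new subscriber
    app_push_available: bool                  # customer has an enrolled mobile app


# Assumed look-back windows; a real deployment would tune these from its own fraud data.
SIM_SWAP_WINDOW = timedelta(days=7)
REASSIGN_WINDOW = timedelta(days=30)


def assess(signals: PhoneSignals, now: datetime) -> Tuple[str, List[str]]:
    """Decide how (or whether) to deliver the OTP. Returns (decision, reasons):
    'send_sms'      - no takeover indicators, SMS delivery is acceptable
    'send_app_push' - the phone number is suspect, but an enrolled app exists
    'hold'          - high risk and no safer channel: obtain another number first
    """
    reasons: List[str] = []
    if signals.sim_swapped_at and now - signals.sim_swapped_at < SIM_SWAP_WINDOW:
        reasons.append("recent SIM swap")
    if signals.call_forwarding_active:
        reasons.append("call forwarding active")
    if signals.number_reassigned_at and now - signals.number_reassigned_at < REASSIGN_WINDOW:
        reasons.append("number recently reassigned")
    if not reasons:
        return "send_sms", reasons
    # A push to the enrolled app is bound to the customer's device and account,
    # not to the phone number, so it is unaffected by SIM swaps and forwarding rules.
    if signals.app_push_available:
        return "send_app_push", reasons
    return "hold", reasons


# Constructed sample cases (not real customer data).
SAMPLE_NOW = datetime(2022, 6, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_CASES = {
    "clean": PhoneSignals(None, False, None, True),
    "sim_swap_2d_with_app": PhoneSignals(SAMPLE_NOW - timedelta(days=2), False, None, True),
    "forwarding_no_app": PhoneSignals(None, True, None, False),
    "sim_swap_30d_no_app": PhoneSignals(SAMPLE_NOW - timedelta(days=30), False, None, False),
}


def run_samples() -> Dict[str, str]:
    """Evaluate every sample case and return its delivery decision."""
    return {name: assess(sig, SAMPLE_NOW)[0] for name, sig in SAMPLE_CASES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:24s} -> {decision}")
```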

Protecting the Customer Experience

As more consumers embrace mobile transactions, organizations need tools that help make the use of one-time passcodes, one of the most universal and widely adopted authentication processes, safer from bad actors. These solutions will ensure a difficult experience for fraudsters while maintaining a positive authentication experience for customers — thus laying the foundation for greater trust, enhanced brand value and market share growth.

About the Author

Shai Cohen leads TransUnion‘s Global Fraud Solutions Group. Cohen has spent decades in the IT and cybersecurity industries leading business units and software engineering and product management teams. He joined TransUnion from RSA, where he was the general manager of its Fraud and Risk Intelligence business. Previously, Cohen served in leadership roles at EMC and Intel.

Strong Customer Authentication: Three Things Every Merchant Needs to Know
https://www.customerservicemanager.com/strong-customer-authentication-three-things-every-merchant-needs-to-know/ (Tue, 13 Jul 2021 11:11:29 +0000)

With online fraud on the increase, companies must take action to make sure they meet the updated version of the Payment Services Directive, PSD2, which will mandate Strong Customer Authentication (SCA), later this year. Adam Bromage-Hughes, Technical Director at Encoded, takes a closer look at the directive and discusses why SCA is so important for companies and customers.

The first Payment Services Directive (2007) levelled the playing field for payment institutions in the EU. It increased competition and set out common payment standards that benefited both customers and participators in the industry. The later revised PSD2, introduced in 2015, has resulted in an even more integrated and efficient payments market, with the key addition of Strong Customer Authentication (SCA). Over the last five years SCA has helped to reduce online fraud by making payments safer and more secure for customers. The Financial Conduct Authority (FCA) has announced the deadline for implementing full SCA compliance for e-commerce transactions is now 14 March 2022. Any firm that fails to comply with the requirements will be subject to FCA supervisory and enforcement action.

What has changed and why is SCA so important now? Here are three important things to know:

1. SCA protects businesses and the customer from online fraud

Strong Customer Authentication (SCA), often referred to as multi-factor authentication, assures the card issuer and acquirer that the transaction is genuine. For transactions where the cardholder is not present (online), at least two criteria now need to be met to confirm the customer’s identity: something they know (a PIN), something they have (the card) or something they are (a biometric such as fingerprint or voice recognition).

SCA protects both the merchant/company and the customer. If a customer pays online for goods using an SCA process, but later claims it was a fraudulent transaction, the bank or card issuer accepts liability. Previously a fraudulent transaction meant that the merchant had to refund the money and incurred additional chargeback costs. With debit cards the merchant was even more vulnerable to fraud, as the money could only be credited back if there was still cash in the bank account.

The latest version of Visa’s 3-D Secure is an example of the SCA process, where customer details are used by the bank or card issuer to assess the risk of the transaction. It is more robust than the earlier version, which simply required a password: the details are confirmed and then a one-time password or code is sent to the customer as authorisation. 3-D Secure (often referred to as ‘Verified by Visa’) provides confidence from the card issuer and bank that the transaction is genuine. If a purchase is considered low risk by the bank or card issuer, then the transaction is processed immediately with no authentication required. This is often termed ‘frictionless flow’ since it provides a smooth customer journey.

2. SCA will become mandatory on 14 March 2022

For companies selling online the initial deadline to meet the new PSD2 with SCA requirements was September 2019. However, with the UK leaving the EU and the recent COVID pandemic, the UK’s Financial Conduct Authority (FCA) has delayed the deadline until March next year. This means that any UK company that is performing transactions online (over the value of 50 euros or approx. £45) must have SCA in place by this date.

Transactions that do not meet the SCA requirements could be declined by the card issuer. The FCA will oversee and enforce the directive and repeat offenders of such transactions may be fined for non-compliance. Companies with high numbers of declined transactions could also see increased complaints, reduced customer confidence and suffer possible irreversible, reputational damage. Some transactions will be considered SCA exemptions, which include recurring payments (such as subscriptions) where the security checks are carried out in the initial set-up and ‘whitelisting’ where the recipient is a ‘trusted beneficiary’.

3. Working with the right Payment Services Provider helps achieve compliance

It can be costly and complex to implement secure online processes for transactions. With some acquirers, secure checks are carried out separately from the transaction processing. In this case the merchants must handle all of the secure online checks themselves, obtaining an authorisation code from the card issuer and then passing it on to the payment services provider to proceed with the transaction. Expensive to set up, the secure checks require resources and expertise to manage the mandatory technical and operational interfaces with third parties.

Working with an established payment services provider like Encoded means the transaction process and administration is managed from start to finish. The merchant captures the customer transaction and Encoded carries out all of the secure checks required by the acquirer to verify the card with the card issuer behind the scenes. With checks authorised, Encoded issues a secure link that takes the customer through the online process to complete the transaction.

Choosing the right payment service provider early on is an investment for the future. Encoded’s payment gateway is acquirer agnostic, which means that merchants can easily change banks without implementation costs.

With the next deadline of 14 March 2022 for SCA looming, now is the time to start thinking about how to protect your business from fraudulent transactions and how to comply with the new regulations.

Contact Encoded to find out how we can help you make the change.

About the Author

Adam Bromage-Hughes is Technical Director at Encoded

Encoded is a leading Payment Service Provider and pioneer of new and innovative secure payment solutions for contact centres. Encoded offers a range of card payment solutions designed to help organisations comply with PCI DSS, GDPR and the newly introduced Payment Services Directive (PSD2).

Encoded’s solutions are trusted by many of the world’s leading brands including Samsung, Mercedes-Benz, BMW, Műller and Virgin, as well as a host of UK utility companies such as Green Star Energy and Severn Trent Water. Solutions include: Agent Assisted Card Payments, E-Commerce Payments, IVR Payments, Mobile Apps, PayByLink Mobile Payments and Encoded Gateway Services. For further information please visit www.encoded.co.uk

Closing the Weakest Link: Call Centre Authentication
https://www.customerservicemanager.com/closing-the-weakest-link-call-centre-authentication/ (Sat, 01 Jun 2019 11:55:21 +0000)

The aim of a call centre is to deliver fast, direct, and effective customer service, but I’m willing to wager that most of us have never had this type of experience – most of our experiences have probably been of the frustrating, time-consuming kind.

This is a problem for banks because, according to Forrester, most adults feel that valuing their time is the most important thing a company can do to provide them with a good experience.

According to industry insights, it is the time taken for call centre agents to authenticate incoming calls, together with other legacy systems, that generally leads to a poor customer experience. However, authenticating callers has become a priority for banks and for other industries that rely on call centres.

The mammoth profitability of cybercrime is attracting a much more sophisticated breed of fraudster; one who can pragmatically assess an organisation’s weak point and exploit it. This weakest link is more often than not the phone channel – an organisation’s call centre.

By exploiting the phone channel, fraudsters are using an omnichannel strategy to commit data breaches. For example, a fraudster could use social engineering to reset a password on a victim’s account. Then, they can use that password to commit online fraud.

This example gives an insight into how difficult it can be to identify the transactions that lead to fraud. Many cross-channel steps can seem like a legitimate transaction and make fraud harder to spot.

Stuck between a rock and a hard place

So far, call centres have found it tricky to strike the right balance between security and customer service. Putting strong, traditional security measures in place generally impacts customers’ experience – often to an organisation’s detriment – meaning that an organisation might be tempted to slack on data privacy and security. But this then puts the organisation at risk of a far more expensive data breach.

So, what’s an organization to do? Consumers want a speedy, frictionless process, and competition can drive this as a priority over security. Consumers themselves often choose convenience over security – as evidenced by weaker and multiple-use passwords – which reduces the effect of an organisation’s security methods anyway.

Rescue attempts

Authentication measures at a call centre can help to keep fraudsters from resetting passwords, and then using these credentials on web and mobile apps. Currently, call centre identification still relies on those easily accessible knowledge-based authentication (KBA) questions such as your mother’s maiden name and your favourite food. However, any cybercriminal worth his weight in stolen data will be able to find this information more easily than you will probably remember it!

Some organisations have tried to move on from this comfortable habit of KBA, and have implemented some form of authentication using voice biometrics or one-time passwords (and you can read our views about those here).

However, as the technology to trap fraudsters evolves, so too do the fraudsters’ skills, and they always seem to be one step ahead. They can now beat single-factor authentication security methods and fool traditional single-factor voice biometrics. It is no great achievement for a fraudster to find their victim’s voice on the internet or to use voice synthesis software.

A way out?

The importance of call centres is not going to go away any time soon. There is a demographic – generally more tech averse – that prefers using call centres. At the same time, the rise of omnichannel is making human interaction invaluable. This need forces organisations to staff call centres with people who provide a customised service. So how are organisations going to handle this security dilemma?

What if you could, with a high degree of certainty, know who was on the other side of the line? What if you could reduce the average time of calls, and hence the cost of each call? Call centre authentication and fraud prevention can work hand-in-hand to achieve a positive customer experience without sacrificing identity assurance.

What if you could identify someone using something they have with them all the time – their mobile phone? Using an out-of-band, strong customer authentication solution, you can make the mobile phone a possession factor.

And if you combine that possession factor with a knowledge factor or an inherence factor, you confirm that you are dealing with the legitimate owner of that phone and can continue transacting with peace of mind.

In every industry, organisations will be aiming to improve operational efficiency. But any gains made will all be lost if security is not factored into the equation.

About the Author

Simon Rodway is an experienced software solutions architect and software developer and has worked on a wide variety of technical and business-driven projects. As pre-sales solution consultant at Entersekt, Simon is tasked with supporting their European team in business development across the region. His extensive work experience in the information technology and software development industries, at global companies such as IBM, ensures that he can leverage a refined industry perspective in growing Entersekt’s presence in the European market.
