Over the last few years, new technologies have transformed the way consumers pay for products online. Alongside established methods such as debit, credit and pre-paid cards, many other payment options are now available and transactions have soared. The increase has been driven by mobile payments via smartphones, such as those provided by technology giants including Google, PayPal and Apple.
Online retailers have no doubt welcomed the payment technology boom, as more ways to pay means more sales and hopefully greater profits. For British shoppers – who lead the world in terms of per capita shopping online – being given a growing number of options to buy goods and services on the Internet is also a boon.
It’s not all good news, however.
The increasing number of transactions online is a magnet for fraudsters and criminals. Last Christmas alone the UK lost £16 million to cybercrime. Over the course of last year, the UK was victim to over 1.3 million instances of payment fraud. An astonishing £268 million was lost to cybercrime, with the average victim being left £738 out of pocket.
And the situation is only likely to get worse in the coming years, according to the UK Cards Association, with the upward trend clear. The organisation reports a 48 per cent increase in online fraud in 2014 when compared to the previous year.
So who then should take responsibility for stopping fraud and preventing consumers from becoming victims of crime?
Certainly the banks have an important role to play. As the providers of our bank accounts, credit and debit cards, banks need to take measures to ensure fraud is kept to a minimum. But many are still somewhat confused as to the extent of their responsibility. According to the Global IT Security Risks Survey 2015, only 67 per cent of banks said that providing a secure connection was mandatory. This lack of awareness of their remit is a major concern. If banks are not fully aware of their responsibilities, is it any surprise that online fraud is on the rise?
There is also the issue of how much fraud prevention costs. Some experts in the banking industry suggest that it is cheaper just to pick up the pieces after the damage is already done. The study confirms this suspicion, with some 48 per cent of financial institutions stating that the measures they take are aimed at mitigating rather than solving the problem.
A significant minority of the respondents (29 per cent) claimed it was cheaper to deal with fraudulent activity after it had already occurred. This strategy is seemingly preferred by some in place of taking measures to prevent fraud from happening in the first place. This is a dangerous message to send to would-be fraudsters, however, as it gives them encouragement to try their luck and increase losses in the future.
A behind-the-scenes policy by banks of dealing with the problem when it happens, rather than preventing it, would suggest that they are subtly passing the responsibility onto other parties. As mobile payment providers continue the battle to provide their services and gain market share in Europe, consumers are left more susceptible to fraud in the vacuum, with payment technology advances outpacing improvements in security provision. As a reaction to the rapidly changing nature of European citizens’ shopping habits and preference for purchasing goods online, the European Union has proposed to amend the Directive on Payment Services. The purpose of this is to improve the security of payments and facilitate the emergence of innovative new mobile and Internet payment methods.
Payment service providers must also address this problem. They could be considered liable for the losses of customers if they fail to prevent fraud or do not implement a strong customer authentication and verification process. However, strengthening these aspects of an online transaction must not come at the expense of user experience, as this would almost inevitably lead to shoppers abandoning their transactions. Security is important but certainly not at the expense of convenience. Middle ground must be found in the fight against online fraud.
Perhaps, then, this allows for a risk-based authentication scheme in which service providers implement One Time Passwords (OTP). In this way, even if the banks have not implemented an OTP, the service provider can easily confirm that the user is who they say they are by deploying appropriate risk indicators. These could be whatever is deemed appropriate for the provider and the customer: for instance, indicators that consider the size, location or speed of transactions.
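As an added illustration (not code from the article or from any provider), the sketch below scores a payment on the three indicators named above, size, location and speed, and requests an OTP only when the combined score crosses a threshold, so routine payments pass without extra friction. The `Txn` type, the thresholds, the weights and the sample history are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

@dataclass(frozen=True)
class Txn:
    when: datetime
    amount: float  # GBP
    country: str   # ISO 3166-1 alpha-2, e.g. from card or IP geolocation

# Constructed thresholds and weights; a provider would tune these on its own data.
AMOUNT_MULTIPLIER = 3.0                 # size: over 3x the customer's median spend
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3                      # speed: earlier payments inside the window
WEIGHTS = {"size": 1, "location": 2, "speed": 2, "no_history": 2}
STEP_UP_SCORE = 2                       # score at which an OTP is requested

def risk_indicators(txn, history):
    """Return the names of the risk indicators this payment trips."""
    if not history:
        return ["no_history"]           # nothing to compare against: treat as risky
    hits = []
    if txn.amount > AMOUNT_MULTIPLIER * median(h.amount for h in history):
        hits.append("size")
    if txn.country not in {h.country for h in history}:
        hits.append("location")
    recent = [h for h in history
              if timedelta(0) <= txn.when - h.when <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        hits.append("speed")
    return hits

def decide(txn, history):
    """Return ("allow" | "otp", tripped indicators) for one payment."""
    hits = risk_indicators(txn, history)
    score = sum(WEIGHTS[h] for h in hits)
    return ("otp" if score >= STEP_UP_SCORE else "allow"), hits

# Constructed sample data: four earlier UK payments, median 30 GBP.
NOW = datetime(2015, 11, 2, 12, 0)
HISTORY = [Txn(NOW - timedelta(days=d), amt, "GB")
           for d, amt in [(20, 20.0), (12, 35.0), (6, 25.0), (2, 40.0)]]

if __name__ == "__main__":
    print(decide(Txn(NOW, 30.0, "GB"), HISTORY))    # routine payment
    print(decide(Txn(NOW, 200.0, "GB"), HISTORY))   # large, otherwise familiar
    print(decide(Txn(NOW, 200.0, "FR"), HISTORY))   # large and from a new country
```

Weighting size below location and speed means a single large purchase from a familiar country goes through, while any stronger or combined signal triggers the OTP.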
The challenge to individuals, banks and payment providers by online fraudsters is a significant and growing one. Undoubtedly, the responsibility for preventing and mitigating fraud is shared between these parties, along with national governments, industry bodies and regulators. It is crucial that the industry works together to develop new measures to ensure that online fraud does not spiral out of control and to ensure consumers and merchants are protected.
Srivatsan Srinivasan, Product Marketing at Nexmo