It’s 300 BC Greece, and a shipping merchant named Hegestratos is about to change the world. His attempt to con the insurers of a shipload of valuable goods – by sinking the boat but keeping the cargo, and claiming the loss anyway – is the first recorded instance of fraud in history. A trailblazing event in human society, and a harbinger of the financial arms race to come.
In some ways, it’s surprising that it took someone so long to come up with the idea of commercial fraud. Mechanisms for distributing risk in monetary economies have existed since at least the 3rd millennium BC, when Chinese merchants developed sophisticated ways of distributing goods across multiple vessels to minimise losses in case of accidents at sea. Such systems led to insurance schemes that protected the owners of the goods in some ways, but they also threatened them in others – not least in creating opportunities for unscrupulous merchants to fake losses. So, it seems unlikely that our man in Greece was actually the first person to commit commercial fraud. He was simply the first to get caught.*
He also set in stone one of the fundamental emergent properties of exchange-based economies. As soon as a new payments or currency-based instrument evolves, so too does a form of fraud to exploit it. Fraud is now so common, and so deeply ingrained in our collective experience, that consumers now take fraud for granted; they simply accept it as a fact of life.
Such acceptance hasn’t stopped us trying to solve the problem, of course. The latest smartphones now include face recognition algorithms that, in the case of Apple’s new iPhone X, have replaced conventional forms of biometric authentication. Much of this new technology works, at least within the limits of controlled test environments. But right now, it’s all addressing a problem that merchants are apparently not sufficiently addressing themselves. Evidence is growing that merchants are designing services primarily with convenience in mind, with security a secondary consideration; a fact that may be leading both to increased levels of fraudulent activity and increased levels of public acceptance of fraud.
This is a hard problem to fix. The global merchant community is so diverse, and its customers so individual in their preferred payments approaches, that covering every base is problematic. In fact, according to Lost in Transaction data, 71 per cent of merchants globally acknowledge fraud as a serious problem, but 36 per cent fear that introducing more robust security would drive customers away.
Even fraud in card-not-present (CNP), a remote transaction where the cardholder and the card are not present at the point-of-sale, e.g. online payments, and payments by mail and telephone – one of the oldest, most prevalent and best-understood varieties – remains problematic with fraud on the rise in some countries.
Against that background, the potential threat of brand-new fraud mechanisms come even more starkly into focus. Initiatives such as PSD2, an updated directive that has been enshrined in national law in EU states for a little over a month now, are designed to create many new opportunities for third parties as customer data becomes more widely accessible – not just for vendors and service providers, but (potentially) for fraudsters too. So PSD2 regulations will also force merchants and payment service providers to adopt new procedures and methodologies to keep their customers safe.
Exactly what this will entail remains shrouded in mystery for the time being – strong customer authentication (SCA) of some kind is a leading contender – but it seems likely that PSD2 will try to spread the regulatory burden across both issuers and merchants.
One thing that does seem certain is that some of the quick-fix proposals being touted in the industry, particularly dynamic CVV and SMS-based authentication, are too clunky for both merchants and consumers, and won’t meet PSD2 standards in the long term. Whatever we come up with in our war against fraudsters, it will have to be something new.
The good news is that some merchants such as Amazon and Apple are showing us that fraud reduction and friction reduction are not necessarily mutually exclusive. Their latest technologies – machine learning algorithms in the case of Amazon, facial recognition in Apple’s new iPhone X – illustrate that it really is possible for merchants to adopt technologies and strategies that defeat fraudsters without deterring shoppers.
Not everyone can afford new iPhone X’s, of course, and Amazon’s proprietary fraud reduction algorithms are unlikely to be made available to the industry as a whole. But elsewhere, Mastercard and Visa are working on next-generation versions of 3D Secure technologies that are less irritating for both merchants and consumers, requiring fewer redirects and thus less interruption of the still-fragile online shopping process. And in time, the relentless march of technology will find other newer, better ways to protect every party in the transaction.
Fraudsters will nonetheless find new ways to scam people. As one bubble is pushed down, so another will rise in response to the new tools and technologies. But as we march through 2018 and its hectic legislative agenda – PSD2, GDPR, and MiFID II, all within a few months of each other – it’s a good time to reflect on strategies that address the fine balance between safety and convenience.
Scammers may not be sinking so many ships these days, but they’re still busy working on their next targets; a fact that is never far from the minds on the board. Organisations are seeking to constantly protect themselves and their customers more effectively, and gain understanding of the real scope of the threats and opportunities that they face as the payment and fraud landscape evolves. Managing fraud and protection strategies effectively is important and organisations should ensure that they invest in the right measures, not just the popular ones based on received wisdom and old ideas.
The millennia-old fraud arms race will undoubtedly continue for years to come, but the advantage increasingly lies with ‘the good guys’.
* He may have been caught, but he was never convicted; Hegestratos drowned trying to evade the crew members who uncovered his cunning plan. A warning to scammers everywhere.
Daniel Kornitzer, Chief Product Officer, Paysafe
Image Credit: Gustavo Frazao / Shutterstock