SCA to fight fraud - A real life example

19/06/2020

Okay’s raison d’être is to fight fraud and financial crime, with a particular focus on protecting against card-not-present fraud. Quite ironically, I was a victim of such a fraud during lockdown - I couldn’t resist sharing. But more importantly, this sheds light on the importance of SCA to protect all of us as eCommerce is accelerating.

Fraudsters have no limits

There was, of course, a surge in all sorts of digital fraud during the lockdown. For example, some fraudsters decided to exploit people’s fear by defrauding small businesses under a lot of stress and in need of loans. Fraudsters are always full of innovative ideas when they see an opportunity to deceive people.

With all things going digital, we can expect more innovative frauds. 

And, with more people thrown into unemployment and unfortunately poverty, we can expect a surge in the volume of “simple” frauds as well. 

Nobody is safe from the fraud headache

Yes, I was ironically a victim of a card-not-present fraud in March and personally added to the fraud stats.

All the “extra” expenses were reimbursed by my bank, but there must have been chargebacks, of course, the cost of managing my claim, issuing a new card, let alone the stress I was in. Only “small” amounts went through and went undetected. The fraudsters attempted to buy other more expensive things (a holiday, a pair of fancy shoes?) but the controls worked. 

The amounts were small, but what happens when the fraudster manages to make larger money transfers? With instant payment, the money will be gone in seconds.  

Second-factor authentication works

PSD1 was all about protecting us, as consumers, introducing One Time Passwords (OTPs) via SMS. The forthcoming PSD2 SCA is just about the same, just taking into account that fraudsters will up their game in a more digitalised and sophisticated world. With an increase in security comes added friction, but that can be reduced by advances in facial or fingerprint recognition, for instance. Although OTPs via SMS may remain valid as an authentication method - under certain conditions set by the EBA - they are not a fully secure way to authenticate, as they can be intercepted, rerouted or listened to.

There will be friction introduced by the implementation of PSD2 SCA, but it is to protect all of us as consumers. 

The key to SCA acceptance

There is a lot of discussion in our industry about friction, although there are many rules for exemption. There is also a lot of fear among merchants that friction in the buying process will lead people to drop out of it. I don’t mind the friction because it creates trust. Of course, like everyone else, I want an easy way to authenticate, not a cumbersome process.

The key is that people need to see the value of SCA and that they will shop safely online. And this can only happen through education. This is our responsibility as an industry (issuers, acquirers, merchants, tech vendors etc.) to explain the concept and the value.