In a world where consumers regularly use mobile devices to make purchases and take advantage of online banking options, financial institutions are working harder than ever to verify cardholder identities and prevent fraudulent transactions, said Visa, Inc., Head of Risk and Authentication Products Mark Nelsen, speaking on a panel at the Visa Global Security Summit 2013 in Washington, D.C. last week.
Traditionally, banks have only seen “what happens through the payment network, which means we see the data elements within the authorization message and to be honest, there’s not a lot in there about the person,” he says. “There’s no name, there’s no address, and no cellphone. We don’t get a picture. We really just see the account number.”
In the old days, where a person was usually buying in person, there was a clerk who could check a card signature, and see the buyer face to face. As phone and online purchases have become more common, Visa and other financial organizations have turned to behavior analytics to detect fraud. That’s where they try to build a profile around that number that describes “normal behavior” and as transactions occur, they try to determine whether a transaction follows the pattern of normal behavior for that account number or whether it could be fraud, Nelsen explains.
But banks are looking for ways to refine that tool. At the D.C. summit, Visa announced that it is adding more transactional history data and is using more advanced neural networks to analyze that data. “The result is more robust performance and improvement of as much as 130 percent in detecting fraud in debit transactions and 175 percent for credit transactions,” said a Visa press release on the issue.
The new model also includes additional risk indicators targeted to Automated Fuel Dispensers (AFD) transactions allowing Visa’s network to pinpoint suspicious activity at a gas station and apply that to all transactions processed at that particular station, potentially increasing the effectiveness of fraud detection in this segment considerably.
Another tool Visa is using to keep cardholders protected is to keep track of the devices that consumers are using to make those purchases. “Now we can start to come up with a profile that says for this particular consumer’s device – like a laptop or tablet – we’ve seen this credit card used at this laptop before and the history in the past has been good, so we’re going to kind of take that as a proxy for card verification saying this is a good transaction,” Nelsen explains.
Visa is also exploring whether dynamic cryptograms and dynamic one-time passwords can help verify identity before transactions are approved. Card companies are also looking to move the U.S. toward cards with embedded chips, as are commonly used throughout Europe, Canada, and Australia. Currently, magnetic stripe technology is still widely in use in the United States, but it is much more vulnerable to fraud.
“What we will likely see is a handful of markets experimenting with a number of different ways so you can improve verification and identity management,” Nelsen says, adding that with different markets some may value the convenience factor of different verification methods more while other markets will value security more.
However, there is one general consensus for all markets: static passwords and knowledge-based questions need to be replaced with something more robust.