The safety of online payments
With an annual turnover of 903 million euro in 2010, up 28% from 2009, online purchases represent one of the most important distribution channels in Belgium. Ogone, the biggest player offering online payment services in Belgium, estimates that online sales through Belgian e-commerce sites will exceed the threshold of one billion euro in 2011. However, a dark force continues to harass this sales channel: online fraud. Despite constant improvements in encryption technologies, fraud continues to grow, damaging the image of online sales. Who is impacted by the fraud? How can the banks protect themselves against it? Are there opportunities for other industry players to seize?
Online fraud is increasing
According to the latest annual report of the Belgian Federal Police, no fewer than 4869 cases of internet fraud were reported last year, representing approximately 29.2 million euro of damage. This is a considerable increase compared to 3 years ago, when the number of cases only amounted to 3250 with a total loss of 13 million euro. What's more, the report revealed that only a fifth of online fraud cases are actually reported, which suggests that in 2010 the real total damage caused by online fraud in Belgium was 146 million euro.
Internet fraud is closely linked with bank card fraud since, when it comes to online transactions, the bank card is clearly the preferred payment method. A study performed by BeCommerce showed that the share of online orders paid with bank cards represents 47.7% of total online orders for pure players, and 35% for multichannel players. However, compared to other online payment methods, these cards suffer from an increasing threat of fraud. In fact, the Belgian Federal Computer Crime Unit (FCCU) has revealed that fraud with bank cards on the net has tripled over the last 3 years.
These findings, which are not new, had already led banks and sellers to offer better protected systems during the 2000s. In fact, the generalization of SSL encryption (Secure Sockets Layer) has limited the theft of card numbers during the transfer of banking data between the purchaser, the merchant, and their respective banks. Furthermore, the advent of a security cryptogram (the CVV, a code that cannot be derived from the card number) has made it possible to counter the proliferation of fraudulent generators of valid 16-digit card numbers (which follow a precise check algorithm). As another safety measure against financial identity theft, many vendors have restricted the storage of this type of information in their databases, so that a mass intrusion into their e-commerce platform yields less. Finally, the use and configuration of payment terminals have been adapted to combat fraud: customers can nowadays insert their card without the intervention of a cashier, preventing card data from being captured that way, and most payment terminals print only the last four digits of a card number on receipts, masking the first 12 digits of the card number and its expiry date, which limits the information accessible to thieves.
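The two checks just described, the validation that distinguishes a well-formed card number from a random 16-digit string and the receipt-style masking of all but the last four digits, as an added example in Python (not code from the article or from any of the companies it names; the card numbers in the test are constructed values, and the minimum length of 12 digits is an assumption):

```python
# Added example: Luhn check and receipt-style masking of a card number (PAN).
# Not from the article; card numbers used with it are constructed test values.

def luhn_valid(pan: str) -> bool:
    """Return True if the card number passes the Luhn mod-10 check.

    Spaces are allowed as grouping separators; any other non-digit character
    or a number shorter than 12 digits (assumed minimum) is rejected.
    """
    compact = pan.replace(" ", "")
    if not compact.isdigit() or len(compact) < 12:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 from any doubled value above 9 (same as summing its digits).
    for i, ch in enumerate(reversed(compact)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask all but the last four digits, as printed on terminal receipts."""
    compact = pan.replace(" ", "")
    if not compact.isdigit() or len(compact) < 4:
        raise ValueError("PAN must be numeric and at least 4 digits")
    return "*" * (len(compact) - 4) + compact[-4:]


def check_and_mask(pan: str) -> tuple:
    """Validate a PAN and return (is_valid, masked_form) for safe logging.

    The masked form is what should reach logs or receipts; the full PAN
    is never returned.
    """
    return luhn_valid(pan), mask_pan(pan)
```

Note that a Luhn pass only proves the number is well-formed; it says nothing about whether the card exists, which is exactly why the CVV and cardholder authentication are needed in addition.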
Despite the implementation of these protection measures, other techniques of fraud have come to the surface lately.
The major risk still comes from the failure to identify the buyer as the legitimate card holder, i.e. the lack of strong authentication. This gap leaves the door open to other techniques aimed at recovering the buyer's details, such as "phishing", which have become very popular in recent years.
Of course, if the buyer is not identified, the law allows him/her to challenge the transaction and to be fully refunded free of transaction costs. Nevertheless, this type of corrective operation leads to increased costs for banks and continues to raise psychological barriers among potential e-commerce users.
Strong authentication tools: 3D secure, e-card
In order to identify the true owner of a given card, but above all to strengthen the safety of online payments, several banks introduced single-use bank cards in 2002 (such as the e-credit card). These disposable cards can be regarded as electronic clones of real bank cards: the user generates a single-use code on the site of his bank, using his real card, and once a payment is made with this code it is no longer usable for any other purchase. However, this solution lengthens the act of buying, which makes it ill-suited for repeated small payments (e.g. the purchase of a newspaper article, an MP3 song, etc.), and it also represents a significant cost for both the bank and the user. Not surprisingly, this technology was not well received by the public.
More recently, in 2008, some banks decided to adopt the "3D Secure" technology. With this system, every buyer is redirected to a secure webpage connected to the bank, where he has to enter a secret code known only to him, the IPIN code. This makes it possible to authenticate the buyer as the true owner of the card, which ensures that even if the card is lost or stolen, it cannot be misused online without knowledge of the IPIN code. Nevertheless, controversy has arisen over the nature of this code as, especially in the early days of 3DS, users often chose their password without much care (e.g. names, birthdays, and other PINs as IPIN code). Nowadays, however, a password policy has been established and, what's more, the self-chosen user PIN is gradually being set aside in favour of an SMS sent by the bank, the most popular solution among Internet users, or a code transmitted by a "token". It remains to be seen whether the cost of these solutions, ranging from €0.5 to more than €10 per cardholder per year, will match the willingness of consumers to pay.
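A policy check of the kind the paragraph mentions for a self-chosen IPIN, rejecting the weak choices it lists (birthdays, reuse of the card PIN) plus trivially guessable patterns, as an added example in Python (not code from the article or from any bank's 3D Secure implementation; the minimum length of 6 digits and the specific date patterns are assumptions):

```python
# Added example: policy check for a self-chosen 3D Secure code (IPIN).
# Not from the article or any bank's software; the minimum length and the
# set of date-of-birth patterns are assumptions made for illustration.
from datetime import date


def _dob_patterns(dob: date) -> set:
    """Digit strings a user might plausibly derive from a date of birth."""
    d, m, y = f"{dob.day:02d}", f"{dob.month:02d}", str(dob.year)
    yy = y[2:]
    return {d + m, m + d, y, yy, d + m + yy, m + d + yy, yy + m + d,
            d + m + y, m + d + y, y + m + d, m + yy}


def ipin_policy_violations(ipin: str, dob: date, card_pin: str,
                           min_len: int = 6) -> list:
    """Return the reasons a candidate IPIN is rejected (empty if acceptable).

    All checks are evaluated so the user sees every problem at once.
    """
    reasons = []
    if not ipin.isdigit():
        return ["must contain digits only"]
    if len(ipin) < min_len:
        reasons.append(f"must be at least {min_len} digits")
    # Reuse of the card's own PIN anywhere inside the IPIN defeats the point
    # of a second secret.
    if card_pin and card_pin in ipin:
        reasons.append("must not reuse the card PIN")
    if ipin in _dob_patterns(dob):
        reasons.append("must not be derived from date of birth")
    if len(set(ipin)) == 1:
        reasons.append("must not repeat a single digit")
    # Ascending or descending runs such as 123456 / 654321.
    steps = {int(b) - int(a) for a, b in zip(ipin, ipin[1:])}
    if steps in ({1}, {-1}):
        reasons.append("must not be a sequential run")
    return reasons
```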
Unfortunately, in practice this system has proven to be much more confusing for Internet users than expected. Because both banks and online shopping sites communicated very little to card holders, most buyers were confused and even frightened by the appearance of a separate page asking them for private information such as their date of birth, and this at the most critical moment of the purchase: the payment. Many of them therefore preferred to abandon their purchase out of fear of an attempt at fraud or phishing. As a result, a large number of online selling sites immediately contacted their banks to exit the 3D Secure system after observing a reduction in sales volume of up to 20%.
The challenge is thus to adequately secure payments in order to deter fraudsters without complicating the payment process and negatively impacting the sales volume.
Alternatives to the bank card
The banks are not the only ones offering new payment solutions. Take for instance "Weneo", a version of "Moneo" adapted to online payments, which offers a USB key storing units of electronic money that allow the user to make secure small purchases on the internet (below €30) without disclosing any bank details.
When thinking about the safety of online payments, the market for trusted third parties should equally be taken into consideration. In this field the historical player PayPal (a credit institution licensed in Luxembourg for its European operations) is now competing with Google Checkout (an electronic money institution registered in the UK). In France, there are also payment facilitators such as Limonetik or Cards-Off, which handle the credit card transactions that were originally processed on the merchant's site. Thanks to their services, buyers no longer have to enter their confidential bank details on the merchant's site. Another emerging player in the market for trusted third parties is the Belgium-based Payfair group, which challenges Mastercard and Visa by offering a single European payment scheme. Payfair proposes safe and innovative payment solutions by card, mobile phone and over the internet. All of these options rely on strong authentication principles and have been designed so that no card data is exposed to potential attackers during the transaction. Furthermore, its solutions are very convenient for consumers, who only need a mobile phone and a secret code to complete the transaction.
In addition, there are companies like Secuvad offering integrated solutions to secure payments (real-time fraud detection using scoring and historical databases). However, these solutions are aimed at protecting the merchants and do not necessarily provide protection to the buyers.
Finally, the surprise could come from Buyster, an authorized payment institution recently created by Orange, SFR, Bouygues Telecom and Atos Origin, which builds on the spread of the smartphone and offers to secure both m-commerce and e-commerce payments via mobile phone.
It remains to be seen whether these new entrants will give a hard time to the major banks in the field of online payments. Nevertheless, these alternative players should be regarded as innovation laboratories on which traditional banks should definitely keep an eye.
Notes
Fraud figures: estimations from the Federal Computer Crime Unit (FCCU) published in the annual report of the Federal Police.
Phishing: making a cardholder believe he is addressing a trustworthy counterpart by e-mail or via a fake website.
3D Secure: for credit cards the following details need to be entered: expiry date, date of birth, and CVV.
Payfair: for its mobile payments Payfair uses a double authentication technology which requires not only a secret code but also a secret sound transmitted through the phone's audio channel.