Fraud and Security: Bracing for the Changing Nature of Risk in Payments

With innovation in payments and the ability to pay online and in real time also comes risk. How should merchants, payments platforms and issuers be thinking about trust, security and the heightened risk around processing and accepting payments? Hear from two innovators in this space. Before Google, where he's part of their Security and Identity teams, Christiaan Brand co-founded financial services security firm Entersekt, and more than 600 global merchants rely on Segpay, where Cathy Beardsley is CEO, for high-risk internet payments.

Transcription:

Daniel Wolfe: (00:07)

All right. Let's get started. So, Christiaan refuses to leave the stage, so we're just gonna keep him on for this one, and Kathy's probably getting sick of me at this point in the conference. But I welcome you all to our next session about, actually, is that right? Bracing for the changing nature of risk, and yeah, that's right. Bracing for the changing nature. And I thought they changed that thing on me. All right. Anyway, bracing for the changing nature of risk in payments. And so we're gonna kick it off with a big crystal ball sort of question here to each of you. What is the... Actually, do you want to introduce yourselves first before we dive right in? Or you may have already done that, Chris, 'cause you've been on stage for like an hour.

Christiaan Brand: (00:49)

Sure. Okay. Hi folks. I'm Christiaan. I work on various security initiatives at Google.

Kathy Beardsley: (00:57)

Hi everyone. I'm Kathy Beardsley. I'm the president of Segpay. We're an online payment facilitator. We focus on the US, EU and UK markets.

Daniel Wolfe: (01:06)

I'm Daniel Wolfe with the American Banker. That's all you need to know about me. That's probably not all you will know about me, but it's all you need to know about me for now. So the big question I wanted to open up with is, in terms of payments risk, what is the biggest factor that you see driving change right now? And what is it on the horizon that we should be prepared for? Either one of you?

Kathy Beardsley: (01:29)

Me to go?

Christiaan Brand: (01:29)

Sure. Go ahead. Dive right in.

Kathy Beardsley: (01:30)

So I would say the biggest factor changing risk in payments is consumer protection and the associated regulation that comes from it. And for those of you that sat through the last presentation, the lady from MasterCard talked about PSD2 in Europe. And since we focus on that market, that was a regulation that went into place. It was supposed to go into place at the beginning of 2020, and what we soon found out was that making this big change of customer authentication for any consumer-initiated transaction was a difficult one. It was a heavy lift for every player in the space. So not only was a company like Segpay involved in it, but gateways, acquirers, issuers, and it took a full year for it to fully be rolled out. And there were a lot of kinks along the way. And now, as the lady from MasterCard referenced, that really made a big difference in improving transactional security on the web. And I would say the other one really is just keeping consumers' identity safe. Everywhere you go and you buy something, you're leaving a bit of your personal data around that's open for some type of compromise. So those would be the two big ones that I see.

Christiaan Brand: (02:45)

Yeah. I can just add to that. We end up looking at things through the lens that we know about. And from my perspective, it's all about authentication, right? How can we be sure that the person behind the computer or the phone really is the right person we wanna be interacting with? This started out 50 years ago where we had the zip-zap machine, right? You actually give a credit card and then someone basically proved that you had that card at the point of sale because they took the imprint. That's why we had that, right. That's why you didn't just write it down. You had the machine because, I mean, that was hard to forge. And then we moved on and we said, well, we'll have card-present transactions. We'll do it with a mag stripe.

Christiaan Brand: (03:21)

And then we moved into basically EMV-type transactions with chip, which all is there to prove physical possession. Like there is someone standing in front of me, they own the payment instrument and therefore the transaction must be legitimate. What we've seen over the last two, two and a half years is a lot more transactions moved online. And at the same time, a lot more transactions moved to contactless. Right? And I think one of the risks that we see is users are now able to legitimately mint their own credit cards. How, you ask? Well, by putting them in their phone, that's what they're doing. I take a picture of my credit card and then I make a legitimate, say, forgery, but I make a legitimate copy of that card in my phone, which can now be used.

Christiaan Brand: (04:02)

We need to be very, very careful and very sure about the end or the entity that's doing that; it's very hard to figure out whether the card is legitimate. But so we're kind of like pushing that through to the process where that is turned into another legitimate payment instrument. We need to be sure that that is really the rightful owner of the card, which again gets pushed back into protocols like 3D Secure and other types of rails that we've created to really try and authenticate that cardholder. So for me, it all comes back to user authentication. We're moving to a world where we're using the issued piece of plastic from the bank less and less, and we're using either card-not-present or, in the case of like the mobile phone, a tokenized version of that payment. And really to be absolutely sure at the point of tokenization and at the point of use that we're dealing with a legitimate customer. And I think technology like FIDO really plays a role there as well.

Daniel Wolfe: (04:50)

So that was a callback to your last presentation. Right? Okay. Yes. So those of you who were following along, it's like binge watching these sessions, you get a little benefit of the full narrative. So, you're reminding me also, I think like the earliest days of the mobile wallets, enrollment was an issue. Like when it just rolled out, there was a concern that people were signing up with cards that weren't their own. And that was something that was quickly addressed, I hope, but it still feels almost like too easy when I do it. Right? It just, like it says on my screen, okay, spinning, checking with your bank. Oh yeah, you're good. You're good. So, all right. But that brings us to a question about friction then. Anything having to do with risk and addressing risk, it runs the risk of introducing friction. And that's what a payment is; payment is friction. It's something that stands between you and what you're paying for. So as we're trying to make sure that we are improving security and we are making things as strict and seamless, and also getting away from just, hey, you have the card in your hand, that's all the proof you need. What can we do to make sure that we are not introducing so much friction that we undermine what we're doing?

Christiaan Brand: (06:07)

I'm happy to jump in just because I want to tie back to the comments you last made, which is, it's almost too easy. Now, you just take a picture of the card, then hey, something spins and you get your card tokenized. That is a great example of utilizing additional data that we didn't have originally in this process. What we're doing in the backend is we're checking to make sure your iCloud account, your Google account is in good standing. Like there are a lot of signals and additional things that we can now use in the background that to the user almost feels like magic, right? I'm just doing something and it works, how can this possibly be secure? But in the background, because we have all of these additional pieces of information now, which we can link in, we can actually create a very powerful, very secure, very easy experience because all of that data is there and it underpins that whole transaction.

Daniel Wolfe: (06:57)

So on the question though, so that's how we address the friction: it's all, we move it behind the scenes.

Christiaan Brand: (07:04)

We try and move it behind the scenes as much as we can. Now, there are some cases where we cannot, like, you've also probably seen the experience where you have a card, you take a picture of it and suddenly you're being sent to go check an email account for a code. That's not necessarily the greatest experience. What we're trying to do is figuring out in those cases, what can we utilize? What other mechanisms can we use in order to have the sufficient level of proof, but not have the user break out of the flow completely? I mean, we all know the abysmal conversion rates of 3DS 1, which is why most merchants pushed back against that. Technologies again like FIDO and others are based on technologies users are familiar with: biometrics, knowing how to unlock your phone, those are things users deal with on a daily basis. If we can find a way to merge these, you know, have at the same time secure experiences, but give users technology that they're already familiar with, that's, I think, how we solve this problem: we're using something that's more secure, but at the same time, actually giving a better user experience than some of the technologies that we're used to.

Kathy Beardsley: (08:12)

So I guess I'm gonna take it down to a more day-to-day practical level, because we don't have a lot of these biometric tools in place to help us with our merchants. And as a payment service provider, we become a target a lot of the time for fraudsters to begin running cards, to see if they're good cards, and then they can move on and go somewhere else and use them. So there's tools that we put in within the network that help us identify, is that a real person or is it a bot? There's fingerprinting or device ID that helps identify is that a real person or not, but then if you actually get all the way through, we're gonna have some friction. And I think about myself, if I really wanna buy something, I go through the process and fill things out and go through the transaction flow.

Kathy Beardsley: (08:56)

So the same thing with our merchant center and their customers, at least with that initial signup, we're asking for full information. And then as we get to know that customer and their buying patterns and we see them coming back, we can start easing that friction and move to, you know, one-click checkout. So it becomes more of identifying patterns, getting to know the consumer, and then from there easing up the friction component. And I think even 3D Secure 2.0, it's the same thing, that we're passing additional information through the payment network so that they begin to know their buying patterns. And then the challenge stops being presented to the consumer, easing the friction. So that's where we are today. I think we're hoping to move to where Christiaan's going. But that's our day to day.

Daniel Wolfe: (09:46)

I will say that it does confuse me whenever I'm trying to buy something, or a little something, in a mobile wallet and it asks me what the make and model of my car is. Yeah. I don't know. It's red. I have to like look up my insurance and then of course I need the password for that. It's a whole goose chase.

Kathy Beardsley: (10:01)

Right. And I will say some friction is good. If anyone shops on Amazon, you can just look at the screen and suddenly you've bought something. I've viewed Shopify and they'll pop up. Is this the last four digits of your cell? Okay, good. You bought it.

Kathy Beardsley: (10:16)

So yeah, it might save me a little bit of money.

Speaker 1: (10:17)

I mean, talking about like lack of friction, the Amazon Go stores that they have, there's like two that I can walk to from our office where you just walk in, you scan in on the app and you can scan in your friends on the app and it'll still say it as you, just like with two different bodies, three different bodies, and it'll follow you around the store and you can pick stuff off the shelves and walk out with it and it somehow gets it right. I've never seen it get it wrong, at least with my boring habits of just buying like a seltzer and an oatmeal every day. Maybe it's knowing the habits that it knows, and it's a pretty good chance you're still gonna eat that oatmeal. So, that brings us to just the question of everything getting so digital, everything we're talking about, biometrics, PINs, mobile wallets and everything.

Daniel Wolfe: (11:00)

Like just to use my phone. I remember way back when, before you could do any fingerprint authentication, you know, for payments, there were folks who were trying to do this at the point of sale. And one of the big criticisms that I heard was, no consumer is gonna want to give their fingerprints to buy something. That's the only time everybody's ever asked to give their fingerprints is when they're getting arrested. That's not the experience you want when people are making a payment or at the point of sale, but we've gotten so used to it with our phones and everything else, our computers. And so now I just know that like, if I want to send like a P2P payment through, you know, Zelle, Venmo, what have you, I use my face or my fingerprints to unlock my phone. I use it again to unlock my banking app. And then I'm prompted, are you sure you wanna send this to this person? They're not a total stranger. And there's all these steps, these points of friction, that I just have internalized that may or may not be actually validating what I'm doing. And so my question for both of you is, in this world, what can go wrong?

Kathy Beardsley: (12:02)

So you have to answer this one. This is your question.

Christiaan Brand: (12:05)

That's a great question. What can go wrong?

Daniel Wolfe: (12:07)

In this process where we're showing everybody's biometric, we are prompting them to like affirmatively say, this is what I want to do. Where are the pain points? Where are the frauds that are still getting in? What do the banks still need to worry about?

Christiaan Brand: (12:23)

That's a really good question. And I think through the design of the system, we have designed out some issues that can arise. Right? One of the things we've designed out, as I said in the previous presentation as well, is biometrics are never kept centrally, right? It's not like my biometric or my fingerprint is sent to some server and that can get breached. And now my fingerprint is breached and I can't change my fingerprints. And now I'm stuck for the rest of my life. The design originally kind of like took privacy and security into mind. We said, all right, we're gonna store biometric templates on the device itself. There are tradeoffs, right? The positive part of that is once my phone is discarded or it stops working, or even if someone gets hold of my phone, the templates can never get out.

Christiaan Brand: (13:04)

They can get in, but they cannot get out. That's the way that these devices are designed, like, we can validate against them, but we can never actually reproduce a fingerprint from what's in the device. So that's really great. The negative part of that is, well, if I then move to another device, I have to do this all over again. And that's where the risk comes in, right? That's where the fraudsters are getting in. They're simply pretending to have new devices because they know it's very, very hard to mess with the biometric sensor and get someone's fingerprint. That's not that easy. Although we've seen some kind of like nice YouTube videos about someone taking a glass and like building something off of it. But to be quite honest, if we've reduced all fraud to having someone physically follow you around and get your glass and try to make a rubber finger, I mean, we've solved fraud to a certain extent; then we've left maybe friendly fraud and kind of like a different class.

Christiaan Brand: (13:50)

But I mean, then we've really solved the problem. That's the way that we think about this, at least, is like remote attacks is the primary thing that we try and guard against. So I think what we're seeing right now is it's the fallback type of attack. It's not the primary authentication mechanism. That's the issue, it's the fallbacks. We need to address the fallbacks. We need to make it very, very hard at the point in time when you tokenize that new card, at the point in time when you're setting up the new device. That is where the holes are, and that's what we need to address. And that's what we're trying to do with some other proposals I spoke about earlier, is how do we get that continuity, right? How do we get you into a system that's secure and keep you there?

Christiaan Brand: (14:25)

And then kind of like close the other gaps down. And that's not an easy problem to solve. Someone has to basically stand at the back of this and say, okay, I'm gonna vouch for this user. And as we saw with the payment example earlier, that's in a lot of cases what Google Pay and Apple Pay do, right? Because we know this user and we know the account is in good standing, we can allow that tokenization to complete without any friction. And we're saying, let's do that for credentials as well, because we know the user, we know their account is in good standing. Maybe we can vouch for this as a good user. That's information today that is not being reflected when I'm typing a password. No one knows what account and what Google account and what phone I'm on. Maybe using more of this information can help us to have a more frictionless and a more secure experience at the same time.

Daniel Wolfe: (15:08)

I just have to say that reducing all fraud to somebody following me around to steal my fingerprints and such is not as reassuring as you may want to think. If I have gotten to the point where somebody's raided my bank account and I know it's like James Bond, then something has gone way wrong with that.

Christiaan Brand: (15:25)

It's a different problem though.

Daniel Wolfe: (15:27)

But different problem. Do you remember, I think when Apple Face ID was first announced, they acknowledged kind of the evil twin problem, right? That the likelihood of somebody having a similar enough face was like so much smaller, except if you have an identical twin. So it's just, do you trust your twin? If you don't trust your twin, don't use Face ID. That's the lesson we all have to take away from that. So Kathy, did you wanna add anything to that?

Kathy Beardsley: (15:57)

So I'm gonna show you my notes. So this is when I went actually to our team that manages all the transactional risks and they really didn't even have a good answer other than no system is bulletproof. At one point AVS and CVV was the end-all, and now you can go get a list of cards with CVV. So I do think what Christiaan is focused on is where we're gonna go. And then the bigger question, I don't know if you can answer, is how you move that into the payments network when it's kind of an older system, to get it to be smart enough to utilize all this information.

Christiaan Brand: (16:38)

And I think that's a great question. And I think that's what we're trying to do with 3DS: that was taking the old payment rails and bolting on essentially a web-based transaction flow on the side of it. And I think we've become a lot better, like 3DS 1 had its shortcomings, but it was actually before its time in terms of what it's trying to do. And now with 3DS 2.0, we have, as you said earlier, we have these informational flows which help the issuer also learn about the user's spending patterns, where they are, what they're doing, which allows more frictionless transaction flows, where we don't have to challenge users. So I think figuring out how to bolt this newer system onto the older one is a real challenge, but luckily we have things like 3DS 2 and other protocols out there that try to work in that space. Yeah.

Daniel Wolfe: (17:23)

So that's a good point about these legacy systems. And I'm wondering, is there any way, either just, there's a constant theme that comes up in payments that the expectations that consumers have with everything being instant on their devices and voice controlled and biometric, and that is what they bring to every banking and commerce experience as well. So is there anything the payments industry still can learn from that where it hasn't caught up, or is there any way that we can fill a gap in these legacy systems by looking at consumer technology and learning from that? Or is there a totally different path we need to go on to properly address risk?

Kathy Beardsley: (18:03)

That's a good question. I don't really know if I have a good answer for that one. I think the legacy systems can be used, but it's retrofitting the newer technology, just like what you said, through 3D Secure. Everything's gotta be a standard, so it's very hard to kind of plug and play some outside technology into what we already have. So that's the best I can give you there.

Daniel Wolfe: (18:34)

Okay. Yeah, I mean, in fairness, we already discussed 3D Secure at that point. So the answer came out before the question. So unless you wanted to add to that.

Christiaan Brand: (18:44)

I mean, the only thing I'd really add to that is, we have a lot of investment in these technologies, and the way that chargebacks work and the way that liability shift works in a lot of systems, that's there and entrenched and has been there for the last 30 years, and they work rather well. We have fraud detection products that work on these existing legacy systems. Everything is there. I think, even when we had a conversation earlier today about not just Bitcoin in particular, but kind of cryptocurrency and other things, and it's like, even with, I guess not technologies, but other types of payment instruments, thinking that we're gonna move completely away overnight from these other types of like legacy systems is kind of a pipe dream, right? We have to really figure out how these things leverage and how we can build on top of that, really the last 30 years of innovation and work that's been done. Not only in making sure the transactions go through, but then also making sure that all of these fraud and analysis products that we have invested in as an industry can actually be used and put into good practice. So I think it's a balancing act where some of this legacy will be around for a long time, but it's actually a good thing because we've invested so much and these things have gotten to a point where they're actually working remarkably well.

Daniel Wolfe: (19:55)

Yeah, that's a good point that any new payment system has the competition of just the tried and true that we're all comfortable with. I still carry around a physical wallet despite covering payment technology for years and years. I still carry cash. I'm not, I should be ashamed. So data, all of this boils down to what data we have. And like I said, you may know what type of car I drive better than I know what type of car I drive, because that's part of the security question, but everything we do, or certainly everything I do, I'm like leaking data all over the place. I have an Amazon device in my home that hears everything I say, whether I wanted it to or not. I have everything I type. I take a picture of something, it has all the metadata, and everything really comes in handy when I'm looking for a picture of something that I can't remember the name of, but at the same time this is all out there. How do we use this for good and avoid the villains, the fraudsters, from using that same data to undermine what we're doing?

Christiaan Brand: (21:00)

Yeah. It's very hard. I'll say that from where we're coming from, the security side of things, like anything that remains static is just impossible at some level to tell the good guy from the bad guy, right? Anything that you're relying on which is static information, which is like your car, like what color car do you drive? What's the make and model, like. A lot of these kind of knowledge-based, out-of-wallet knowledge questions, unfortunately, because they're based on static information, it's a challenge. And that's the reason why we went from mag stripe cards to cryptograms, right? Which varies, which has like a signature embedded in it. Like we have to move away from the static. We have to move to something dynamic. Our minds aren't very good at like producing dynamic challenge data.

Christiaan Brand: (21:43)

That's why we stick with static passwords. We have to get away from that. We have to get to a world where we can prove it's us by means of something dynamic. And unfortunately, because our minds aren't good at that, we need some kind of augmentation, we need some other device. And luckily in the day and age where we're right now, there are a lot of good and bad things from phones being so prolific, but the good thing is everyone pretty much always has a device available with them that can produce that dynamic data. At the point of authentication, I think it's gonna become less and less prevalent where a user is being asked to authenticate out of their own volition, on their own accord. And the device is gonna play a much stronger role. And then there needs to be a bond between me and my device. Well, it's my unlock or my biometric or whatever, but having the device as the thing that convinces someone else that it's me, that is gonna become more and more important because that's really the only way that you move from the static to the dynamic.

Daniel Wolfe: (22:40)

Kathy, thoughts on data?

Kathy Beardsley: (22:41)

So data's important. A lot of this conference talked about crypto, and the main challenge of crypto is it's anonymous. So today in payments, we need to gather information about that consumer and hold that data in a secure way, and I don't see that going away. I mean, I think about it. Well, how do you handle a customer service question if I really don't know who you are? Can I just ask for your phone? So there's always gonna be data needed. And in today's practical environment, we need that data to determine buying patterns: is that person really who they are? Sure, there's information that we're gathering that kind of relates to what you're talking about when you just talk about the device ID that we collect and we store to help validate who that consumer is, or allows us to make sure that they're not coming in through a VPN and from some strange country that isn't matching up. So data to me right now is key to us making sure the transactions are secure and that we're not having rampant fraud through our system.

Daniel Wolfe: (23:49)

All right. We have a few minutes left for questions from the audience, not about my car, but anything else should be fair game. Oh, we have a hand going up. Do we have a mic? You can scream really loud and we'll repeat your question. If that's, oh, we do have a mic. You can still scream really loud if you want.

Audience 1: (24:19)

I have a question about financial aggregations and, in general, risks that they present and how we solve this problem when you have one application that can access multiple accounts, and a lot of times the restitution arises when you have one app that connects to another app. And how do we solve it with passkeys? Or I know some of the applications that use user ID passwords have used some sort of tokens. And is there any systematic way we can think about financial aggregation and the challenges they present?

Christiaan Brand: (24:58)

That's a great question. And I think the unfortunate reality is usually the regulation takes a while to catch up to many of these things. I think we are working with various regulatory bodies. I mean, PSD2 is a great one that comes up. And depending also, if we're talking about like applications on the back end that authenticate, or if it's like applications kind of like on the phone side, I'm gonna assume for a moment like we're talking about the backend stuff. There are a lot of conversations going on. It seems on the surface that a lot of what we're working on here will actually address what the regulation intends to try and do. However, in some cases, specifically in the US, we have these different levels of trust that NIST has defined.

Christiaan Brand: (25:46)

We're not quite meeting the letter of the law, so to say, but we are meeting the intent. So there is like a gap, and what we're gonna be working on over the next couple of years is really to try and address that. PCI is another great example where in PCI, we have these requirements about password changes. Someone asked about that earlier, every 90 days. I mean, these are things that technically don't really apply in the new world anymore, but they are still there and they are written down. So a lot of the work that I think we have to do as an industry is address these and get these updated, and it'll take time.

Daniel Wolfe: (26:21)

Any further questions? So I'll let you in on something. We have kind of like a DVD extra sort of thing from this panel that you'll see on demand later on. All of our sessions, or most of our sessions, I believe, are gonna be available on demand in a couple of weeks to anybody who attended. So look out for that extra conversation with these panelists on crypto as well. So, all right. Thank you very much for joining us. I believe we have a refreshment break now, so enjoy.