Distributed Ledger & Friendly Fraud

Why Fraud Went Online

To give this question its due consideration, we have to take a few steps back and look at the history of credit card fraud and the payments industry’s attempts to fight it. When the EMV chip was introduced, it struck a major blow to the use of stolen cards in card-present environments, making it much harder for fraudsters to spend other people’s money at retail stores and other brick-and-mortar locations.

When physical credit cards became more secure, credit card fraud shifted heavily toward the card-not-present environment: The world of eCommerce.

Unable to rely on physical EMV chips to screen out fraudulent transactions, online merchants and consumers were faced with a growing problem of low-risk, high-reward credit card fraud carried out over the internet.

It's easier for fraudsters to avoid leaving a trail online, and it's also easier to obtain stolen credit cards. Instead of having to physically steal someone's wallet, online fraudsters can compromise the customer database of an eCommerce site with poor security, obtaining thousands of credit card numbers all at once. These stolen credit card numbers are then sold on the dark web to fraudsters who will attempt small purchases with each one to find out which numbers work.

In some cases, even compromising the databases of non-commercial sites can lead to eCommerce fraud. Most people reuse the same one or two passwords for every account they make, so when emails and passwords are obtained from a compromised database, fraudsters can try to use that same login information on bank websites, online payment platforms, and eCommerce websites to try to obtain payment information and make fraudulent purchases.

The industry can see that eCommerce needs its own equivalent to the EMV chip, but turning an obvious idea into a usable product isn’t always a simple or straightforward process.

Where Does Anti-Fraud Technology Fall Short?

To stop card-not-present fraud in eCommerce, anti-fraud software was created that inserts itself into the checkout process and asks for additional verifying information from the consumer, such as a PIN or password or some other authenticating information that wouldn’t be stored with card and customer data. Verified by Visa and 3-D Secure were two of the most notable anti-fraud tools in this category, and they worked quite well at stopping low-effort fraudsters.

The problem was that consumers hated them. They slowed down the checkout process, demanded additional information from the consumer that they didn’t always have at hand, and they led to complaints, confusion, and abandoned shopping carts.

Faced with a choice between losing real customers and stopping hypothetical fraudsters, many merchants sided with their customers and disabled these anti-fraud tools.

Banks and card networks haven’t been quite so willing to give up on anti-fraud technology, and these tools have undergone improvements and revisions that make them less obnoxious to consumers. They’re also making them mandatory in some cases, or at least incentivizing their use.

In some regions, they have the power of the state behind them. In the EU, the revised Payments Services Directive is taking effect, and it requires merchants to use “strong customer authentication” for online payments, which means implementing two-factor authentication in some form. For most merchants, the easiest way to comply with this mandate is to use tools like 3-D Secure 2.0.

Two-factor authentication in general is seeing rapid adoption across many online spaces. Most use a simple text message to confirm a user's identity, and allow the user to save a particular device so that they don't have to authenticate every time they log in. Some sites instead take advantage of the Google Authenticator app, which generates codes according to an algorithm rather than sending them via SMS, which is vulnerable to interception.

Most sites that allow transactions of any kind now employ two-factor authentication, from banks, to eCommerce, to video games. Unfortunately, two-factor authentication is far from a perfect solution, since sites with lower security can still be easily compromised, and fraudsters who already have a stolen credit card number can simply make a new account rather than taking over an existing one.

So, the solution may be less elegant and less universal than a single embedded chip, but eCommerce may have found its answer to EMV, at least in part. Does that mean the fraudsters are out of options and will wither up and vanish? Not a chance, unfortunately.

Where Will the Fraudsters Turn?

We don’t like to pay compliments to fraudsters, but let’s face facts: They are resilient, they are persistent, and some of them are very clever. When one pathway to fraud is closed off to them, they find an alternate route. If online card-not-present fraud becomes too difficult to be worth their efforts, they’ll turn to a target that’s less regulated and less well-understood. Merchants are already dealing with this kind of fraud, some of it intentional, some not: Chargeback fraud, better known by the deceptively innocuous term “friendly fraud.”

Chargebacks are easy to request, and most banks aren’t doing enough to screen customer disputes and verify that the customer has thoroughly investigated the transaction and contacted the merchant about it directly before pushing a claim through to the chargeback stage. Some consumers with otherwise good intentions engage in friendly fraud out of impatience, frustration, or confusion, but others do it on purpose, knowing how much easier it is to obtain a chargeback than it is for merchants to fight back and succeed in representing the charge.

Right now, friendly fraud isn’t the quickest, easiest, or most lucrative scheme for ambitious fraudsters, but as purchasing security improves, that may change, and we may begin to see much more organized and elaborate schemes for stealing money by manipulating the chargeback process.

How Can Distributed Ledger Technology Prevent Fraud?

And now we’re back to the big idea that launched this history lesson: The potential for DLT to prevent friendly fraud.

When cryptocurrencies were first introduced, users needed a way to record and validate transactions without having to rely on a centralized authority. The solution they came up with was the blockchain, an encrypted ledger of every transaction made with its associated cryptocurrency, updated in real time, with every user retaining their own copy. Unwieldy, perhaps, but it worked.

What some security experts are envisioning is a distributed ledger of “friendly” fraudsters who have abused the chargeback process. In this scenario, the blockchain effectively becomes a blacklist that merchants could refer to in order to preemptively stop known fraudsters from purchasing from them.

In order to be effective, widespread adoption of the ledger would be required, and to protect individual privacy it might be necessary to have a trusted entity involved in anonymizing and tokenizing customer data.

Is DLT a Practical Solution for Fighting Fraud?

The hurdles to implementing this idea are not insignificant, but in order to make any real progress against reducing chargeback fraud, nothing less than big, bold ideas like this will suffice. Any merchant that has taken the time to analyze their chargebacks (and we strongly advise that every merchant do so) will know what a pervasive and costly problem friendly fraud has become, and right now there is little merchants can do about it but assiduously fight every friendly fraud chargeback that comes their way.

We would love to see a solution like this emerge and drive away the friendly fraudsters, but for now we’re still very much in the conceptual phase. In the meantime, merchants should adopt the underlying premise and create their own in-house blacklist of friendly fraudsters. Most of them will repeatedly target the same merchants over and over until their schemes stop working, so there is absolutely no reason to ever accept their business a second time.

FAQ

Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com