WEB FRAUD PREVENTION, SECURITY & DIGITAL IDENTITY MARKET GUIDE 2013

LATEST TRENDS AND INSIGHTS IN SECURING DIGITAL IDENTITIES AND TRANSACTIONS

The MRC observed a tremendous shift in e-fraud and e-security trends this year. It is therefore important for our merchant members to carry out a constant review of the techniques, solutions and tools available in the market. We welcome The Web Fraud Prevention, Security & Digital Identity Market Guide 2013 that supports this objective.
Nicolas Vedrenne - Managing Director - MRC Europe

Authors
Mirela Amariei
Tiberiu Avram
Ionela Barbuta
Simona Cristea
Mihaela Mihaila
Adriana Screpnic

RELEASE | VERSION 1.0 | DECEMBER 2013 | COPYRIGHT © THE PAYPERS BV | ALL RIGHTS RESERVED

Introduction

You are reading the second edition of the Web Fraud Prevention, Security & Digital Identity Market Guide, put together by The Paypers, the industry-leading provider of news and analyses for the global payments community.

Web fraud prevention & digital identity – pressing issues for the payments community

Given the ever increasing importance of ecommerce for the global economy, online fraud and digital identity have emerged as pressing issues for the business community and individuals alike - treatable but not curable yet, if ever.

With the fast growing digital economy, digital identity becomes indispensable for organisations offering digital services. But given that fraud prevention, online security, risk management, digital identity and e-authentication have emerged as pivotal elements in the payments process, special attention must be paid to these aspects, all the more so since they have a vital role in ensuring customer trust and in boosting ecommerce transaction volumes.

As fraud is hindering both economic and ecommerce growth, the need to build trust online becomes critical, especially at a cross-border level. In order to maximise cross-border growth opportunities, the industry needs to come up with more efficient solutions, both payments and fraud-related. Cybercrime causes more damage to society than the worldwide trade in soft drugs, cocaine and heroin together. The EU estimates that more than 1 million people a day fall victim to online fraud. Losses due to these kinds of criminal activities are estimated at EUR 290 billion a year in Europe alone. In this context, fraud and cybercrime will definitely remain an increasingly important concern for policy-makers, businesses and citizens alike. In order to address this, various developments focused on a single aspect of the payment process or those driving the harmonization of specifications in the identity space and the web fraud detection market are a constant in the payments market equation.

If we want an ideal world with smooth payments, fraud limitation and risk reduction, we need to rethink the transactional model for ecommerce. Credit cards were not designed for the internet. As the online channel emerged as a global marketplace where people can buy products and services without ever leaving their homes, credit cards, with their designs and black stripe on the back, have become outmoded (the essence is that the seller does not know the buyer and vice versa, not so much that you do not have to leave your home).

Furthermore, the key to the future growth of ecommerce and e-business lies in more collaboration between the players in this field, as improving trust on the web is not something one party can do on its own. Therefore, it is imperative that all parties involved in the payments industry (including consumers) start reconsidering their approach to preventing fraud. Instead of adopting individual measures, they should realise that coordinated efforts on preventing, detecting and responding to fraud can be beneficial to all parties involved.

Web Fraud Prevention, Security & Digital Identity Market Guide

Within a context where new players, technologies, business models and rivalries emerge every day, the Web Fraud Prevention, Security & Digital Identity Market Guide 2013 aims to serve a twofold purpose. On the one hand, it aims to provide an arena where voices from all across the industry – regulators, technology companies, banks, payments processors and fraud prevention and risk management services providers – can interact. This guide allows them to expose their vision, discuss topics such as fraud management and cross-industry collaboration, the digital identity ecosystem and identity management schemes, as well as argue the case for what they consider to be the way forward in online fraud mitigation and digital identity theft prevention.

On the other hand, the Web Fraud Prevention, Security & Digital Identity Market Guide 2013 aims to be a comprehensive source of information for industry professionals, who gain access to an all-in-one reference material which lists in-depth company profiles in the web fraud prevention and digital identity ecosystem as well as thought leadership articles, providing information and food for thought.

Guide quick overview

Our partner in putting together the Web Fraud Prevention, Security & Digital Identity Market Guide 2013 is a powerful industry organisation: The MRC, a global not-for-profit organization that fully supports and promotes operational excellence for fraud, payments and risk professionals within ecommerce.

The Guide has a three-part structure, with Part 1 dedicated to insights from industry stakeholders and associations. Nicolas Vedrenne, Managing Director, Europe, MRC discusses the top three fraud trends in ecommerce, with a particular focus on clean fraud, reshipping and account takeover. In his article, Simon Lelieveldt, Senior Advisor at the Electronic Money Association (the European trade body representing electronic money issuers, payment institutions, banks and payment schemes) discusses the need for a balanced approach for strong authentication.

Also featured is an article by two representatives of the FIDO Alliance, a non-profit organisation which addresses the lack of interoperability among strong authentication devices, which focuses on the need to identify the next big thing in secure mobility and payments. In order to encompass the diversity and complexity of the ecosystem, special attention has also been given to industry and government initiatives, among which The National Strategy for Trusted Identities in Cyberspace (NSTIC) and Scoping the Single European Digital Identity Community (SSEDIC).

Part 2 is a section dedicated to exposing expert views, opinion pieces and exposés on key aspects of the global digital identity transactional and web fraud detection ecosystem from web fraud detection services providers, technology vendors, as well as digital identity services providers. It features insights from thought leaders, including ReD, a global provider of fraud prevention and payment services, and ThreatMetrix, a US provider of integrated cybercrime prevention solutions, whose contributions deal with cross-channel fraud strategies. Part 2 also includes exclusive contributions from Ogone, Wirecard, DataCash and Device Ident,

Part 2 also features an article by Gunnar Nordseth, CEO, Signicat, a provider of eID services, who speaks about electronic identity being deployed in more and more European countries and 'Know your customer' (KYC), as one of many areas where the use of eIDs is becoming widely accepted. In his editorial, David Pope, European Marketing Director at credentials management company Jumio, provides insights on identity theft, by examining how fraudsters steal identities and then go on to conduct acts of fraud against businesses. Emma Lindley, Director at independent consultancy Innovate Identity, focuses on the main tactics in the decision-making process within a business that make it easier to choose the right identity system.

Finally, David Birch, Director at consulting company Consult Hyperion, discusses tokenization as the way forward for wallets, while Neira Jones, Partner at consultancy company Accourt, speaks about 21st century payments and the industry's security-related concerns while striving for innovation.

Most complete market overview

Part 3 presents in-depth company profiles mapping out key players in the global digital identity transactional ecosystem and web fraud detection space. Also, an enhanced online company profiles database with advanced search functionality will complement the PDF version of the guide, allowing readers unprecedented access to and visibility into the global web fraud prevention and digital identity market.

The Web Fraud Prevention, Security & Digital Identity Market Guide 2013 is a great means to stay informed and keep up to date with the latest industry perspectives, trends and developments, a highly useful document that should be kept at hand at all times. Finally, this document has been put together with the utmost care. If you discover that, despite our efforts, it features information that is unclear or erroneous, we would very much appreciate your feedback. Please feel free to drop us a line at any time at:

Table of contents

Introduction

VOICE OF THE INDUSTRY SECTION
Fraud 2.0 - A Look at the Top Three Fraud Trends in Ecommerce | Nicolas Vedrenne, Managing Director – Europe, MRC
Strong Authentication: The Search for a Balanced Approach | Simon Lelieveldt, Senior advisor, Electronic Money Association
How to Secure Mobile Users and their Transactions | Michael Barrett and Sebastien Taveau, FIDO Alliance
The Proliferation of Shopping Channels and Online Services Has Resulted In a Proliferation of Authentication Methods; Can Natural Security Help Reduce the Clutter? | André Delaforge, Institutional Relationships & Brand Strategy Manager, Natural Security
Difference between Innovation and the Wild West: How to Ensure the Security of Bank Customers’ Funds and Data with Payment Account Access Services | Javier Santamaría, Chairman, European Payments Council
Progress Towards a Digital Europe Continues | Jon Shamah, Thematic Network Coordinator, SSEDIC
Trusted Identities and Privacy Go Hand-in-Hand | Naomi Lefkovitz, Senior Privacy Policy Advisor, NIST

THOUGHT LEADERSHIP SECTION
ReD | Fraud Monitoring and Mitigation Strategies by Channel
ThreatMetrix | Cybercrooks Use Multiple Channels to Take Over an Online Account - Sophisticated Cross-Channel Fraud Can Crack Tough Security
DataCash | Fraud data analysis - are you optimising the information available to you?
Device Ident | Data Privacy Topics to Consider Using Fraud Prevention Tools in Europe
Wirecard | Fraud Prevention Tools in Accordance With the New Consumer Behaviour
Ogone | Cross-Border Expansion – Resolving Local Issues
Innovate Identity | Anyone for Identipedia? - How To Make Sense of the Identity and Fraud Market Place
Jumio | Preview of the Fraudster’s Playbook: Insights on Identity Theft
Signicat | Know Your Customers and Contract Them Online with Electronic IDs
Consult Hyperion | Tokenization – the way forward for wallets
Neira Jones | 21st Century Payments: When Innovation Meets Trust
Innopay | The Broader Scope of Payment Risk

COMPANY PROFILES

VOICE OF THE INDUSTRY

Fraud 2.0
A Look at the Top Three Fraud Trends in E-commerce

Nicolas Vedrenne, Managing Director – Europe, MRC

Merchants who accept card-not-present transactions, frankly, do not have it easy. Yes, the transaction highlights a new and more modern way of doing business, but at what cost? According to the 2013 LexisNexis True Cost of Fraud Study, for every USD 1 / EUR 0.74 in fraud, the true cost to merchants is USD 2.79 / EUR 2.05. This includes loss of goods, payment, bank fines and staffing. Alarming as that is, what is more disturbing is that despite the increase in fraud mitigation tools over the last five years, the volume of fraud is increasing. Fraudsters are more determined than ever, using new black-market technologies and naive consumers to illegitimately get what they want. In light of these metrics, we encourage merchants to be aware of what others are seeing in the fraud industry. We have provided three of the top fraud trends currently being addressed by MRC merchant members, so that you can stay ahead of fraud 2.0 in 2014 and beyond.

According to an MRC merchant poll, the most common fraud trend is clean fraud. Dynamic and ever-changing, there is no real pattern, to speak of, that merchants can look out for or monitor. Clean fraud is the purchase of goods or services with at least one stolen credit card. Often, patient fraudsters will start with a handful of smaller USD/EUR orders and over time build up to larger orders. This allows the fraudster to build a reputable order history and allows them to fly under the merchant’s order threshold, spiking no alarms or red flags. Only when a diligent consumer notices these charges or when merchants identify individual consumers beyond IP addresses is the fraudster shut down.

The next type of fraud that we are seeing is reshipping. Reshipping has been on the rise in the last two years and is characteristic of savvy fraudsters taking advantage of naive consumers and luring them in by way of legitimate looking work from home job advertisements. Once connected, the fraudster uses stolen credit cards to purchase goods and has the consumer, otherwise known as the mule, receive and reship these goods — often to foreign countries.

For the merchant, it is hard to prevent reshipping as it is quite typical for a purchaser’s billing address to be different than the receiver’s address (e.g. gifts) and the owners of both the stolen credit cards and the addresses are usually associated with positive purchasing histories. In addition, the mule/fraudster relationship is typically short-lived as the mule almost never receives payment, rendering an addition to a negative list useless. However, merchants can use systems that can provide more information on the shipping address as well as look for established relationships between buyers and recipients and in some cases can anonymously share negative purchase data with fellow retailers in real time.

Finally, online merchants should be aware of account takeover. This, too, is on the upward trend. The MRC has seen the rate of account takeover grow exponentially in the last year and it is expanding from digital companies such as gaming or digital download to several large companies that ship physical products. According to numerous studies, the average consumer has 27 online accounts, but only an average of five passwords. This makes it fairly simple for a fraudster to try a username/password combination that may have been discovered during a breach and use these on several large merchant websites to gain access to a consumer’s online account credentials that, often times, also contains a stored card on file. Because the user account is legitimate and has an established history, the fraudster can place several orders either on the stored card or a new card without being detected. Likewise, since an existing account is being used, typical fraud indicators and behaviour patterns provide little value in preventing, detecting and eliminating account takeovers.

Whether merchants experience one of the above fraud attacks or another form of fraud, it is important to stay ahead of fraudsters by working with solution providers and other e-commerce professionals to understand current fraud trends and to learn about the latest tools and techniques to mitigate your net risk. The MRC fosters these types of merchant to merchant in-person discussions four times per year, several virtual networking opportunities, as well as monthly webinars resulting in 45% less revenue loss due to fraud for MRC members compared to non-members.

About the organisation: The MRC is the foremost global not-for-profit organization that fully supports and promotes operational excellence for fraud, payments and risk professionals within e-commerce. Membership includes nearly 400 of the world’s most prominent merchants, to include 95% of the top 20 e-commerce companies in the world, over 82% of the top 50 and over 60% of the top 100 and more than 60 category leading solution providers. MRC members report 45% less revenue loss due to fraud than non-members, experience more than 50% less manual reviews and boast 50% less fraud related chargebacks. **Source: CyberSource/MRC 2012 Fraud Survey. Headquartered in Seattle, Washington, the MRC’s European office is located in Madrid, Spain. Learn more at www.merchantriskcouncil.org

About the author: With a master from Paris Business School (ESG Paris), Nicolas Vedrenne developed his career in France, UK, Latin America and Spain with Société Générale, Sema Group and Monext, specializing in payment systems, fraud prevention, risk management and credit bureaux. In 1999, he took the responsibility of several Experian businesses as President Hispano America and CEO Spain.

www.merchantriskcouncil.org

Payments and fraud are dynamic and ever-changing. MRC membership allows me to stay at the forefront of the industry by providing the latest information, trends and solutions.
Danielle Nagao, VP, Financial Operations, Tickets.com

Subscribing to the MRC is the first expenditure I make annually to reduce Fraud and increase Payments for my company.
Diarmuid Considine, Commerce Platform Manager, Skype

Optimizing payments and protecting our investment is mission critical. The MRC provides the tools, resources and industry contacts for us to stay ahead of the curve.
Pete Pouridis, VP, Loss Prevention, Neiman Marcus Group

COMPLIMENTARY PASSES & DISCOUNTS
On all MRC conferences, products and services

PROFESSIONAL DEVELOPMENT | NETWORKING
70+ Free webinars per year, 10 global roadshows and 4 annual conferences. Register up to 5 colleagues

KNOWLEDGE SHARING
Online forums and active committees dedicated to networking, payments, fraud, education, benchmarking, advocacy and law enforcement

CRITICAL INFORMATION | INDUSTRY BENCHMARKING DATA
Fraud, payments and security information, biweekly newsletter, white papers and case studies

The MRC is the foremost organization that fully supports and promotes operational excellence for fraud, security, risk and payments professionals. For more information contact