Enhancing Authentication as Cashless Transactions Spike
Security Experts Offer Insights on How to Prevent Digital Transaction Fraud
Organizations in India need to ramp up their authentication efforts in light of a 40% increase in cashless transactions since the start of the COVID-19 pandemic, which has led to increases in attempted fraud, security experts say.
For example, they recommend strengthening multifactor authentication by adding biometrics; implementing dynamic authentication technologies, such as 3-D Secure; and using artificial intelligence and machine learning to help detect and contain fraud.
One major fraud threat in the current work-from-home environment is that hackers are using phishing and other social engineering methods to trick users into providing confidential data, such as credit card numbers, social security numbers, account numbers or passwords, says Nitin Bhatnagar, associate director at PCI Security Standards Council. With many workers using their own devices, which lack adequate security protections, the risk of falling victim to a socially engineered attack is higher than usual, Bhatnagar says.
The Reserve Bank of India asked banks to encourage customers to shift to digital payments and stay away from cash transactions because the use of cash can potentially lead to the spread of the COVID-19 virus.
"In the context of the efforts to limit the fallout of the coronavirus pandemic by avoiding social contact and visits to public places, the public can use these modes of digital payments from the convenience of their homes through online channels like mobile banking, internet banking, cards, etc. and avoid using cash, which may require going to crowded places for sending money or paying bills," the RBI said in a note to banks.
An April survey showed that digital payments have increased by about 40% in the last six weeks, Statistica.com reports.
The movement to cashless transactions and the surge in e-commerce have led to new fraud patterns, including growth in digital skimming of payment information from online checkout functions and an increase in fraud perpetrated through creating fake UPI real-time payment IDs.
More fraudsters are waging scams that involve creating fake charity sites and soliciting donations, says Mumbai-based Sujay Vasudevan, vice president of cyber and intelligence solutions for South Asia at Mastercard.
To encourage contactless transactions, some card companies are raising their $300 limit on these transactions.
Meanwhile, ICICI Bank has begun offering banking services through WhatsApp to discourage branch visits for basic banking services.
And the National Payments Corp. of India has started a campaign called "India pay safe" in an attempt to boost digital payments. It's designed to guide users toward routinely using the UPI real-time payment system. Digital payment players, such as Pine Labs, Ongo, PhonePe and Amazon Payments, are supporting the effort.
Increasing Volumes and Risks
Because working from home has become the new normal, third-party service providers are being granted permission to control user access. That means some threat actors target these providers, says S.N. Panda, chief vigilance officer at PayTM Payment Bank.
To manage the increase in the volume of transactions from at-home workers, organizations need to have a disaster recovery plan in place with data stored in two data centers, he adds.
Key Risk Mitigation Steps
Security experts recommend several key security steps in light of the movement to digital transactions. They include:
- Use Multifactor Authentication: Enhancing authentication will make it more difficult for hackers to access an account, Panda says. One key step, he argues, is to move from two-factor authentication to a true multifactor approach that adds a biometrics layer.
Manikant Singh R, CISO of DM Finance Pvt. Ltd., a non-banking financial company, says: "The new formula for stronger authentication is the use of mobile-based transaction verification, digital fingerprints, one-time session cookies, dynamic device authentication, along with a strong risk assessment program to mitigate the risk of increasing fraud."
Vasudevan of Mastercard cautions that it's critical to pay attention to new merchant accounts and ensure adequate authentication processes are deployed.
"It is critical to work with the third-party fintech players in the ecosystem to ensure they have good authentication and security framework in place, which can help predict, detect and mitigate cybersecurity risks," he emphasizes.
- Implement 3-D Secure: Troy Leach, senior vice president and engagement officer for the PCI Security Standards Council, says dynamic authentication technology, such as 3-D Secure, can help improve authentication for e-commerce and m-commerce environments.
3-D Secure can enable users to authenticate themselves with their card issuer when making card-not-present e-commerce and m-commerce purchases, he points out. The additional security layer helps prevent unauthorized transactions, he adds.
The adoption of 3-D Secure and real-time risk scores on the digital attribute will enable "intelligent authentication" on "trusted devices," Vasudevan adds.
- Use AI and ML to Reduce Risk: New forms of authentication are based on risk models powered by machine learning algorithms that can proactively pick up an aberration in the payment flow and can alert a bank in real-time, Vasudevan says.
"Through AI and ML-enabled systems, anomalies in the system are being predicted in seconds to reduce response time and contain threats that otherwise could lead to loss of money and/or brand reputation," he says. "Additionally, AI at the backend is enhancing biometric authentication for digital interface."
Singh says AI and ML help in understanding patterns of user behavior and employ multiple authentication steps to establish the credentials of the user before enabling a transaction.
Sriram Natarajan, president of Quinte Financial Technologies, a global fintech company, notes: "The higher risk created can be mitigated through compensating controls like transaction monitoring combined with behavioral analytics for authorization decisions."