Exclusive: ‘Lestweforget’ – Jukka Yliuntinen, Giesecke+Devrient in “The Fintech Magazine”
Widespread amnesia about which and how many organisations hold our account details is not only bad financial practice, it also leaves us wide open to fraud. Giesecke+Devrient’s Head of Digital Payment Solutions Jukka Yliuntinen says banks can give us a nudge.
The gradual drift from an ownership culture to a rental or subscription-based economy was, like many digital trends, boosted in 2020. Who hasn’t taken out an extra streaming service or signed up for monthly deliveries of loo rolls?
But the price we pay for such flexibility and convenience is a commensurate rise in cyberfraud, as we freely share our personal financial details across the web. In fact, we often forget which organisations we’ve granted access to our accounts, in many cases via tokenised transactions, despite many having unlimited rights to take repeat or renewal payments at will – not to mention the issue of validating whether companies are legitimate in the first place.
Payments security specialist Giesecke+Devrient (G+D) has sized up this risk, and made it the focus of its latest innovation, with a new white-label tool that gives consumers back control of their account details and, ultimately, their cash.
Convego Service Broker allows banks to offer consumers a Token Cockpit tool that tracks who they’ve given their card details to, and what for, via their banking apps, where they can also turn permissions on and off at will.
G+D has been a leader in technology that builds trust – from cash to cards and now digital and biometric transactions – since the 19th century, continually developing solutions to emerging threats and challenges on behalf of its customers, and, where necessary, acting strategically with other industry partners.
It’s little wonder G+D is giving this issue so much attention, considering the problem cyber fraud represents worldwide. As consumers turned to online purchases during the pandemic, ecommerce and fraud spiked in parallel, particularly during the annual ‘holiday spending’ periods.
A TransUnion survey of 2,620 US shoppers at the start of the 2020 holiday shopping season last October found mobile was the preferred transaction method for 80 per cent, with many turning to payment options like Apple Pay (32 per cent) and Google and Samsung Pay (34 per cent). Yet, despite coveting ease and choice, 50 per cent were also concerned about fraud, identifying safeguards such as biometrics, including fingerprint (44 per cent) and facial recognition (37 per cent), checkout validation (58 per cent), and protecting their ID and password (22 per cent), as priorities.
Special, one-day shopping events accounted for most holiday season fraud (Cyber Monday, 26.03 per cent and Black Friday, 12.02 per cent), with mobile phones used by hackers in 50 per cent of instances.
The prevalence and cost of fraud are rising, while detection rates, worryingly, have fallen. Research by LexisNexis before and during the COVID shutdown, among 801 US and Canadian retail and ecommerce executives, found that every $1 of fraud costs retailers $3.36, a rise of 7.3 per cent from $3.13 in 2019. During 2020, on average, ecommerce merchants suffered 344 fraud attempts per month, up 24.2 per cent from 277 in 2019, and only 118, or 34.3 per cent, were prevented in 2020, compared with 156, or 56.3 per cent, in 2019. An ACI Worldwide analysis of hundreds of millions of ecommerce transactions throughout the pandemic indicated that criminals were taking advantage of card-not-present payment methods like buy online, pick up in store (BOPIS) and click and collect in particular, which is concerning, given the increasing consumer reliance on them.
When you consider that, in the UK alone, cyber fraud accounts for 85 per cent of the £190 billion annual fraud bill, it’s not a great leap to imagine what a threat to national security is represented by the nefarious activities that this theft could be funding.
G+D’s answer to such challenges is its Convego CloudPay suite, which it describes as a safe payment ecosystem for enabling secure digital payments with full tokenisation. Convego Service Broker, which joins that suite, is designed to reduce the potential financial data risks posed by subscription services – unlike existing apps like Truebill and Bobby, which focus on managing them. Thus, it enables banks to empower their customers while boosting confidence in online payment systems.
“It’s assumed that organisations in the banking ecosystem, including the issuing bank, the acquiring bank and all the intermediaries in the chain – payment service providers, processors and payment schemes – have much better means to detect whether a transaction is fraudulent, then block and trace it, than the customer does,” says G+D’s head of digital payment solutions, Jukka Yliuntinen. “The customer’s ability to detect whether a website is fraudulent, or a merchant is legitimate, is limited, especially in an online world, which is making this more and more difficult. Also, I think that if consumers were responsible for [shouldering the cost of fraud], they would probably use online payments much less than they do now.”
Given the huge shift to ecommerce prompted by the pandemic – particularly among less tech-savvy demographics not used to shopping online – there is, nonetheless, a pressing need to engender more awareness among consumers, believes Yliuntinen.
“Institutions should constantly communicate and make this information easy to access via their mobile banking apps, because it’s easy to forget, especially in the heat of the moment, when they just want to complete a transaction,” he says.
“This applies to issuing banks that are covered for their liability and already have warnings and guidance in their apps and wallets, and on their websites – and some merchants do the same. But merchants and authorities in every country need to repeat the message.”
The urgency around this is mounting, with new threats emerging all the time, and a risk that, if the industry doesn’t successfully curb fraud, consumer trust will be severely compromised.
“It’s always a running race between fraudsters and organisations like banks and governments,” acknowledges Yliuntinen. “And the more technology there is, the easier it is [for criminals] to implement different scams.
“I live in Finland. In the physical world, I might be robbed and lose my wallet or card. But when I’m in the world of the internet, it could be a guy from Brazil or South Africa stealing my details, and tracing them is much more difficult because it’s a jungle and they have sophisticated tools to hide away in. Whereas fraud used to be more manual, it is now fully-automated, making it harder to protect consumers.”
G+D supports tokenisation as a good first line of defence.
“For card-based payments, many banks have already started to apply so-called ‘network tokenisation’, with payment brands like Visa, Mastercard, Amex, Discover and China UnionPay, implementing technological tokenisation, where consumers can digitise their physical cards,” explains Yliuntinen. “Started by mobile wallets like Apple Pay and Google Pay, this is now quickly entering the ecommerce space.”
Tokenisation can remove much of the risk associated with cards on file. But identifying and, where appropriate, de-linking cards stored for recurring payments in particular, is good practice, given how forgetful we all can be – even those familiar with the risks.
“When the new General Data Protection Regulation (GDPR) came into effect in the EU in 2019, I was really puzzled when I received lots of emails from service providers telling me my data was registered with them,” says Yliuntinen. “Some of them I remembered, but there were quite a few I didn’t.
“Payments are much the same. There are lots of subscription services we sign up to, like Netflix or Disney+, where we have stored our card credentials. Do we remember them all? I would bet that, as we go forward and these kinds of models become more commonplace, we won’t.
“Token Cockpit enables banks to give consumers full visibility of where their card details have been provisioned. They can open their banking app or wallet, and click a button to see a list of all the merchants they have given access to, showing not just the names but also their logos and other information. Customers can then disable or enable payments. This helps the bank, too, as its customer care team can see all this and support its customer if they experience a problem.”
The new offering has already won the Platinum Award in the ‘Best Digital Wallet’ category of the Future Digital Awards from Juniper Research.
But as such tech makes payments increasingly secure, could the fault and responsibility now shift to the customer?
“That would be the end of ecommerce, in my opinion,” says Yliuntinen. “The banking and payment industry’s role is to operate a payment infrastructure and protect it.”
That said, he believes the industry should encourage responsible behaviour by offering consumers appropriate tools.
“I would never put my wallet in my back pocket as that’s an invitation for somebody to steal it. The same is true in the digital world – if you are careless, somebody will make use of that. So, it’s a combination of using technologies and services that enable us all to protect ourselves, and looking at how we behave.”