Niranjan Upadhye, General Manager, Fraud Risk Management division, Worldline India

Niranjan Upadhye has over two decades of experience in banking and payment companies like NeoCredit, Axis Bank and HSBC and will now take charge to further strengthen the Fraud Risk Management team at Worldline. An expert in the domain of risk and fraud management, Niranjan also liaises with regulatory bodies & industry partners to ensure that the company meets the latest security and compliance standards, risk exposure is minimal and the integrity of the payments ecosystem remains unharmed. Over the years, Niranjan has been an active member of the India Payment Risk Council and has been witness to the Security & Fraud Control challenges that the payment cards industry faces. Niranjan has been involved keenly in acceptance &infrastructure development, merchant &law enforcement training and judiciary training all over India.

 

As the pace of digital payments is picking up in India, we keep learning about the instances of intrusions, cyber-attacksand other such malicious acts that Merchants & Service Providers are targeted with. Transactional Frauds targeting the cardholding or banking Customers keep happening, either through misuse of their account data or access credentials, wherever the same gets exposed in the clear or gets teased out of the banking customer through different methodologies deployed by Fraudsters (Vishing/Smishing/Phishing, Person-in-The-Middle attacks, Malware implantation on their mobile devices etc) . Corporations and businesses are worried about the so-called ransomware attacks that can bring their operations to a grinding halt. From the Consumer standpoint, the failures and declines of their transactions despite usage of correct authentication credentials at the point of purchase also remains a pain point, when all they are expecting is a smooth & friction-free transactional experience.

It is a multi-pronged problem, when on the one hand the digital payment ecosystem players, the regulatory authorities and the government on their part are creating awareness and adopting ways to prevent frauds and are trying to even out the bumps in the transaction process  , but on the other hand, the bad actors are targeting any weak link in the entire ecosystem – using methodologies & selecting their toolsets carefully to exploit any weakness. Again, ecosystem players like banks, processors, merchants & businesses do not want to lose out on volumes and have customers abandon their transactions.

A network or an ecosystem that will be able to take the load of the ever-increasing volumes of online payments is the obvious answer, but the challenge remains the infrastructural investments to ensure that scalability. Again, the challenge remains that of the so-called pipeline constrictions. It is no use one or some parts of the ecosystem scaling up to meet the increased volume or spurt of transactions (peak demands) , unless the whole ecosystem is expanding to be robust and agile enough to synchronously handle the increased traffic of transactions or the peak volumes that can happen during the week-ends  or around festivals and events. 

Customers hate too many intrusive transactional validations done by the banks & service providers who admittedly do it only when the transactions appear to be out-of-pattern or outright risky. As regards the repeated failures of transactions, one oft-missed point is that of a transaction being tried continuously by the same customer multiple times, because their initial transactions has failed. This burdens the system. A simple way to ensure a customer is not inadvertently entering an incorrect 16-digit card number on the payment gateway page, is to ensure building of a small check called the Luhn Algorithm for that field and warn the customer to check and correct the card number input, if wrong. 

In these days of Multi-Factor Authentication (MFA), usually, it is the Consumers themselves who input wrong authentication credentials that they need to remember. The classic two-factor authentication approach involves two things: What you have (e.g. Card details), and what you know (e.g. the Authentication Password). This password could be static or dynamic. In case of adynamic password such as an SMS OTP, the dependency is extrinsic—that on the mobile carrier network. These OTPs are typically on the bottom priority in their transmission hierarchy, and often consumers receive these late by which time the transaction times out. Again, if you have no mobile or Wi-Fi network coverage, you will not receive the SMS OTP or even Email OTP. Thus, typically happens when you are travelling abroad, and may not have access to your Home Country Carrier Network (unless you have opted for the costly International roaming), so the SMS-based incoming OTP sent to your Registered Mobile Number (RMN) is not available to you. There are other ways of authentication such as through hardware key-fob sized tokens or mobile authenticators, but these being somewhat pricier options, most consumers do not opt for the same. Another strategy that can curtail transaction failures and reduce friction in payments is the usage of person-specific authentication as part of the 2FA approach. This takes into account “who you are”, instead of “what you know”. Examples of such authentication is the biometric such as a fingerprint or facial recognition that you use to unlock your mobile device or laptop.

The key from a banker’s or a service provider’s perspective to ensure the least friction and the most successful yet safe transactions is to have risk-based authentication. This considers contextual or behavioral analysis of a series of risk indicators including your device attributes, geolocation or user behavior or even the value of the transaction in question. If beyond a permissible or acceptable score that separates the “normal” transaction for a consumer from an “apparently abnormal” one, then “Step-Up Authentication” gets triggered for the said transaction. 

To prevent their systems getting “frozen” or locked-out by malicious actors through implantation of malware or “ransomware” that can shut-down critical systems or encrypt/wipe out important data unless a huge ransom is paid out to them, systems and security administrators need to define a Standard Operating Procedure about who has access to critical systems, and how these are updated/maintained. Sufficient firewalls, and Network Intrusion Prevention protocols must be built. Alerts and response mechanism should be defined, and adequate back-up and redundancy plans must be in place, so that even if some component of the network is impacted, the same gets isolated and a redundant/back-up system ensures that the transaction success and customer experience do not get impacted. Conditional access and threat-aware authentication should be an integral part of the network & system architecture / infrastructure of any business or organization. This eliminates threats such as data breaches and system infectionsposed by both insiders and external malicious actors.

Related Articles