MYPINPAD, an enabler of multi-factor authentication for touchscreen devices such as mobile phones and tablets, is being asked whether the digital commerce industry has compromised consumer security in favour of user experience.
Recent news reports about increased levels of fraud across the likes of Amazon Prime, Uber, eBay and Vodafone have opened up the debate. Are the rising fraud levels attributable to the ‘fragmented’ approach that the fintech industry takes in dealing with fraud? Have we reached a tipping point? Would consumers feel more positive about a brand that proactively seeks to protect them, adding multi-factor, transaction-appropriate security for online transactions?
MYPINPAD will aim to answer these critical questions during a campaign set to investigate consumer attitudes towards security and assess the biggest threats to consumer trust.
David Poole, Business Development Director of MYPINPAD, said: “Since the start of the digital commerce revolution, the onus has been on making the checkout, authentication and payment processes as swift and easy as possible. But how would consumers feel about their online transactions if there was a clear proactive element of security protection – even if it created some, perhaps small, degree of friction? Have rising fraud rates and headline stories about scammed customers made the public rethink their payment security?”
In April this year, MYPINPAD released exclusive consumer research [1] which showed that 85% of consumers would value the opportunity to authenticate large financial transactions with their mobile. Now, using this research, the mobile authentication pioneers are delving deeper into consumer attitudes.
Looking at how the payments industry needs to respond to these demands, David Poole pointed towards the need for universal ID and verification methods to cultivate consumer trust:
“‘Segmented’ is a good way to describe the payments industry but ‘fragmented’ might be even better. It is fantastic that we are working in an industry so innovative and forward-looking; however, innovation can often lead to new security risks. Another way to pay or another method of ID&V can be another potential open door to fraudsters.”
The industry-wide acceptance and deployment of Chip&PIN in 2006 serves to demonstrate the positive impact such an initiative can achieve, reducing fraud in face-to-face transactions by 70%. We have the same opportunity again – to deliver familiar, strong multi-factor authentication via our mobiles.
“Instead of divergence, we should be concentrating more on convergence to achieve this unification. For example, the FIDO Alliance, of which MYPINPAD is an active member, is endeavouring to provide a single framework to standardise the on-line authentication process.
We see a future when consumer trust is co-dependent on the action of the banks and the brands, but also a consumer’s own active ability to responsibly secure personal data. Our digital profiles are growing, our individual consumer ‘avatars’ are constantly active online making purchases, banking, and socialising. This is where consumer-empowering ID&V technology becomes vital.”
Commenting on this, Robert Capps, VP at NuData Security, said: “First and foremost, it’s entirely reasonable that consumers are demanding that merchants and FIs beef up their security in light of an escalating volume of financial fraud and cybercrime. Breaches continue, seemingly unabated, and who can really blame the average consumer for believing that merchants and FIs have lost control of their data, and their financial security?
Meanwhile, it’s true that consumers have little patience for the constant intrusion of additional friction that has been introduced to protect them. The introduction of this friction is deemed necessary because, and here’s the kicker, most merchants and the FIs haven’t yet adopted better ways to know when the legitimate consumer is transacting. Instead, more friction is added and becomes layers and layers of wallpaper over a cracked wall. Or, if you prefer, the “Security Theatre” starring 2FA and Your Mother’s Maiden Name. And, we all know, or have guessed, that something’s gone badly amiss.
Fact is, it’s not the best we can do. Most security companies promise to remove friction while keeping the same level of security. Very few solutions on the market can add security and assurance without changing the flow or adding extra friction for the customer.
eCommerce card-not-present merchants aren’t going to jump on any additional friction in the checkout flow no matter how much they want to satiate appetites for greater control, because they know that, at core, customers value ease of use more than security which they see as the merchant’s problem and cost. They often aren’t aware that fraud costs are passed back to them in higher prices.
For FIs it’s a bit different, in that customers do expect “Military Grade” security but prefer it to be seen and not heard. Just like kids back in the old days.
Stay in line of sight, but safely out of the way of the important business. Again, the dilemma for FIs and security providers is to convey trust, actual security, and smooth experience.
Account takeover, and new account or application fraud, are clear and present risks to the consumer. Having their account taken over and having their data stolen is in many ways far more dangerous to consumers in direct costs than having a credit card used fraudulently in a CNP transaction.
What is key to understand is that friction is best saved for the marginally authenticated, and the cyber criminals. If you truly know who your consumer is, you don’t need layers and layers of go-faster 2FA, fingerprint scanners or any other whiz-bang authentication technology you can dream up. Sadly, no amount of pretty wallpaper will cover over the fundamental flaws in the underlying structure of modern authentication systems, which fail to authenticate the actual human in a non-spoofable way.”
[1] MYPINPAD, 2016