Strong Customer Authentication (SCA) is a new requirement of the second Payment Services Directive (PSD2), designed to add extra layers of security to electronic payments. It stipulates that the customer must provide at least two independent factors when confirming online card transactions, drawn from three categories: a knowledge-based factor, like a password; a possession factor, such as their mobile device or one-time password; or an inherence factor, such as behavioural biometric data.
Since coming into force, PSD2 already appears to have had a positive effect on fraud prevention with the 2022 UK Finance Half Year Fraud Report, sponsored by LexisNexis® Risk Solutions, reporting a 15 per cent year on year reduction in CNP (Card Not Present) e-commerce card fraud.
Yet we can already see fraudsters adapting their attacks to bypass the controls applied by SCA. Inevitably they’re now targeting the weakest link – consumers themselves – with social engineering tactics more often seen in digital bank impersonation scams. In the card channel these manifest as fraudsters duping customers into authenticating fraudulent e-commerce card transactions, either by tricking them into divulging the One Time Passcodes (OTPs) sent to them by the card issuer, or by persuading them to authenticate card transactions via their mobile device.
The attacks are particularly problematic because the transaction is fully authenticated, therefore the card issuer is fully liable for the loss and has no chargeback rights on the merchant, resulting in millions of pounds of fraud added to their loss lines.
In approaching the problem for NatWest Bank in the UK, the team at LexisNexis® Risk Solutions had to think outside the box. The goal was to build a reliable picture of an individual’s circumstances based on available online, mobile, and open banking intelligence that could help build context and help confidently determine the potential risk associated with the CNP transaction request – a truly single customer view of a scam risk assessment.
This was achieved by combining global, crowd-sourced entity intelligence from the LexisNexis® Digital Identity Network® with a range of other fraud signals and device intelligence. One example, Active Call Detection, determines whether a customer is on a live call on their mobile device at the same time that a transaction is taking place – a common factor linked to APP (authorised push payment) scams. Another, remote desktop functionality, can detect if a customer’s device is being controlled by remote access software. In isolation this could simply mean that the individual is having their PC fixed remotely by an engineer, but when it coincides with an e-commerce purchase and other risk factors, it could strongly indicate that social engineering is taking place.
To bring these disparate signals together into actionable insights, the team at LexisNexis Risk Solutions built an advanced machine learning model capable of analysing the data quickly enough so as not to interrupt the customer journey. The models draw on past instances of confirmed fraudulent behaviour to produce an output in near real time that can confidently predict when a scam is underway.
The results were highly encouraging: our enhanced model was able to successfully detect and flag 36 in every 100 confirmed scams, resulting in a 71 per cent uplift in scam detection. Moreover, when assessing fraud value, the model successfully detected £48 in every £100 of confirmed scams – effectively detecting nearly half of the scam value, despite working with a very small intervention rate of just 0.04%. What is more, these results were achieved with a False Positive Rate of four, meaning one fraud was detected for every four transactions challenged.
To put this into context, the enhanced fraud prediction capabilities of this model detected over £500,000 of fraud attempts in just 20 days.
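An added illustration, not LexisNexis or NatWest code and not the machine learning model described above: a fixed rule stands in for the model to show why signals are judged in combination, and the four measures quoted in the results are computed on constructed data. The `new_merchant` signal, the two-signal threshold and every sample transaction are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Txn:
    amount: float          # GBP
    on_active_call: bool   # Active Call Detection signal
    remote_access: bool    # device controlled by remote access software
    new_merchant: bool     # assumed extra risk factor, not from the article
    is_scam: bool          # confirmed label, used only for evaluation

def challenge(t: Txn) -> bool:
    """Challenge only when at least two signals coincide.

    A single signal (e.g. remote access while an engineer fixes a PC)
    is treated as benign on its own. The threshold is an assumption.
    """
    return (t.on_active_call + t.remote_access + t.new_merchant) >= 2

def evaluate(txns: list[Txn]) -> dict[str, float]:
    flagged = [t for t in txns if challenge(t)]
    scams = [t for t in txns if t.is_scam]
    caught = [t for t in flagged if t.is_scam]
    return {
        # share of all transactions that were challenged
        "intervention_rate": len(flagged) / len(txns),
        # share of confirmed scams that were flagged, by count
        "detection_rate": len(caught) / len(scams),
        # share of confirmed scam value that was flagged
        "value_detection_rate": sum(t.amount for t in caught)
                                / sum(t.amount for t in scams),
        # the article's convention: transactions challenged per fraud found
        "challenged_per_fraud": len(flagged) / len(caught),
    }

# Constructed sample: 18 genuine transactions and 2 confirmed scams.
SAMPLE = (
    [Txn(50.0, False, False, False, False) for _ in range(15)]
    + [Txn(30.0, False, True, False, False) for _ in range(2)]  # remote fix only
    + [Txn(80.0, True, False, True, False)]    # genuine but challenged
    + [Txn(900.0, True, True, False, True)]    # scam: on a call + remote access
    + [Txn(100.0, True, False, False, True)]   # scam with one signal: missed
)

if __name__ == "__main__":
    for name, value in evaluate(SAMPLE).items():
        print(f"{name}: {value:.2f}")
```
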
Looking at the DNA of a 3DS scam case, such as the example provided below, really highlights both the complexity and highly organised nature of scams and scammers, who are often well-syndicated and technologically capable individuals.
The following illustrates multiple attempts to defraud a banking customer over a period of just 45 minutes across multiple devices, channels and attack vectors. In this example, the various components of the single customer view are successful in detecting and preventing harm, but this brings to life the size of the challenge facing banks and other financial services.
In this scenario, thanks to advanced AI modelling and rich data sources, the Bank was able to break the cycle of social engineering and offer support to the customer via specially-trained agents. Without this, the scam would likely have been successful, resulting in financial losses for the customer and potentially the bank, as well as significant emotional stress for the customer, as is the case when anyone loses a large amount of money.
In addition to cutting-edge enhancements in scam detection, the single customer view also allows the Bank to make better trust decisions and reduce false positives by having a fuller picture of the customer's activity and profile. This can ultimately only lead to better outcomes for all customers, through faster, more accurate decisions offering a greater customer experience, remaining top of wallet and, ultimately, increasing card revenue.
This initiative has enabled NatWest Bank to protect customers where there is a clear risk of social engineering, resulting in a reduction in 3DS (authenticated) fraud of up to 55% and landing a severe blow to fraudsters.
Peter Tully, Plastic Fraud Chapter Lead at NatWest Group comments, “The increasing prevalence of social engineering on e-commerce transactions and the detrimental impact this is having on our customers is stark. Whilst effective warnings within the authentication journey are useful, they are not deterring criminals. Using smarter data and analytics to protect our customers is vital to turn the tide.
“Our partnership with LexisNexis Risk Solutions gave us a unique opportunity to leverage our existing intelligence from our customers’ online, mobile, telephony and open banking journeys and apply this to our e-commerce channel. As a result, we’ve created a truly customer level view of scam risk assessment.
“Through this work, NatWest Group has taken back the decision on authentication attempts where there is a clear risk of social engineering based on the combined evaluation. As a result, social engineering of our customers is no longer a guaranteed route to success for fraudsters.”
Joey Bajela, Senior Engagement Manager, Fraud & Identity | LexisNexis® Risk Solutions, January 2023