Credit card fraud is commonplace in the online world and particularly among fintechs. Crooks are becoming ever more ingenious at scamming Internet users by various means, whether through hacking or phishing campaigns.
This phenomenon has been significantly curbed by the gradual deployment of PSD2 in the European Union.
However, when you have a fintech web platform that allows you to store funds and withdraw them at any time, such as a neo-banking platform or a crowdfunding platform, it is not enough to rely on PSD2 and its strong authentication to limit the risk of fraud for the following 3 reasons:
PSD2 has only been in force since September 2019, and many banks and member states are still lagging behind.
The strong authentication imposed by PSD2 is a European standard and therefore does not apply outside Europe.
Even with strong authentication, there is always a risk of fraud: an example is given below.
Example of fraud despite 3DS
As a web user, with the Christmas holidays approaching, I am desperate to get a PS5 as a gift for a loved one. However, as you may know, PS5 stocks are very limited. I come across a new website that has just received PS5 stock (strangely enough, it sells nothing else).
I do my usual checks before paying by credit card; we are talking about 500 €:
The small padlock is present in the address bar: the site is HTTPS
Searching Google for "<name of the site> scam" returns no results
So I pay. The payment also triggers 3DS, which is reassuring, even if, strangely, my banking app takes almost 1 min 30 s to ask me to validate the payment... I validate it, everything looks perfect, and I'm told I'll receive my PS5 within a week.
I've just been robbed of 500 € and I'll never get a PS5.
How is this possible?
The merchant site on which I had just entered my credit card details was in fact a fraudulent (phishing) site: its owner took the card details I provided and immediately used them to make a payment of the same amount to an account opened with a stolen identity at an online bank! The 3DS validation I approved, after that suspicious delay, was for the fraudster's payment, not for the shop's. This scheme sounds convoluted, but it is very quick and simple to set up.
Note: this example is a real case that we encountered at one of our clients at Capsens, the web and mobile development agency specialised in fintech that hosts this blog.
What can be done in this case to eliminate the risk?
You can't. In IT, there is no such thing as zero risk. New vulnerabilities are discovered all the time (hello Log4j).
OK, so what are the solutions to reduce the risk?
Solution 1: Protecting against identity theft: video KYC
This is really where the fundamental problem lies. Nowadays, it is very easy to obtain stolen identity documents on the Internet (notably on the dark web).
With them, a fraudster can create an account and pass the identity verification (KYC) required by the platform without any problem.
One of the best ways to make sure you are not dealing with identity theft is to add a video KYC check: the face of the person using the account is checked against the photograph on the identity document provided for that same account.
Various checks are carried out on the document:
Authenticity: the document is a genuine identity document of the expected type
Tampering: the document has not been altered with image-editing software (Photoshop, etc.)
However, this solution has some significant drawbacks:
It adds a step to your registration process and therefore slightly reduces your conversion rate
It is expensive: it generally costs between 2 and 3 € per user.
Despite these drawbacks, this solution is becoming more and more widespread because it is currently the most reliable verification system for combating identity theft.
Solution 2: Manually validate certain debit requests
Whatever the type of fraud and the means used, certain signals are systematically present:
The user credits their account several times by bank card, often using different cards.
The user registered recently (this can be up to a few months ago) and has not performed any ordinary transactions on your platform.
The user requests an account debit to withdraw money that they have recently credited.
A simple way to reduce the risk of fraud is to have an administrator manually verify debit requests while the user is not yet considered reliable, that is, as long as the user has neither performed a minimum number of standard transactions nor been manually marked as reliable by an administrator.
Once the debit request has been made, the administrator can choose to approve or reject it based on all the information your payment provider makes available (credits made to the account, geography, amounts, etc.).
If they consider the activity suspicious, they can report the account to the payment provider, which takes over in line with its anti-fraud and anti-money-laundering obligations.
This solution also has obvious disadvantages:
It can be time-consuming for administrators
The human risk is always present: the administrator may make a mistake
It lengthens the time before the user can withdraw from their account
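To make the manual-validation rule concrete, here is an added example (written for this edit, not code from Capsens or from the original post) of a review gate for withdrawal requests. It encodes the reliability rule described above and annotates each held request with the three signals listed earlier, so the administrator sees them next to the request. The thresholds (5 standard transactions, a 90-day "new account" window, a 14-day "recent credit" window), the data classes and the card-fingerprint field are assumptions, and the sample accounts are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Thresholds are assumptions for this example, not values from the post; tune them to your platform.
MIN_STANDARD_TRANSACTIONS = 5              # fewer than this and the user is not yet considered reliable
NEW_ACCOUNT_WINDOW = timedelta(days=90)    # "recently registered": up to a few months
RECENT_CREDIT_WINDOW = timedelta(days=14)  # a card credit this recent counts as "recently credited"


@dataclass
class CardCredit:
    at: datetime
    amount_cents: int
    card_fingerprint: str  # opaque card token from the payment provider, never the card number itself


@dataclass
class User:
    registered_at: datetime
    standard_transactions: int  # purchases, investments, etc. made on the platform itself
    trusted_by_admin: bool = False
    card_credits: List[CardCredit] = field(default_factory=list)


@dataclass
class Decision:
    manual_review: bool
    reasons: List[str]


def is_reliable(user: User) -> bool:
    """Reliable = enough ordinary activity on the platform, or explicitly vouched for by an administrator."""
    return user.trusted_by_admin or user.standard_transactions >= MIN_STANDARD_TRANSACTIONS


def fraud_signals(user: User, amount_cents: int, now: datetime) -> List[str]:
    """The three signals from the post, phrased so the administrator sees them next to the request."""
    reasons = []
    account_age = now - user.registered_at
    if account_age <= NEW_ACCOUNT_WINDOW and user.standard_transactions == 0:
        reasons.append(f"registered {account_age.days} days ago, no standard transactions yet")
    cards = {c.card_fingerprint for c in user.card_credits}
    if len(cards) > 1:
        reasons.append(f"account credited from {len(cards)} different cards")
    recent_total = sum(c.amount_cents for c in user.card_credits if now - c.at <= RECENT_CREDIT_WINDOW)
    if recent_total > 0 and amount_cents <= recent_total:
        reasons.append(
            f"withdrawal of {amount_cents} cents is covered by {recent_total} cents "
            f"credited in the last {RECENT_CREDIT_WINDOW.days} days"
        )
    return reasons


def review_decision(user: User, amount_cents: int, now: datetime) -> Decision:
    """Reliable users are paid out automatically; everyone else is held for an administrator."""
    if is_reliable(user):
        return Decision(manual_review=False, reasons=[])
    return Decision(manual_review=True, reasons=fraud_signals(user, amount_cents, now))


def build_samples() -> Dict[str, object]:
    """Constructed sample accounts (not real data), evaluated at a fixed point in time."""
    now = datetime(2021, 12, 20)
    return {
        "now": now,
        # Mirrors the PS5 story: fresh account, two different cards, withdraw the lot.
        "suspect": User(
            registered_at=datetime(2021, 12, 15),
            standard_transactions=0,
            card_credits=[
                CardCredit(datetime(2021, 12, 18), 25_000, "card_fp_A"),
                CardCredit(datetime(2021, 12, 19), 25_000, "card_fp_B"),
            ],
        ),
        # Long-standing customer with a normal history: no hold.
        "veteran": User(
            registered_at=datetime(2020, 1, 1),
            standard_transactions=12,
            card_credits=[CardCredit(datetime(2021, 12, 19), 50_000, "card_fp_C")],
        ),
        # New account an administrator has already marked as reliable: no hold either.
        "vouched": User(registered_at=datetime(2021, 12, 15), standard_transactions=0, trusted_by_admin=True),
    }


if __name__ == "__main__":
    samples = build_samples()
    for name in ("suspect", "veteran", "vouched"):
        print(name, review_decision(samples[name], 50_000, samples["now"]))
```

The gate deliberately does not try to score fraud on its own: the decision to hold is driven only by the reliability rule, and the signals are explanatory text for the administrator, who still makes the call with whatever the payment provider exposes (geography, card data, and so on). Marking a user as trusted, or counting a transaction as "standard", should happen in code paths the user cannot trigger directly, otherwise the gate is trivially bypassed.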
In conclusion, there are unfortunately no miracle solutions. The two solutions described above each have significant disadvantages in terms of additional cost and human time. Nevertheless, fraud will continue to exist and grow, and if your platform appears more susceptible to it than average, you will quickly become a prime target for fraudsters. It is therefore highly recommended to address these weaknesses proactively.