The Evolving Landscape of CNP Fraud
DJ Murphy is the editor-in-chief and co-founder of CardNotPresent.com, which he co-founded with CEO Steve Casco in 2011. Murphy’s involvement in the world of card-not-present began in 2008 when he worked at Paybefore, a trade publication for the prepaid card industry. About-fraud recently spoke with Murphy ahead of its annual CNP Expo event to discuss how fraud prevention has evolved since he founded CardNotPresent.com and what attendees can expect from the CNP Expo 2019.
RS: How has CardNotPresent.com evolved over your career in this industry?
DJM: The first time I became aware of card-not-present (CNP) fraud I was working at a publication that covered prepaid cards. E-gift cards had just been introduced at that point, and they were getting killed with fraud. It was one of the things that led Steve Casco, who was working with me at the time, and me to start CNP. We saw an opportunity back then to provide information that was educational, starting with e-gift cards and then we looked at e-commerce in general. We were just blown away with the level of need that companies were expressing at that time.
We started with the site and didn’t actually intend to start a show, but people just inundated us with suggestions that we do a show. It became very apparent early on that face-to-face information sharing between peers was something that people at these companies really wanted and needed. So, we put together an event very quickly. That first year was very, very small. We had 150-200 attendees. We started the conference in Orlando because we were East Coast and everybody that we had talked to at that time was East Coast.
RS: What is the highlight of CNP Expo for you every year?
DJM: The biggest thing is for me to have the chance to meet face-to-face with all the people who we cover all year long. To be able to get to know people on a personal level is fantastic. When people come to the show for the first time and finally understand that there are others out there with the problems they have and that they’re not alone, it’s almost like they have a sense of gratitude. They know they don’t have to be overwhelmed by the problems that they are facing. That is really enjoyable for me to see.
This year, there are a bunch of really great technical sessions from merchants. Two in particular that I’m really excited about are being done by Staples and Airbnb. They are both lifting the hoods on their analytics and data science, and they are going to attack it from different angles. They are two very different companies. One is a retailer who is very good in e-commerce but has their roots in traditional retail. The other one is a new, Silicon Valley, sharing-economy platform. I think it’s going to be interesting to see the different approaches.
RS: You are responsible now for ISC News as well as CardNotPresent.com. Do you see an overlap between the sort of stories you cover for both outlets?
DJM: God yes! Absolutely! It is one of the most interesting evolutions that I’ve seen since we started. We actually just got back from the ISC show. It’s been around 25 years and it’s enormous, but it started as a traditional physical security event. Literally, it used to be about armored trucks, locks, perimeter fences and things like that. I’m new to that side of things, but when I was there last week it was all about the convergence of cyber and physical security and how the Internet of Things (IoT) is touching everything in physical security.
That’s where security is coming from. The cyber side of that is becoming enormous. Then coming from the fraud side, since we started in 2011, there has been a complete shift in focus from the transaction level to the account level. Everything has sort of shifted. Account takeover along with account creation is such a huge issue that much of what we cover in our time and our energy is devoted to that. This is really the point where cybersecurity and fraud prevention overlap. When you start talking about credential stuffing and bot detection (to prevent credential stuffing), that is cybersecurity. It becomes a concern for CNP and it’s always been a concern for cyber.
A kind of a theme that runs throughout CardNotPresent.com’s coverage is to get different company departments to talk to each other, like getting IT and fraud prevention in the same room. If they’re not, they are going to be duplicating efforts and may implement systems that actively work against one another. There has to be recognition in these companies that there can’t be silos. Our coverage has led us to the fact that CNP is an authentication problem now, and authentication is all wrapped up in cybersecurity. There is absolutely a convergence of the two and it’s becoming tough to distinguish between them.
RS: What would you consider the major CNP news or trends so far in 2019?
DJM: Credential stuffing – the ability for fraudsters to use fast and scripted attacks to basically validate credentials at scale – has become a huge problem. Both the credential stuffing attacks themselves and all these validated accounts themselves that have been sold and monetized after the attacks have been successful.
The other thing that I’m finding is that cross-channel fraud has become a huge issue. Retailers are looking for ways to compete with Amazon. These companies have a physical presence and naturally look at that as one of the few competitive advantages that they have over Amazon. To compete they are trying to implement all of these options, like “buy online and pickup at store” and “buy online and ship to store” and you can throw call centers as well. All these channels are protected by different systems. It’s leaving gaps and they’re not dealing with it well right now.
On the merchant side, I think a lot of this has to do with companies not being used to having to deal with the chargeback liability. Now they are liable when the sale comes in online, when they weren’t before for in-store fraud. It’s become a problem for which they don’t have a lot of great solutions right now.
RS: What fraud prevention methods or technology over the past two decades proved to be a real bust?
DJM: The one that immediately leaps to mind, especially from a U.S. perspective, is 3-D Secure. Merchants are shifting liability back to the issuer if they use it. 3-D Secure definitely makes things safer, but the amount of blowback from U.S. merchants who said there was no way they were going to introduce that much friction into their checkout process was amazing.
I don’t know how things are going to go with the evolution of it into 3DS 2.0 and a more risk-based system. The credit card networks have a lot of work to do just from a PR standpoint if that’s going to catch on. In the US, 3-D Secure just flopped. The end-user hates it. I know it was mandated in parts of Europe, but merchants there who didn’t have to use it, just wouldn’t do it despite how well it prevented fraud.
RS: What mistakes do you think were made in the early days of fraud in online and mobile commerce in the U.S. that merchants, FIs and fraud fighters in up-and-coming markets should learn from?
DJM: The single biggest mistake companies made and continue to make is that they view fraud prevention as a competitive advantage, so they didn’t share any information. That’s true if they solve one particular fraud problem, then yes, they do have a competitive advantage. However, as became apparent very quickly, the situation evolves rapidly and the types of fraud that they are facing change constantly. If you aren’t sharing information, there will be somebody who has information that could help you once your fraud changes that you are now not communicating with because you held things too close to the vest before about something else.
The whole rising tide lifts all boats is so true in this industry. It’s still an issue among companies. We hear it all the time from companies that we invite to speak, and their corporate policy won’t allow them to do it. In the end, I think that’s short-sighted.
We have a common enemy that does their own sharing. Fraudsters are very free with their information and methods, and they don’t care. They get on these forums all day long. They buy and sell information, but they also share a ton of it. We have to be doing the same thing on the good guys’ side. More and more companies are coming around to the view that it’s advantageous to share.
RS: Where else is there still room for improvement in the fraud prevention industry?
DJM: There needs to be more grassroots meetings. Anytime fraud fighters gather and start talking to each other they learn things they didn’t know. That kind of interaction needs to keep happening. Fraud fighters are not as comfortable sharing things with media outlets even if they are informational and educational as when they are talking to their peers. That makes sense. These people as a rule are cautious and security-minded, so it’s not surprising that they operate with a sense of caution and circumspection.
More face-to-face interactions would always be a benefit, it’s just about how to go about doing it.
It would take leaders in the industry to get things going and look beyond their everyday existence for the good of an entire industry. I do know that in some places and geographies the level of the thirst for knowledge is at the same level it was in the U.S. when we started.