Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/12/2019
02:15 PM
50%
50%

More Focus on Security as Payment Technologies Proliferate

Banks and merchants are expanding their payment offerings but continue to be wary of the potential fraud risk.

More than three-quarters of companies are investing in new payment technologies, despite concerns about the security of specific implementations and the potential for transaction fraud, according to a Forrester Research report released on August 12. 

The report, "Understanding the Evolving Payments Landscape," says that retail merchants and online businesses expect the way that consumers pay for goods to change relatively quickly, with about half expecting to face increasing choices in payment offerings. At the same time, 61% of financial institutions and merchants believe that fraud will also increase.

This bifurcated outlook on the financial future is not all that surprising because many consumers are quick to adopt the latest technology, while companies often distrust new technologies until they prove themselves, says R.L. Prasad, senior vice president of payment system risk at Visa, which commissioned the Forrester report.

"Consumers are becoming more and more comfortable with carrying money on their phone, so mobile wallet expansion is an area that will see a lot of growth," he says. "Peer-to-peer payments are also here to stay. The convenience is unparalleled right now."

As merchants and credit-card issuers continue to suffer significant breaches, Visa and other payment technology companies are looking to improving analytics and deploy machine learning that can detect and prevent fraud. The Forrester report says that while digital payments have lower fraud rates, the impact of fraud in card-not-present transactions — the most common type of digital transaction —is much worse. Card-not-present fraud affected 28% of companies surveyed but accounted for 40% of fraud volume.

The continued concerns of merchants and business comes as they adopt more payment technologies. Fifty-eight percent of those surveyed support digital wallets, and 60% support peer-to-peer payments, according to the Forrester report. Almost three-quarters of respondents support paying bills through mobile banking.

"Consumers' usage of new payment technologies is expected to increase substantially over the next five years," according to the report. "Banks, merchants, and fintechs are working hard to ensure they offer these capabilities to their customers."

Yet many merchants and banks do not have the security maturity to guard against fraudulent transactions. Most are still using usernames and passwords to protection accounts, without two-factor authentication. Half of merchants use some device data to identify the user, and 43% use some form of biometrics. Ways of countering fraud generally add friction to any transaction, potentially resulting in a lost sale. For that reason, many companies do not like their options to combat fraud.

"There are a lot of merchants and stakeholders in the payment ecosystem who are immature in their processes," Prasad says. "Increasingly, those smaller and less-mature clients are seeking ways of improving their security."

Most companies are hiring staff specifically tasked with security and anti-fraud roles, while more than three-quarters are spending on new tools to help secure transactions. 

Merchants and banks need to improve their anti-fraud defenses because cybercriminals are already doing so, Visa's Prasad says. In the past three years, the company has seen fraudsters adopt a new technique, using machine learning to attempt to find valid credit card numbers by generating account numbers and then distributing the testing of those numbers across a large number of sites to evade detection.

"Fraudsters are using artificial intelligence to advance their techniques," he says. "We see large-scale attacks happening, [where] they don't have to steal a card from a wallet, but they can actually enumerate the numbers."

The best approach to combating fraud is to improve security holistically, investing in people, products, and collaboration with service providers, Prasad says. About two-thirds of companies with mature security processes say that partners are critical to the effort, the report states.

Related Content

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Deliver a Deadly Counterpunch to Ransomware Attacks: 4 Steps
Mathew Newfield, Chief Information Security Officer at Unisys,  12/10/2019
Intel's CPU Flaws Continue to Create Problems for the Tech Community
Irfan Ahmed, Assistant Professor in the Department of Computer Science at Virginia Commonwealth University,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19750
PUBLISHED: 2019-12-12
minerstat msOS before 2019-10-23 does not have a unique SSH key for each instance of the product.
CVE-2019-4606
PUBLISHED: 2019-12-12
IBM DB2 High Performance Unload load for LUW 6.1 and 6.5 could allow a local attacker to execute arbitrary code on the system, caused by an untrusted search path vulnerability. By using a executable file, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-For...
CVE-2019-16246
PUBLISHED: 2019-12-12
Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a different vulnerability than CVE-2019-15931. This leads to unauthenticated code execution.
CVE-2019-17358
PUBLISHED: 2019-12-12
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP ...
CVE-2019-17428
PUBLISHED: 2019-12-12
An issue was discovered in Intesync Solismed 3.3sp1. An flaw in the encryption implementation exists, allowing for all encrypted data stored within the database to be decrypted.