Fraud & Identity Management


Customer experience strategies for success

Sometimes it’s easier to describe something as the opposite of something else. Being “anti-” something can communicate something meaningful. Cultural movements in the past have taken on these monikers: consider the “anti-establishment” or “anti-war” movements. We all need effective anti-virus protection. And there are loads of skin products marketed as “anti-aging”, “anti-wrinkle”, or “anti-blemish.” But when you think about a vision for the customer experience that your company aspires to deliver, this approach of the “anti-X” falls flat. Would you want to aspire to basically “not stink?” Would that inspire you and your team to run through walls to deliver on that grand aspiration? Would it motivate customers to stick with you, buy more of what you sell, and tell others about you? I think not…But it sure seems like many out there indeed do aspire to “not stink.” Sure, there are great companies out there who have set a high standard for customer experience, placing it at the center of their strategies and their success. Some, like Zappos, started that way from the beginning. Others, like The Ritz-Carlton, realized that they had lost their way and made the commitment to do the hard work of reaching and sustaining excellence. On the other hand, there are hundreds of firms who have a weak commitment to or even understanding of the importance of customer experience to their strategy and performance. Their leaders may give lip service or just pay attention for a few days or hours following the release of reports from leading analysts and firms. They may have posters and slogans that talk about putting the customer first or similar platitudes. These companies probably even have talented and passionate professionals working tirelessly to improve the customer experience in spite of the fact that nobody seems to care much. What these firms lack is a clear customer experience strategy.
As nature abhors a vacuum, customers and employees are free to infer or just guess at it.  Focusing on customer experience only when a report comes out – and paying special attention only when weak results put the firm near the bottom of the ranking leads people to conclude that all that really matters is to “not stink.”  In other words, don’t stand out for being bad…but don’t worry much about being good as it is not important to the company’s strategy or results. I think that this “don’t stink” implicit strategy helps explain a fascinating insight from a Forrester survey in 2013: “80% of executives believe their company is delivering a superior customer experience, yet in 2013 only 8% of companies surveyed received a top grade from their customers.”  Many leaders simply have not invested the energy and commitment necessary to define a real customer experience vision that reflects a deep understanding of the role that it plays in the company’s strategy.  Beyond setting that vision, there is a big and sustained commitment required to deliver on the vision, measure results, and continuously adjust as customer needs evolve. Like all journeys, a great customer experience starts with one step. Establishing a customer experience strategy is the first one – and “don’t stink” simply stinks as a strategy. Download our recent perspective paper to learn how exceptional customer experience can give companies the competitive edge they need in a market where price, products and services can no longer be a differentiator.

Published: January 27, 2015 by Guest Contributor

The availability and opportunities for customers to conduct business through mobile devices continue to multiply, challenging organizations to protect customers without impacting their experience. Our infographic highlights five challenges of customer authentication that businesses face and what customers feel in an increasingly mobile world.

- Personally Identifiable Information (PII) is more available, but less reliable, than ever before. 35% performance improvement using models built with attributes beyond simple identity element validation.
- More transactions are taking place in an omnichannel environment. 36% of organizations interact with their customer in five or more channels.
- Diversity of devices and technology complicates customer authentication. 85% of consumers use online or mobile to conduct business. 17% of consumers reported having an online transaction declined when device information was not available.
- Increased online transactions have multiplied fraud opportunities, resulting in more false positives. Of those surveyed who have had Card Not Present (CNP) transactions declined: 31% blame the merchant, 38% blame the credit card network, and 83% felt embarrassed or angry.
- Stringent requirements change the way organizations interact with customers. 80% expect the focus on managing regulatory risk to be more than it is today.

Download our fraud prevention perspective paper to gain more insight on how you can prepare your business.

Published: January 21, 2015 by Guest Contributor

Have a look ‘Inside Experian’ through this documentary on our global business explaining who we are, what we do and how we’re helping people and businesses around the world protect, manage and make the most of their data. This ‘Inside Experian’ video focuses on 41st Parameter, a leading provider of dedicated fraud prevention solutions. Their methodology and patented technologies are responsible for reductions in fraud losses and subsequent declining attack rates at some of the largest institutions in e-commerce, financial services, and travel services. Here are some highlights of 41st Parameter’s solutions:

- $25 trillion in e-commerce orders and financial services transactions scored for risk
- 500 million transactions processed each month with daily volumes exceeding 8 million transactions a day
- PCI Certified as a Level 1 Service Provider and ISO-27000, SAS-70 and Safe Harbour Compliant
- 600 million devices detected by their patented tagless device identification technology, which captures no PII

41st Parameter works to make the process of preventing and detecting fraud easier and more effective, reducing potential losses while protecting operating costs and the customer experience. Download our fraud prevention whitepaper to gain more insight on how you can prepare your business.

Published: January 21, 2015 by Guest Contributor

“Building a better mousetrap merely results in smarter mice” – Charles Darwin

Credit card issuers in general have a good handle on fraud. They manage it under 10bps (i.e. losses of $0.10 or less per $100 of transactions) on transactions made with a "dumb" plastic card lacking any additional context. So Issuers wishing for Apple Pay fraud to fall between 2-3bps was not totally out of character, considering the protections in place by Apple and Networks to keep fraud away – including issuer support during provisioning, NFC, Tokenization, a tamper proof Secure Element and TouchID. But fraud seems to have followed a different trajectory here. About a month post-launch, it seems like fraud has come to Apple Pay. (in one case – as high as 600bps for an issuer that I cannot name). Though what follows was written in the context of Apple Pay, much of it translates to any other competitor – irrespective of origin, scale, intent, or patron saint.

Apple Pay and the Yellow Path: All Apple Pay participating card issuers are required to build a “Yellow Path” for when card provisioning in to Apple Pay requires additional bank verification. Implementation of the “Yellow Path” and corresponding customer experience has varied per Card Issuer. Today, depending on your card issuer – you could expect much variance – such as being directed to their call center, being asked to authenticate via the bank’s mobile app, or an entirely other 2FA verification. As one can expect – each has varying levels of success and friction – with just a couple of banks opting to authenticate via their mobile apps, that would have provided a far easier and customer friendly provisioning experience. Whereas, those that opted for call center verification traded efficiency for friction and by most reports – the corresponding experience has been subpar. In fact initially “Yellow Path” was marked optional for card issuers by Apple – which meant that only a couple of Issuers directed much focus at it.
Apple reversed its decision and made it mandatory less than a month before launch – which led to issuers scrambling to build and provide this support. Why any bank would consider this optional is beyond me. Either way, Card issuer implementations of the Apple Pay Yellow Path have proved to be inadequate – as I am willing to bet that most of the fraud in Apple Pay came by stolen identities. For all the paranoia around elevating your phone to be the container for all your credit cards – fraud in Apple Pay has assumed more traditional and unsophisticated ways. No, iPhones weren’t stolen and then used for unauthorized purchases, TouchID was not compromised, Credentials weren’t ripped out of Apple’s tamper proof secure element – nor the much feared but rarely attempted MITM attacks (capture and relay an NFC transmission at a different terminal). Instead fraudsters bought stolen consumer identities complete with credit card information, and convinced both software and manual checks that they were indeed a legitimate customer. Fraud on Apple Pay is somewhat unique – as the Pay setup is one of the first things one would do upon getting their iPhone 6. At which point – the device will have little to no background or context with the bank. Further, the customer most likely hasn’t had the time to install the bank app or login. It is no wonder then that a number of banks defaulted to “Call our call center” as the default Yellow path. In an earlier post on ISIS (Softcard) I did write how the vast retail network coupled with visibility in to customer identity positioned Carriers as a trusted partner for banks to do secure provisioning. But ISIS had other (yet unrealized) aspirations. For all the focus in protecting transactions and plastic – for e.g. via EMV and Tokenization – issuance and provisioning remains the soft underbelly – under protected and easily compromised.
And this should concern all – because the strongest chain is only as good as its weakest link – and those with malice are almost always the first to find it. Fraud in Apple Pay will in time, come to be managed – but the fact that easily available PII can waylay best in class protection should give us all pause. Make sure to download our fraud prevention whitepaper to gain more insight on how you can prepare your business. This post originally appeared here. 

Published: January 9, 2015 by Cherian Abraham

41st Parameter, a part of Experian, surveyed 250 marketers to understand the relationship between omnichannel retailing, fraud prevention and the holiday shopping season. The findings show that few marketers understand the full benefit of fraud-prevention systems on their activities as 60% of marketers were unsure of the cost of fraud to their organization. The survey also indicated that 40% of marketers said their organization had been targeted by hackers or cybercriminals.

Download the Holiday Marketing Fraud Survey: http://snip.ly/JoyF

With holiday shopping in full stride, 35% of businesses said they planned to increase their digital spend for the 2014 holiday season. Furthermore, Experian Marketing Services reported that during 2014, 80% of marketers planned on running cross-channel marketing campaigns. As marketers integrate more channels into their campaigns, new challenges emerge for fraud-risk managers who face continuous pressure to adopt new approaches. Here are three steps to help marketers and risk managers maintain a frictionless experience for customers:

- Marketers should communicate their plans early to the fraud-risk team, especially if they are planning to target a new or unexpected audience. Making this part of the process will reduce the chances that risk management will stop or inhibit customers.
- Ensure that marketers understand what the risk-management department is doing with respect to fraud detection. Chances are risk managers are waiting to tell you.
- Marketers shouldn’t assume that fraud won’t affect their business and talk to their risk-management division to learn how much fraud truly costs their company. Then they can understand what they need to do to make sure that their marketing efforts are not thwarted.
“Marketers spend a great deal of time and money bringing in new customers and increasing sales, especially this time of year, and in too many cases, those efforts are negated in the name of fraud prevention,” said David Britton, vice president of industry solutions, 41st Parameter. “Marketers can help an organization’s bottom line by working with their fraud-risk department to prevent bad transactions from occurring while maintaining a seamless customer experience. Reducing fraud is important and protecting the customer experience is a necessity.” Few marketers understand the resulting impact of declined transactions because of suspected fraud and this is even more pronounced among small businesses, with 70% saying they were unsure of fraud’s impact. Fifty percent of mid-sized business marketers and 67% of large-enterprise marketers were unsure of the impact of fraud as well. An uncoordinated approach to new customer acquisition can result in lost revenue affecting the entire organization. For example, the industry average for card-not-present declines is 15%. However, one to three percent of those declined transactions turn out to be valid transactions, equating to $1.2 billion in lost revenue annually. Wrongfully declined transactions can be costly as the growth of cross-channel marketing increases and a push towards omnichannel retailing pressures marketers to find new customers. “Many businesses loosen their fraud detection measures during high peak time because they don’t have the tools to review potentially risky orders manually during the higher-volume holiday shopping period,” said Britton. “Criminals look to capitalize on this and exploit these gaps in any way possible, taking an omnifraud approach to maximizing their chances of success.
Striking the right balance between sales enablement and fraud prevention is the key to maximizing growth for any business at all times of the year.” Download Experian’s fraud prevention report to learn more about how businesses can address these new marketing challenges.

Published: December 17, 2014 by Guest Contributor

By: Ori Eisen

This article originally appeared on WIRED.

When I started 41st Parameter more than a decade ago, I had a sense of what fraud was all about. I’d spent several years dealing with fraud while at VeriSign and American Express. As I considered the problem, I realized that fraud was something that could never be fully prevented. It’s a dispiriting thing to accept that committed criminals will always find some way to get through even the toughest defenses. Dispiriting, but not defeating. The reason I chose to dedicate my life to stopping online fraud is because I saw where the money was going. Once you follow the money and you see how it is used, you can’t “un-know.” The money ends up supporting criminal activities around the globe – not used to buy grandma a gift. Over the past 10 years the nature of fraud has become more sophisticated and systematized. Gone are the days of the lone wolf hacker seeing what they could get away with. Today, those days seem almost simple. Not that I should be saying it, but fraud and the people who perpetrated it had a cavalier air about them, a bravado. It was as if they were saying, in the words of my good friend Frank Abagnale, “catch me if you can.” They learned to mimic the behaviors and clone the devices of legitimate users. This allowed them to have a field day, attacking all sorts of businesses and syphoning away their ill-gotten gains. We learned too. We learned to look hard and close at the devices that attempted to access an account. We looked at things that no one knew could be seen. We learned to recognize all of the little parameters that together represented a device. We learned to notice when even one of them was off. The days of those early fraudsters have faded. New forces are at work to perpetrate fraud on an industrial scale. Criminal enterprises have arisen. Specializations have emerged.
Brute force attacks, social engineering, sophisticated malware – all these tools, and so many more – are being applied every day to cracking various security systems. The criminal underworld is awash in credentials, which are being used to create accounts, take over accounts and commit fraudulent transactions. The impact is massive. Every year, billions of dollars are lost due to cyber crime. Aside from the direct monetary losses, customers lose faith in brand and businesses, resources need to be allocated to reviewing suspect transactions and creativity and energy are squandered trying to chase down new risks and threats. To make life just a little simpler, I operate from the assumption that every account, every user name and every password has been compromised. As I said at the start, fraud isn’t something that can be prevented. By hook or by crook (and mainly by crook), fraudsters are finding cracks they can slip through; it’s bound to happen. By watching carefully, we can see when they slip up and stop them from getting away with their intended crimes. If the earliest days of fraud saw impacts on individuals, and fraud today is impacting enterprises, the future of fraud is far more sinister. We’re already seeing hints of fraud’s dark future. Stories are swirling around the recent Wall Street hack. The President and his security team were watching warily, wondering if this was the result of a state-sponsored activity. Rather than just hurting businesses or their customers, we’re on the brink (if we haven’t crossed it already) of fraud being used to destabilize economies. If that doesn’t keep you up at night I don’t know what will. Think about it: in less than a decade we have gone from fraud being an isolated irritant (not that it wasn’t a problem) to being viewed as a potential, if clandestine, weapon. The stakes are no longer the funds in an account or even the well being of a business. Today – and certainly tomorrow – the stakes will be higher.
Fraudsters, terrorists really, will look for ways to nudge economies toward the abyss. Sadly, the ability of fraudsters to infiltrate legitimate accounts and networks will never be fully stifled. The options available to them are just too broad for every hole to be plugged. What we can do is recognize when they’ve made it through our defenses and prevent them from taking action. It’s the same approach we’ve always had: they may get in while we do everything possible to prevent them from doing harm. In an ideal world bad guys would never get through in the first place; but we don’t live in an ideal world. In the real world they’re going to get in. Knowing this isn’t easy. It isn’t comforting or comfortable. But in the real world there are real actions we can take to protect the things that matter – your money, your data and your sense of security. We learned how to fight fraud in the past, we are fighting it with new technologies today and we will continue to apply insights and new approaches to protect our future. Download our Perspective Paper to learn about a number of factors that are contributing to the evolving fraud landscape.

Published: November 3, 2014 by Guest Contributor

Experian hosted the Future of Fraud event this week in New York City where Ori Eisen and Frank Abagnale hosted clients and prospects highlighting the need for innovative fraud solutions to stay ahead of the consistent threat of online fraud. After, Ori and Frank appeared on Bloomberg TV, interviewed by Trish Regan discussing how retailers can handle fraud prevention. Ori and Frank highlighted how using data is good, especially when combined with analytics as a requirement for businesses working to try and prevent fraud now and in the future.

"Data is good. The only way that you deal with a lot of this cyber(crime) is through data analytics. You have to know who I am dealing with. I have to know it is you and authenticate that it is you that wants to make this transaction." – Frank Abagnale on BloombergTV

Charles Chung recently detailed how utilizing the data for good can protect the customer experience while providing businesses a panoramic view to ensure data security and compliance to mitigate fraud risk. Ultimately, this view helps businesses build greater consumer confidence and create a more positive customer experience which is the first, and most important, prong in the fraud balance. Learn more on how Experian is using big data.

Published: October 22, 2014 by Guest Contributor

More than 10 years ago I spoke about a trend at the time towards an underutilization of the information being managed by companies. I referred to this trend as “data skepticism.” Companies weren’t investing the time and resources needed to harvest the most valuable asset they had – data. Today the volume and variety of data is only increasing as is the necessity to successfully analyze any relevant information to unlock its significant value. Big data can mean big opportunities for businesses and consumers. Businesses get a deeper understanding of their customers’ attitudes and preferences to make every interaction with them more relevant, secure and profitable. Consumers receive greater value through more personalized services from retailers, banks and other businesses. Recently Experian North American CEO Craig Boundy wrote about that value stating, “Data is Good… Analytics Make it Great.” The good we do with big data today in handling threats posed by fraudsters is the result of a risk-based approach that prevents fraud by combining data and analytics. Within Experian Decision Analytics our data decisioning capabilities unlock that value to ultimately provide better products and services for consumers.   The same expertise, accurate and broad-reaching data assets, targeted analytics, knowledge-based authentication, and predictive decisioning policies used by our clients for risk-based decisioning has been used by Experian to become a global leader in fraud and identity solutions. The industrialization of fraud continues to grow with an estimated 10,000 fraud rings in the U.S. alone and more than 2 billion unique records exposed as a result of data breaches in 2014. Experian continues to bring together new fraud platforms to help the industry better manage fraud risk. Our 41st Parameter technology has been able to detect over 90% of all fraud attacks against our clients and reduce their operational costs to fight fraud. 
Combining data and analytics assets can detect fraud, but more importantly, it can also detect the good customers so legitimate transactions are not blocked. Gartner reported that by 2020, 40% of enterprises will be storing information from security events to analyze and uncover unusual patterns. Big data uncovers remarkable insights to take action for the future of our fraud prevention efforts but also can mitigate the financial losses associated with a breach. In the end we need more data, not less, to keep up with fraudsters. Experian is hosting Future of Fraud and Identity events in New York and San Francisco discussing current fraud trends and how to prevent cyber-attacks aimed at helping the industry. The past skepticism no longer holds true as companies are realizing that data combined with advanced analytics can give them the insight they need to prevent fraud in the future. Learn more on how Experian is conquering the world of big data.

Published: October 21, 2014 by Guest Contributor

If rumors hold true, Apple Pay will launch in a week. Five of my last six posts had covered Apple’s likely and actual strategy in payments & commerce, and the rich tapestry of control, convenience, user experience, security and applied cryptography that constitutes as the backdrop. What follows is a summation of my views – with a couple of observations from having seen the Apple Pay payment experience up close. About three years ago – I published a similar commentary on Google Wallet that for kicks, you can find here. I hope what follows is a balanced perspective, as I try to cut through some FUD, provide some commentary on the payment experience, and offer up some predictions that are worth the price you pay to read my blog.

First the criticism.

Apple Pay doesn’t go far enough: Fair. But you seem to misunderstand Apple’s intentions here. Apple did not set out to make a mobile wallet. Apple Pay sits within Passbook – which in itself is a wrapper of rewards and loyalty cards issued by third parties. Similarly – Apple Pay is a wrapper of payments cards issued by third parties. Even the branding disappears once you provision your cards – when you are at the point-of-sale and your iPhone6 is in proximity to the reader (or enters the magnetic field created by the reader) – the screen turns on and your default payment card is displayed. One does not need to launch an app or fiddle around with Apple Pay. And for that matter, it’s even more limited than you think. Apple’s choice to leave the Passbook driven Apple Pay experience as threadbare as possible seems an intentional choice to force consumers to interact more with their bank apps vs Passbook for all and any rich interaction. In fact the transaction detail displayed on the back of the payment card you use is limited – but you can launch the bank app to view and do a lot more.
Similarly – the bank app can prompt a transaction alert that the consumer can select to view more detail as well. Counter to what has been publicized – Apple can – if they choose to – view transaction detail including consumer info, but only retains anonymized info on their servers. The contrast is apparent with Google – where (during early Google Wallet days) issuers dangled the same anonymized transaction info to appease Google – in return for participation in the wallet. If your tap don’t work – will you blame Apple? Some claim that any transaction failures – such as a non-working reader – will cause consumers to blame Apple. This does not hold water simply because – Apple does not get in between the consumer, his chosen card and the merchant during payment. It provides the framework to trigger and communicate a payment credential – and then quietly gets out of the way. This is where Google stumbled – by wanting to become the perennial fly on the wall. And so if for whatever reason the transaction fails, the consumer sees no Apple branding for them to direct their blame. (I draw a contrast later on below with Samsung and LoopPay) Apple Pay is not secure: Laughable and pure FUD. This article references an UBS note talking how Apple Pay is insecure compared to – a pure cloud based solution such as the yet-to-be-launched MCX. This is due to a total misunderstanding of not just Apple Pay – but the hardware/software platform it sits within (and I am not just talking about the benefits of a TouchID, Network Tokenization, Issuer Cryptogram, Secure Element based approach) including, the full weight of security measures that has been baked in to iOS and the underlying hardware that comes together to offer the best container for payments. And against all that backdrop of applied cryptography, Apple still sought to overlay its payments approach over an existing framework. 
So that, when it comes to risk – it leans away from the consumer and towards a bank that understands how to manage risk. That’s the biggest disparity between these two approaches – Apple Pay and MCX – that, Apple built a secure wrapper around an existing payments hierarchy and the latter seeks to disrupt that status quo.

Let the games begin: Consumers should get ready for an ad blitz from each of the launch partners of Apple Pay over the next few weeks. I expect we will also see these efforts concentrated around pockets of activation – because setting up Apple Pay is the next step to entering your Apple ID during activation. And for that reason – each of those launch partners understand the importance of reminding consumers why their card should be top of mind. There is also a subtle but important difference between top of wallet card (or default card) for payment in Apple Pay and its predecessors (Google Wallet for example). Changing your default card was an easy task – and wholly encapsulated – within the Google Wallet app. Whereas in Apple Pay – changing your default card – is buried under Settings, and I doubt once you choose your default card – you are more likely to not bother with it. And here’s how quick the payment interaction is within Apple Pay (takes under 3 seconds):

- Bring your phone in to proximity of the reader.
- Screen turns on.
- Passbook is triggered and your default card is displayed.
- You place your finger and authenticate using TouchID.
- A beep notes the transaction is completed.
- You can flip the card to view a limited transaction detail.

Yes – you could swipe down and choose another card to pay. But unlikely. I remember how LevelUp used very much the same strategy to signup banks – stating that over 90% of its customers never change their default card inside LevelUp. This will be a blatant land grab over the next few months – as tens of millions of new iPhones are activated.
According to what Apple has told its launch partners – they do expect over 95% of activations to add at least one card. What does this mean to banks who won’t be ready in 2014 or haven’t yet signed up? As I said before – there will be a long tail of reduced utility – as we get in to community banks and credit unions. The risk is amplified because Apple Pay is the only way to enable payments in iOS that uses Apple’s secure infrastructure – and using NFC. For those still debating whether it was a shotgun wedding, Apple’s approach had five main highlights that appealed to a Bank –

- Utilizing an approach that was bank friendly (and to status quo): NFC
- Securing the transaction beyond the prerequisites of EMV contactless – via network tokenization & TouchID
- Apple’s preference to stay entirely as an enabler – facilitating a secure container infrastructure to host bank issued credentials.
- Compressing the stack: further shortening the payment authorization required of the consumer by removing the need for PIN entry, and not introducing any new parties in to the transaction flow that could have introduced delays, costs or complexity in the roundtrip.
- Clear description of costs to participate – Free is ambiguous. Free leads to much angst as to what the true cost of participation really is (Remember Google Wallet?). Banks prefer clarity here – even if it means 15bps in credit.

As I wrote above, Apple opting to strictly color inside the lines – forces the banks to shoulder much of the responsibility in dealing with the ‘before’ and ‘after’ of payment. Most of the bank partners will be updating or activating parts of their mobile app to start interacting with Passbook/Apple Pay. Much of that interaction will use existing hooks in to Passbook – and provide richer transaction detail and context within the app.
This is an area of differentiation for the future – because those banks who lack the investment, talent and commitment to build a redeeming mobile services approach will struggle to differentiate on retail footprint alone. And as smarter banks build entirely digital products for an entirely digital audience – the generic approaches will struggle and I expect at some point – that this will drive bank consolidation at the low end. On the other hand – if you are an issuer, the ‘before’ and ‘after’ of payments that you are able to control and the richer story you are able to weave, along with offline incentives – can aid in recapture. The conspicuous and continued absence of Google: So whither Android? Uniformity in payments for Android is as fragmented as the ecosystem itself. Android must now look at Apple for lessons in consistency. For example, how Apple uses the same payment credential that is stored in the Secure Element for both in-person retail transactions as well as in-app payments. It may look trivial – but when you consider that Apple came dangerously close (and justified as well) in its attempt to obtain parity between those two payment scenarios from a rate economics point of view from issuers – Android flailing around without a coherent strategy is inexcusable. I will say this again: Google Wallet requires a reboot. And word from within Google is that a reboot may not imply a singular or even a cohesive approach. Google needs to swallow its pride and look to converge the Android payments and commerce experience across channels similar to iOS. Any delay or inaction risks a growing apathy from merchants who must decide what platform is worth building or focusing for. Risk vs Reward is already skewed in favor of iOS: Even if Apple was not convincing enough in its attempt to ask for Card Present rates for its in-app transactions – it may have managed to shift liability to the issuer similar to 3DS and VBV – that in itself poses an imbalance in favor of iOS. 
For a retail app in iOS – there is now an incentive to utilize Apple Pay and iOS instead of all the other competing payment providers (Paypal for example, or Google Wallet) because transactional risk shifts to the issuer if my consumer authenticates via TouchID and uses a card stored in Apple Pay. I have now both an incentive to prefer iOS over Android as well as an opportunity to compress my funnel – much of my imperative to collect data during the purchase was an attempt to quantify for fraud risk – and the need for that goes out of the window if the customer chooses Apple Pay. This is huge and the repercussions go beyond Android – into CNP fraud, CRM and loyalty.

Networks, Tokens and new end-points (e.g. LoopPay): The absence of uniformity in Android has provided a window of opportunity for others – regardless of how fragmented these approaches may be. Networks shall parlay the success with tokenization in Apple Pay into Android as well, soon. Prime example being: Loop Pay. If as rumors go – Samsung goes through with baking in Loop Pay into its flagship S6, and Visa’s investment translates into Loop using Visa tokenization – Loop may find the ubiquity it is looking for – on both ends. I don’t necessarily see the value accrued to Samsung for launching a risky play here: specifically because of the impact of putting Loop’s circuitry within S6. Any transaction failure in this case – will be attributed to Samsung, not to Loop, or the merchant, or the bank. That’s a risky move – and I hope – a well thought out one. I have some thoughts on how the Visa tokenization approach may solve for some of the challenges that Loop Pay faces on merchant EMV terminals – and I will share those later.
The return of the comeback: Reliance on networks for tokenization does allay some of the challenges faced by payment wrappers like Loop, Coin etc – but they all focus on the last mile and tokenization does little more for them than kicking the can down the road and delaying the inevitable a little while more. The ones that benefit most are the networks themselves – who now have wide acceptance of their tokenization service – with themselves firmly entrenched in the middle. Even though the EMVCo tokenization standard made no assumptions regarding the role of a Token Service Provider – and in fact Issuers or 3rd parties could each play the role sufficiently well – networks have left no room for ambiguity here. With their role as a TSP – networks have more to gain from legitimizing more end points than ever before – because these translate to more token traffic and subsequently incremental revenue – transactional and additional managed services costs (OBO – On behalf of service costs incurred by a card issuer or wallet provider). It has never been a better time to be a network. I must say – a whiplash effect for all of us – who called for their demise with the Chase-VisaNet deal.

So my predictions for Apple Pay a week before its launch:

We will see a substantial take-up and provisioning of cards into Passbook over the next year. Easy in-app purchases will act as the carrot for consumers.

Apple Pay will be a quick affair at the point-of-sale: When I tried it a few weeks ago – it took all of 3 seconds. A comparable swipe with a PIN (which is what Apple Pay equates to) took up to 10. A dip with an EMV card took 23 seconds on a good day. I am sure this is not the last time we will be measuring things.

The substantial take-up on in-app transactions will drive signups: Consumers will sign up because Apple’s array of in-app partners will include the likes of Delta – and any airline that shortens the whole ticket buying experience to a simple TouchID authentication has my money.
Apple Pay will cause MCX to fragment: Even though I expect the initial take up to be driven more on the in-app side vs in-store, as more merchants switch to Apple Pay for in-app, consumers will expect a consistency in that approach across those merchants. We will see some high profile desertions – driven partly due to the fact that MCX asks for absolute fealty from its constituents, and in a rapidly changing and converging commerce landscape – that’s just a tall ask.

In the near-term, Android will stumble: Question is if Google can reclaim and steady its own strategy. Or will it spin off another costly experiment in chasing commerce and payments. The former will require it to be pragmatic and bring ecosystem capabilities up to par – and that’s a tall ask when you lack the capacity for vertical integration that Apple has. And from the looks of it – Samsung is all over the place at the moment. Again – not confidence inducing.

ISIS/SoftCard will get squeezed out of breath: SoftCard and GSMA can’t help but insert themselves into the Apple Pay narrative by hoping that the existence of a second NFC controller on the iPhone6 validates/favors their SIM based Secure Element approach and indirectly offers Softcard/GSMA constituents a pathway to Apple Pay. If that didn’t make a lick of sense – It’s like saying ‘I’m happy about my neighbor’s Tesla because he plugs it in to my electric socket’.

Discover how an Experian business consultant can help you strengthen your credit and risk management strategies and processes: http://ex.pn/DA_GCP

This post originally appeared here.

Published: October 21, 2014 by Cherian Abraham

According to a recent 41st Parameter® study, 85 percent of consumers use online or mobile channels to conduct business.

Published: October 9, 2014 by Guest Contributor

In a recent webinar, we addressed how both the growing diversity of technology used for online transactions and the many different types of access can make authentication complicated. Technology is ever-changing and is continually reshaping the way we live. This leaves our industry to question how device intelligence factors into both the problem and solution surrounding diverse technologies in the online transaction space. Industry experts Cherian Abraham from the Experian Decision Analytics team and David Britton from 41st Parameter, a part of Experian, weighed in on the discussion.

Putting It All Into Context

Britton harkened back to a simpler time of authentication practices. In the early days of the web, user names and passwords were the only tools people had to authenticate online identities. Eventually, this led organizations to begin streamlining the process. “They did things like using cookies or placing files onto a computer so that the computer would be “known” to the business,” said Britton. However, those original methods are now struggling to fit into the modern-day authentication puzzle. “The challenge has been that for both privacy reasons and for the advancements of technology we have actually moved to a more privacy-centric environment where those types of things have fallen away in terms of their efficacy. For example, cookies are often easily deleted by simply browsing incognito. So as a result there’s been a counter move approach to how to authenticate online,” said Britton.

New Technology – A Quick Fix?

Don’t be fooled. Newer technologies cannot necessarily provide an easy alternative and incorporate older authentication methods. Britton referenced how the advent of mobile has actually made recognizing the consumer behind the device, the behavior of the machine and the data that the consumer is presenting even more complex. Additionally, rudimentary methods of authentication don’t actually exist well in the mobile environment.
On the other hand, newer technologies and the mobile environment force a more layered approach to authentication methods. “There is a better way and the better way is to look at a variety of other inspirations beyond user names and passwords before vindicating the customer. This is all the more evident when you get to newer channels such as mobile where consumer expectations are so different and you cannot rely on the customer having to answer a long stream of characters and letters such as a user name or a password,” said Abraham.

Britton weighed in as well on device intelligence and the layered approach. “Our whole philosophy around this has been that if you can recognize aspects of the device in the form of device intelligence – we’re able to actually leverage that information without crossing the boundaries of good privacy management. Furthermore, we are then able to say we recognize the attributes of the device and can recognize the device as that person is attempting to come back into an environment,” said Britton. He emphasized how being able to help companies understand who might be on the other end of the device has made a world of difference. This increasingly points to how authentication will continue to evolve in a multi-device, multi-screen and multi-channel environment.

For more information and access to the full webinar – Stay tuned for additional #fraudlifecycle posts.

Published: October 3, 2014 by Guest Contributor

Fraud is not a point-in-time problem and data breaches should not be considered isolated attacks, which break through network defenses to abscond with credentials. In fact, data breaches are just the first stage of a rather complex lifecycle that begins with a vulnerability, advances through several stages of validation and surveillance, and culminates with a fraudulent transaction or monetary theft.

Cyber criminals are sophisticated and have a growing arsenal of weapons at their disposal to infect individual and corporate systems and capture account information: phishing, SMSishing and vishing attacks, malware, and the like are all attempts to thwart security and access protected information. Criminal tactics have even evolved to include physical-world approaches like infiltrating physical call centers via social engineering attacks aimed at unsuspecting representatives. This, and similar efforts, are all part of the constant quest to identify and exploit weaknesses in order to stage and commit financial crimes.

There are some companies that claim malware detection is the silver bullet to preventing fraud. This is simply not the case. The issue is that malware is only one method by which fraudsters may obtain credentials. The seemingly endless supply of pristine identity and account data in the criminal underground means that detecting a user’s system has been compromised is akin to closing the barn door after the horse has bolted. That is, malware can be an indicator that an account has been compromised, but it does not help identify the subsequent usage of the stolen credentials by the criminals, regardless of how the credentials were compromised.

Compromised data is first validated by the seller as one of their “value adds” to the criminal underground and typically again by the buyer. Validation usually involves logging into an account to ensure that the credentials work as expected, and allows for a much higher “validated” price point.
Once the credentials and/or account have been validated, cyber criminals can turn their attention to surveillance. Remember, by the time one realizes that credential information has been exposed, cyber criminal rings have captured the information they need – such as usernames, passwords, challenge responses and even token or session IDs – and have added it to their underground data repositories. With traditional online authentication controls, it is nearly impossible to detect the initial fraudulent login that uses ill-gotten credentials. That is why it is critical to operate from the assumption that all account credentials have been compromised when designing an online authentication control scheme.
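The validation stage described above leaves a trace that a password check alone cannot see: one device, new to every account it touches, logging in successfully to several accounts within a short time. The Python example below is added here and is not part of the original post or of any Experian product; the event fields, device fingerprint strings, thresholds and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: device fingerprints previously seen on each account.
KNOWN_DEVICES = {
    "alice": {"dev-A"},
    "bob": {"dev-B"},
    "carol": {"dev-C"},
    "dave": {"dev-D"},
}

# Constructed login events: (timestamp, account, device fingerprint, success).
EVENTS = [
    ("2014-09-29T09:00:00", "alice", "dev-A", True),   # usual device
    ("2014-09-29T09:05:00", "alice", "dev-X", True),   # unknown device
    ("2014-09-29T09:07:00", "bob",   "dev-X", True),   # same device, second account
    ("2014-09-29T09:08:00", "erin",  "dev-X", False),  # stale credential, login fails
    ("2014-09-29T09:12:00", "carol", "dev-X", True),   # third account in 7 minutes
    ("2014-09-29T10:30:00", "dave",  "dev-E", True),   # new phone, one account only
    ("2014-09-29T14:00:00", "bob",   "dev-B", True),   # usual device
]


def flag_validation_devices(events, known_devices, window_minutes=60, min_accounts=3):
    """Return {device: [accounts]} for devices that logged in successfully to
    at least `min_accounts` accounts they were not known on, inside one
    sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)

    # Keep only successful logins from a device that is new to that account.
    hits_by_device = defaultdict(list)
    for ts, account, device, success in events:
        if success and device not in known_devices.get(account, set()):
            hits_by_device[device].append((datetime.fromisoformat(ts), account))

    flagged = {}
    for device, hits in hits_by_device.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            accounts = {account for _, account in hits[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[device] = sorted(accounts | set(flagged.get(device, [])))
    return flagged


if __name__ == "__main__":
    for device, accounts in flag_validation_devices(EVENTS, KNOWN_DEVICES).items():
        # Accounts listed here should be treated as having validated stolen
        # credentials: force a reset and step up authentication.
        print(device, "->", ", ".join(accounts))
```

The single new-device login on "dave" is not flagged, which is the point of linking by device rather than alerting on every unfamiliar device.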

Published: September 29, 2014 by Guest Contributor

Cherian Abraham, our mobile commerce and payments consultant, recently wrote about the future of mobile banking in regards to the Apple Pay news out this week. The below article originally appeared in American Banker and is an edited version of his blog post.

Editor's note: A version of this post originally appeared on Drop Labs.

Depending on who you ask, the launch of Apple Pay was either exciting or uninspiring. The truth is far more complicated — particularly in terms of how it will impact the dynamics of Apple's relationship with banks. I would venture that most of the financial institutions on stage at the launch of Apple Pay earlier this week have mixed feelings about their partnership. They have had to sacrifice a lot of the room for negotiation that banks have retained with other wallet players such as Google Wallet and Softcard (the company formerly known as Isis).

If you are an Apple Pay launch partner, having your credential or token on Apple Pay does not mean that you get to extend that credential into your own mobile banking app or wallet. For example, Bank A, with its credentials stored on Apple Pay, cannot leverage those credentials so that its own mobile banking app can use them to enable direct payments. Banks will have to accept that their credentials will be indefinitely locked to Apple Pay till deletion.

No bank wants its brand to be overshadowed by Apple, nor do banks want smartphone users to close their app and open up a different wallet to make a payment. But this was not up for debate with Apple, which wants to tightly control the payment experience. This should be a cause of concern for Apple Pay partner banks, for whom enabling payments outside of Apple Pay in iOS is now off the table. Banks' only hope of having an integrated payment experience is to focus on Android, which supports host card emulation technology. HCE uses software to emulate a contactless smart card and communicate with near-field communication readers.
I would expect a lot of banks to revisit Android and HCE in upcoming months. That goes double for the institutions that were not chosen to partner with Apple, along with retailers who have not rejected contactless payments as a modality in stores.

Given that Apple will reportedly collect fees from its partner banks when customers execute transactions on the mobile wallet, all banks should be thinking about ways that they can make their presence on other Apple offerings more lucrative. If I were them, I would begin segmenting customers who hold one of iTunes' 500 million active accounts to see which ones are affluent spenders and which cards have higher interest rates, then implement targeted customer incentive strategies to move Apple users to higher-rate cards. I would use the same tactic to convince customers to replace debit cards on file with iTunes with credit cards.

But the big takeaway is that from here on out, banks can only gain incremental value from iOS. If they want to create a unified payment system that customers can use as part of their existing banking relationships, they'll have to focus on Android. Should that happen, I doubt that Apple could prevent such moves from diluting its merchant value proposition. But such moves on the part of issuers are hardly long-term strategies to incentivize frequent usage, merchant participation and overall customer value.

To learn more about how Experian can help you with your mobile banking needs, please visit: http://ex.pn/1t3zCSJ?INTCMP=DA_Blog_Post091214

Published: September 12, 2014 by Guest Contributor

By: Maria Moynihan

At a time when people are accessing information when, where and how they want to, why aren’t voter rolls more up to date? Too often, voter lists aren’t scrubbed for use in mailing, and information included is inaccurate at the time of outreach. Though addresses and other contact information become outdated, new address identification and verification has not typically been a resource focus. Costs associated with mandated election-related communications between government and citizens can add up, especially if messages never get to their intended recipients and, in turn, Registrar Offices never get a response.

To date, the most common pitfalls with poorly maintained lists have been:

- Deceased records — where contact information for deceased voters has not been removed or flagged for mailing
- Email and address errors — where those who have moved or recently changed information failed to update their records, or where errors in the information on file make it unlikely for the United States Postal Service® to reach individuals effectively
- Duplicate records — where repeat records exist due to update errors or lack of information standardization

With resources being tighter than ever, Registrar Offices now are placing emphasis on mailing accuracy and reach. Through third-party-verified data and advanced approaches to managing contact information, Registrar Offices can benefit from truly connecting with their citizens while saving on communication outreach efforts.

Experian Public Sector recently helped the Orange County Registrar of Voters increase the quality of its voter registration process. Click here to view the write-up, or stay tuned as I share more on progress being made in this area across states.

Published: September 3, 2014 by Guest Contributor

More than ever before, there may now be credence in the view that the majority of consumers’ personally identifiable information (PII), user names and passwords, and even some authentication tokens have been, or are, at risk of compromise. Between sophisticated hacking schemes and regularly reported and sometimes unreported data breaches, those charged with implementing and maintaining identity authentication and management systems must assume this to be true. In doing so, the need for layered authentication becomes readily apparent.

Layered authentication can mean many things to many people, but I would offer it up as diversifying authentication and risk assessment techniques and processes across multiple elements and attributes throughout the customer lifecycle. These elements and attributes, and their corresponding techniques, can include:

- traditional PII validation and verification
- identity transaction link analysis and risk attribute derivation
- credit and non-credit data and risk attributes
- identity risk scores
- knowledge-based authentication question performance
- device intelligence and risk assessment
- credentials
- biometrics

They should be layered proportionally by inherent risk per application, addressable population, transaction history and types, current transaction, and access channel, for example.

Industry guidance such as the FFIEC Guidance of Authentication in an Internet Banking Environment is a solid foundational direction that calls out the need for institutions to move beyond simple device identification — such as IP address checks, static cookies and challenge questions derived from customer enrollment information — to more complex device intelligence and more complex out-of-wallet identity verification procedures. I would suggest that while this is a great start, it is by no means comprehensive.
Institutions across all markets, both private and public sectors, should be exploring all available services and technologies in an effort to reduce reliance on one or only a few methods of authentication and identity management. This matters particularly, again, when assuming that the one method an institution may rely on could be greatly weakened or without value if subject to mass compromise.

Make sure to read our Comply whitepaper to gain more insight on regulations affecting financial institutions and how you can prepare your business. Learn more about how your business can authenticate consumers confidently.

Published: August 22, 2014 by Keir Breitenfeld
