Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/12/2019
02:15 PM
50%
50%

More Focus on Security as Payment Technologies Proliferate

Banks and merchants are expanding their payment offerings but continue to be wary of the potential fraud risk.

More than three-quarters of companies are investing in new payment technologies, despite concerns about the security of specific implementations and the potential for transaction fraud, according to a Forrester Research report released on August 12. 

The report, "Understanding the Evolving Payments Landscape," says that retail merchants and online businesses expect the way that consumers pay for goods to change relatively quickly, with about half expecting to face increasing choices in payment offerings. At the same time, 61% of financial institutions and merchants believe that fraud will also increase.

This bifurcated outlook on the financial future is not all that surprising because many consumers are quick to adopt the latest technology, while companies often distrust new technologies until they prove themselves, says R.L. Prasad, senior vice president of payment system risk at Visa, which commissioned the Forrester report.

"Consumers are becoming more and more comfortable with carrying money on their phone, so mobile wallet expansion is an area that will see a lot of growth," he says. "Peer-to-peer payments are also here to stay. The convenience is unparalleled right now."

As merchants and credit-card issuers continue to suffer significant breaches, Visa and other payment technology companies are looking to improving analytics and deploy machine learning that can detect and prevent fraud. The Forrester report says that while digital payments have lower fraud rates, the impact of fraud in card-not-present transactions — the most common type of digital transaction —is much worse. Card-not-present fraud affected 28% of companies surveyed but accounted for 40% of fraud volume.

The continued concerns of merchants and business comes as they adopt more payment technologies. Fifty-eight percent of those surveyed support digital wallets, and 60% support peer-to-peer payments, according to the Forrester report. Almost three-quarters of respondents support paying bills through mobile banking.

"Consumers' usage of new payment technologies is expected to increase substantially over the next five years," according to the report. "Banks, merchants, and fintechs are working hard to ensure they offer these capabilities to their customers."

Yet many merchants and banks do not have the security maturity to guard against fraudulent transactions. Most are still using usernames and passwords to protection accounts, without two-factor authentication. Half of merchants use some device data to identify the user, and 43% use some form of biometrics. Ways of countering fraud generally add friction to any transaction, potentially resulting in a lost sale. For that reason, many companies do not like their options to combat fraud.

"There are a lot of merchants and stakeholders in the payment ecosystem who are immature in their processes," Prasad says. "Increasingly, those smaller and less-mature clients are seeking ways of improving their security."

Most companies are hiring staff specifically tasked with security and anti-fraud roles, while more than three-quarters are spending on new tools to help secure transactions. 

Merchants and banks need to improve their anti-fraud defenses because cybercriminals are already doing so, Visa's Prasad says. In the past three years, the company has seen fraudsters adopt a new technique, using machine learning to attempt to find valid credit card numbers by generating account numbers and then distributing the testing of those numbers across a large number of sites to evade detection.

"Fraudsters are using artificial intelligence to advance their techniques," he says. "We see large-scale attacks happening, [where] they don't have to steal a card from a wallet, but they can actually enumerate the numbers."

The best approach to combating fraud is to improve security holistically, investing in people, products, and collaboration with service providers, Prasad says. About two-thirds of companies with mature security processes say that partners are critical to the effort, the report states.

Related Content

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19698
PUBLISHED: 2019-12-10
marc-q libwav through 2017-04-20 has a NULL pointer dereference in wav_content_read() at libwav.c.
CVE-2019-4428
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621
PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.