The Public-Private Partnership Forum: Card-Not-Present Fraud & How to Prevent It



WASHINGTON, D.C. — Most of us have done it, multiple times. We like the near-instant gratification that retailers such as Amazon provide us. You pop open your app, scroll until you find that set of noise-cancelling headphones or the latest best-selling book you want to take on vacation and voila! No need to run an extra errand. No need to rush to the store after work. No need to even pull out your credit card. By clicking a few buttons, Amazon facilitates it all for you, and even delivers the items to your doorstep.

The marketplace reflects that sentiment. The U.S. Census Bureau indicated that ecommerce is big business. In 2016, online sales were up to $102.7 billion.

Yet with ultra-efficiency and Prime shipping expediency comes risk. The risk is known as card-not-present (CNP) fraud, which describes purchases made without the presentation of a physical credit or debit card.

At the last event in a three-city, three-part series, the Thomson Reuters Public-Private Partnership Forum, held last week in Washington, D.C., Bob Schukai, Global Head of Design for Digital Identity Solutions at Thomson Reuters, discussed how digital identity can evolve in the payment space to help combat CNP fraud, a distinctive type of ecommerce fraud.

Ecommerce Fraud on the Rise

Ecommerce fraud attacks in the U.S. rose 30% from 2016 to 2017, a staggering statistic. And if you live in Delaware, Oregon, Washington, D.C., Florida, or Georgia, you are even more likely to have your identity or payment card information used fraudulently. “The amount of card-not-present fraud is pretty high in the US and even worse in a lot of countries around the world,” Schukai said.

If you are the customer, should you just shut down your Amazon account, like you’ve vowed to do with your Facebook account after the Cambridge Analytica scandal, and simply head back to your local brick-and-mortar store? If you are an online retailer, should you just accept this risk as simply the price to play? To both questions, the answer is a resounding “No.”

CNP Fraud: Here’s How It Works

As consumers, we love the convenience of a CNP transaction; and these transactions happen every day, either through your mobile device or desktop computer. According to the Pew Research Center, 77% of U.S. adults say they own a smartphone. That’s a lot of opportunities to go shopping online, whether to buy something on Amazon or your daily espresso shot through the Starbucks app.


Bob Schukai, Global Head of Design for Digital Identity Solutions at Thomson Reuters, discusses fraud at the recent Public-Private Partnership event.

Fraudsters also love CNP transactions for almost the same reason: ease of use. CNP fraud happens when a cybercriminal obtains some combination of a cardholder’s name, billing address, account number, three-digit security code, or card expiration date. These details can be stolen electronically, without obtaining the physical card. The problem is, retailers are often more concerned with the bottom line than with identity verification.

“You have an Amazon login and you give that login to your spouses, kids, your friends,” Schukai explained. “Amazon doesn’t really care if it is Bob making the purchase or Gina.”

What they care about is that the credit card goes through.

Fixing an Outdated Payment System

“We can fix this problem,” Schukai said. And it is in the palm of our hands — our mobile device. So, how can we utilize it for identity verification? Biometric authentication.

“We are not going to authenticate a purchase with knowledge-based questions like the name of your first-born kid or your dog,” Schukai explained, adding that such a practice makes it too easy for savvy fraudsters to find the information.

Instead, Schukai’s team built a CNP demonstrator. It works like this: You enroll as a banking customer, and provide any number of identifying biometrics that are personal to you such as a fingerprint or facial recognition.

At the time of the transaction, if a dollar amount or your risk score triggers a need for authentication, you will get an authentication request sent to your mobile device through a secure channel, not through SMS (like texts), which Schukai warned is rather insecure. Through the authentication request, you will again provide your fingerprint or facial identification at the time of the transaction. The higher the transaction risk, the more friction there will be.

“If I am reloading $10 on my Starbucks card, I can simply look at my phone. It sees that I’m Bob and reloads. But there should be more friction if I am applying for a loan, moving $5,000 or a litany of other transactions.”
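The step-up flow described above, written out as an added example (it is not code from the Thomson Reuters demonstrator). The thresholds, transaction kinds, channel names and the 0.0-1.0 risk score are constructed assumptions, since the article gives none.

```python
from dataclasses import dataclass
from enum import IntEnum

class Friction(IntEnum):
    NONE = 0             # below every trigger: no prompt
    ONE_BIOMETRIC = 1    # e.g. a face match on the enrolled phone
    TWO_BIOMETRICS = 2   # e.g. face plus fingerprint

# Constructed policy values (assumptions; the article states no thresholds).
AMOUNT_TRIGGER_CENTS = 500
HIGH_AMOUNT_CENTS = 500_000           # the $5,000 transfer in the article
RISK_TRIGGER, HIGH_RISK = 0.30, 0.70  # hypothetical 0.0-1.0 risk score
HIGH_RISK_KINDS = {"loan_application"}
SECURE_CHANNELS = {"app_push"}        # SMS is deliberately not listed

@dataclass(frozen=True)
class Transaction:
    kind: str
    amount_cents: int
    risk_score: float

def required_friction(tx: Transaction) -> Friction:
    """Map dollar amount, transaction kind and risk score to a friction tier."""
    if (tx.kind in HIGH_RISK_KINDS or tx.amount_cents >= HIGH_AMOUNT_CENTS
            or tx.risk_score >= HIGH_RISK):
        return Friction.TWO_BIOMETRICS
    if tx.amount_cents >= AMOUNT_TRIGGER_CENTS or tx.risk_score >= RISK_TRIGGER:
        return Friction.ONE_BIOMETRIC
    return Friction.NONE

def decide(tx, enrolled, channels, verified=frozenset()):
    """Return 'approve', 'challenge' or 'decline' for one CNP transaction.

    enrolled: biometrics registered at enrollment; channels: ways to reach the
    device; verified: biometrics the device reports as matched for this request.
    """
    need = required_friction(tx)
    if need is Friction.NONE:
        return "approve"
    if not set(channels) & SECURE_CHANNELS:
        return "decline"      # fail closed instead of downgrading to SMS
    if len(set(enrolled)) < need:
        return "decline"      # customer cannot satisfy this tier
    matched = set(verified) & set(enrolled)   # ignore unenrolled modalities
    return "approve" if len(matched) >= need else "challenge"
```

The two decline branches are the part the prose leaves implicit: when the required tier cannot be met over a secure channel, the policy refuses the transaction rather than lowering the bar.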

Demand Change

Schukai said we can solve a lot of issues relating to fraud if we demand that the market change to a use-case specific model, adding that he believes we should be rethinking and challenging the discussion around digital identity to be use-case specific.

Using a mobile device — something almost everyone owns — is a much more powerful indicator of who you are than answering a recycled question about where you met your spouse, no matter how nostalgic that is for you.
