Regulations like GDPR and PSD2 are shifting where and how fraudsters attack, giving them alternative methods to create havoc. Forter’s CTO Iftah Gideoni discusses how to fight back against fraud with fraud prevention measures that evolve just as quickly.
Today, data is the most valuable asset for consumers, businesses and fraudsters alike. Thanks to the rise in technological innovations, including the cloud, remote work and e-commerce breakthroughs, we now have the ability to do anything, from anywhere, at any time. But there’s also a dark side to this constant connectivity: criminals seeking to exploit personal, sensitive information, ranging from bank account numbers and credit card credentials to customer loyalty accounts. In fact, according to recent research, fraud attacks on loyalty accounts increased by 89 percent in the past year alone.
In parallel with this data evolution, we are witnessing a growing focus by consumers, enterprises and regulators on the privacy and security of data collected, stored and shared online. Legislatures and regulatory bodies are passing more wide-reaching and comprehensive privacy laws, including Europe’s GDPR, which became binding in May 2018, and the California Consumer Privacy Act (CCPA), which takes effect in 2020. We should expect this trend to only increase; any enterprise dealing with personal data must be able to stand behind its privacy compliance program.
In the European Union, the Second Payment Services Directive (PSD2) came into effect last month. This regulation is intended to democratize access to data and simultaneously protect it through strong customer authentication. Given the complexity of compliance and attendant business implications, the U.K. and several other nations have announced enforcement delays, which vary from country to country. And while this regulation is intended to better safeguard data and payments, it may create headwinds for customer conversion — in fact, as many as half of consumers (49 percent) are likely to abandon online/mobile purchases if faced with a multi-step authentication process as outlined by PSD2.
As regulatory and legislative bodies continue their efforts to protect consumers and personal data, businesses need to build compliance programs that still optimize user experience and customer satisfaction and that take into account the adaptability and ingenuity of fraudsters and cybercriminals.
The Unintended Consequences of Increased Compliance
While both GDPR and PSD2 are intended to protect data, in reality, today’s payments ecosystem is too complex for legislation to predict and guard against fraudsters’ next moves. Making matters worse, online fraudsters are only growing in sophistication. These criminals are shifting their focus from brute-force attacks, where a high quantity of attacks increased the likelihood of a payoff, to investing in higher-quality, targeted attacks, where one attack translates to a larger and more meaningful payoff.
In the case of PSD2, a potential unintended consequence of this regulation is the shift in fraudulent activities outside the EU. PSD2 may make fraud more difficult at the point of transaction in the EU, leading fraudsters to shift to other geographies and attack points outside of the region. Criminals who stop using European data won’t stop stealing; they’ll just start stealing elsewhere.
Privacy regulations like GDPR and CCPA are giving consumers more rights to access and request deletion of their data. This introduces the risk of fraudsters disguising themselves as legitimate actors and demanding all data on their personas be removed. The ability to identify fraudsters as returning bad actors is vital to all fraud-fighting efforts, and the loss of historical data would be a serious handicap to proper prevention.
Fighting Back Against Fraud: Understanding Your Ecosystem
One of the most effective ways to combat the unintended risks that regulations like PSD2 and GDPR bring is to develop a deep understanding of your organization’s ecosystem, as well as the users who are a part of it. This includes:
- A full understanding of good and bad actors, as well as the connections between them, which can provide the necessary framework for protecting an online business.
- Knowing how your fraud prevention system recognizes fraudulent behavior – for example, can your system detect fraudsters when they return in different guises?
- Going beyond matching obvious data points such as addresses, names or even IP addresses to instead match behavioral data and patterns, while using cyber intelligence to piece together unclear elements.
- Lastly, in order to guard against the risk of geographical fraud patterns, it’s important that your fraud prevention system be sensitive to genuine behaviors within different geographical areas and be able to flag when a user does not match the expected norms for their location.
Fraudsters are becoming ever more sophisticated, so your organization needs to evolve in turn when it comes to fraud prevention. Add to this equation the ongoing challenges and changes that compliance regulations like PSD2 and GDPR bring, and it may create a recipe for disaster.
Make sure your customers and accounts are protected by a system that knows your customer base just as well as you do. Doing so requires flexibility, continuous innovation and an ongoing effort to stay ahead of criminals and to keep up with the evolution in customer behaviors and expectations. However, with constant, accurate and informed protection, you can maintain compliance, security and customer trust.