Will contactless payments expose Asia to greater fraud risk?

Brian Kinch, Senior Partner – Fair Isaac Advisors, FICO

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

Asia is slowly embracing contactless payments. Singapore, for example, uses contactless payment for everyday conveniences including public transportation rides. Now, people are asking about its impact on fraud. This was a point of discussion at a recent conference on fraud, where Peter Bayley from Visa and I debated some of the issues arising.

The good news is that contactless doesn't appear to increase fraud. But it could.

The first thing to note here is that the type of fraud consumers worry about is hugely unlikely. This is "proximity intercept," where a card's signal is grabbed by a fraudster's device. The fear of this is played on by the manufacturers of physical RFID wallets. It sounds plausible but has not proven to be a big problem.

The more likely potential threat of contactless is actually more complicated, and involves "disowned" transactions where the consumer fails to recall a transaction; in extreme circumstances this can lead to the kind of fraud most of us don't want to think about -- first-party fraud.


Where the Consumer is the Criminal

First-party fraud is one of the most prevalent, growing and insidious forms of fraud in mature EMV (chip issuance) markets. This is essentially where the individual who undertakes the fraud has either performed or facilitated the fraud in their own or a completely synthetic (fictitious) identity. In short, there is no consumer victim. Estimates suggest that first-party fraud -- which is often hidden in a bank's credit and collections losses because of the difficulty in identifying it -- dwarfs third-party fraud, including card-not-present (CNP) transactions, lost and stolen, and counterfeit put together.

Identity and payment security defences are usually vested in a multi-factor requirement -- in a card context this would typically mean a card authentication method or CAM (something you have), such as a satisfactory chip read, and a cardholder verification method or CVM (something you know), which would typically mean a PIN. In a contactless payment context -- which consists almost exclusively of low-value transactions -- there is of course only a CAM, not a CVM. So this has a lower level of security commensurate with the lower risk values.

Obviously there are good convenience reasons for the prevalence of contactless, especially where speed of transaction is all-important.

Add first-party fraud to contactless payments and you get some interesting market dynamics.


Challenging Contactless Transactions

Because contactless typically involves a customer not receiving a receipt, there is a higher chance of a consumer not recognising transactions. This is exacerbated by consumers believing that there are technology challenges with contactless; for example, the problems with "card clash" or failed payment because two or more contactless cards are in close proximity.
