The pandemic payments trade-off
Contactless payments have rocketed as the risk of spreading disease by touching money and payment terminals saw the world's consumers adopt a 'no-touch', socially distanced approach to transacting. In 2020, the World Health Organisation released its advice, urging a switch to contactless to slow the spread of Covid-19. As a result, the UK and 29 European countries raised their limits on contactless payments that year and it became vital in helping to sustain economies. The UK didn’t stop there. It raised its limit again to £100 in October 2021, making UK consumers among the world’s biggest spenders without having to confirm their identity.
Today, it is the preferred choice of payment in many countries, with the contactless market set to reach a global value of US$6.25 trillion by 2028. Europe and the UK are currently leading the market. As many as three quarters of all Mastercard transactions in Europe are taking place in this way. In the UK, thanks to the higher limit, Visa has cited that eight-in-ten in-person payments are now contactless.
For banks and merchants, it has enabled them to provide faster, frictionless transactions and more positive experiences for their customers. For consumers, contactless payments have given them convenience, ease and security. What about for fraudsters?
Will contactless payment open up potential new security issues?
The rapid growth of this form of payment has attracted the attention of fraudsters who are always seeking out new methods to steal money.
If we look at the current numbers against the wider backdrop of card fraud, they are fairly low in comparison. For example, in the UK, data from UK Finance revealed that in 2020 there was a total of £574 million lost through card fraud. Of this, only £16 million represented contactless payment fraud. Against a total of £9.46 billion worth of contactless transactions, that equates to 1.8p worth of fraud in every £100 spent using contactless technology. Across Europe, research from Visa in 2021 revealed that, for now, the rise in contactless limits has not corresponded into a rise in fraud rates. The impact of the higher limits for contactless payments may not yet be evident but the value we carry in our purses and wallets that can be used by a fraudster or thief has increased significantly.
The kind of fraud that takes place in the realm of contactless payments, is currently fairly unsophisticated - the accidental loss or deliberate theft of a debit or credit card. Criminals can make several purchases up to the limit before a PIN is needed. This ensures that even if the loss or theft of the card has not been immediately realised and reported to the provider, there's a hard limit on the number of times it can be used.
Still, the increase in contactless transaction limits translates into increased profits for criminals from a single transaction. Contactless cards have become standard issue in most banks, so consumers frequently carry multiple contactless cards all with a limit of £100 each. These cards can be used up to the limit three times in succession without facing a security check. So, for example, if a criminal manages to get hold of a wallet holding three different cards, the value of that wallet to them would be up to £2,700. It’s not an insignificant amount.
Mobile phone payments instead of a physical card offers the added security of face-ID, fingerprint or a passcode, while the cards themselves might be left in a ‘safe place.’ If they happen to be stolen from the ‘safe place’, how many transactions will take place before the owner realises what has happened and informs the bank?
While levels of fraud associated with contactless payments are currently low, history has shown us that fraudsters will keep evolving their techniques to find new ways to steal people’s money.
Take for example the growth of scams. With the rise of ID theft, banks invested heavily in authentication processes to ‘strengthen the locks on their front door.’ Aware of this, fraudsters have found more creative ways to access those funds, through Authorised Pushed Payment fraud, or scams. People have been tricked into willingly opening the ‘front doors’ to their finances and enabling criminals to bypass those traditional authentication processes.
It may only be a matter of time before fraud related to contactless payment becomes more sophisticated.
Mitigate the risks now
Banks and financial institutions will have to refund unauthorised payments, unless their customers have broken the rules or been ‘grossly negligent.’ It’s a grey area, and with the increased limit and, therefore, increased value of a person’s wallet, it’s important that banks and financial institutions start putting measures in place to mitigate any risk of contactless payment fraud.
- Implement AI and machine learning
Investment in AI and machine learning to predict customer behaviour and spot signals of fraudulent behaviour will prove invaluable in identifying potentially fraudulent transactions. Sophisticated solutions like FICO’s Falcon Fraud Manager can investigate transactions from alternative perspectives, and provide a highly predictive view on the likelihood of fraud.
Based on the premise that human beings are creatures of habit, it monitors an individual's frequent, repeated payment behaviours and assesses whether certain purchases are out of character. For example, is a card suddenly being used for multiple transactions? Are each of the transactions close to the allowed limit? Do the purchases hold certain attributes that are attractive to criminals ie could they easily be re-sold?
- The right communication
If fraud is suspected, then providers can choose to alert their customers by SMS with a ‘was this you?’ text or notifications in a phone app. The crucial point here is that any response to an ‘indication of potential fraud’ will need to be timely and proportionate. If suspicion of fraud is regularly stopping legitimate transactions, customers will be deterred from using that specific card or even choose to move to a new provider.
Our research has shown that for 27% of the UK population, a significant irritation is when a fraud alert related to a purchase decline was too slow or never arrived. For over a third of the UK population, it only takes two to three erroneous purchase declines before they take their custom elsewhere (34%).
- Enable customers to be more proactive
Providers should consider factoring in the ability for customers to use their banking and card apps to ‘turn on’ and ‘turn off’ the ‘contactless’ feature on their card. It gives them control at times when they know they will not need to use their card for a period, rendering it valueless to a thief if stolen. It will also enable customers to be more proactive in stopping transactions the moment they realise their card has been lost or stolen.
Fraud – an ongoing fight
Contactless payments have become the norm. In the UK alone, billions of pounds are spent using contactless bank cards. It offers significant advantages for banks, merchants and consumers alike. However, in this growing culture of ‘tap and go,’ it would be quite easy for consumers to lose track of spending, and even easier for criminals to take advantage. At present, fraud rates are a low, but we also know that fraudsters are resourceful at finding new and creative routes to accessing other people’s money illegally.
The fight against fraud must also keep evolving with more creative ways to ensure contactless payments remain secure.
How FICO’s Advanced Analytic Capabilities Can Help Your Organization Fight Fraud
- Learn more about FICO’s fraud focused AI and Machine Learning
- Understand the role customer communications play in fraud management
- Find out how data orchestration can be used to fight fraud