The Payment Services Directive (PSD2) requirements for digital payments were first introduced two years ago. What effects and benefits have followed the legislation?
PSD2 has raised the baseline security standard across Europe. Still, fraud is not stopping, and the COVID-19 pandemic has caused the phenomenon to grow exponentially. Regulation can help, but it cannot solve the problem on its own, since the weakest link in the fraud chain is always the end user.
Indeed, the introduction of Strong Customer Authentication (SCA) as one of the PSD2 requirements has made fraud through technical vectors more difficult. Since two-factor authentication takes place on different channels (web and mobile), developing coordinated malware attacks between the browser and the mobile app has become challenging for fraudsters. This initially led to a decrease in financial malware. Then, in 2021, mobile malware resumed its growth.
Fraudsters have adapted to PSD2 by changing how they approach their victims. Mostly, they choose social engineering to induce the user to make payments or to provide the valuable information needed to finalize the fraud. Social engineering differs from all other types of payment fraud because the fraudster does not directly compromise a payment transaction or a financial institution. Instead, the fraudster exploits human error or cognitive biases to manipulate a user into disclosing personal credentials. The European Central Bank (ECB) has acknowledged the limits of the technical security measures provided by PSD2 against social engineering, underlining the importance of end-user awareness campaigns about this sneaky phenomenon.
HOW DOES SOCIAL ENGINEERING WORK?
Social engineering is a manipulation technique that exploits human error to gain access to valuable private information. Initially, the fraudster collects the victim's personal information through phishing campaigns or by purchasing it on the dark web. Then, he contacts the victim pretending to be a bank operator and instructs him to log in to the bank account (first-factor authentication). From here, there are three scenarios.
In the first, the victim is led to activate a token and then to authorize the fraudulent payment (second factor).
In the second scenario, the fraudster induces the user to install a remote management tool (not necessarily malware) on the user's device. He then takes control of the device and finalizes the payment himself.
In the third scenario, the user is pushed to authorize the payment autonomously.
As we have seen, social engineering fraud is not easily addressed by the fraud prevention requirements introduced in PSD2. The most effective way to block suspicious operations in real time is therefore a behavioral anti-fraud system capable of making the most of the information collected about the user and his devices.
XTN Cognitive Security Platform® provides functionalities to fight social engineering thanks to holistic controls that evaluate a wide range of risk indicators, for example:
- Behavioral analysis of user operations: identifies transactions that diverge from the user's usual habits.
- Biometric analysis of user-device interaction: useful for identifying Account Takeover.
- Correlation of suspicious patterns: for example, a series of suspicious payments after a token initialization.
- Geolocation anomaly identification between the web and mobile channels: a valid indicator in the context of a broader assessment.
- RAT detection: detects operations remotely governed via a RAT, even when performed through legitimate solutions such as TeamViewer.
- Device fingerprinting analysis: useful for detecting anomalies such as a device shared by a suspicious number of users.
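The list above names the indicators but not how they combine into a real-time decision. The following added example (written for this page, not code from XTN or from the Cognitive Security Platform) shows one way a behavioral scoring engine can evaluate a payment against a user's history: amount and payee habits, the "payment after token initialization" correlation, a web/mobile geolocation mismatch, a device shared by too many users, and a remote-control signal. The event model, field names, weights, thresholds and sample events are all constructed assumptions; a production system would calibrate them on real traffic and add the biometric signals the list mentions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import List, Optional, Tuple


# Constructed event model (field names are assumptions): a real platform would receive
# these events from its web/mobile SDKs and the payment back end.
@dataclass
class Event:
    ts: datetime
    user: str
    channel: str                  # "web" or "mobile"
    kind: str                     # "login", "token_init" or "payment"
    device: str                   # device fingerprint id
    country: str                  # geolocation of the session
    amount: float = 0.0
    payee: Optional[str] = None
    remote_control: bool = False  # client-side signal: a remote-access tool drives the session


def behavioral_indicators(history: List[Event], tx: Event) -> List[str]:
    """Compare a payment with the user's own past payments (amount and payee)."""
    past = [e for e in history if e.kind == "payment" and e.user == tx.user]
    hits = []
    if past:
        if tx.amount > 3 * median(e.amount for e in past):
            hits.append("amount_far_above_typical")
        if tx.payee not in {e.payee for e in past}:
            hits.append("new_payee")
    return hits


def payment_after_token_init(history: List[Event], tx: Event,
                             window: timedelta = timedelta(hours=24)) -> bool:
    """Correlation rule: a payment shortly after a token initialization on the same account."""
    return any(e.kind == "token_init" and e.user == tx.user
               and timedelta(0) <= tx.ts - e.ts <= window for e in history)


def geo_mismatch(history: List[Event], tx: Event,
                 window: timedelta = timedelta(hours=1)) -> bool:
    """The user's other channel (web vs. mobile) was active from a different country."""
    other = "mobile" if tx.channel == "web" else "web"
    return any(e.user == tx.user and e.channel == other and abs(tx.ts - e.ts) <= window
               and e.country != tx.country for e in history)


def shared_device(history: List[Event], tx: Event, max_users: int = 3) -> bool:
    """Device fingerprint seen with an implausible number of distinct users."""
    users = {e.user for e in history if e.device == tx.device} | {tx.user}
    return len(users) > max_users


# Weights and thresholds are assumptions; a single weak signal never blocks on its own.
WEIGHTS = {"amount_far_above_typical": 2, "new_payee": 1, "payment_after_token_init": 3,
           "geo_mismatch_web_mobile": 2, "shared_device": 2, "remote_control_session": 4}
STEP_UP_THRESHOLD, BLOCK_THRESHOLD = 3, 5


def assess_payment(history: List[Event], tx: Event) -> Tuple[int, List[str]]:
    """Evaluate every indicator and combine them into one risk score."""
    hits = behavioral_indicators(history, tx)
    if payment_after_token_init(history, tx):
        hits.append("payment_after_token_init")
    if geo_mismatch(history, tx):
        hits.append("geo_mismatch_web_mobile")
    if shared_device(history, tx):
        hits.append("shared_device")
    if tx.remote_control:
        hits.append("remote_control_session")
    return sum(WEIGHTS[h] for h in hits), hits


def decision(score: int) -> str:
    if score >= BLOCK_THRESHOLD:
        return "block"
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"


# Constructed sample data: one user with small habitual mobile payments from Italy.
T0 = datetime(2022, 3, 1, 9, 0)
BASE_HISTORY = [
    Event(T0 - timedelta(days=30), "alice", "mobile", "payment", "dev-A", "IT", 40.0, "grocer"),
    Event(T0 - timedelta(days=20), "alice", "mobile", "payment", "dev-A", "IT", 55.0, "grocer"),
    Event(T0 - timedelta(days=10), "alice", "mobile", "payment", "dev-A", "IT", 60.0, "utility"),
]
# First scenario from the text: a token is initialized on an unknown device, then a large
# payment arrives from a web session abroad while the user's phone is still in Italy.
SCENARIO_HISTORY = BASE_HISTORY + [
    Event(T0 - timedelta(hours=2), "alice", "mobile", "token_init", "dev-B", "IT"),
    Event(T0 - timedelta(minutes=5), "alice", "mobile", "login", "dev-A", "IT"),
]
NORMAL_TX = Event(T0, "alice", "mobile", "payment", "dev-A", "IT", 52.0, "grocer")
SUSPECT_TX = Event(T0, "alice", "web", "payment", "dev-B", "RO", 2400.0, "unknown-payee")
# Second scenario: a habitual-looking payment, but the session is driven by a remote tool.
RAT_TX = Event(T0, "alice", "mobile", "payment", "dev-A", "IT", 50.0, "grocer", remote_control=True)
```

Running `assess_payment(SCENARIO_HISTORY, SUSPECT_TX)` returns score 8 with four indicators and a "block" decision, while the habitual payment scores 0 and is allowed. The remote-control case is deliberately weighted to reach "step_up" rather than "block", because the tool may be a legitimate product such as TeamViewer; an out-of-band confirmation resolves it, which is the kind of broader assessment the geolocation bullet refers to.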