The Best of the Fall Internet Identity Workshop (Part 2 of...)

Summary: Another of my favorite sessions from the last Internet Identity Workshop (IIW) was led by Tony Lopreiato of MasterCard. The main pain point that he addressed in his talk was that, today, there is no reliable and systematic way to link a payment to the person making it. I call this ‘the last inch problem’. Yes, the person behind the screen or handing over the card can make the payment, they have and know what is required to make the payment, but who are they? This is important to know when fraud comes into play.

He talked about the plans to include identity information in the EMV and ISO20022 specs, so that every transaction will specify three key things: 1) Was the identity of the person making the payment verified? 2) By whom? 3) How?

This got me thinking about how these changes would affect the business model of payment processors, merchant acquirers and issuer processors. All of them charge for their fraud and risk management services, and in some cases for actually taking on transaction risk. How would their business model look if there is less fraud and risk to manage, or to take? What types of fraud does identity solve or reduce? Does it also help with phishing attacks or first-party fraud?

I think that bringing better identity to transactions (and also pre- and post-transaction) will impact their business, although it will take some time to get there, so this will only become an issue in the medium- to long-term, but they do need to get prepared. Identity will reduce 'traditional' fraud (your payment information being bought in the dark web and used by a fraudster, or many types of very sophisticated attacks delivered by fraud rings), but also phishing attacks, and even first-party fraud.

Read the post to find out more about the why and how. What do you think?

_________________________________________________________________

Following up on my December 10th post, today I am going to cover another of my favorite Internet Identity Workshop (IIW) sessions: one led by Tony Lopreiato, VP Global Product, Digital Identity. His session was focused on coupling identity with financial transactions (most specifically - payments) to reduce fraud and improve customer experience.

The Problem:

After giving a good overview of the credit and debit card infrastructure in the US, including discussion of the four-party model and some key regulatory changes, such as the Durbin amendment, he stated the general problem that we are all facing in payments: Today, there is no reliable and systematic way to link a payment to the person making it.

For example, although Chip & PIN is fast, convenient and quite safe (with very low fraud rates), this is just a case of multi-factor authentication that requires ‘something you have’ (the card) and ‘something you know’ (the PIN), with likely location as a third factor also playing a role in the background (if she was in San Francisco 5 min ago, how could she now be in New York?). But given that I can give my card to my friend, and share my PIN so that she can buy lunch for both of us while I wait in the car, even if it helps prevent fraud, it does not help the merchant, or the issuer, know who is actually using the card.

The same is true for the XPays (if I have given you access to my phone, by sharing my passcode, you can pay with it), and even more for all types of online payments (known as Card Not Present, or CNP, transactions).

I call this ‘the last inch problem’. You - the person behind the screen or handing over the card - can make the payment, but who are you? It is important to know who is actually behind the payment in case of fraud.

A Possible Solution:

Tony gave the example of the Mobile Driver Licenses (mDLs) that can now be stored in the Apple Wallet. Wouldn’t it be helpful if the information in the mDL could be included in the mobile payment transaction? The best thing is that it could be done in a privacy-preserving way: Check FaceID against the key parameters stored from the picture on the driver’s license. Check first and last names on the mDL against the ones on the credit card. If everything checks out, allow the transaction - whether in-person or online - to continue and include this information in the transaction:

  • Yes, identity was checked and passed.
  • It was checked by iOS + Apple Wallet + DMV.
  • In real time, at the time of transaction, by algorithmic comparison of picture and first / last name in mDL and credit card.

In an in-person transaction with a physical card, it could be the clerk at the till making these checks and entering them into the system. The information in the transaction could specify:

  • Yes, identity was checked and passed.
  • It was checked by employee #1234, at merchant #9876, location #6754.
  • In real time, at the time of transaction, by visual inspection of DL and credit card.

Note: This is certainly not representative of what happens today at stores. Checking your driver’s license is so unusual!

Of course, these are just the two examples that Tony provided, but we could also think about the role that banks, and other regulated institutions, could play in doing these checks and providing this information.

So the transaction message sent from the merchant to the issuing bank would include:

  • Whether or not identity was checked (Yes / No).
  • Who checked it.
  • How it was checked.

This would help the issuer better assess transaction risk level, and better protect itself (and the merchant) from fraud.
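An added sketch, not from the talk or from any EMV / ISO 20022 specification, of how an issuer could treat the three fields as a merchant-supplied claim and decide whether to credit it. All field names, method labels, verifier strings and the 120-second freshness bound are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical names and values throughout: the post gives the three questions
# (checked? by whom? how?) but no EMV or ISO 20022 field layout.
KNOWN_METHODS = {"biometric_mdl_match", "visual_document_inspection"}
MAX_AGE_SECONDS = 120  # assumed bound for "at the time of transaction"


@dataclass(frozen=True)
class IdentityAssertion:
    checked: bool                      # 1) Was identity verified?
    verifier: Optional[str] = None     # 2) By whom?
    method: Optional[str] = None       # 3) How?
    verified_at: Optional[int] = None  # epoch seconds of the check


def assess(a: IdentityAssertion, txn_time: int, trusted: frozenset) -> str:
    """Decide how the issuer treats the merchant-supplied identity claim.

    'none'   : no check claimed, score the payment as today
    'reject' : fields contradict each other (malformed or tampered message)
    'ignore' : claim is well-formed but stale, or verifier/method unrecognised
    'credit' : coherent, fresh claim from a verifier the issuer trusts
    """
    details = (a.verifier, a.method, a.verified_at)
    if not a.checked:
        # A "No" must not carry who/how/when.
        return "reject" if any(d is not None for d in details) else "none"
    if any(d is None for d in details):
        return "reject"  # a "Yes" needs all three details
    age = txn_time - a.verified_at
    if age < 0 or age > MAX_AGE_SECONDS:
        return "ignore"  # check was not done in real time for this payment
    if a.method not in KNOWN_METHODS or a.verifier not in trusted:
        return "ignore"
    return "credit"


# Constructed samples mirroring the post's wallet and in-store scenarios.
TRUSTED = frozenset({"ios+apple-wallet+dmv"})
TXN_TIME = 1_700_000_000
WALLET = IdentityAssertion(True, "ios+apple-wallet+dmv", "biometric_mdl_match", TXN_TIME - 3)
CLERK = IdentityAssertion(True, "employee-1234@merchant-9876", "visual_document_inspection", TXN_TIME - 20)
REPLAYED = IdentityAssertion(True, "ios+apple-wallet+dmv", "biometric_mdl_match", TXN_TIME - 86_400)
BARE_YES = IdentityAssertion(True)
```

The clerk's claim is ignored here only because this sample issuer has not listed that merchant as a trusted verifier; the claim itself is well-formed.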

The Question that Keeps Swirling in my Head:

Towards the end of the session, and with no time left for discussion, a person in the audience raised a really interesting question: How does the introduction of better identity in financial transactions affect the business model of payment processors like Adyen and Stripe? They offer many advanced fraud tools, and merchants pay dearly for them.

I had not given this much thought, and the question stayed with me, although I extended it a bit to also think about how it would affect merchant acquirers (the ones that actually take on the merchant’s risk, not ‘just’ process the payments) and the likes of Fiserv or FIS that provide systems and solutions to issuers, including fraud tools. And how will it impact merchant payments, but also, peer-to-peer payments?

Let’s start by saying that, even if this change is likely to happen, it will take some time, and even longer for these capabilities to be ubiquitous. So no immediate or short-term impact. Having said this, they do need to prepare, as ‘traditional’ fraud (your payment information being bought in the dark web and used by a fraudster, or many types of very sophisticated attacks delivered by fraud rings) will be reduced.

But will it also reduce other types of fraud, like phishing scams and first-party fraud? In phishing scams, I did send the money to this person claiming to be a long-lost relative stranded in Nigeria… In first-party fraud, by definition, the fraudster is the legitimate owner of the bank account, credit or debit card, and they are using their own identity. In both cases, knowing that it was me will not really help avoid the fraud, or will it? Let’s look at a handful of examples.

#1 Phishing Scams: Why can’t I request identity information about the person (or the business) I am sending the money (or the information) to? Granted, this is a bit of a deviation from the idea of including identity information of the payer as part of the financial transaction or payment, but it is a natural extension. The same way that my bank wants to know it is me sending the money, I want to know that I can trust the person / entity that is receiving it. It would certainly help Zelle and Venmo reduce fraud, and avoid human error, if I can check that @GigaMuffin is really my friend David asking me for $20 to cover our friend’s birthday present, and not some random person trying to trick me.

#2 First-party Fraud - Pre-authorization Fraud: Forbes explains this very well in the December 3rd, 2021 article ‘Fintech’s Fraud Problem: Why Some Merchants Are Shunning Digital Bank Cards’.

‘When someone picks up a rental car or checks into a hotel, the merchant processes a pre-authorization charge on their debit or credit card and puts a ‘hold’ on a set amount of money. That hold expires after a short period of time - say, three days, depending on the terms set by the bank that issued the card. Once it expires, a bad actor, who might have rented the car for a week for example, can spend the money, since it’s no longer locked up. When the rental car agency finally goes to charge the customer after the car is returned, the bank account tied to the debit card is empty or the limit on the credit card is exhausted, and the merchant or bank can’t collect.’

The fact that this problem disproportionately affects neobanks such as Chime and CashApp (some rental car companies do not even accept cards from these institutions), where customers have much less history with the institution, and onboarding is online and designed to be seamless and easy, makes me think that better identity would reduce the problem. At the moment it seems that some (many?) customers are opening different accounts under slightly different names, but using the same ID (their own ID). This is a flaw of the onboarding process, which could be strengthened with the use of solid customer identity, where part of the identity provided by Apple, Google, or a Bank, would not only include name or address information, but also tenure with the institutions, and maybe some behavioral flags (green / amber / red).
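The onboarding flaw described above (several accounts under slightly different names, all backed by the same ID) can be surfaced with a simple check at account opening. This is an added example, not from the original post; the records, account ids and document numbers are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed onboarding records: (account id, applicant name, ID document number).
APPLICATIONS = [
    ("acct-001", "Jonathan Q. Smith", "D123-4567-8901"),
    ("acct-002", "Jon Smith",         "d123 4567 8901"),
    ("acct-003", "Jonathon Smyth",    "D12345678901"),
    ("acct-004", "Maria Lopez",       "D999-0000-1111"),
    ("acct-005", "Maria Lopez",       "D555-2222-3333"),
]


def normalize_id(doc_number: str) -> str:
    """Collapse case and punctuation so the same document always matches."""
    return re.sub(r"[^A-Z0-9]", "", doc_number.upper())


def name_similarity(a: str, b: str) -> float:
    """Rough 0..1 similarity between two name spellings."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def flag_reused_ids(applications):
    """Return {normalized_id: [(account, name), ...]} for IDs behind >1 account."""
    by_id = defaultdict(list)
    for account, name, doc_number in applications:
        by_id[normalize_id(doc_number)].append((account, name))
    return {doc: rows for doc, rows in by_id.items() if len(rows) > 1}


def name_variants(rows):
    """Pairs of distinct spellings used with one ID, least similar pair first."""
    names = sorted({name for _, name in rows})
    pairs = [(round(name_similarity(a, b), 2), a, b)
             for i, a in enumerate(names) for b in names[i + 1:]]
    return sorted(pairs)


if __name__ == "__main__":
    for doc, rows in flag_reused_ids(APPLICATIONS).items():
        print(doc, [account for account, _ in rows])
        for score, a, b in name_variants(rows):
            print(f"  {score:.2f}  {a!r} vs {b!r}")
```

Matching on the normalized document number rather than on the name is what catches the pattern: the two "Maria Lopez" records share a name but not an ID and are not flagged.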

#3 First-party Fraud - ACH Shell Game Fraud: The same Forbes article provides an excellent example.

‘HMBradley, a three-year-old, Santa Monica-based online bank with $375 million in assets, saw a startling rise in fraud coming from the transfers it gets from Chime and Cash Apps accounts. The schemers would typically open an HMBradley account, then connect it to an existing Chime account. They’d request to transfer funds from Chime, and when the money reached HMBradley, they’d quickly ferry it into a third bank account. Often, the funds HMBradley was pulling in from Chime didn’t exist - and that’s possible because of the way the U.S. bank-to-bank transfer network, or the Automated Clearing House (ACH) system, works.

The ACH network, first built in the 1970s, lacks real-time verification and it can take days for transactions to settle through ACH. So when a neobank allows a customer to pull money from an outside account via ACH, it takes on the risk of finding out several days later that the customer only had $1 in his account even though he requested to transfer $1,000. ACH still underlies most money transfers, to the tune of $62 trillion in 2020, and is run by Nacha, a nonprofit association funded by financial institutions.’

In this case, both institutions were neobanks, with short customer tenures, and relatively lax online onboarding processes (prioritizing growth over fraud avoidance). Improving this onboarding process, in a similar way to that described under #2, would be very beneficial.

Having said all of this, I think that first-party fraud could also be very effectively reduced without waiting for digital identity:

  • Have FinTechs share information about bad actors and suspicious activity as effectively as banks do.
  • Have merchants and FinTechs legally pursue the bad actors more aggressively. It may be more expensive initially, but it will be an excellent deterrent in the medium term.

Two Parting Thoughts:

First, to me identity has the potential to solve many types of fraud, either by adding identity to the transaction itself, or by using the infrastructure to also provide identity information pre- and post-transaction, about the sender and the receiver. In fact, safe transactions will be easy and seamless if we do onboarding well, and identity (including reputational signals) plays a key role there. Although it will take some time for these solutions to be mainstream, payment processors, acquirers and issuer processors will see their revenues, and business models, affected by the reduction in risk digital identity will bring. For sure they could become key players in the identity space, but few seem to have taken steps in this direction, at least not clearly and openly, with Stripe Identity being a great exception.

Second, I found it a bit puzzling that Tony did not mention (certainly no more than in passing) Mastercard’s own identity project - ID. He used Apple Wallet and mDLs as the main example in his talk, but MasterCard is creating its own digital wallet with a similar purpose. This 2020 white paper - titled ‘Building Trust in a Digital World’ - provides a very good and detailed view of the ID Service. In a nutshell, it is an identity service, not tied to financial transactions (although it could be), that provides identity information to third parties based on customer verified information stored at their bank. In my opinion it has some key drawbacks (namely that it uses bank information and resources to provide a MasterCard-branded service - the banks have been here before…), and it has not really taken off (yet?), but it was really a surprise to me that it did not have a more prevalent role in the conversation.

What do you think?

Link to this article on my website: https://trishburgess.com/f/the-best-of-the-fall-internet-identity-workshop-part-2-of

Lucie Newcomb

Global Business/GTM Markets Entry. | Communications | Boards | Transformational Leadership

1 year

Thanks for sharing!

April Y.

Insurance Partner for Cyber Security Industry | Advisor | Board Member | Speaker | Chief Member

1 year

Great share, Trish. As the bad actors get savvier, businesses will need to create stronger defense strategies. It is all about the least path of resistance for the bad actor. Thanks for sharing.

Liliana Petrova, CCXP

Customer Experience Visionary | Organizational Culture Evangelist | Technologist | Founder & CEO The Petrova Experience

1 year

Very insightful! Thank you for sharing!

Melissa Cohen

Personal Branding and LinkedIn Strategy | Build Your Brand, Find Your Voice, Build Your Business | Amazon Bestselling Author | The Good Witch of LinkedIn

1 year

It seems like a never ending battle to stay one step ahead of those looking to commit fraud. Very interesting and insightful article!

Laurie Barlev

Customer Success Expert | Fractional Chief Customer Officer | Growth and Retention Driver | Product-Market Fit | Customer Research

1 year

If better identity means ways to minimize/eliminate phishing, fraud, etc, I am all for it. Thanks for sharing, Trish (trishburgess.eth) Burgess-Curran
