Wednesday, 14 October 2015

PayWave and Online Fraud


There have been news reports about the possibility of card holder details leaking from a PayWave card, and that what leaks is enough to make an online purchase. So what happens next?

The first possibility is that the card holder never notices. The card holder takes the loss, and there is really nothing more to say about this case.

The next is that the card holder identifies the fraudulent transaction. He calls the card centre (the issuer) to dispute it as an unauthorised purchase. Eventually the card holder and the card issuer will win the case: neither of them has to bear the loss; either the acquirer or the merchant does. Under most T&Cs, the liability is borne by the merchant.

Note that this is an online purchase: most merchants ship their product within days, while the dispute happens about 30-60 days later, after the card holder receives the statement. The result is a double loss. The merchant loses the dispute, so they don't receive the money, and they have already shipped the product.

This is significant. Consider a merchant selling cameras who makes $100 on each $1000 camera sold. A single fraudulent transaction effectively costs him $2000. He needs 20 more deals to balance that, and the problem is...

The good camera seller did nothing wrong.

That drives the good merchant to look for a fix. In short, there are two schools of thought on the solution.

The first is to put up more gates to ensure every transaction is good. User registration, verification, one-time PINs, passwords and 3DS (3-D Secure) are all part of this. Because the user has passed so many difficult gates, the issuer now takes the loss. The merchant is happy.

The second is for the merchant or acquirer to use other means to identify a fraudulent transaction.

This comes down to very complicated topics that could be covered in the future.

In layman's terms: you are using an email service that is really secure. It protects you by asking for a new strong password every 30 days, keeping a history of the last 12. That means you need 12 difficult passwords in one year. And when you read an email, you have to type in a one-time password sent over SMS.

That's the first theory.

The second is: the email provider identifies that you are using the same email client and platform, so it doesn't have to ask for the password anymore.

That's like a customer who always wears the same shirt at the pub, sits at the same table, drinks the same beer and talks to the same face. The bartender doesn't know who he is, but knows that he is him. That guy can't be bad.

That's the second theory.

I am a big fan of the second, because online payment fraud is still very low as a percentage of transaction count. With the right technology, it enables business with a lower barrier.
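To make the second theory concrete, here is an added example (not code from the original post) of a minimal merchant-side decision rule: a card that keeps coming back on the same device and platform is recognised and allowed straight through, while an unfamiliar device gets the theory-one treatment, a step-up challenge such as OTP or 3-D Secure. The `Transaction` fields, the `min_sightings` threshold and the sample orders are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transaction:
    card_token: str   # tokenised card reference; the PAN itself is never stored here
    device_id: str    # browser/app fingerprint or device cookie (hypothetical signal)
    platform: str     # e.g. "chrome-win", "android-app"
    amount: float


@dataclass
class RiskEngine:
    """Recognise the regular (theory 2); step up everyone else (theory 1)."""
    min_sightings: int = 3  # successful orders before a device/platform is "the regular"
    # per card token: Counter of (device_id, platform) -> completed, non-charged-back orders
    history: dict = field(default_factory=dict)

    def decide(self, tx: Transaction) -> str:
        seen = self.history.get(tx.card_token, Counter())
        if seen[(tx.device_id, tx.platform)] >= self.min_sightings:
            return "allow"      # same shirt, same table, same beer: no need to ask again
        return "challenge"      # unfamiliar: OTP / 3-D Secure, liability shifts to the issuer

    def record_success(self, tx: Transaction) -> None:
        # Only orders that completed (and survived the dispute window) build trust.
        self.history.setdefault(tx.card_token, Counter())[(tx.device_id, tx.platform)] += 1


def run(engine: RiskEngine, txs) -> list:
    """Process orders in sequence and return the verdict for each."""
    verdicts = []
    for tx in txs:
        verdicts.append(engine.decide(tx))
        engine.record_success(tx)  # assumption: challenged orders passed their challenge
    return verdicts


# Constructed sample: a regular on his usual laptop, then the same card from an unknown device.
SAMPLE = [
    Transaction("tok_1", "dev_A", "chrome-win", 120.0),
    Transaction("tok_1", "dev_A", "chrome-win", 80.0),
    Transaction("tok_1", "dev_A", "chrome-win", 60.0),
    Transaction("tok_1", "dev_A", "chrome-win", 1000.0),   # fourth sighting: recognised
    Transaction("tok_1", "dev_Z", "android-app", 1000.0),  # leaked details used elsewhere
]

if __name__ == "__main__":
    print(run(RiskEngine(), SAMPLE))  # ['challenge', 'challenge', 'challenge', 'allow', 'challenge']
```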

Let me recap (this part was written in Cantonese):

Recently a lot of people have said that PayWave card details can be stolen contactlessly and then used to shop online. The question is: what actually happens in practice?

That is, suppose a merchant makes $100 on each $1000 camera sold. A single fraud costs him $2000, and he needs 20 more sales to make up for the loss.

First, add a few more locks and interrogate the buyer until they give up. User registration, verification, one-time passwords, passwords and 3-D Secure are all the same approach. If the user survives all that questioning, then this time the card issuer covers it.

Put simply, an email company claims to be very secure: it requires every customer to use an unmemorable password every thirty days, and within a year the same password cannot be reused. On top of that, every time you read an email you have to enter an SMS one-time password.

The second approach is: you always check your email from this same computer, and the computer is locked, so does it need to ask every time?

Even more simply: someone buys the same cigarettes from the same lady at the same 7-11 every day. She will recognise him, right? She asks for his ID the first time, so does she need to ask every time?