Tuesday, April 16, 2024

    PIN Loops, are they serving the Direct Carrier Billing Industry?

    Whenever Empello sees an increase in complaints and non-compliance in a market, it often follows that one of the actions taken by a carrier or regulator is the introduction of PIN or OTP flows to add more “security” to the payment journey.

    Typically, the triggers for introducing a PIN flow to the payment journey are increasing levels of consumer complaints about unauthorised charges on their bill, and these are often caused by increased levels of technical payment fraud.

    In this article we will demonstrate why there is a smarter, more effective alternative to PINs.

    At Empello we recognise two types of payment fraud: front door and back door fraud. Front door fraud originates from the user’s device and works by manipulating the intended consumer journey, whereas back door fraud circumvents that journey entirely and is injected directly into the payment infrastructure.

    Front door fraud is usually caused by a malware application on the handset that is able to manipulate the device and emulate user behaviour.

    As a result, buttons on payment pages are clicked by the malware app rather than the user themselves, and carriers wind up with complaints from users saying that they simply did not click on the payment page.

    Differentiating between users who complain because malware on their device emulated their behaviour and users who simply don’t want to pay for services they have used is an impossible task for carriers, and it often results in blanket refund policies to make complaints go away.

    However, not all consumers notice charges on their bill, or complain about them, so a significant number of consumers can still be impacted regardless of a carrier’s best efforts. And even for those consumers who have received refunds as a result of unauthorised charging, damage has still been caused to customer satisfaction and may result in customer churn to competitor mobile networks.

    And let’s not forget the merchant! From a merchant perspective, the impact is twofold. Merchants have paid to acquire users via marketing channels that are not legitimate; these users don’t generate long-term revenue and often have to be refunded. Further revenue is lost when legitimate users who have used services also request refunds and cannot be differentiated from those who have genuinely suffered fraud. Merchants may subsequently exit markets that become unprofitable in this way.

    It’s generally believed that adding a PIN makes any payment process more secure. After all, PIN protection is commonly used across the finance sector to secure payments, from ATMs to cards to online payments. However, in direct carrier billing the PIN is delivered to, and entered on, the same handset that initiated the payment. There is no separation between the channel making the purchase and the channel authenticating it, and that is what makes the PIN far less effective.

    Why? Because the very same piece of malware that is emulating the user’s behaviour and clicking on buttons is also perfectly capable of accessing the messaging inbox on that device, reading the PIN that has just arrived or been displayed, and sending a message with that PIN to authorise a payment or subscribe you to a service. On-screen PIN processes are no harder to circumvent.

    And it’s not very hard to do. The video below shows a PIN hack app that our tech team built in a couple of hours to demonstrate how easy it really is:

    So, PIN or OTP flows don’t deter fraudsters in any way: malware can hack a PIN flow as easily as it can create a fraudulent click. PIN flows do, however, add friction to the payment journey with additional steps. This is the essence of the double-edged sword: a PIN flow can demonstrate positive user consent, but it can also kill transaction conversion rates by making users drop out of the payment process before completing their transaction.

    We can see the impact of this on merchants using PIN loops clearly in a market like the UK. In November 2019 the regulator mandated compulsory two-stage verification in the payment flow, which included both SMS and on-screen PIN flows. Following the introduction of the new PIN flows in 2019, Empello saw a drastic reduction in the number of clicks in traditional merchant services, yet still blocks the same proportion of fraudulent traffic. In a nutshell, payment fraud still forms the same share of the pie, but it’s a much smaller pie in the traditional merchant services market. Furthermore, the number of traditional merchants Empello sees as active in the UK fell by two-thirds.

    In the UK, having “user account” functionality has allowed some merchants to dispense with the PIN requirement. Interestingly, they can also promote a “Remember me” tick box that removes the need for password entry, which reduces purchase friction and makes the journey comparable to the old two-step flow used before the regulator-mandated PIN process was introduced.

    Merchants using this “user account” mechanic continue to be successful, and they now account for the majority of UK CTB transactions compared with those using PIN flows.

    One of the great strengths of direct carrier billing should be its ease of use, particularly for low-value purchases. Adding a PIN or OTP flow makes direct carrier billing less easy for consumers to use.

    In a world where there has been a significant shift to mobile commerce with sales estimated to hit $3.56 trillion by the end of 2021 (Statista), representing 54% of total eCommerce sales (Big Commerce), and there are multiple competitive mobile payment platforms competing for these transactions (Apple Pay, Google Pay, Samsung Pay, Venmo, Wepay, Paypal to name just a few!), making direct carrier billing less easy to use and less competitive doesn’t make sense, nor does it leave carriers in a good position to benefit from this shift in consumer buying behaviour to mobile.

    So what is the answer?

    Rather than adding steps to the payment journey that any fraudster can easily hack but that discourage users from completing it, another option is to implement comprehensive fraud protection measures on mobile payment pages.

    Such fraud protection should check every transaction to determine whether it was made by a genuine mobile user or auto-generated from the user’s handset without their knowledge, and verify that transaction to both the carrier and the merchant with a security token.

    Such measures should include, amongst their protections, IP validation, device fingerprinting, analysis of click behaviour, analysis of browser and app presentation, i-framing protections, and a comprehensive and evolving database of suspicious traffic sources.
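    To make the list of measures above concrete, here is an added example (not Empello’s code, and not the FraudStop service) that scores a single payment-page click against those signals and, when the click passes, issues an HMAC token that the carrier and merchant can verify independently of the page. The header names, thresholds, shared key and the suspicious-source list are assumptions chosen for illustration, and all sample events are constructed.

```python
"""Added example: heuristic scoring of a carrier-billing click event.

Not Empello's code. Thresholds, header names, the signing key and the
suspicious-source list are assumptions; the sample events are constructed.
"""
import hashlib
import hmac
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed: shared secret used to sign verdicts handed to carrier and merchant.
VERIFIER_KEY = b"example-shared-secret-not-for-production"

# Constructed list of traffic sources previously seen sending automated clicks.
SUSPICIOUS_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed thresholds: a human rarely presses the button within 300 ms of the
# page rendering, and one device fingerprint should not bill many subscribers.
MIN_HUMAN_CLICK_MS = 300
MAX_MSISDNS_PER_FINGERPRINT = 3


@dataclass
class ClickEvent:
    tx_id: str
    msisdn: str
    ip: str
    user_agent: str
    fingerprint: str        # client-side fingerprint hash (assumed collected by the page)
    load_to_click_ms: int   # time from page render to button press
    input_events: int       # touch/pointer events seen before the press
    sec_fetch_dest: str     # Fetch Metadata header on the click request
    referer: str


@dataclass
class Verdict:
    tx_id: str
    genuine: bool
    reasons: list = field(default_factory=list)
    token: str = ""


def sign_transaction(tx_id: str, msisdn: str) -> str:
    """HMAC token the carrier and merchant can verify without trusting the page."""
    return hmac.new(VERIFIER_KEY, f"{tx_id}:{msisdn}".encode(), hashlib.sha256).hexdigest()


def verify_token(tx_id: str, msisdn: str, token: str) -> bool:
    return hmac.compare_digest(sign_transaction(tx_id, msisdn), token)


class ClickScorer:
    """Applies the article's checks; any failing check makes the click non-genuine."""

    def __init__(self, payment_origin: str):
        self.payment_origin = payment_origin
        self._msisdns_by_fp = defaultdict(set)

    def _reasons(self, ev: ClickEvent) -> list:
        reasons = []
        # IP validation against the suspicious-source database.
        addr = ipaddress.ip_address(ev.ip)
        if any(addr in net for net in SUSPICIOUS_SOURCES):
            reasons.append("ip_in_suspicious_source_list")
        # Device fingerprinting: one device billing many subscriber numbers.
        self._msisdns_by_fp[ev.fingerprint].add(ev.msisdn)
        if len(self._msisdns_by_fp[ev.fingerprint]) > MAX_MSISDNS_PER_FINGERPRINT:
            reasons.append("fingerprint_shared_across_msisdns")
        # Click behaviour: a scripted element.click() fires instantly and
        # without any preceding touch or pointer events.
        if ev.load_to_click_ms < MIN_HUMAN_CLICK_MS:
            reasons.append("click_faster_than_human")
        if ev.input_events == 0:
            reasons.append("no_input_events_before_click")
        # Browser/app presentation: headless or non-mobile user agent.
        ua = ev.user_agent.lower()
        if "headless" in ua or "mobile" not in ua:
            reasons.append("non_mobile_or_headless_user_agent")
        # i-framing protection: the click must come from our own top-level page.
        if ev.sec_fetch_dest == "iframe" or not ev.referer.startswith(self.payment_origin):
            reasons.append("page_was_framed_or_foreign_referer")
        return reasons

    def score(self, ev: ClickEvent) -> Verdict:
        reasons = self._reasons(ev)
        verdict = Verdict(ev.tx_id, genuine=not reasons, reasons=reasons)
        if verdict.genuine:
            verdict.token = sign_transaction(ev.tx_id, ev.msisdn)
        return verdict


def run_demo() -> dict:
    """Scores constructed events: a human click, a malware click, and a burst
    of clicks from one fingerprint billing four different numbers."""
    scorer = ClickScorer("https://pay.example.net")
    ua = "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Mobile Safari/537.36"
    events = [
        ClickEvent("tx-human", "447700900001", "203.0.113.5", ua, "fp-a",
                   2400, 7, "document", "https://pay.example.net/confirm"),
        ClickEvent("tx-malware", "447700900002", "198.51.100.9", ua, "fp-b",
                   40, 0, "iframe", "https://lure.example.org/offer"),
    ]
    for i in range(4):  # same fingerprint, four subscriber numbers
        events.append(ClickEvent(f"tx-farm-{i}", f"44770090010{i}", "203.0.113.7", ua,
                                 "fp-c", 1500, 3, "document", "https://pay.example.net/confirm"))
    return {ev.tx_id: scorer.score(ev) for ev in events}


if __name__ == "__main__":
    for tx, v in run_demo().items():
        print(tx, "genuine" if v.genuine else "rejected", v.reasons, v.token[:16])
```

    The token is bound to the transaction ID and subscriber number, so neither the merchant nor a malware-driven page can later claim verification for a different number. In a real deployment the thresholds would be tuned per market and the suspicious-source list fed continuously, which is the "evolving database" the article refers to.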

    There is no doubt that implementing such protection seems counter-intuitive, as it will appear to reduce VAS traffic in any given market. This is because the problematic traffic is identified and weeded out by merchants, which cease paying for traffic from fraudulent sources. The critical difference is that the real profitability of the market improves, regulators have less to be concerned about, and the measures are invisible to the mobile user and do not impede their payment journey at any point.

    If a service like Empello’s FraudStop is applied across the market, it prevents market shrinkage due to unwieldy payment journeys and lack of consumer trust, and enables a healthy mobile payments system for all parties to build upon.

    In this way, we can keep carrier payment journeys competitive against other payment platforms and fit for purpose in a mobile-first world, whilst ensuring protection for all of the participants in the value chain: consumers, carriers and merchants.
