Reduce the risks of bank card fraud on your fintech platform

Bank card fraud is commonplace on the web, and fintechs are a favourite target. Scammers keep finding new ways to defraud Internet users, whether through hacking or through phishing campaigns.

The gradual rollout of PSD2 across the European Union has clearly contained this phenomenon.

However, when you run a fintech platform on which users can store funds and withdraw them at any time, such as a neobank or a crowdfunding platform, relying on PSD2 and its strong customer authentication (SCA) is not enough to limit the risk of fraud, for the following three reasons:

The SCA requirement of PSD2 has only applied since September 2019, and many banks and member states are still lagging behind.

Strong authentication under PSD2 is a European requirement and therefore does not apply to payers outside the EU.

Even in the case of strong authentication, there is always a risk of fraud: an example is given below.

Example of fraud despite 3DS

As an Internet user with Christmas just around the corner, I absolutely want a PS5 to give to someone close to me. However, as you may know, PS5 stock is very limited. I come across a new e-commerce site that has just received fresh PS5 stock (strangely, that is all it sells).

I carry out my standard checks before paying by bank card; we are talking about €500 after all:

  • The little padlock is present in the address bar: the site is served over HTTPS
  • Typing “<site name> SCAM” into Google returns no results

So I make my payment. It also requires 3DS, which is reassuring, even if my banking app strangely takes almost 1min30 to ask me to validate the payment... I confirm, everything looks fine, and I am told I will receive my PS5 within a week.

I have just been robbed of €500 and will never get a PS5.

How is that possible?

The merchant site on which I just entered my card details was in fact a fraudulent (phishing) site. Its owner captured the card details I typed in and, at the same moment, used them to make a payment of the same amount into an account opened at an online bank under a stolen identity. The 3DS validation I approved in my banking app was for that payment, not for a PS5 (hence the 1min30 delay: the fraudster was re-entering my details in real time). This setup sounds convoluted, but it is nevertheless very quick and simple to put together. Note: this example is a real case we encountered with one of our customers at Capsens, the web and mobile development agency specialized in fintech that hosts this blog ;)

What can be done to eliminate the risk?

You can't. In computer science, zero risk does not exist. New flaws will be discovered all the time (hello Log4j).

OK, so what are the solutions to reduce the risk?

Solution 1: Protect yourself against identity theft with video KYC

In fact, this is where the root problem lies. Nowadays it is very easy to get hold of stolen identity documents on the Internet (especially via the dark web).

A fraudster can then create an account and pass the identity verification (KYC) checks required by the platform without any trouble.

One of the best ways to make sure you are not dealing with identity theft is to add a video KYC check. In other words, you verify that the face of the person using the account matches the photographs on the identity documents provided for that same account.

Several checks are also carried out on the document itself:

  • Authenticity: it is a genuine document of the expected type
  • Integrity: the document has not been altered with desktop publishing software (Photoshop, etc.)

This solution does have significant drawbacks, however:

  • It adds a step to your registration process and therefore slightly reduces your conversion rate.
  • It is expensive: typically between €2 and €3 per verified user.

Despite these drawbacks, it is becoming more and more widespread because it is currently the most reliable way to combat identity theft.

Solution 2: Manually validate some debit requests

Whatever the type of fraud and the means used, certain signals always show up:

  1. The user credits the account several times by bank card, often with different cards.
  2. The user registered recently (this can mean up to a few months ago) and has performed no conventional transactions on your platform.
  3. The user requests a debit to withdraw the money they just credited.

A simple way to reduce the risk of fraud is to have an administrator manually verify debit requests for as long as the user is not considered trustworthy, that is, until they have either carried out a minimum number of conventional operations or been manually marked as trustworthy by an administrator.

Once the debit request is made, the administrator approves or rejects it based on all the information made available by your payment provider (credits made to the account, geography, amounts, and so on).

If the activity looks suspicious, the administrator can report the account to the payment provider, who takes over in line with its anti-fraud and anti-money-laundering commitments.
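As an added example (not code from the original post or from Capsens), here is how the routing rule above can be expressed in Ruby: the three signals are computed from what a payment provider typically exposes, and any request from an account that is not yet trusted is held for an administrator with the signals attached. The structures, the card fingerprint field, the thresholds (3 conventional operations, 90 days, 30-day window, 80% of recent credits) and the sample accounts are all assumptions to be tuned against your own platform's history.

```ruby
require "date"

# Assumed structures (not the post's code): what a payment provider usually
# lets you see per account. :card_fingerprint is the PSP's token for a
# physical card, never the PAN itself.
Credit     = Struct.new(:amount, :card_fingerprint, :at, keyword_init: true)
Account    = Struct.new(:id, :registered_on, :credits, :conventional_ops,
                        :trusted_by_admin, keyword_init: true)
Withdrawal = Struct.new(:account, :amount, :requested_on, keyword_init: true)

# Thresholds are assumptions; tune them to your own history.
MIN_CONVENTIONAL_OPS = 3    # operations before an account counts as trusted
NEW_ACCOUNT_DAYS     = 90   # the post says "up to a few months"
RECENT_CREDIT_DAYS   = 30   # window for "recently credited"

# Trusted means: enough conventional operations, or an admin marked it so.
def trusted?(account)
  account.trusted_by_admin || account.conventional_ops >= MIN_CONVENTIONAL_OPS
end

# Returns the fraud signals present on this withdrawal, mirroring the three
# signals listed in the post. An empty array means nothing suspicious.
def fraud_signals(withdrawal)
  acct    = withdrawal.account
  today   = withdrawal.requested_on
  recent  = acct.credits.select { |c| (today - c.at).to_i <= RECENT_CREDIT_DAYS }
  signals = []

  # 1. several card credits, often from different cards
  signals << :several_card_credits   if recent.size > 1
  signals << :several_distinct_cards if recent.map(&:card_fingerprint).uniq.size > 1

  # 2. recently registered and no conventional activity on the platform
  account_age_days = (today - acct.registered_on).to_i
  if account_age_days <= NEW_ACCOUNT_DAYS && acct.conventional_ops.zero?
    signals << :new_account_without_activity
  end

  # 3. the withdrawal drains what was just credited (80% is an assumed cut-off)
  recently_credited = recent.sum(&:amount)
  if recently_credited > 0 && withdrawal.amount >= 0.8 * recently_credited
    signals << :withdraws_recent_credits
  end

  signals
end

# Routing rule from the post: untrusted accounts always go to an administrator,
# with the signals attached so the reviewer sees why. Trusted accounts pass.
def route_withdrawal(withdrawal)
  decision = trusted?(withdrawal.account) ? :auto_approve : :manual_review
  { decision: decision, signals: fraud_signals(withdrawal) }
end

# Constructed sample: the pattern described in the post (three cards, new
# account, immediate withdrawal of the whole amount).
def sample_fraud_pattern
  today = Date.new(2021, 12, 10)
  acct = Account.new(
    id: 1, registered_on: today - 8, conventional_ops: 0, trusted_by_admin: false,
    credits: [
      Credit.new(amount: 500, card_fingerprint: "card_A", at: today - 3),
      Credit.new(amount: 500, card_fingerprint: "card_B", at: today - 2),
      Credit.new(amount: 500, card_fingerprint: "card_C", at: today - 1)
    ]
  )
  route_withdrawal(Withdrawal.new(account: acct, amount: 1500, requested_on: today))
end

# Constructed sample: an established user withdrawing part of an old top-up.
def sample_established_user
  today = Date.new(2021, 12, 10)
  acct = Account.new(
    id: 2, registered_on: today - 700, conventional_ops: 12, trusted_by_admin: false,
    credits: [Credit.new(amount: 200, card_fingerprint: "card_Z", at: today - 20)]
  )
  route_withdrawal(Withdrawal.new(account: acct, amount: 100, requested_on: today))
end

if $PROGRAM_NAME == __FILE__
  p sample_fraud_pattern     # => {:decision=>:manual_review, :signals=>[...]}
  p sample_established_user  # => {:decision=>:auto_approve, :signals=>[]}
end
```

In a Rails application the decision would typically be computed in a service object when the withdrawal is created, with `:manual_review` requests landing in an admin queue rather than being sent to the payment provider straight away; the signal list is what the administrator reads alongside the provider's own data before approving, rejecting or reporting the account.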

This solution also has obvious disadvantages:

  • It is time-consuming for administrators.
  • Human risk is always present: the administrator may be wrong.
  • It delays the moment when the user can withdraw from their account.

In conclusion, there is unfortunately no magic solution. The two solutions above each have significant drawbacks, whether extra cost or human time. Fraud will nevertheless continue to exist and grow, and if your platform looks more permeable than average, you will quickly become a prime target for scammers. It is therefore strongly recommended that you get ahead of these vulnerabilities.