Online payments fraud: how open banking tackles the most common threats

Monetary transactions have always been prone to fraud, as most of the time, there are fewer risks than the rewards that fraudsters can reap. 

Technology plays a huge role in raising the security standards, but, unfortunately, as more advanced payment options are developed, fraudsters get even more competent. 

The nature of cyberattacks is in a permanent state of mutation, many times influenced by external and unpredictable factors. The recent worldwide health crisis has already been labelled as one of the most prominent reasons behind the recent growth in online payment fraud.

The reason is simple. With the COVID-19 pandemic, many merchants had to transition their businesses to online platforms due to restrictions and social distancing recommendations. 

Many have done so in such a hurry that they haven't considered what is probably the most important aspect of said transition: the implementation of security protocols that can protect the most powerful asset we own — information. 

People don’t consider advanced cybersecurity measures an advantage nowadays. We consider it a must, and we expect these protocols to be in place everywhere, as life is steadily becoming more web-oriented.

Reliable payments architectures should be a top priority for every company, as this is paramount to ensuring a secure flow of extremely valuable information between merchants and customers.

Consider the following: Juniper Research predicts that e-commerce losses to fraud will rise 18% in the next 3 years, which in practicality translates to tens of billions of dollars. 

Man-in-the-middle (MitM) attacks: the most common form of online payment fraud?

This question does not have a simple answer, as there are many common procedures to perform online payment fraud. But most of them stem from some form of MitM attack, where an attacker positions itself between two communicating parties, intercepting the data that is being transmitted. 

If you are serious about securing your business (and you definitely should be), you probably have heard of some of the following methods. Remember, always have your eyes peeled and don't skimp on safety.

Man in the Middle Attacks (MitM): how do they work?

A man-in-the-middle attack allows for a malicious third-party to insert itself in the information sharing process, gaining illegitimate access to data.

As a rule of thumb, this type of attack has two phases: 

1. Interception: attackers usually access open or unsecured Wi-Fi networks, but they might also exploit DNS servers, for example. After the attacker gets access, data is collected via capture tools;

2. Decryption: intercepted data is decoded and is ready to be used in crimes like identity theft; 

A MitM attack can take many shapes and forms, but some are more usual than others. More importantly, it is paramount to keep in mind that we are talking about dangerous operations that can jeopardise your online well-being.

Here are some of the most common strategies used by fraudsters:

• Email hijacking: this type of attack is very common against banks’ or other financial institutions’ email accounts. After a third-party gets access, all transactions can be monitored and the attacker can influence the client’s behaviour by making them think they are performing conventional banking operations;

• IP spoofing: an IP address is a label that’s assigned to a device that connects to a computer network. By imitating this address, attackers can make users think they are interacting with a reliable website and access information they wouldn’t share otherwise;

• Wi-Fi eavesdropping: attackers can set up fake wireless internet connections that appear legitimate. When users connect to those Wi-Fi networks, their online activity — including login credentials and card information — is at the disposal of cybercriminals;

• HTTPS spoofing: the HyperText Transfer Protocol guarantees that a website is secure. However, attackers can use tools that convince your browser that a certain malicious website can be trusted;

• Cookie theft: cookies are small pieces of information, like, for example, the items you added to a shopping cart at an online store. This information is stored on your devices, and attackers can steal cookies from your browsing sessions to access passwords and other sensitive information;

How can open banking stop online payment fraud?

Before noticing that something is wrong, end users can inadvertently share huge amounts of sensitive data when they fall victim to this type of attack. During this time, it is virtually impossible to determine what data was exposed to malicious third-parties. 

By having payments instantly reach the merchant, open banking can help mitigate the risk of fraud. This allows the seller to know if the money has been received, so he can proceed with delivering services or shipping products. 

Through open banking, no details involved in online transactions are shared with the merchant, contrary to what happens with card payments. Payment instructions are instead sent to the customer’s bank, using secure pathways, and therefore reducing opportunities for scammers to capture key information.

Open banking transactions additionally rely on zero-trust security protocols and updated network security systems, serving as a potent barrier to fraudsters’ intentions. Strong Customer Authentication (SCA), for example, is a PSD2 integrated tool that guarantees user ID verification, significantly reducing fraud on online payments. 

To ensure maximum safety, businesses should also partner with PCI DSS (Payment Card Industry Data Security Standard) compliant payment infrastructure providers, so that a secure environment is achieved for companies that deal with credit card data. 

Open banking regulations additionally require constant fraud monitoring and appropriate reporting mechanisms, so that risks can be addressed diligently and effectively.

Keep this in mind: open banking APIs are getting safer every day with new regulations and cybersecurity technologies. But if the first level of security (you) is not as vigilant as it should be, there is no safe place online.