Identifying Security Issues in the Retail Payments System [From – , Federal Reserve Bank of Chicago]
He sums up an important aspect of managing fraud in the retail e-payments world when he says that “Players often make suboptimal fraud risk management business decisions because the true cost of fraud is often misunderstood.” While we all understand that some costs of fraud end up hidden away in bad debt, he points out that there are other, just as important, substantial costs to be taken into account. These include the opportunity cost of dealing with fraud when management time and effort could be going into growing the business instead. The more I think about it, the more I’m sure he’s right. On the one hand, fraud stimulates new product and service ideas all the time: just pick a recent one at random,
Online shoppers in the UK will be able to pay direct from their online bank account rather than via a credit or debit card, thanks to a new service. The POLi online bank payment platform aims to increase payment choice while reducing card-not-present fraud, a category of fraud covering ecommerce transactions which is on the rise. UK card-not-present fraud rose from £212.7m in 2006 to £290.5m in 2007, an increase of 37 per cent… According to merchants in Australia using POLi, the service now accounts for an average of 23 per cent of their total online payment transactions. [From Online banking payment system aims to reduce fraud | The Register]
I would never use this, of course, because I want to pay for everything using a credit card since that frees me from all worry: it’s not my problem if something goes wrong, but that’s beside the point. The point I wanted to make is that there’s considerable intellectual effort going into dealing with online payment fraud, but if that problem were to be fixed then this energy and initiative could be freed up to develop cheaper, better, more inclusive payment systems instead and give a greater boost to net welfare.
We shouldn’t be too negative. There’s evidence that getting to grips with fraud can work, and work well. We just need to look outside the banks to see what can be done. Look at PayPal, for example:
We’ve been executing against this strategy for close to 18 months, and have a great deal of first-hand experience about what works, and what doesn’t. Over that period of time, we’ve been able to move PayPal from being one of the most phished brands on the Internet to a much less prominent target. [From The PayPal Blog: A Practical Approach to Managing Phishing]
PayPal say that after going live with DomainKeys email blocking they’ve seen a significant drop-off in the number of attempts to spoof PayPal in Yahoo! Mail, meaning far fewer fraudsters even try to send these scams to Yahoo! Mail users. I assume they focus on Yahoo! because that’s where most of the phishing attempts were coming from, but the point is general: the sky isn’t falling in.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public