A popular payment channel will always attract fraudsters. Sad but true. So what’s the best defence against DCB fraud? MEF experts tackled the issue.
Direct carrier billing has had a bumpy journey over the last decade. It was initially heralded as the next big thing – a friction-free payment channel that would bring riches back to the operators.
Then it lost its way, stymied by high revenue shares and uneven availability.
Happily, this was a blip. Towards the end of the last decade, DCB went mainstream. The major app stores deployed the channel in order to reach unbanked customers. At the same time, the big digital giants (Sony, Spotify, Netflix) saw DCB as a hugely effective tool for reaching new customers.
Today, the DCB market is worth $49bn and could grow to $79bn by 2024, according to Ovum’s latest forecast.
Regrettably, where there are millions of users, there will be fraudsters. DCB is no exception. Criminals use a combination of malware and social engineering to trick unwitting users into fraudulent one-off payments or subscriptions.
Needless to say, their activities threaten to poison the channel. Can they be stopped? Or at least frustrated?
Last week, MEF hosted a panel session in Barcelona to explore the topic. Our four experts were:
- Laurent Frainais – VP Carrier Partnerships Americas & Europe, Boku
- Roland Kneisler – Executive Director Product, Freenet Digital
- Brian Pettit – Technology Director, MCP Insight
- Christopher Henseler – Operations Director Central Europe, Telecoming
Here are their top insights.
Most fraudsters are individuals making money on the side…
In Roland Kneisler’s opinion, the vast majority of DCB fraud is run by tech-savvy youngsters who see it as an easy way to accrue money. “Most fraud is one-man companies. They’re students. They’re well trained and they don’t earn thousands. But there are lots of them doing it.”
…But maybe there is some organised crime involvement
Christopher Henseler had a slightly different view. “Most payment gateways are under 24/7 attack in an effort to find loopholes. The hackers are very aggressive. I agree there are lots of single actors, but I believe there might also be bigger organisations behind it.”
Fraudsters share knowledge and even compete for status
Kneisler added: “There are around 1000 different solutions and SDKs out there that do this kind of fraud. Fraudsters share them around. Or they ask for money. It used to cost $10,000 for the software. Now, it’s much cheaper. More like $100. They even have groups you can get into if you have a certain reputation, with gold, silver and platinum members. I’ve tried but I can’t access them.”
Some fraudsters are ‘insiders’
Alarmingly, many hackers might work in the industry. Brian Pettit disclosed that he’d been told around a third of fraudsters in India are working for service providers.
More OTP authentication is not the answer
Authenticating payments with a one-time PIN might seem sensible. But it will probably make things worse. This was the view of Christopher Henseler. He believes it adds to the friction and provides another opportunity for fraudsters to insert themselves into the transaction.
“The beauty of DCB is the ease of use. A PIN flow won’t make it more safe,” he said.
Laurent Frainais agreed. “The main fraud for us is social engineering. Fraudsters initiate a transaction and then contact the owner. They pretend to be someone else, and ask for PIN code. The victim shares it and then gets charged.”
People don’t uninstall malicious apps
A lot of DCB fraud comes from malware-infected apps that people download in good faith. They’re often poor in quality. However, many consumers don’t remove them even when they discover this. “The apps might not be interesting, but people keep them on the phone. People are lazy. Or they don’t want to wipe their entire phone,” said Kneisler.
Silent authentication can remove a lot of fraud
Frainais disclosed that Boku now offers technology that can verify that the phone number and the device are the same – without sending an OTP to the user. It can also flag if there has been a recent SIM swap. Both methods can reduce the ability of fraudsters to hijack another user’s SIM.
Blacklists are mostly useless
It’s too easy for fraudsters to share information, and to enter different names in the fields that might identify them as blacklisted developers, or simply leave those fields blank.
It’s possible some apps are unwittingly committing DCB fraud
Brian Pettit suggested that some malicious advertising SDKs are sold as genuine. Unwitting developers build them into their apps without realising that they will defraud their customers. “The theory is that they don’t even know. It’s scary.”
Sideloading from smaller app stores is a problem
If it’s hard for Google to identify malware, it’s even more difficult for smaller app stores to do it. These portals are frequently targeted by fraudsters. And their users can be young and naive. Kneisler said: “Some of the big games companies, who don’t want to pay 30 per cent to Google, use these stores a lot. They’re even training kids on how to sideload. And these kids don’t read the warnings.”
Better KYC would help
Henseler wondered why more companies in the ecosystem don’t do better know-your-customer (KYC) checks. “We shouldn’t on-board just anyone. If someone is asking for net 7 or 14, don’t work with them. Ask yourself: why do they want quick money? The answer is quite obvious. With 30 days you have more time to verify.”
Some fraud is inevitable. It’s unrealistic to expect otherwise
Henseler warned that aiming for total eradication of fraud is unrealistic. “We have to accept that fraud will always be there to a certain degree. We can fight it by getting operators to understand what’s happening, and by using anti-fraud tech. Hopefully we can win this battle. We can’t have DCB getting a bad reputation, when there are so many good things that could happen to this market.”
MWC 2020 may have been rightfully cancelled, but with many MEF Members still in Barcelona to hold meetings, catch up with colleagues and discuss the issues facing the global telco ecosystem, MEF created a line-up of sessions across our programmes. MEF Members – log in now to watch the presentations and download the slides.