A large part of my job is essentially reasoning about risk and economic theory. Consumers have a very different view of security – they tend to view it more emotionally, they have some rough sense of security from what they’ve seen that doesn’t always correlate with actual security.
For example, customers associate a feeling of security with their existing banks because they are subjected to many security checks. They don’t often consider the recovery flow – a password is only as secure as its recovery flow and it’s these recovery flows that are typically exploited by attackers.
Today, by far the most likely way for money to fraudulently leave your account is for your card details to be compromised and used fraudulently. We will, of course, refund any card fraud that occurs on your account, but consumers are used to carrying around a piece of plastic with what is essentially a key to their money embossed onto it.
So why hasn’t this improved? The answer is that banks aren’t generally liable for this fraud. There are huge misaligned incentives that mean the situation continues to get worse. If an e-commerce payment doesn’t go through 3DS, then the merchant is liable for fraud. If the transaction does go through 3DS, then the bank is liable.
This should give merchants an incentive to apply 3DS to transactions. However, the 3DS flow of most banks is sufficiently bad that many merchants would lose more money to people dropping out of the checkout than they lose to fraud, so they don’t use it. Banks have no incentive to improve the 3DS flow, as doing so would just make them liable for more fraud.
The EU is attempting to sort this out with some legislation called Strong Customer Authentication. This will effectively require all e-commerce merchants to put every transaction through 3DS. This will level the playing field for all merchants and give the banking industry an incentive to improve the 3DS flow to properly balance between security and customer experience.
I’m genuinely interested to see what happens to e-commerce fraud rates over the next 5 years as a result of this legislation.