With online holiday sales set to surpass the $100 Billion mark this year, are credit card companies and retailers doing enough to protect your financial information?
Every time you make an online purchase – and submit your payment information – you have to trust that A) the retailer has security systems in place to keep your information from landing in the wrong hands and B) the financial institution that holds your money or offers you credit will have your back if it does.
The current holiday shopping season is already shaping up to be an epic one for fraudsters. Brand new iovation research shows a 20 percent increase in online retail credit card fraud during the 2016 Thanksgiving holiday shopping weekend when compared to the same period in 2015, and a 34 percent increase in online credit card fraud from Black Friday to Cyber Monday 2014 to 2016.
There's plenty more data where that came from too. Check out our latest infographic for more holiday shopping weekend trends.
The good news is that it’s in the best interest of financial institutions and retailers to protect your financial information against fraudulent charges. Until recently, financial institutions held a legal responsibility to reimburse those charges, though those institutions would pay a legal visit to the retailer who failed to protect the cardholder’s data and recoup some of the losses.
The Impact of a Cardholder Data Breach
The infamous 2013 breach of Target’s database shows precisely how this can play out. Initially, the banks and credit card companies had to make good on all the fraudulent charges, but as CNN Money explains, these companies followed up with lawsuits against Target. Target settled the lawsuits for a total of $108 Million (not to mention the $10 Million for the class action lawsuit brought against the company).
Multifactor Authentication Provides an Added Layer of Defense
How can – and should – financial institutions and retailers protect your sensitive information? The Payment Card Industry Data Security Standard, often referred to as PCI, requires retail merchants to use multifactor authentication (MFA) to do that.
In fact, Krebs on Security speculates that the lack of multifactor authentication for an HVAC vendor that Target contracted with may have been the cause of the company’s 2013 breach.
Multifactor authentication provides the extra layer of security that ensures that even if hackers know your username and password, they still can’t access your sensitive information. When it comes to shopping online, that includes your credit card, debit card, and in some cases your banking account information.
There’s a catch when it comes to online retail, though. You want all the protection of your financial information that multifactor authentication affords, but you still want a frictionless shopping experience. If this eMarketer article, which claims mobile ecommerce sales will increase by 43.2 percent, is accurate, it appears that you’ll increasingly want to have this smooth shopping experience using your mobile device.
And that forecast is already bearing out. iovation research also finds 55% of all online retail transactions were made from a mobile device from Black Friday to Cyber Monday.
Common Methods of Multifactor Authentication
We’re all familiar with these methods of multifactor authentication and, perhaps, have experienced their shortcomings when it comes down to ensuring frictionless shopping:
- Captcha codes require you to correctly enter a code that is displayed as visually distorted text. What if you can’t decipher the weird text and have to repeatedly generate a new code to try again? What if you are visually impaired?
- Knowledge-based authentication (KBA) requires you to remember a piece of information that you initially told the system. For example, it asks for and stores the name of your favorite teacher. But what if you have several favorites—Mrs. Barry for 3rd grade, Mr. Blodgett for 6th grade, and Mrs. Lashley for 12th grade? When you try to authenticate, you might have to make several attempts to get it right.
- SMS text codes require grabbing the code from your phone and entering it into the authentication screen. What if you accidentally close the browser as you are trying to make the purchase or you don’t grab the full code when you copy?
These methods all put roadblocks along the path to completing the purchase, particularly when it is made from a mobile device with a small screen that you use while on the go.
Multifactor Authentication for Mobile Shoppers
Fortunately, some methods of multifactor authentication minimize the impact of authenticating on mobile devices while still providing extremely high levels of data protection. Here are just a few such methods:
- Biometric authentication requires you to touch your touch-enabled device. Your device must recognize your fingerprint on that specific device to authenticate you to whatever system you are trying to log into.
- Device proximity uses Bluetooth to see if you are within a given radius of a known device. If you are, the system can approve your login request.
- Onscreen slide takes the idea of the SMS text code, but makes it far easier to use. A simple swipe on the device that has received the code allows the user to authenticate.
So when you’re shopping online for everyone on your holiday shopping list, pay attention to the means of authentication retailers are using. If they’re using just basic username and password authentication, be aware that your financial information is at greater risk.
If you happen to purchase from retailers who embrace technologies designed to protect your financial information while making your shopping experience a joyful one, you’ll most certainly notice the difference.