MRC Athens 2023 featured a diverse set of speaker sessions from October 9-11, but one leitmotif during many of them was the importance of adjusting incentives for parties in the eCommerce ecosystem to reduce fraud and boost authorization rates.
Nowhere was this more apparent than in a regulatory-themed panel regarding Europe’s upcoming Payments Service Directive (PSD3) and Payments Service Regulation. According to the Merchant Risk Council’s Una Dillon, one of the problems with the existing PSD2 is that issuers were not mandated to properly implement exemptions to the Strong Customer Authentication (SCA) requirement for transactions. Instead, handling such exemptions represents a cost to them, so it hasn’t been handled well. ACI Worldwide’s Amanda Mickleburgh went a step further and explained that issuers are miscoding soft declines due to PSD2 as hard declines, which is seriously impacting the customer experience of cardholders trying to shop with European merchants. Unlike soft declines, payments that receive hard declines cannot, or at least should not, be retried by the merchant. This means that soft declines miscoded as hard declines are causing customers to switch to other cards or go to other merchants to receive the goods and services they want and need.
The most frightening session of the conference for the close to 200 participants was the keynote provided by Europol’s Tobias Wieloch. “Fraud will never die out,” said Wieloch in his speech. “It is always evolving.” He then went on to describe the Large Language Model (LLM) based AI tools for criminals that have emerged since June 2023. These AI-as-a-service solutions have lowered the risk and investment required from criminals to commit a wide variety of cybercrime.
Unlike legitimate services like ChatGPT, these criminal-friendly services don’t censor prompts. That means with a little prompt engineering, a criminal can, for example, get an LLM tool to provide a how-to guide to phishing and even a basic, relatively well-written script that they can use to phish. The cost for these sorts of tools? Well, the now-defunct WormGPT was charging just $100 per month. Quite affordable when you imagine all the damage, financial and otherwise, a criminal could wreak using such a tool.
Unfortunately, AI may be shifting the incentives in fraudsters’ favor at the moment.
In a session on account takeover (ATO), there was talk of the need to empathize with customers who suffer from ATOs even if they are victims due to their lax security practices, such as reusing passwords. As F5’s Josh Goldfarb pointed out, merchant employees have to realize that they aren’t going to dramatically alter consumer behavior for the vast majority of users. Most users are not security conscious enough to use a tool like a password manager. They will likely want to avoid the added effort of remembering multiple passwords for different services. As Vanita Pandey from identity solution provider CAF pointed out in an early morning speech, the average person today is managing hundreds of online accounts. It’s no wonder people are reusing passwords.
Fraud fighters Jaanus Uudmae and Daria Popa also walked attendees through how the European superapp Bolt leveraged social media to outsmart fraudsters and change their economic incentives. Their key observation was that if Bolt had requested that major social media companies remove ads and discussions by fraudsters advertising their criminal services as a way to get discounted services from Bolt, the activity would simply have moved to other social media channels or online fora. Instead, the fraud team at Bolt was able to use social media intelligence to monitor when and where fraudsters were offering their services with the Bolt app.
Bolt’s fraud, engineering and product departments then collaborated to determine how fraudsters were stealing and re-selling services using the Bolt app and redesign elements in the app’s flow to provide obstacles to fraudsters. These obstacles would reduce the economic payoff to fraudulent activity and Bolt would then see some of these fraudsters tell their online followers that their discount service was “down.”
Fraudsters being fraudsters, they would then probe the app for new or additional weaknesses and the iterative process would repeat itself. However, using social media intelligence, Bolt’s fraud team was able to minimize the damage, keeping pace with fraudsters and sometimes even anticipating their next moves thanks to future-oriented online advertisements for “discount” services.
Of course, fraudulent behavior is not only perpetrated by professional fraudsters. It is also important to address incentives for bad consumer behavior, including friendly fraud. The abuse of the chargeback mechanism requires merchants to engage in chargeback mitigation to lessen the damage to the bottom line.
While a chargeback management solution will not prevent chargebacks altogether, having a solution that allows you to defend up to 100 percent of the chargebacks you face helps stop opportunistic friendly fraudsters in their tracks. It tells all those people hanging out on online forums that your company isn’t easy pickings and that they should take their shenanigans elsewhere. This is important for a wide variety of companies, such as Bolt and Justt’s MRC Athens co-speaker G2A.com, the gaming marketplace, which have a large, young demographic of users. As mentioned at MRC Athens, these Gen Zers often may not have a lot of disposable income, but they have plenty of free time to game company systems for free rides, free games, etc. By shoring up your defenses, you alter their incentives for mischief and push opportunistic fraudsters and friendly fraudsters to target other brands.
A lot of the time, good fraud prevention comes down to getting the incentives right. Make “bad” behaviors that hurt your company’s operations difficult, and they will decline. Make good consumer behavior easier and more rewarding, and see your company’s revenue and profits grow.