The Evolution of Fraud Detection: From Card Present to Card Not Present

Aug 22, 2023

Meet Ofer Golan, a highly experienced professional in the world of payments and risk management. As Fintech Risk & Compliance Director at KPMG Israel, with over 18 years of expertise in the payments industry, Ofer focuses on payment acceptance, risk, and compliance. His extensive knowledge and experience in payment risks have positioned him as a trusted advisor, sought after by merchants, acquirers, and issuers to help them tackle complex payment challenges. We caught up with Ofer to get his thoughts on the evolution of fraud in the industry.

How has the fraud industry changed in the past 20 years?

Over the last 20 years, fraud has evolved because technology and banking have changed dramatically. Back then, there were fewer payment options – most people used bank transfers, credit cards, debit cards, and checks. Banking was simpler and fraud tended to be much easier to detect and control. Fraud analysts were called investigators. That’s because they spent their time investigating. They didn’t have a lot of tech to rely on, so they had to rely on their gut instinct when trying to uncover identity fraud. They would pick up an old device called a telephone and talk directly to the suspect. Sometimes they would even meet the suspect in person. Some would even collaborate with the police to catch a suspect in action.

On the other side of the equation, merchants would try to protect themselves from losses by using secure transaction services to help verify the cardholder’s identity. Later on, fraud analysts were obsessed with writing rules to target fraud. However, these rules-based mechanisms failed to take into account the cardholder’s profile, behavior, or identity. Everyone was treated the same back then. Banks were content to use a sledgehammer across the board to kill a fraud “ant”.

Compared to the past, today’s banking is really exciting. Today we aim to give our customers excellent service, a variety of financial services, and a range of alternative payment methods. And as Card Present transactions became more secure with EMV chip cards, the focus shifted to online and mobile channels. This shift resulted in a decline in Card Present fraud rates. Today there are so many ways to send and receive money, and fraud is becoming more and more sophisticated, adapting itself to digital transactions and our hybrid work lifestyle. This is why fraud prevention departments have had to adapt their strategy and technology to detect and prevent emerging threats.

What is the size of the problem?

A few recent studies have found that the total cost of e-commerce fraud will exceed $48 billion, up from last year’s number of around $41 billion. The problem can be expected to worsen moving forward as more alternative payment methods and digital wallets enter the market, all of which create new fraud risks. By the way, North America is identified as having the largest fraudulent transaction value of any region around the globe, around 40% out of the total amount.

According to the Identity Theft Resource Center, 2022 was an all-time high for fraud, with a record number of compromised identities. We need to recognize that our personal data is out there and can be purchased through the dark web or social networks. That’s why today’s generation of fraud fighters needs to rely on multiple data sources and sophisticated models to attack the problem.

What is the difference between offline and online fraud?

Offline fraud is usually committed when a card is lost or stolen. Alternatively, thieves may use skimming and NFC devices to steal card data from ATM machines or gas pumps. Online fraud is when you make an online purchase using your payment method, and information transmitted over the web is intercepted and used by criminals to make unauthorized purchases. In recent years, barriers for criminals to commit this type of fraud have decreased. It’s much easier today than in the past.

What are the most common types of fraud that companies experience today?

Synthetic fraud has experienced dramatic growth across fintech, traditional banks, and credit card companies. Unlike traditional identity theft where a victim’s financial identity is taken over and used for existing accounts or funds, synthetic IDs are created by combining real and fake information. Criminals may use your ID, my address, and someone else’s phone number to create a synthetic ID. They use genuine data, but the combination creates a fake ID.

Another popular fraud type is social engineering. It’s a huge threat that everyone is experiencing. With technological development, the bar has been lowered dramatically for criminals, allowing them to carry out sophisticated social engineering attacks without any technical skills or capabilities. Other types of fraud include fake accounts, false advertising, friendly fraud, and fake buyer-seller closed loop. Fraud impacts all industry verticals from e-commerce to airlines to money transfer and banking services.

The bottom line is that no business can choose to ignore the changing face of fraud. The risks are too high and the impact is too significant.

What are the challenges that financial institutions face in dealing with online traffic, and how do they address these challenges?

The main challenge today is to find the right balance between preventing fraud and giving cardholders a frictionless experience. We must ensure we are allowing the good guys to onboard quickly while stopping the bad guys from the start. The challenge is finding that sweet spot.

Another issue is considering what we need to expose users to along their user journey. There are three major approaches to that:

  1. Balancing Access & Security: We must allow only limited access to high-risk users before we create the friction that comes with activating strong customer authentication. This can be achieved by setting more controls and implementing more checks.
  2. Protecting Sensitive Details: PII or stored payments should be hidden. Just because a user has the login details does not mean all information should be shared. Even when credentials are provided, additional checks can be put in place like email verification, SCA, strong customer authentication via phone, or other means to authenticate the user.
  3. Prioritizing User Insight: Risk scoring and communication with the users is one of the most important tools to understand who we are dealing with.

What is the fraud impact in the future?

First of all, we need to understand that we’re dealing with fighting criminals. There is no bulletproof solution. Fraud will always be part of doing business, but we can try to minimize the loss as much as possible. The use of a financial crimes center tool that collects and synthesizes data from many different sources enables organizations to make better decisions. These tools allow you to see the entire end-to-end process from the onboarding process to the termination activity and understand exactly who we’re dealing with. This is where KYC and KYB come in. Understanding what we are, which services we would like to give to this specific client, and through the ongoing process, ensuring his behavior is according to what is expected — according to his profile, to similar user profiles, and all other users on our platform. This way, we’ll probably be able to identify risks in advance.

Of course, we have to have all the dashboards and relevant reports for that. We always need to test new data sources, set workflows, escalation paths, risk thresholds, and KPIs, and we must also continuously monitor the fraudulent activity, and build red flags. We must learn when to trigger the data analyst, or the risk analyst. In some cases, we can auto-approve or auto-reject, but we need to understand what is in the middle – when enhanced due diligence is called for.

In addition, security and trust will remain critical. Users will be much more comfortable using your service if they trust you. Reputational risk is an important issue.

Finally, we need to remember that the fraud detection department plays a critical role in educating users about potential risks, safe transaction practices, and how to recognize phishing attempts or other fraudulent activity. I think that by raising awareness and promoting customer vigilance, financial institutions can reduce the likelihood of successful fraud attempts.


A bit more on Ofer Golan: Throughout his career, Ofer has held influential positions within renowned U.S.-based and Israeli banks, which have allowed him to garner a wealth of experience in risk management, fraud prevention, and compliance. As the former Head of Risk at Payments by Wix, he demonstrated his proficiency in implementing industry-leading risk management practices. Moreover, as the former Chief Compliance Officer, Head of Fraud Risk, and Risk & Compliance Program Manager at one of Israel’s largest credit card companies, Ofer showcased his ability to lead and execute critical compliance initiatives. His dedication to fostering trust, resilience, and security within organizations has been pivotal in making companies more reliable and responsible in their operations.