Ondot Systems: Fortifying a House of Cards

October 3, 2017

Banks and credit unions in the USA are finding new ways to empower their cardholders with proactive control and instant visibility over their transactions. Greater customer engagement and confidence in card security is driving card usage while lowering fraud costs. It also has positive implications for legislative compliance, according to Ondot Systems Inc.

Two cars arrive in a dimly lit city street. The first parks under a street light – the driver knows that’s the smart thing to do. The second parks in a convenient spot, but the driver feels scared, so moves to a better lit place. The first driver walks down the road well clear of the doors and alleys where muggers might lurk.

The second one goes anxiously down the pavement, peering into every alley just in case. Realizing his wallet is in the back pocket, he stops and moves it to his inside jacket pocket. The first driver walks on, having safely stowed his wallet before leaving the car…

Two people performing almost identical actions, but the first is making confident decisions while the second is taking actions driven by fear. It’s a psychological fact that – while it is good to exercise caution – the person who does so in a positive, proactive manner not only feels, but actually is, a lot less vulnerable.

For many people, financial transactions do make them feel helpless and vulnerable. Security has become a technological race, and each time a new security measure rolls out, it seems that the cyber criminals are ready to crack it. The written signature gave way to the pin code, then the smart card and now we have dual factor authentication (2FA) – surely the ultimate defense?

But in May this year banking customers in Germany had their 2FA accounts hijacked because hackers were able to intercept the second factor by gaining access to the SS7 signals used to route SMS. And another victim lost $150,000 from his bitcoin wallet because hackers had fooled his phone company into re-routing his number to the hacker’s phone. In theory this should not be possible without security credentials, but the scammers just rang phone rep after phone rep until one fell for their plausible hard-luck story. Yes, there are other, more sophisticated 2FA solutions out there, but they too tend to be backed by SMS options considered “better than nothing” – and so the old vulnerabilities persist.

The upshot for the general public is a growing feeling that transaction security is becoming too cumbersome and complex to understand. In this technological race between the financial industry and its attackers, all a person can do is follow the latest best practices and hope that they are on the winning side – a burdensome reality.

Cardholders are not alone. What hurts them is hurting their banks and credit unions many times over. The industry is not only suffering higher security costs, but also lower interchange revenue, more regulatory pressure, and higher cardholder expectations. They are struggling to make their card programs pay since the Durbin amendment capped the fees paid by retailers. Margins have since fallen 50%, while fraud costs have been growing 15% annually.

Is there a way to give back to cardholders the confidence to use their cards while protecting their own finances? Where taking precautions becomes a proactive sharing of responsibility rather than a fearful reaction to unsurmountable threats?

Absolutely! It has started to appear, initially in the USA, under various names such as CardNav, Card Valet, Card Rule, and SecurLock Equip. What all these programs offer the user is a form of personal card management that goes way beyond the long-standing ability to contact the provider and have a lost or stolen card blocked.

Effectively, personal card management allows cardholders to decide for themselves what sort of transaction would be suspicious or untypical of them, and take immediate measures to block or limit such transactions. The reason it is appearing in so many different guises is that the system is a white box product that makes it simple for each bank or card provider to customize it as an added-value addition to their own brand.

Under whatever name it is given, it can be tailored to match the provider’s current offering and intended strategy. They can either issue a stand-alone mobile app or integrate the functions into their existing mobile offering to allow cardholders some or all of the following functions:

Switch Off: lock or unlock a card with a single touch. If a user misplaces the card, they can switch it off immediately and, if it turns up, switch it back on.

Location control: limit operation to an immediate neighborhood, or region on a map if going on a trip. If the cardholder is not present at the purchase location, it is a strong indicator of potential fraud.

Control preferences: cardholders can define types of merchant, types of transaction and limits on spending according to their unique patterns of behavior. If they do not shop online, they can turn it off until needed.

Instant and two-way alerts: cardholders can opt in for real-time transaction alerts to increase security; and confirm suspected fraud events from the financial institution through two-way alerts.

Self service: cardholders can immediately view available balances, analyze their spending, and manage transactions – e.g. tagging, annotating, capturing receipt images and emailing for reimbursement rather than filling their wallets with receipts. Self-service increases customer satisfaction and lowers support cost.

The common factor is that empowering cardholders with control and visibility over their transactions leads to greater engagement with the financial institution. Reluctant cardholders gain greater confidence and use the card more, while active cardholders move their personally managed card to top-of-wallet.

Financial institutions are discovering that this increases overall card usage while reducing fraud costs. Data from financial institutions so far suggest an average 40% reduction in fraud, a 16% reduction in false payment declines and a 26% reduction in support calls. At the same time, they are seeing an 8% conversion from inactive to active cards and a 23% increase in card usage. Needless to say, this is increasing net revenue and providing a rapid return on investment.

The difference between a passive and an empowered cardholder is even more apparent when we see new patterns of usage emerging. Parents are much more willing to provide cards for their dependents when they have some control over their usage – such as setting spending limits, allowing certain types of transactions, even specifying transaction types and merchant categories – and are able to monitor card usage in real time.

One colleague, whose daughter went to study at a distant college, gave her a credit card that simply restricted purchases to the college neighborhood. These new patterns of usage creates new and intriguing market segments that financial institutions are beginning to tap into.

Even more significant is the power that this allows for companies issuing business cards tailored to employees’ roles and requirements, while enforcing compliance with corporate spending policies. Individual cards can be limited to buying restricted goods or services – such as food, accommodation, transport, materials or fuel – from preferred business partners or at specified locations. Again, this opens up a whole new and especially lucrative user base.

Compliance to individual corporate policies points the way to another potential benefit for the card provider. This added functionality can provide a means to address some of the growing demands of legislative compliance.

For all the many individual and corporate benefits that are already being harvested by card providers that offer personal card management, and their cardholders, there is also something very important happening here. The problems faced by financial institutions are exacerbated by the huge intelligence now pitted against them.

There is the intelligence of the black hat hacker community, plus the intelligence or organised crime, and now the intelligence behind potential cyber warfare and industrial espionage. How much intelligence can the industry afford to match such an onslaught on its security?

The answer is that cardholder empowerment is uncovering a massive new resource: the combined intelligence of a user base that understands its own spending patterns and is now able to become actively engaged in defending its own capital and way of life.

Leave a Reply