Tanja Steinhoff described a pattern she encounters regularly in conversations with bank customers: an account takeover that never looks like one. The fraudster gains access to online banking and then, rather than going straight for the transaction, starts making small innocuous changes: adjusting credit limits, updating a phone number, redirecting an authentication app, and so on. Each action, looked at in isolation, raises no flags. By the time the fraudulent payment hits the 3DS rails, the attacker has full control, the transaction authenticates cleanly, and the SCA mechanism designed to prevent exactly this outcome has been rendered irrelevant. "What was meant to be the countermeasure against fraud," she said, "has been – via social engineering, via account takeover – taken out of our control as a pure ACS provider."
The reason this keeps happening comes down to a structural problem the industry has been slow to address. Banks typically intervene when money moves, and not before. Everything that precedes that moment – the reconnaissance, the account manipulation, the quiet preparation – happens in the gaps between systems that don't talk to each other. Sannelie Gallichan put it bluntly: "We choose to do an intervention when money moves. That is typically where banks choose to act. By the time the payment transaction is around, 3DS happens completely outside of the bank's ecosystem."
The fraudulent merchant problem illustrates exactly why that matters. Rogue merchants don't limit themselves to one bank; they operate across many, exploiting the fact that the intelligence each institution holds stays within its own walls. Bank A spots a suspicious pattern but has no way to alert Bank B, C, or D. By the time the fraud has run its course, each institution has seen only a fragment of the picture. "What is really important is to look for the places where you have the best coverage," said Gallichan. "Look for the opportunities to create that intelligence within your 3DS ACS provider environment, whether that's a consortium arrangement, a proprietary model, or just an informal alerting system."
Ultimately, the problem is not that the signals aren't there. It's that they are fragmented: a limit change in one system, an authentication update in another, a device switch somewhere else. Each, individually, is unremarkable, but collectively, they tell a clear story. The industry just needs to start reading it.
The data problem runs deeper still. Static personal information, once the foundation of identity verification, is increasingly easy to obtain. Keith Groves illustrated the point with a recent real-world example: an individual arrested not for committing fraud directly, but for harvesting and selling personal details to those who would. "It doesn't take organised criminals a lot of effort to harvest and collect that data," he said. Which means that knowing who someone claims to be is no longer sufficient. The question the industry needs to ask is not who, but how. "We're shifting away from simply validating the identity to validating whether or not the action aligns with the way the consumer behaves."
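The two points above (fragmented pre-payment signals that only tell a story when read together, and validating the action against the customer's behaviour rather than the claimed identity) can be illustrated with a small correlation routine. The following is an added example written for this summary; it is not code from any of the panellists or their companies. The log format, the per-change weights, the seven-day lookback, the threshold, and the sample account history are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

# Weight per profile-change category seen before a payment. The values are
# assumptions for illustration; a real deployment would tune them on labelled cases.
CHANGE_WEIGHTS = {
    "limit_change": 2,       # credit / card limit raised
    "contact_update": 2,     # phone or e-mail replaced
    "auth_app_rebind": 3,    # authenticator moved to a different device
    "new_device_login": 2,   # login from a device fingerprint never seen before
}
LOOKBACK = timedelta(days=7)  # assumed window in which preparation steps are correlated


def parse_events(lines):
    """Parse constructed 'ISO-time|type|detail' account-event lines into dicts."""
    events = []
    for line in lines:
        ts, kind, detail = line.split("|", 2)
        events.append({"ts": datetime.fromisoformat(ts), "type": kind, "detail": detail})
    return events


def preparation_score(events, at):
    """Score distinct profile changes in the lookback window before time `at`.

    Each change type counts once no matter how often it occurred, so the score
    reflects how many different control points were touched, not log volume.
    """
    window_start = at - LOOKBACK
    seen = {}
    for e in events:
        if window_start <= e["ts"] < at and e["type"] in CHANGE_WEIGHTS:
            seen.setdefault(e["type"], e["detail"])
    return sum(CHANGE_WEIGHTS[t] for t in seen), sorted(seen)


def behaviour_deviation(past_amounts, amount, known_merchants, merchant):
    """Compare the requested action with the customer's own history."""
    reasons = []
    if past_amounts and amount > 3 * median(past_amounts):
        reasons.append("amount_outlier")      # far above this customer's usual spend
    if merchant not in known_merchants:
        reasons.append("new_merchant")        # never paid this merchant before
    return reasons


def assess_payment(events, payment, past_amounts, known_merchants, threshold=5):
    """Combine preparation signals and behavioural deviation into one decision.

    Runs independently of whether the 3DS challenge was passed: a clean
    authentication by a taken-over account is exactly the case this catches.
    """
    prep, changes = preparation_score(events, payment["ts"])
    deviations = behaviour_deviation(past_amounts, payment["amount"],
                                     known_merchants, payment["merchant"])
    total = prep + 2 * len(deviations)
    decision = "hold_and_contact" if total >= threshold else "approve"
    return {"score": total, "changes": changes,
            "deviations": deviations, "decision": decision}


# Constructed sample: four small, individually unremarkable changes over four days,
# followed by an out-of-pattern payment at an unknown merchant in the small hours.
SAMPLE_LOG = [
    "2024-03-01T09:12:00|login|ip=203.0.113.7",
    "2024-03-02T18:40:00|limit_change|card_limit 2000->8000",
    "2024-03-03T08:05:00|contact_update|phone replaced",
    "2024-03-03T08:07:00|auth_app_rebind|device=android-new",
    "2024-03-04T22:30:00|new_device_login|fp=7f3a",
]
SAMPLE_PAYMENT = {"ts": datetime(2024, 3, 5, 1, 15),
                  "amount": 4800.0, "merchant": "ELECTRONICS-XYZ"}
SAMPLE_PAST_AMOUNTS = [42.0, 18.5, 120.0, 65.0, 30.0]   # constructed spend history
SAMPLE_KNOWN_MERCHANTS = {"GROCER-1", "RAIL-CO", "COFFEE-2"}


def sample_assessment():
    return assess_payment(parse_events(SAMPLE_LOG), SAMPLE_PAYMENT,
                          SAMPLE_PAST_AMOUNTS, SAMPLE_KNOWN_MERCHANTS)


if __name__ == "__main__":
    print(sample_assessment())
```

In the constructed case every single event would pass an isolated check, but the four distinct change types score 9 and the payment itself adds two behavioural deviations, so the transaction is held for customer contact even though it would authenticate cleanly. The same routine run on a normal account (no profile changes, a usual amount at a known merchant) scores 0 and approves.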