Thursday, September 11, 2025

EXCLUSIVE: “Unlocking Secure Payments in APAC” – Christopher von Mitschke-Collande and Hanspeter Jsler, G+D in ‘The Fintech Magazine’

Have one-time passwords had their day in this digitally dynamic region? Christopher von Mitschke-Collande and Hanspeter Jsler from G+D explore the era of the passkey

There’s a scamdemic in Asia Pacific. Payment fraud is up. Identity theft is rife.

You could interpret that as an unfortunate symptom of digital success. Sixty-four per cent of global online retail spending happens in APAC. It’s the world leader in wallet adoption. But for security technology provider Giesecke+Devrient (G+D), it’s a reason for everyone in the payment ecosystem to double down on protecting the integrity of digital payments and staying one step ahead of cyber criminals through education, collaboration and innovation.

The stats around regional fraud make for uncomfortable reading. According to a report released at the end of 2024 by the GSMA – an umbrella organisation for mobile services operators – more than a quarter of adults across Indonesia, Malaysia, the Philippines, Singapore and Thailand have been victims of financial crimes, such as online hacking and identity theft. In Singapore, the country where digital commerce is most prevalent, some 42 per cent of respondents said they have been a victim of financial fraud.

The report, entitled Consumer Attitudes Toward Fraud And Opportunities For Mobile Network Operators In Southeast Asia, also reveals that consumers ultimately hold banks and fintech firms responsible for safeguarding them against financial crimes, with an overwhelming number saying they would change their provider to one that offered them more security.

In fact, says Christopher von Mitschke-Collande, Director for Digital Solution Sales for APAC at G+D, preventing financial fraud is a joint effort, involving lots of players, including the consumer.

“No single entity can address these types of issues alone,” he says. “There are a variety of different stakeholders that need to collaborate – business, government, technology providers and industry networks such as EMV and the FIDO Alliance.”

For its part, G+D is working on multiple fronts and with multiple parties to tighten security without compromising the friction-free payment experience that customers expect. That’s sometimes a difficult path to tread, especially when legislative frameworks mandate that certain protocols must be followed.

“There’s a lot of variation between countries in the APAC region,” says Hanspeter Jsler, MD at G+D in Singapore, where he’s responsible for business development in South East Asia. “Take India and Singapore and compare them to Australia, for example. Legislators in the first two countries have stipulated that every single transaction must be authenticated and then checked for its authenticity.

“So, even if a transaction is five cents, it can’t go through without authentication. That’s done using a one-time password in India and using out-of-band (sending a message via a banking app) in Singapore. In Australia, however, authentication is only mandatory under certain conditions – large payment amounts, for example, require strong customer authentication (SCA), which usually involves 3-D Secure (3DS).

“Asia’s diversity demands tailored fraud prevention strategies, not a one-size-fits-all approach”

Hanspeter Jsler

“Not only is authentication mandatory in some countries, but various additional rules apply. It comes down to the risk appetite of countries and cultures. APAC’s diversity demands tailored fraud prevention strategies, not a one-size-fits-all approach.”

Banks and merchants also have to decide their own tolerance, constantly making the cost/benefit comparison between chargebacks, fees, fines and investigations, and the time and investment needed in multiple layers of authentication.

“There is no magic wand to create the perfect balance between fraud and friction,” says Jsler. “Every market participant, be it a bank, merchant or payment service provider, has its own risk appetite against which its fraud prevention measures need to be calibrated. Some markets are very liberal. They accept maybe 20-30 per cent of payments being fraudulent. Another might be five per cent.”

Artificial intelligence is becoming an increasingly important tool in this regard, says von Mitschke-Collande.

“These systems correlate various attributes – your email address or phone number, where the merchant is located, which currency you wish to pay in, your country of residence, for instance – to produce a transaction risk score. We can also use AI to monitor transactions to find patterns in real time.

“What does that mean? Say our payment is only $10 and the risk is very low, in many countries it’s not challenged by a one-time password or passkey. That’s how we reach 90 per cent frictionless payments in some markets. It doesn’t mean there’s no authentication; it means the authentication is risk-based.”

G+D has seen rising incidents of account takeover, payment fraud, friendly fraud, chargeback fraud and – the one that’s risen most sharply in APAC – identity fraud, where imposters use stolen or synthetic identities to create accounts. That’s despite many governments (Singapore, India, Malaysia and Cambodia among them) introducing digital citizens’ ID.

While there are many explanations for these increases – social and technical – some in the industry point to the growing presence of co-ordinated fraud rings in APAC that are vastly outpacing those in other regions, such as the Americas and Europe. Whoever is ultimately behind APAC’s scamdemic, the impact on business is severe.

According to LexisNexis, nearly 3.3 per cent of total annual e-commerce revenue was estimated to have been lost to payment fraud – effectively wiping out the estimated 3.4 per cent annual growth of e-commerce across the region in 2023/24. And it leaves consumers fearful and mistrustful. But the problem is, too many authentication checks in the checkout process can present a barrier to sales – 75 per cent of respondents to the 2023 LexisNexis True Cost Of Fraud In APAC study noticed a decline in conversion rates after they’d introduced them.

So, what’s the most effective anti-fraud tool in the tool kit?

It’s not one, but several, says von Mitschke-Collande: “It’s not a one-off task, it’s an ongoing process, and it’s a multilayered approach.”

In this dynamic environment, even widely adopted fraud prevention tools reach their sell-by date quickly as cybercriminals edge ahead in the technology arms race. Take the widely adopted one-time password (OTP), sent via SMS or email, which first appeared in the 2010s. Many banks still rely on this as an authentication method, but – like passwords themselves – it’s vulnerable.

“We’re already seeing the OTP being phased out,” says von Mitschke-Collande. “It’s not ideal for a variety of reasons. Mainly because SMS wasn’t a channel designed to send secure information. It can be intercepted and compromised – consumers can be tricked into reading out an SMS to a fraudster, for instance. And the user experience isn’t great, either, swivelling between apps to enter it.”

The future of authentication

The Monetary Authority of Singapore (MAS) sounded the death knell for OTPs in financial services there in 2024. It worked with major banks to quickly phase them out in favour of digital tokens or passkeys (although it hasn’t said definitively which a bank should be using).

“In some countries that have stepped away from OTPs, customers instead receive a message in their banking app [where they can approve or decline the transaction], which is already common in Europe,” says Jsler. “But ‘out of band’, as we call it, is still seen as introducing friction for the consumer by some market participants, particularly in South East Asia. Just giving a fingerprint or using your face for ID instead to confirm a transaction would be super secure but super easy.”

Both Jsler and von Mitschke-Collande see these biometric passkeys, based on standards set by the FIDO Alliance – an open industry association that promotes phishing-resistant sign-ins with passkeys – as being the future of authentication in APAC and elsewhere.

“The technology is based on public key cryptography and is designed to allow a consumer to sign in more securely without the traditional passwords,” explains von Mitschke-Collande. “Google is a big player in this field. When you’re asked to set up a passkey by Google, what’s happening in the back end is a public/private key pairing in conjunction with the device you’re using at the time.

“When you next authenticate yourself, the website or the app will send you a challenge and you will most likely use the device biometrics to unlock the private key on that device to create a response. It ensures that only the registered device can authenticate you.

“We’re already seeing the OTP being phased out, mainly because SMS wasn’t designed to send secure information”

Christopher von Mitschke-Collande

“What you’re doing is basically a two-factor authentication because two elements come into play here. You are using something that you own, in this case your device, and something that you are, your biometrics. So that satisfies those regulatory environments that require 2FA and it’s something clients are approaching us for.”
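The challenge-response flow described above can be sketched in a few lines of Node.js. This is an added illustration, not code from G+D, Google or the FIDO Alliance, and it is a simplified model rather than the real WebAuthn message format; the function names, the `userVerified` flag and the `bank.example` origins are assumptions made for the example.

```javascript
// Added illustration: simplified passkey-style challenge-response.
// Not the WebAuthn wire format; every name here is hypothetical.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// "Device": the private key never leaves it. On a real authenticator a
// biometric or PIN check gates its use; `userVerified` stands in for that.
function createAuthenticator() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return {
    publicKey, // handed to the website once, at registration
    respond(challenge, origin, userVerified) {
      if (!userVerified) throw new Error('user verification failed');
      // The origin the device actually sees is signed together with the
      // challenge, so a response made on a look-alike site fails later.
      const clientData = JSON.stringify({ challenge, origin });
      return { clientData, signature: sign('sha256', Buffer.from(clientData), privateKey) };
    },
  };
}

// "Website": stores only the public key and issues single-use challenges.
function createRelyingParty(expectedOrigin) {
  const pending = new Set();
  let registeredKey = null;
  return {
    register(publicKey) { registeredKey = publicKey; },
    newChallenge() {
      const challenge = randomBytes(32).toString('hex');
      pending.add(challenge);
      return challenge;
    },
    verifyResponse({ clientData, signature }) {
      const { challenge, origin } = JSON.parse(clientData);
      if (!pending.delete(challenge)) return false; // unknown or already used
      if (origin !== expectedOrigin) return false;  // signed for another site
      return verify('sha256', Buffer.from(clientData), registeredKey, signature);
    },
  };
}

// Constructed scenario: one genuine sign-in, a replay, and a look-alike origin.
function demo() {
  const device = createAuthenticator();
  const bank = createRelyingParty('https://bank.example');
  bank.register(device.publicKey);
  const ok = device.respond(bank.newChallenge(), 'https://bank.example', true);
  const phished = device.respond(bank.newChallenge(), 'https://bank-login.example', true);
  return { genuine: bank.verifyResponse(ok), replayed: bank.verifyResponse(ok),
           phished: bank.verifyResponse(phished) };
}
```

Unlike an SMS OTP, nothing the user can read out or retype is ever produced: the website holds only a public key, and a captured response is useless once its challenge has been consumed.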

Jsler describes passwordless authentication as being ‘sea level’ for the industry, above which is the safety zone.

“Gone are the days of using passwords that you keep under the keyboard, or you’ve reused for any number of services,” he says. “We’re seeing domestic card networks, be it eftpos in Australia or NETS in Singapore, NAPAS in Vietnam or ITMX in Thailand becoming more and more innovative in this area. And by increasing security, they are enabling financial inclusion at the same time.”

G+D remains an agnostic player, responding to the needs of the industry and adapting to ever-changing regulatory environments in multiple jurisdictions. Its pragmatic approach to bridging the distance between usability and safety is demonstrated in one of its latest releases, due this summer.

“Still 40 per cent of cardholders do not like the idea of storing their card details with a merchant,” says Jsler. “It’s a surprisingly high number. But, for them, the guest checkout process comes with the disadvantage that they have to enter the card details every time.

“Our first version of a solution to tackle this used an OTP that allowed you to see all your cards [on your device] with the details masked out, so you could easily choose the card to pay without having to go through the entire process. This year, we will launch a programme using passkeys, which means you can have a click-to-pay or guest checkout just by using your face to bring up all the cards at your disposal. There’s no friction and you don’t enter any card details with the merchant.

“As digital commerce evolves across APAC, staying ahead of fraud will demand more than just technology. It will require a collective commitment to education, cross-sector collaboration, and innovation. G+D’s work here reflects that: combining global expertise with local insights to build a safer, more inclusive and seamless payment experience for all.”


 

This article was published in The Fintech Magazine Issue 34, Page 6-8
