Intentional and unintentional fraud in EV charging: why it happens and how you can protect yourself as an MSP
Fraud prevention is increasingly becoming a core issue in the EV ecosystem.
As the global transition to electric vehicles (EVs) accelerates, payment for electricity at EV charging infrastructure has become a critical component of the automotive ecosystem. With this growth, however, comes rising interest from fraudulent parties, which can undermine your customers’ trust in the system and result in significant financial losses.
This article explores the various types of fraud that can occur in EV charging and addresses a selection of measures Deftpower has taken for fraud prevention. By leveraging advanced technologies such as machine learning and real-time monitoring, our EV charging SaaS platform can detect, prevent, and mitigate fraudulent activities.
1. Types of fraud
Charging with no intention to pay
Bad actors register a charging account at your MSP without an address identification and attach a credit card that has very limited credit; just enough to pass the validity check. The scammer sells other EV drivers access to his account, who can then charge using the start charging button in the app. At the end of the month, or even immediately after the session, the MSP tries to collect its funds but fails. The account is then blocked, but by this time the scammer has created a new account with a new limited credit card and repeats the process.
New digital banks provide customers with virtual credit cards, a service that has now been used heavily by scammers in EV charging. When combined with a monthly postpaid settlement cycle - a common practice in the EV charging industry - fraud with MSPs is easy and its financial impact substantial.
Stealing or duplicating physical charging cards
A second common practice used by scammers is stealing or duplicating RFID charging cards. As was extensively reported in the press in December 2019, the widely used RFID charging cards are not encrypted and can be copied by bad actors. This situation has not improved since, and today 80-90% of charging transactions are still done using a charging card.
The RFID card authentication is done based on a ‘hidden’ serial number imprinted on the chip within the card. The card is then read and validated by the RFID-reader at the charging point. That serial number can be copied by holding an RFID reader (your smartphone can be an RFID reader) close to any card you can lay hands on. An even greater cause for concern is that there are still MSPs who print this ‘hidden’ number (usually starting with ‘04’) on the card itself, meaning any picture of the card will suffice to steal this number and start charging on the owner’s account.
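Both patterns above can put one charging token in use at several chargers at the same time. The following added example (not Deftpower's code) sweeps over session start and stop events to compute the peak number of simultaneous sessions per token; the session records, identifiers and the `max_parallel` limit are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sessions: (token UID, charge point, start, end).
# end=None means the session is still running. All values are made up.
SESSIONS = [
    ("04A1B2C3D4E5F6", "CP-AMS-01", "2024-05-01T08:00", "2024-05-01T09:30"),
    ("04A1B2C3D4E5F6", "CP-RTM-07", "2024-05-01T08:45", "2024-05-01T10:00"),
    ("04A1B2C3D4E5F6", "CP-UTR-03", "2024-05-01T09:00", None),
    ("04FFEE11223344", "CP-AMS-01", "2024-05-01T10:00", "2024-05-01T11:00"),
    ("04FFEE11223344", "CP-AMS-02", "2024-05-01T11:00", "2024-05-01T12:00"),
]

def peak_concurrency(sessions, now):
    """Return {token: (peak simultaneous sessions, charge points at that peak)}."""
    events = defaultdict(list)
    for token, cp, start, end in sessions:
        begin = datetime.fromisoformat(start)
        finish = datetime.fromisoformat(end) if end else now
        if finish <= begin:  # skip zero-length or inconsistent records
            continue
        events[token].append((begin, 1, cp))
        events[token].append((finish, -1, cp))
    result = {}
    for token, evs in events.items():
        # At equal timestamps, process stops (-1) before starts (+1) so
        # back-to-back sessions do not count as overlapping.
        evs.sort(key=lambda ev: (ev[0], ev[1]))
        active, peak, peak_cps = [], 0, set()
        for _, delta, cp in evs:
            if delta == 1:
                active.append(cp)
            else:
                active.remove(cp)
            if len(active) > peak:
                peak, peak_cps = len(active), set(active)
        result[token] = (peak, peak_cps)
    return result

def flag_tokens(sessions, now, max_parallel=1):
    """Tokens whose peak concurrency exceeds the allowed parallel sessions."""
    peaks = peak_concurrency(sessions, now)
    return sorted(t for t, (peak, _) in peaks.items() if peak > max_parallel)

if __name__ == "__main__":
    print(flag_tokens(SESSIONS, datetime(2024, 5, 1, 9, 15)))
```

A household with two vehicles on one account would also exceed a limit of 1, so a hit is a reason to review the account, not proof of fraud.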
2. Framework to assess your risk of fraud as an MSP
As the previous chapter already illustrates, the risk of fraud in EV charging is influenced by the types of payment methods accepted by the MSP, the chosen billing cycle and the authentication methods chosen by said MSP. Below, we outline the most common options for each, along with a brief summary of their respective benefits and limitations.
Charging with no intention to pay
Unsecured payment methods
Unsecured payment methods include payment on invoice – the manual bank transfer to the merchant account by the customer based on an invoice – and unverified SEPA direct debit authorisations. Both payment methods have no mechanism built in to verify the creditworthiness of the customer or the validity of the information they provide. While common in B2B relationships, where generally the counterparty is known, such payment methods are highly fraud-sensitive in a direct-to-consumer context, where the customer is unknown.
Very easy user acquisition because there are no barriers to entry.
Lack of verification means limited recourse in case of failed payments, when the counterparty is not known through an external process.
e-Mandate without pre-authorisation
The most common payment methods are those based on e-mandates stored with a Payment Service Provider (PSP, e.g. JP Morgan, Adyen, Stripe). These can include a credit/debit card, SEPA direct debit mandate, or a host of locally used digital payment methods. Generally, the PSP verifies the validity of the payment method by triggering a small (0,01 €) payment upon registration. However, a recent rise in digital credit/debit cards has started to undermine the reliability of this verification process, because people have access to many credit cards.
Smooth user onboarding, common practice with reasonable barrier to entry.
PSP fees vary depending on the exact method chosen and can be significant. No longer as secure as presumed.
e-Mandate with pre-payment or reservation
As a response to the rising level of fraud, some MSPs have started to put reservations on customers’ payment methods when they start a charging session, i.e. the MSP has the PSP reserve 40 € before the charging session starts.
Pre-loading an account with credit before being allowed to charge is another variation of this strategy. This method eliminates much of the credit risk, as the MSP is provided a high degree of certainty that the cost of the charging session will be paid. However, EV drivers resent the relatively large amounts (e.g. 40 €) being reserved on their cards. While an intelligent implementation of this feature can mitigate this frustration to an extent, it remains a barrier to usage for drivers.
Easy user onboarding, low credit risk for MSP.
Higher barrier to entry, prone to a negative user experience (reservation not refunded on time, multiple reservations placed in error, etc.) and incurs higher PSP fees.
Choice of authentication method
Physical RFID card
The ubiquitous RFID charging card is still the most widely used authentication method for EV charging. Arguably offering the easiest and most reliable user experience (swipe to start), these cards can be found everywhere. Almost all chargers support them, and they are cheap to produce. Unfortunately, the most widely adopted chip protocol (MIFARE Classic) is not encrypted, making them prone to fraud.
Virtual charging token
A virtual charging token is what is communicated to the Charge Point Operator (CPO) by the MSP when you swipe or press the ‘start charging’ button in your charging app. While very convenient, as it can be instantly provided upon registration in a charging app (it comes in handy when you are a new driver stuck at a charger with no card), if not properly monitored the low barrier to entry also creates an opening for fraud as outlined in chapter 1.
Plug & Charge
Plug & Charge is based on a standard called ISO 15118. A series of certificates provided by a Public Key Infrastructure Provider ensures that the vehicle itself becomes the authentication method. This certificate cannot easily be copied or falsified, making this the most secure form of authentication. It is also the ultimate user experience for charging and is both more reliable and less expensive to adopt and maintain for CPOs compared to credit card terminals. Unfortunately, the standard requires three-way compatibility between the CPO, the vehicle and the MSP, which has hindered its rollout severely to date.
Choice of billing cycle
Monthly billing cycle
The upside of monthly billing cycles is the lower PSP transaction fees charged to the MSP. However, it might also lead to delayed detection of fraud, as the lack of funds behind the registered payment method will likely only be detected at the first collection attempt at the end of the month.
Session based billing cycle
Instant payment on session-basis offers a far lower credit risk (the value of a single session) but a higher number of transactions means higher PSP fees for the MSP, which can lead to higher pricing for the EV driver.
3. What measures can MSPs and their SaaS platforms take?
Fraud management is and always will be a cat and mouse game, which calls for a mixture of foresight and pragmatic responses.
We, in close collaboration with our clients, have built dozens of algorithms that flag suspicious user behaviour and charging sessions. Where there is a high likelihood of fraud, users are blocked from further charging early on – even stopping their ongoing session(s) cold - preventing losses for our MSP clients.
Solutions to prevent fraud should go further than forcing users to pre-pay into wallets (bad UX) or reserving a fixed amount on the user’s payment method at the start of the transaction (expensive and error-prone). That is why we work with 2-Factor Authentication and real-time charging sessions to weed out fraud the second it occurs. In addition to our standard fraud-detection protocols, our MSP clients can choose to implement additional measures (such as pre-payments into wallets and reserving funds), according to their specific use case and comfort level.
We monitor all transactions in real-time, and thanks to the high volume of transactions on our platform, we have the required amount of data for machine learning, which in turn makes detection even quicker.
Lastly, one type of fraud not mentioned so far, as it is not intentional fraud, is the sheer amount of incorrect CDRs and invoices sent by CPOs to MSPs. A classic example is invoices that do not include CDRs, which prevents you from invoicing the EV driver, or charging sessions with an impossible consumption of, for example, 800 kWh for a VW ID.3. When left unmonitored these errors can occur in as many as 8% of all invoices.
To mitigate the unintentional billing and payment fraud by CPOs, our system identifies and corrects 99% of their erroneous or failing charge detail records, meaning our clients and EV drivers are protected from wrong invoices and frustrating customer support experiences. Our CPO-Settlement Service monitors and flags CDRs with dozens of checks and algorithms. This includes flagging charging sessions with a wrong price component from the CPO or rejecting invoices for charging sessions that are not supported by a CDR.
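The three CDR problems named above (invoice lines without a CDR, impossible consumption, wrong price component) can be checked mechanically. This is an added example, not Deftpower's CPO-Settlement Service; the field names, the tariff, the 350 kW charger bound, the 77 kWh battery size and the loss margin are constructed assumptions.

```python
# Constructed data; field names are hypothetical, not a CPO's or Deftpower's schema.
MAX_CHARGER_KW = 350.0  # assumption: no charger in the network delivers more
LOSS_MARGIN = 1.2       # assumption: allow 20% above battery size for losses

CDRS = {
    "cdr-1": {"kwh": 42.0, "hours": 1.5, "cost": 18.90},
    "cdr-2": {"kwh": 800.0, "hours": 2.0, "cost": 360.00},  # impossible energy
    "cdr-3": {"kwh": 20.0, "hours": 1.0, "cost": 15.00},    # wrong price
}
INVOICE_LINES = [
    {"cdr_id": "cdr-1", "amount": 18.90},
    {"cdr_id": "cdr-2", "amount": 360.00},
    {"cdr_id": "cdr-3", "amount": 15.00},
    {"cdr_id": "cdr-9", "amount": 12.00},  # invoiced without a CDR
]
AGREED_TARIFF = {"per_kwh": 0.45, "per_session": 0.0}

def check_cdr(cdr, tariff, battery_kwh=None):
    """Return a list of findings for one CDR (empty list means plausible)."""
    findings = []
    if cdr["hours"] <= 0 or cdr["kwh"] < 0:
        findings.append("invalid_duration_or_energy")
    elif cdr["kwh"] > MAX_CHARGER_KW * cdr["hours"]:
        # More energy than the charger could deliver in the session time.
        findings.append("energy_exceeds_charger_power")
    if battery_kwh is not None and cdr["kwh"] > battery_kwh * LOSS_MARGIN:
        findings.append("energy_exceeds_battery")
    expected = cdr["kwh"] * tariff["per_kwh"] + tariff["per_session"]
    if abs(expected - cdr["cost"]) > 0.01:
        findings.append("price_mismatch")
    return findings

def check_invoice(lines, cdrs, tariff, battery_kwh=None):
    """Return {cdr_id: findings} for every invoice line that should be held."""
    report = {}
    for line in lines:
        cdr = cdrs.get(line["cdr_id"])
        if cdr is None:
            report[line["cdr_id"]] = ["no_cdr"]  # reject: nothing supports it
            continue
        findings = check_cdr(cdr, tariff, battery_kwh)
        if abs(cdr["cost"] - line["amount"]) > 0.01:
            findings.append("invoice_amount_differs_from_cdr")
        if findings:
            report[line["cdr_id"]] = findings
    return report

if __name__ == "__main__":
    print(check_invoice(INVOICE_LINES, CDRS, AGREED_TARIFF, battery_kwh=77.0))
```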
Conclusion
Deftpower set out to provide you the tools to prevent and mitigate fraud while simultaneously allowing you to weigh the different options. This way, you will be able to strike a balance between security and user experience that is within your comfort zone. Nonetheless, underlying this freedom is a robust set of measures we take to prevent fraud from happening at all, or detect it as soon as possible.
For you, as a potential Mobility Service Provider, it is important to have a feature-rich charging platform that helps you win the hearts and minds of the EV drivers. More importantly, your platform should be designed as a fail-safe, to ensure that you are not hemorrhaging revenue in uncontrollable ways.
Therefore we strongly encourage all MSPs to set strict requirements for fraud prevention when selecting a platform. Fraudulent actors always look for the low-hanging fruit and anti-fraud is a game of making yourself the least attractive target. That involves technical measures but also the basic setup of the MSP as discussed in chapter 2.
If you wish to learn more about how we deal with fraud, please do not hesitate to contact us!