PSD2 (the revised Payment Services Directive) is going into effect across Europe, and its requirements for strong customer authentication (SCA) have proven difficult for some merchants and issuers to implement effectively, due to high costs, long implementation cycles and other factors. This has contributed to high cart abandonment rates in European ecommerce. In addition, some of the methods used to satisfy SCA remain vulnerable to fraud.
Lost revenue and fraud exposure make it imperative for merchants to build the right kind of strong customer authentication and fraud prevention into their online checkout process, ideally with a low-lift integration.
PSD2 Requirements for Strong Customer Authentication
The requirements for strong customer authentication under PSD2 fall into two categories. The first, covered by Articles 6, 7 and 8 of the regulatory technical standards (RTS) on SCA, defines the three categories of authentication element (knowledge, possession and inherence) and requires multi-factor authentication (MFA) using at least two of the three:
Something known (knowledge) - a PIN or a password
Something owned (possession) - a mobile phone, laptop or security key
Something you are (inherence) - a biometric such as a fingerprint or face recognition
The second, Article 9, requires that the elements be independent: the breach of one element must not compromise the reliability of the others. Where the elements are used on a multi-purpose device such as a smartphone, Article 9.3.a requires separated secure execution environments on the device. In practice this means that a device holding both the possession element and the biometric must keep them isolated, so that compromising one (for example, malware reading SMS messages) does not also expose the other.
Vulnerabilities of Strong Customer Authentication
The principles behind PSD2’s strong customer authentication regulations are sound and designed for fraud prevention. However, not all implementation methods are created equal. When it comes to fraud prevention, some methods of MFA are stronger than others.
Fraudsters today combine technical tricks with social engineering to get around the MFA that sits at the heart of strong customer authentication. Issuers, third parties and online retailers alike need to pay particular attention to the weak points in certain SCA methods that fraudsters exploit, so they can put more effective fraud prevention measures in place.
The three primary means by which fraudsters seek to bypass strong customer authentication are as follows:
Social Engineering: Social engineering attacks trick the user into handing over secrets, most commonly through phishing. The fraudster sends emails or SMS messages that lead the user to a look-alike site or form, where the user unknowingly surrenders personal information such as a password, a PIN or an SMS one-time password.
In a man in the middle (MITM) attack, the fraudster positions themselves between the user and the genuine site or service, for example with a phishing page that proxies the real login in real time. From the "middle" the attacker relays traffic in both directions while impersonating each party to the other, which lets them capture a password and a one-time code as they are typed, replay them to the real service before the code expires, and send false or misleading information back to the user. An SMS or app-generated code offers no protection here: it is just another secret the user can be tricked into typing into the wrong site.
SIM Swapping: A SIM swap scam begins with the fraudster impersonating the phone's owner to the mobile carrier and convincing it to move the phone number to a SIM card the fraudster controls. Once the number has been transferred, every one-time password (OTP) sent via SMS to that number is delivered to the fraudster, who uses it to complete checkouts or account takeovers that rely on SMS as the possession factor.
Malicious Accessibility: Here the attacker exploits a vulnerability in software or firmware, either a known one that has not yet been patched, or an unknown one, called a zero-day, that the vendor has not discovered and for which no fix exists.
The fraudster builds malware around the exploit, for example to read incoming SMS codes or capture what the user types, and uses it against the device or app. Because the website or app is unaware of the vulnerability, no countermeasure is in place and the attack is highly likely to succeed until the flaw is found and patched.
Strong Fraud Prevention Measures
In the case of social engineering and SIM swap attacks, the targeted factors are something known (a password or PIN) and the SMS one-time password that many deployments use as the something owned factor. Passwords and PINs are the authentication factor fraudsters target most often and the weakest link in any fraud prevention measure, and SMS OTPs add little on top of them because they can be phished or intercepted just like a password.
When implementing strong customer authentication, a website or app can bypass the weakness of passwords and remove the attack surface of social engineering and SIM swap attacks by using only the something owned and something you are factors, with no password or SMS code for the user to reveal or for a fraudster to intercept. A device-bound cryptographic key (something owned) unlocked by a biometric (something you are) is far stronger than any real-time fraud prevention process built around a password.
Online merchants who want to both meet PSD2 standards for strong customer authentication and institute effective real-time fraud prevention can integrate LoginID's FIDO2 passwordless authentication platform into their website or app with just a few lines of code. LoginID's solution uses the public-key cryptography of the FIDO2 protocol: a key pair is generated on the end user's device at registration, the private key never leaves the device and is unlocked only after the user's biometric (something you are) is verified locally, and the device proves possession (something owned) by signing a fresh challenge from the server. The biometric itself is never transmitted to the merchant, and because a FIDO2 credential is bound to the website origin it was registered on, a look-alike phishing site cannot obtain a usable signature from it.
Additionally, LoginID offers a FIDO2-certified transaction confirmation with digital signature tool, which adds a further layer of fraud prevention to the checkout process. At the time of checkout the customer is prompted to confirm the specific transaction, the authenticator signs the transaction details using the FIDO2 protocol, and a digitally signed receipt is created. Because the signature is tied to the customer's enrolled device and to the exact details confirmed, it can help merchants challenge fraudulent chargeback claims: it is difficult for a cardholder to argue that it was not them making the purchase when their own registered authenticator signed it.
LoginID offers several easy-to-integrate SDKs and APIs that can help with strong customer authentication.