October 25, 2021
The upside is we may ultimately be seeing the final days of credit card fraud. The downside, however, is that online grifters and cyber thieves have upgraded from pilfering plastic to something even more significant: identity theft.
The shift comes as stronger authentication methods and standards, spurred by new privacy laws, reduce the reliance on cookies (the browser kind) and passwords, which should ultimately lower cart abandonment as well.
However that bit of upside comes with a warning.
The fraudsters are shifting upstream, going after digital identities, passwords, and dribs and drabs of customer info with which they attempt to trick merchants and con financial institutions (FIs).
“Breaking the cookie pattern” comes as the EU’s PSD2 regulation requires payment providers, and the merchants they serve, to meet higher standards of accountability for online transactions, including strong customer authentication.
The FIDO/FIDO2 (Fast Identity Online) standards, developed by the FIDO Alliance, replace shared secrets with public-key cryptography: the consumer’s device proves possession of a private key that never leaves it, and that key is unlocked locally by a biometric or PIN. Behavioral analytics and AI-driven risk scoring are complementary layers that deployments add on top; the authentication itself rests on the signature, which is what lets a merchant establish that the person making a purchase on a device is its enrolled owner.
The importance of stronger authentication standards is underlined by the fact that losses attributed to account takeover (ATO) fraud, at $6 billion in 2020, were higher than card-related fraud at $5 billion. The evidence that fraud is shifting “upstream” indicates that chip-and-PIN and 3DS efforts are paying dividends.
Additional research shows that credit card numbers have declined as the credential online grifters most want to steal, while thefts of email addresses and passwords have spiked.
Simultaneously, new privacy regulations are being implemented, and tech titans like Apple have started to require explicit, discrete authorization alongside risk-based authentication: the user must actively express consent before their identity is asserted or a payment is authorized.
An alternative to cookies and passwords is necessary, and FIDO/FIDO2, with its explicit consent model and what is called a user presence test, fits that need.
For example, the user must scan a fingerprint or press a button on the device before the authenticator will sign anything. FIDO/FIDO2 is not yet supported on every device, and that is where risk-based authentication steps in.
The two approaches complement each other.
Shifting Towards Authentication Standards
A multi-layered approach is, and will remain, necessary in a fragmented regulatory environment. Even though PSD2 is in effect in Europe and its requirements are being adopted in the U.K., one should not expect an all-encompassing regulatory measure in the U.S.
It is unclear whether the U.S. will issue an open banking standard, but many lessons can be drawn from the PSD2 guidelines, particularly on how merchants authenticate their customers.
Europe is where many solutions and technologies are being tested in search of the right balance between friction and user experience. A frictionless user experience (UX) is the objective, but it is quite difficult to achieve without giving up security.
Visa has embraced 3-D Secure (3DS), which lets merchants and issuers exchange data and apply strong multifactor authentication and identity verification. The immediate result is more secure payments, but the same rails can extend to other functions in the fight against data breaches.
Visa is pursuing a standards-based approach to not just payment authentication but user authentication as well, to help remove passwords from the ecosystem.
The standard the industry is gravitating toward is FIDO/FIDO2, which removes entire classes of fraud from the system: because credentials are bound to the site that registered them, phished and replayed passwords stop working. Delegated authentication lets an issuer entrust the authentication step to a payment service provider or merchant, combining FIDO/FIDO2 with the 3DS network, which ultimately adds value to the consumer checkout process.
With delegated authentication, Visa is trying to bring strong customer authentication solutions that its merchant community can adopt right now together with newer functions still being piloted that apply equally to issuers and FinTechs.
One such FIDO/FIDO2 function is transaction confirmation: the purchaser approves each individual transaction with a biometric action, and the device signs the transaction details with a private key that never leaves it. Because the signature is bound to the specific amount and payee, a fraudster who holds stolen card data or a password, but not the enrolled device, cannot produce a valid confirmation, and a merchant can effectively shut out that class of unauthorized purchases.
LoginID offers such a tool: transaction confirmation with a digital signature, exposed through an API that is straightforward to integrate.
Merchants who use this tool may also see liability for fraudulent transactions shift away from themselves, as the merchant of record, to the card issuer, leaving them off the hook for an expense they would otherwise bear.
The same digital-signature concept applies to crypto exchanges and digital wallets as well. Investors have experienced a massive influx of fraud in the crypto space due to its relative anonymity and lack of regulation.
Crypto exchanges and digital wallets that adopt LoginID’s Digital Signature API for crypto transactions could require that every transfer of Bitcoin, Ethereum, or Algo be approved by a biometric action. The transfer request is signed on the user’s device and verified by the exchange before the on-chain transaction is created, a layer distinct from the blockchain’s own signature, so a stolen exchange password alone cannot move funds.
On the biometrics side, FIDO/FIDO2 is a decentralised model that doubles as a privacy safeguard: the biometric template is stored in the secure enclave (or equivalent secure hardware) of the device and never leaves it or is shared with third parties. (The alternative, non-FIDO approach matches biometrics against templates stored in the cloud, which creates a central store that can be breached.)
When FIDO/FIDO2 is used with a biometric, the match happens locally and merely unlocks a private key held in the device’s secure hardware; that key then produces the digital signature the server verifies against the public key registered at enrolment. Neither the fingerprint template nor the private key ever leaves the device; the server stores only the public key, which is of no use to an attacker who steals it.
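To make the transaction confirmation, crypto transfer, and key-storage points above concrete, here is an added example (not LoginID’s, Visa’s, or the FIDO Alliance’s code) that models the FIDO2/WebAuthn flow end to end: a simulated authenticator holds an ECDSA P-256 private key that never leaves it, the relying party (merchant or exchange) derives the challenge from the transaction details, and verification checks origin, challenge binding, rpIdHash, user-presence and user-verification flags, the signature counter, and finally the ES256 signature. The relying party ID `shop.example`, the origin, the transaction fields and the nonce are constructed sample values; the struct layouts are simplified models of WebAuthn’s CollectedClientData and authenticatorData, not a full implementation of the spec.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction: the details the user confirms (constructed sample); the challenge is derived from them.
type Transaction struct{ Payee, Amount, Currency, Nonce string } // Nonce is fresh per request

func Challenge(tx Transaction) []byte {
	b, _ := json.Marshal(tx)
	h := sha256.Sum256(b)
	return h[:]
}

// clientData models CollectedClientData (field names stand in for WebAuthn's lowercase JSON keys).
type clientData struct{ Type, Challenge, Origin string }

// Assertion is the authenticator's reply; Signature is ES256 over authData || SHA-256(clientDataJSON).
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

const flagUP, flagUV byte = 0x01, 0x04 // user present (touch), user verified (biometric/PIN)

func signedHash(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Authenticator stands in for the device's secure enclave: the private key is created at
// registration and never leaves it; only the public key is handed to the relying party.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}

// Sign models the user approving the challenge; flags says whether they only touched the
// device (flagUP) or also passed a biometric/PIN check (flagUP|flagUV).
func (a *Authenticator) Sign(rpID, origin string, challenge []byte, flags byte) (Assertion, error) {
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], flags, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	cdJSON, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedHash(authData, cdJSON))
	return Assertion{authData, cdJSON, sig}, err
}

// RelyingParty is what the merchant/PSP stored at registration: public key and last counter seen.
type RelyingParty struct {
	RPID, Origin string
	PubKey       *ecdsa.PublicKey
	Counter      uint32
}

// Verify checks type/origin, challenge binding to tx, rpIdHash, UP and UV flags, a strictly
// increasing counter (replay and clone detection) and, last, the signature itself.
func (rp *RelyingParty) Verify(tx Transaction, as Assertion) error {
	var cd clientData
	rpHash := sha256.Sum256([]byte(rp.RPID))
	switch {
	case json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Origin != rp.Origin:
		return errors.New("client data malformed, or type/origin mismatch")
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(Challenge(tx)):
		return errors.New("challenge does not match the transaction details")
	case len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]):
		return errors.New("rpIdHash mismatch")
	case as.AuthData[32]&(flagUP|flagUV) != flagUP|flagUV:
		return errors.New("confirmation requires user presence and user verification")
	case binary.BigEndian.Uint32(as.AuthData[33:37]) <= rp.Counter:
		return errors.New("signature counter did not increase: replay or cloned authenticator")
	case !ecdsa.VerifyASN1(rp.PubKey, signedHash(as.AuthData, as.ClientDataJSON), as.Signature):
		return errors.New("invalid signature")
	}
	rp.Counter = binary.BigEndian.Uint32(as.AuthData[33:37])
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	rp := &RelyingParty{RPID: "shop.example", Origin: "https://shop.example", PubKey: &auth.priv.PublicKey}
	tx := Transaction{"Example Merchant", "149.00", "EUR", "n-0001"}
	as, _ := auth.Sign(rp.RPID, rp.Origin, Challenge(tx), flagUP|flagUV)
	fmt.Println("genuine confirmation:", rp.Verify(tx, as))
	tx.Amount = "1490.00" // an attacker alters the amount after the user signed
	fmt.Println("tampered transaction:", rp.Verify(tx, as))
}
```

The order of checks matters: the cheap structural checks and the challenge binding run before the signature is verified, the counter must strictly increase so a captured assertion cannot be replayed and a cloned authenticator is detected, and a bare user-presence touch is rejected because transaction confirmation needs the biometric or PIN (UV) as well. The same verifier serves a card checkout and a crypto withdrawal; only the fields inside Transaction change.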
In the near future, FIDO/FIDO2 and strong customer authentication (SCA) should be enough to deter fraudsters at the checkout and push them toward other avenues and other weak points.
For organizations that need a higher bar, whether by choice or by regulation, LoginID and its partner AuthID offer an online identity verification and eKYC tool. It supports straightforward digital onboarding and can authenticate more than 9,000 document types from countries around the world.
The fight will be a constant back and forth, as it always has been: a game of cat and mouse.
Adapted from an article by PYMNTS