When consumers and businesses make payments online, they typically focus on making sure recipients receive their payments on time, so they don’t incur late fees. Fraud is likely not on their minds.
However, fraud is one constant in our payments ecosystem. Criminals are relentlessly looking for ways to take advantage of people and systems for their own benefit. Authentication practices, tools and processes are designed to prevent unauthorized users from gaining access to our accounts or devices. These approaches focus on verifying the identity of the person or entity who has the right to access the system.
Authentication approaches vary based on many factors, including risk tolerance, transaction types and impact on the customer experience. As a result, authentication is inconsistent across organizations, industries and geographies. In the case of all evolving technologies, newer authentication methods are being deployed that will provide even stronger authentication. Unfortunately, criminals also have access to these more sophisticated tools, and are continually looking for ways to gain access to our accounts. So, what do we do? How can we mitigate authentication fraud?
Mitigating Fraud at Login
Pros & Cons of Passwords
Today, some authentication methods still rely on static login information, such as usernames, passwords, PIN numbers and authentication questions that often are vulnerable to theft. These login credentials and personal information may be stolen by malware deployed to computer and mobile devices. Additionally, this information can be harvested or phished through fraudulent emails and other scams, found openly on social media sites, or gathered through data breaches and then sold on the dark web. If these types of authentication are so vulnerable to fraud, why are we still using them? The answer is quite simple – they are considered the most convenient for users and may create the least friction in the process.
According to a recent study (Off-site), the average person has more than 100 passwords. The difficulty of remembering them all may lead to password re-use or risky password management. To strengthen authentication, systems that rely solely on username/password to verify a user can implement rules on the number and type of characters used, limit the ability to use previous passwords and require regular password updates. This makes it harder for criminals to predict passwords and limits the timeframe in which they can be used. Adding an additional layer of authentication security to the login process can help mitigate the threats when one’s login credentials have been compromised.
Adding a Layer of Authentication with MFA
Multi-factor authentication (MFA) means that at least two authentication methods are required (something you know, something you have and something you are). MFA methods are more secure, which provides a higher confidence level about user access and that payments are legitimate. The risk of an account takeover can be significantly reduced by requiring more than one factor, such as a one-time passcode or the use of a physical biometric (fingerprint, retina scan or facial recognition) at login.
Currently, many systems use a one-time password (OTP) that is sent via short message service (SMS) text or by email as an additional authentication factor. However, these authentication methods are vulnerable if a fraudster has access to the receiving device, or when a user inadvertently provides the passcode to them. The victim may respond to a criminal’s phone call or text message or enter credentials in a website or pop-up that is ultimately determined to be fraudulent.
The financial services industry has moved to stronger authentication at login, at entry to a payment application, and to authorize or release a payment. Many financial applications now require additional authentication to move money, such as one-time passcodes delivered through phone, email or text message. This is becoming a more accepted practice and consumers may not even notice this extra step.
Using Password Managers
Although passwords are a primary point of compromise, some users leverage password managers to maintain multiple usernames and passwords. This may reduce the risk of fraud for users who struggle to remember their login credentials across multiple sites. They now can have different passwords across sites and don’t need to write them down or re-use them. However, malware or phishing increases the risk of unauthorized access to a password manager. Elimination of usernames and passwords can reduce phishing and social engineering attempts that target credentials. This includes scams designed to deceive users to share credentials by posing as legitimate organizations.
Passkeys and Push Notifications to Improve Authentication
The use of physical biometrics as part of multi-factor authentication also has become more common since many consumers unlock their mobile devices with their fingerprints or facial recognition. Passkeys use encryption keys (a private key on a user’s device and a public key on a website or mobile application) that are paired to unlock user access. The benefit of passkeys is that they don’t include knowledge factors that can be compromised, thus making them resistant to phishing. The process depends on users authenticating on their devices, often by using a biometric.
Push notifications for authentication can be used to secure access to websites that still use usernames or passwords as the first authentication factor. A user registers the device, smartphone, watch or tablet, and then downloads a secure authentication application that will push notifications to that device. When the user logs into the website from a computer, a notification appears on the registered device, asking the user if they are attempting to login and to confirm the login is valid. Only someone with access to the registered device can authenticate the login.
Mitigating Fraud Transactions
When criminals are able to successfully authenticate and access accounts without authorization, organizations often rely on tools to monitor account navigation, account activity and transactions for fraud.
A rules-based approach to evaluate transactions is not traditionally viewed as authentication, but when anomalies are detected by this approach, additional or “stepped up” authentication can be required. These rules are used to evaluate potentially fraudulent transactions against legitimate transactions. Additional authentication may be applied in the form of outreach to the customer to verify the activity through an established communication method, or by requesting a different authentication method be applied to complete the process. While payments may be delayed, the user’s online session is ended when rules are applied and the conditions met.
Some fraud mitigation features, such as payment limits and activity notifications, work with authentication dollar limits or thresholds for payment activity and are set by an organization and user. These limits can restrict payment activity amounts for a specific timeframe (daily, for example), and allow for a maximum dollar amount per transaction. To protect the user from fraud, thresholds can be used to control the number of payments sent and the total amount of payments requested during an established timeframe. If these limits are exceeded, transactions will not be processed and may require additional authentication or outreach to the user to verify activity. Notifications of account activity also are useful to alert a user to potential fraud on their account. Notifications sent by email or text message are used to confirm activity or raise awareness. Notifications may ask if a new payee was added, was money sent to a new recipient, or did the user login to the account. These notifications are designed to help a user recognize and report fraud activity.
Stronger Authentication through Technology and Education
Authentication approaches are evolving from transaction-based methods to focus on a user’s digital identity and the known devices they use.
Digital identity is the electronic characteristics and user data that represents a unique individual. For example, an individual profile may be created by using behavioral biometrics based upon how someone uses their mobile phone, device or computer. The user’s interaction with these devices provides information on how they navigate, type, swipe or apply finger pressure. Once a profile has been created, it is used to evaluate differences that could represent fraud. If someone else accesses the account, their interactions, typing and movements will be different than the user’s normal behavior. This will identify potentially unauthorized access and/or transaction activity. Technological advancement has enabled some organizations to use continuous authentication, when a user is authenticated ongoing during each action or step of their session.
The prevalence of physical biometrics authentication has prompted a shift to passwordless authentication to eliminate the need for a username and password. This can be achieved in multiple ways with a biometric, a registered mobile device, a mobile device application or a hardware token.
Machine learning (ML) and artificial intelligence (AI) can analyze large datasets to identify and demonstrate patterns for both legitimate and fraudulent activity. AI detection models automatically adjust and update based upon new data inputs and typically do not require constant human support. Organizations may choose to apply authentication at each step of a customer relationship. Many use ML and AI to identify fraud patterns based on holistic customer data that is collected through each interaction, beginning with onboarding and account opening, then continuing through account access, user profile updates and their payment and transaction activity. This approach has worked well in identifying and detecting identity theft during account opening and account takeover attempts.
In some cases, consumers may have the option to choose the method for additional authentication, which may result in a better customer experience without increasing risk. The use of background tools using behavioral biometrics and ML with AI can enhance authentication and improve fraud detection but may not be the answer for every online customer interaction or payment scenario. Organizations will benefit from educating their customers about authentication risks and help them to understand their options and the importance of strong authentication.
Summary: Industry-Led Change to Improve Authentication
Organizations face the challenge to help protect their customers from fraud impacts and provide a satisfactory customer experience. A step too far in either direction could increase fraud losses and reputational damage or strain the customer relationship. Based on the fraud level and impact, improved authentication should be a priority across industries.
Organizations can meet that challenge by leveraging advances in technology and implementing solutions that match the risk level. Organizations should be evaluating user activity and transaction types to determine when additional or “stepped up” authentication is required. Most important, authentication for online account access and payment transactions has evolved. Increased availability and adoption of new authentication approaches and tools is encouraging and needed to successfully protect online accounts from expanding fraud threats.
This article is part of a series on authentication and its critical role in payments. Read the previous articles, Introduction to the Lifecycle and Methods of Online Authentication and Online Authentication: When Fraudsters Take Advantage of Gaps.