How Can the Payments Industry Fight Fraud While Improving User Experience?
Take a look at the business section of The Wall Street Journal and you’ll notice a disturbing trend. On any given day, a new fraud vector threatens to destroy the reputation of a FinTech, hurt the bottom line of a major card issuer, or inspire new regulations for the entire financial sector. Although the payments industry is far from alone in its struggle against rising rates of identity fraud, it is certainly on the front lines of this global challenge.
It’s not all doom and gloom, however. In response to rising rates of fraud, the payments industry has increasingly turned to cryptographic authentication to both fortify existing security flows and improve user experience. So far, the results of this technological development are extremely promising.
To better understand the impact of cryptographic authentication on the payments sector, this article will dive into both the strengths and weaknesses of more traditional identity authentication such as risk-based authentication (RBA), and then analyze how the addition of cryptographic authentication is helping fortify existing security flows.
What is Risk-Based Authentication?
Think of risk-based authentication (RBA) as the old guard of fraud prevention. It utilizes analytics and data to assess the level of risk behind a particular transaction. In short, it uses data from past behavior to predict future behavior.
Here’s an example of RBA in action: if a consumer purchases a flat-screen television or some other expensive item at 2 am, the purchase may be flagged by the credit card issuer as suspicious. Why? Because past behavior (this particular consumer typically does not make purchases after midnight) informs the credit card company that this transaction is likely fraudulent.
Today, risk-based authentication is the predominant way payments companies and other FinTechs determine whether or not a purchase or transaction is legitimate or should be flagged for further review. In recent years, the industry has leveraged new and more sophisticated machine learning techniques to analyze a growing cache of data including IP addresses, historical transaction velocities, and consumer spend profiles. Despite these advances, however, RBA still has two core vulnerabilities that fraudsters continue to target.
What are the vulnerabilities associated with RBA?
When it comes to fraud prevention, there is no one-size-fits-all silver bullet solution. That’s why fraud experts develop customized security flows that address their company’s unique needs. Today, RBA has two major vulnerabilities that must be addressed:
1. RBA relies on a probabilistic model.
If your memory of Stats 101 is a little bit hazy and you can’t quite remember the difference between probabilistic and deterministic models, you are in good company. Here’s a helpful summary of the core differences:
A deterministic model does not include elements of randomness. Every time you run the model with the same initial conditions you will get the same results.
A probabilistic model includes elements of randomness: it incorporates some aspect of random variation, so every time you run it you are likely to get different results, even with the same initial conditions.
Long story short: when payments companies and FinTechs adopt a probabilistic model like RBA to identify fraud, they’re essentially making an educated guess using as much data as they can. If, however, the data used to identify risk trends is biased, or a brand new fraud vector emerges, the accuracy of RBA will decrease.
How can payments companies and FinTechs solve for this? To fortify RBA, it’s critical to augment the existing probabilistic model with deterministic elements. Cryptographic authentication (AKA key-based authentication) is a deterministic element that allows relying parties (financial institutions, companies, and governments) to trust that the data asserted by users during authentication and verification events is accurate by leveraging cryptography as the source of truth. In other words, companies can positively authenticate or verify the identity of an individual using Prove’s 3-step PRO Check.
2. Because RBA’s probabilistic model relies heavily on external data, it is uniquely vulnerable to the rise of synthetic identities
Synthetic identity is a rapidly growing problem. Here’s how it works:
Imagine you are pulling your credit score. To pull a credit score, you need to present personally identifiable information (PII) that, in theory, only you should know (your SSN, for example). Unfortunately, we live in a digital environment where PII is easy to access as a result of large and frequent data breaches. Once a fraudster has your data, they can pull your credit report and even add fake data to your various online credit profiles, creating a synthetic identity without your knowledge.
Synthetic identities pose a major challenge to Risk-Based Authentication because they essentially poison the well of data RBA’s algorithms analyze to make informed fraud decisions.
How can Prove solve this? To preserve the effectiveness of existing security flows, the financial industry must mobilize against the proliferation of synthetic identities. Prove can do just that by reducing the industry’s over-reliance on knowledge-based authentication (KBA). To use the credit score example again, Prove can easily stop the bad actor from pulling a victim's credit score even if the bad actor knows all the relevant information about the victim. This is achieved by forcing an authentication to a known cryptographic key (such as one bound to a phone number) into the transaction flow. This is the reason Prove has focused significantly on phones and phone numbers as a means of authentication. However, the overall approach is not limited to phones or phone numbers; it rests on the use of a cryptographic key tied to a person.
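The argument in the two sections above (a probabilistic risk score augmented by a deterministic key check, and forcing an authentication to a known key into the transaction flow) as an added, runnable illustration; this is example code, not Prove's product or the PRO Check. It assumes a toy RBA heuristic over a constructed purchase history and an HMAC challenge-response standing in for a phone-bound key.

```python
import hashlib, hmac, secrets, statistics

# Constructed purchase history for one cardholder: (hour_of_day, amount_usd).
HISTORY = [(9, 12.50), (12, 45.00), (13, 8.75), (18, 120.00), (19, 60.00), (20, 35.00)]

def rba_risk_score(history, hour, amount):
    """Probabilistic layer: a risk estimate in [0, 1] from how far the hour and
    amount fall outside this cardholder's past behaviour (toy heuristic, assumed)."""
    hours = [h for h, _ in history]
    amounts = [a for _, a in history]
    outside = max(0, min(hours) - hour, hour - max(hours))      # hours beyond the usual window
    hour_risk = min(1.0, outside / 6)
    mean, sd = statistics.mean(amounts), statistics.pstdev(amounts) or 1.0
    amount_risk = min(1.0, max(0.0, (amount - mean) / sd) / 4)  # capped z-score
    return round(0.5 * hour_risk + 0.5 * amount_risk, 2)

class RelyingParty:
    """Deterministic layer: proof of possession of a key enrolled for the user.
    An HMAC secret stands in for a phone-bound key (assumption, not Prove's design)."""
    def __init__(self):
        self._keys = {}                      # user_id -> enrolled secret
    def enroll(self, user_id):
        self._keys[user_id] = secrets.token_bytes(32)
        return self._keys[user_id]           # copy held by the user's device
    def challenge(self):
        return secrets.token_bytes(16)       # fresh nonce, so a captured response cannot be replayed
    def verify(self, user_id, challenge, response):
        key = self._keys.get(user_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def device_sign(key, challenge):
    """What the enrolled device computes over the server's challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def decide(risk, key_proven, review_at=0.6):
    """Combine the layers: a failed key proof is a hard deny whatever the score
    (knowing the victim's PII is not enough); a good proof on an unusual
    transaction is stepped up for review instead of being declined outright."""
    if not key_proven:
        return "deny"
    return "review" if risk >= review_at else "approve"

def run_transaction(rp, user_id, device_key, hour, amount):
    chal = rp.challenge()
    key_ok = rp.verify(user_id, chal, device_sign(device_key, chal))
    return decide(rba_risk_score(HISTORY, hour, amount), key_ok)
```

The 2 am television purchase from the RBA section scores as high risk but, with a valid key proof, is routed to review; the same account attempted with the right PII and a wrong key is denied regardless of how ordinary the purchase looks.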
What steps should companies take to fortify their RBA flows?
The fraudster’s ability to bypass knowledge-based authentication (including passwords) resulted in the payments industry’s reliance on RBA to flag likely fraud. Unfortunately, the surge in synthetic identities has weakened RBA considerably. To reduce fraud, payments companies must address the root of the problem and begin phasing out KBA altogether. The best way to do this? Go passwordless with Prove Auth™.
Prove Auth™ empowers companies to move beyond passwords and OTPs with a 1-tap authentication solution that's simple, secure, and more cost-effective than legacy authenticators. By frictionlessly authenticating customers from any channel, companies can fortify their existing RBA flows to both reduce fraud and improve the customer experience.
Preventing Loyalty Fraud with Prove Auth
Rewarding consumers with points for every purchase is a powerful way for companies to leverage gamification. For many consumers, “earning” points has practically become a part-time job at this point. Whether they’re saving up their points for a “free” cup of coffee, a tank of gas, or a first-class flight around the world, customers will often go to extraordinary lengths to earn loyalty points from their company of choice. Today, the annual value of unredeemed customer loyalty points totals an estimated $160 billion.
Unfortunately, the $160 billion worth of unredeemed loyalty points is now a prime target of fraudsters. Fraudsters will specifically steal points that can be easily redeemed for cash (especially airline miles and gas points) by orchestrating bot attacks and leveraging credentials stolen from data breaches. After successfully logging into a victim’s account, they will steal those hard-earned points within minutes and disappear without a trace.
Use Case: Preventing Account Takeover In Loyalty Accounts
By fortifying existing RBA flows with advanced cryptographic technology like Prove Auth™, companies can safeguard their customers’ loyalty points by taking easy-to-steal passwords and OTPs out of the equation.
Picture this: You’re a fraud exec at a major domestic airline that boasts a robust customer loyalty program. Because the existing program still relies on usernames and passwords, however, the loyalty program has become a prime target for fraudsters. To fortify the loyalty accounts and protect your customers, you must replace usernames and passwords with Prove Auth™. This achieves two major goals: it thwarts account takeover fraud by making the usernames and passwords stolen in any breach useless, and it improves the user experience by making the login process seamless. A win-win.
Conclusion
Although RBA has many benefits, its reliance on large swaths of consumer data results in two key vulnerabilities. By fortifying their existing RBA flows with cryptographic technology like Prove Auth™, payments companies are preventing fraud and improving the user experience. The trend toward cryptographic authentication will only accelerate as the concept of reusable identity continues to gain traction.
Want to fortify your RBA flow by going passwordless? Talk to a fraud expert today.