How Digital Authentication can Reduce Fraud
Ask any retail merchant, any credit card processor, any bank, any financial technology company about the number one issue on their mind and the answer will be the same: Fraud and authentication. How do you prevent fraud? How do you authenticate the real customers? And how do you strike the right balance between making it nearly impossible for thieves while making it seamless for customers? This is where digital authentication can make a difference.
Digital Transactions asked the question a few months ago with their cover story, The Crisis in Authentication. They shared how PINs, once thought to be a strong defense against fraud, are now giving way to newer, more secure methods, such as facial recognition, fingerprint ID, and other biometric techniques. (For example, Mastercard is researching ways to use a person’s gait — the way they walk — to confirm their identification at public transportation terminals.)
This follows the Strong Customer Authentication (SCA) that was born out of the European Union’s PSD2 requirements.
In SCA, each credit card or debit card transaction requires two of these three items:
- Something you have (smartphone, chip card, wearable device).
- Something you know (password or PIN).
- Something you are (fingerprint, facial recognition, voice recognition).
Many merchants have stopped using signatures for verification, and at best only use them as a CYA in a liability case.
“Signature is not an effective form of customer verification and it [is] hard to see its utility moving forward,” Nandan Sheth, senior vice president of global digital commerce at Fiserv Inc., told Digital Transactions. “PIN, on the other hand, has several effective use cases as it relates to debit, or even transactions like EBT.”
Instead, merchants are relying more on PINs, but even those are being replaced by better, more digitized methods of authentication, especially since PINs are also not very secure.
“While … ‘chip-and-signature’ is inherently less secure than chip-and-PIN—signatures fall short of the ‘something you know’ criteria for authentication—the truth is that PINs are still far from perfect from a security standpoint due to how easily fraudsters are able to compromise them,” said Kevin King, head of marketing at ID Analytics LLC. “PINs are an increasingly outdated form of authentication whose use will continue to decline in the coming years.”
Basically, the technology has to change, because the criminals are able to adapt, finding new ways to defeat the technology that was put in place to defeat them in the first place. The bad guys get smarter, so the good guys get smarter, which means the bad guys have to get smarter, and so on.
This is why we’re seeing new technology and authentication methods like facial recognition, fingerprints, gait technology, iris patterns, and other biometric technology. (Mastercard is even looking at vein patterns.)
For example, if you’ve ever used Apple Pay to pay for groceries or at a restaurant, you’ve been prompted to tap your phone on the payment terminal and then verify the purchase with your fingerprint to prove that you’re really the one holding your phone.
That’s because mobile phones can cover two of the three authentication factors: something you have and something you are. You possess your phone, and you activate it with facial or fingerprint recognition. If you had to enter a password on top of that to complete a purchase, it could then fill all three authentication requirements.
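The two-of-three rule and the phone case above, as an added example that is not part of the original article: a check that counts distinct SCA categories rather than the number of methods presented. The method names and the mapping are constructed for illustration; that the two items must come from different categories, and that a signature counts toward none, are assumptions taken from the list and the quoted remarks above.

```python
from enum import Enum


class Factor(Enum):
    POSSESSION = "something you have"
    KNOWLEDGE = "something you know"
    INHERENCE = "something you are"


# Hypothetical mapping of presented methods to the three SCA categories.
METHOD_CATEGORY = {
    "smartphone": Factor.POSSESSION,
    "chip_card": Factor.POSSESSION,
    "wearable": Factor.POSSESSION,
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
    # "signature" is deliberately absent: it counts toward no category.
}


def sca_categories(methods):
    """Return the distinct SCA categories covered by the presented methods."""
    return {METHOD_CATEGORY[m] for m in methods if m in METHOD_CATEGORY}


def satisfies_sca(methods, required=2):
    """True when the methods span at least `required` different categories."""
    return len(sca_categories(methods)) >= required


if __name__ == "__main__":
    # Constructed sample transactions.
    samples = [
        ["smartphone", "fingerprint"],  # phone wallet: have + are
        ["chip_card", "pin"],           # chip-and-PIN: have + know
        ["chip_card", "signature"],     # chip-and-signature: have only
        ["password", "pin"],            # two methods, one category
    ]
    for methods in samples:
        covered = sorted(f.value for f in sca_categories(methods))
        print(methods, "->", satisfies_sca(methods), covered)
```

Counting categories instead of methods is what makes a password plus a PIN fail the check even though two secrets were entered.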
There are even behavioral biometrics, including how you interact with your device: How fast you type your password, the number of contacts on the device, and which websites you regularly visit. All of that becomes a sort of digital/behavioral signature that, assuming you’re the one using your own mobile device, would be difficult to replicate.
Making Digital Authentication Frictionless
The entire goal of all of this is to protect the customers with the strongest digital authentication possible, while making it as unobtrusive and non-invasive as possible. The problem is, the better and more secure the digital authentication is, the worse the customer experience is. If things are too hard, customers will go elsewhere, which will ultimately create foolproof security: If they drive all their customers away, there won’t be any money to steal.
As a result, companies often rely on authentication technology that’s weaker but keeps customers happy. As Kevin King from ID Analytics said, “The better a technology delivers on a strong authentication with minimal impact to the customer experience, the more adoption it will get.”
Ultimately, multi-factor authentication will be the key to authenticating customers even while keeping them satisfied with the experience.
To accomplish this, security experts are recommending that companies move more toward biometrics and away from one-time passwords or “secret” information, like hometowns, high school mascots, names of pets, and so on.
Just last month there were several Facebook memes and quizzes going around asking people to “Answer These 10 Questions So Your Friends Can Get to Know You!” It was a veritable harvest of all these secret questions often used to “secure” your private and financial information. While answering the quiz may not have contributed immediately and directly to someone hacking into a person’s bank account, it became something to add to a dossier of information that thieves could use to begin social engineering their way into a person’s account.
Clearly, biometrics are the safer, more effective way to go.
Merchants bear a lot of responsibility for digital authentication, and could find themselves in trouble with their credit card processor and acquiring bank, not to mention the card networks, if the fraud is found to be something they could have prevented.