What your fraud risk service provider may not want you to know
Since the advent of B2C eCommerce in earnest about twenty years ago, an "armed conflict" has been raging between the merchants and financial services providers on one side of the equation, and the fraudsters attempting to take advantage of vulnerabilities in the ecosystem on the other side. A typical metaphor for this conflict is the reference to the "Whack-A-Mole" game. The implication is that immediately after a vulnerability is quashed by the implementation of technologies targeted to detect and block it, new technologies and tactics are introduced by fraudsters to perpetuate successful fraud. And so the battle rages on… until now.
One key consideration in preventing fraud is the use of technologies to determine whether the purchaser at the other end of an Internet session is actually the person they represent themselves to be. Some would say that the first major breakthroughs in identifying "Who is there?" on the purchaser side were the use of IP intelligence and associated technologies like proxy piercing detection. Additional enhancements to complement the first fraud detection technologies have included more sophisticated "inference-dependent" technologies categorized as Artificial Intelligence and Behavioral Biometrics. All of the services delivered in this category use a combination of various dynamic and static inputs, or "signals", to infer the probability that there is indeed a person at the other end of an Internet session, and that this person is actually who they represent themselves to be. In other words, they infer "Who is there?"
Up until recently, risk scoring technologies were the only approaches available to B2C merchants to know who is there. But that is no longer the case.
With the introduction of the promotion and support of FIDO (Fast Identity Online) Strong Customer Authentication (SCA) by major industry platform providers such as Apple, Microsoft, Google, Samsung, Mastercard and Visa to name a few, merchants now have the option to add secure and explicit "binary conclusions" as to "Who is there?" for each purchase transaction.
In addition to the technical benefits that a FIDO-compliant SCA solution can bring to the B2C ecommerce ecosystem, FIDO is an industry standard for authentication, similar to the SQL standard for databases. One key difference from earlier approaches is that the major operating environments used to support online transactions, namely iOS, Android, Windows 10 and MacOS, as well as all major browser environments including Chrome, Safari, Edge and Firefox, have all delivered updates that further enable and streamline the use of FIDO authentication. The key aspects of using FIDO in these environments, namely a cryptographic binding between the "Relying Party's" web service and the purchaser's device, combined with secure access to the purchaser's biometric or knowledge-based authenticator, are capabilities that cannot be delivered conclusively with an inference approach.
Two typical arguments against the introduction of Strong Customer Authentication are the requirement to register the purchaser's device (or devices), and the requirement to interact with the user with a challenge at the time of purchase authorization. While there are many aspects to these challenges, here are a few responses I provide when a merchant or service provider raises these potential objections:
- Today all merchants rely on some form of "Identity Proofing" to establish, and/or continue to trust, that the purchaser in the current session is who they say they are. Merchants need to determine what identity proofing measures are appropriate when registering the purchaser's device and authenticators. Also, new approaches to identity proofing are now available beyond KYC and SMS-OTP that can "modernize" this area for merchants in conjunction with the introduction of SCA.
- The actual establishment of a FIDO registration can happen completely in the background, without any interaction with the purchaser/user. What is presented to the purchaser at the time of registration is a matter of how the merchant wants to inform the purchaser of the added security being provided by the merchant to protect the purchaser.
- Requiring the user to interact with the merchant's app or web interface has always been categorized as "friction" based on legacy definitions in our industry. Friction, of course, has a negative connotation. However, recent analysis shows that user interactions like Touch ID or face recognition are actually welcomed by online users, and can provide more trust in the product or service being offered to consumers. The assumption that "all things the purchaser sees are negative" needs to be modernized in our industry.
Some companies who generate significant revenues and profits from their proprietary approach to inferring a risk score are understandably concerned about the potential impact of adding FIDO support to their solutions. Many others in the ecosystem who have invested significant expense and effort to integrate inference-based systems are also naturally critical of adopting a secure, multi-factor, and binary authentication solution.
Other merchants and service providers, including many "mega-merchants", are in the process of implementing FIDO-compliant SCA in their B2C eCommerce systems. One major catalyst for the adoption of these solutions is the impending enforcement period for PSD2 in Europe and the UK. As with any innovative and disruptive technology, those who implement early will benefit most from their preparation, and generally, the rest will scramble to catch up once adoption is imminent.
There is no question that the combination of legacy (inference-based) solutions, a FIDO-compliant SCA solution, and the benefits of "reputational inputs" (e.g. 3DS data, or equivalent reputational tracking approaches) will result in reduced cart abandonment, a better trust relationship between merchants and their customers, more top-line revenue, and better eCommerce KPIs for merchants.
Walter Beisheim is Chief Business Development Officer of Nok Nok Labs.