
Why is Risk-Based Authentication (RBA) critical for banks?

Mar 28, 2022

Did you know it takes just 6 seconds to hack any credit or debit card?

As the number of Card-Not-Present (CNP) transactions increases, so do the associated risk factors. The 6-second hacking window is quite scary, especially when you are a bank or a card issuer.

Even though the end-consumer faces losses, card issuers and banks are the ones who bear the brunt: refunding the customer, paying chargeback fees and fines, and covering investigation costs, all of which often lead to reputation loss.

Modus operandi of fraudsters

Card payment fraud happens in both card-present and card-not-present scenarios. Usually, the customer gets unsolicited calls, text messages, emails, or unauthorized software update requests under the pretense of KYC updates, or gift offers.

Scamsters pretend to be genuine in these communications and ask consumers to share personal information, card credentials, PIN, or OTP details. Phishing, skimming, and mail intercepting are among the key modus operandi that criminals use to defraud consumers of their money, data, and identity.

Other usual scenarios include:

Stolen or lost card fraud – In this situation, the card either slips out of the cardholder’s hands or is stolen. The fraudsters then use the card to go on a shopping spree and then discard the card.

Account takeover – One of the rising crime scenarios today is complete account takeover. Here the fraudsters shoulder surf or steal card details and get in touch with the card-issuing company. Pretending to be the cardholder, they falsely report a stolen card and ask for a replacement with modified address details. The genuine cardholder will know about this scam only when the card is used.

Page jacking – Here, the scamster redirects an e-commerce store page and takes the user to their malicious portal. This page would contain links with the potential to crack network security.

Now, this is only the tip of the iceberg. Each day, fraudsters develop more sophisticated methods to commit card payment fraud.

Signs banks need to look out for to identify fraudulent activity

Card issuing banks need to be vigilant and check for signs to nip card scams in the bud. They need to design systems to proactively identify suspected fraudulent activity in real-time and decline these attempts before the cardholder is affected.

If a bank notices anomalous spending patterns, erratic location changes, or unexplained large-ticket transfers, it needs to notify the cardholder and investigate the matter immediately.

What can banks do?

Delivering secure, smooth, and customer-friendly online payments is critical for banks and card issuing companies. Otherwise, customers will leave in hordes, shifting their loyalty to competitors. Choosing a suitable authentication method is crucial to eliminate security risks in card payments.

Gone are the days when binary authentication such as static usernames and passwords was considered unbreakable. Today, cyber criminals use advanced technology that can decode these credentials in seconds. Hence, banks need to adopt a more robust, scalable form of authentication that can be adjusted according to different risk levels.

The solution: Risk-Based Authentication (RBA)

In the standard credential-based authentication process, the user has to undergo two-factor authentication (2FA) or Multi-Factor Authentication (MFA), typically by entering a One-Time Password (OTP) or a password every time a transaction happens.

But with risk-based authentication, not every transaction has to go through 2FA. Instead, every single transaction is monitored and assessed for risk, and a risk score is assigned to evaluate whether the transaction can occur securely.

In conjunction with a few other parameters, including business rules/logic, this risk score effectively decides whether a transaction requires a challenge or can be allowed to go through frictionlessly (without an explicit 2FA).

Case studies from different markets suggest that ~90% of transactions tend to be low risk and can thus be allowed to go through frictionless. Around 8% may require some form of 2FA, and ~2% tend to be high risk and can be declined.

Risk-based authentication helps banks cut fraud losses, reduces transaction drop-offs, and ensures regulatory compliance. It plays a critical role in boosting e-commerce by balancing customer experience and controlling fraud. Dynamic RBA systems power card issuers to identify optimal risk levels and deliver quick, secure, and seamless payments.

More info…

Risk-based authentication is a real-time process that assesses the underlying risk of an authentication attempt and applies an appropriate level of control. Also known as adaptive authentication, it decides how strongly to verify a user, based on that user’s risk profile, each time they try to prove they are who they claim to be.

An increase in the user’s risk profile leads to stricter and more restrictive methods of authentication. Risk-based authentication uses behavioral profiling to assess risk and protect customer data.

Risk-based authentication guards against complex security breaches and hacking attempts. It uses various parameters such as the user’s transaction history, merchant profile, IP address and location, device usage history, and other critical signals to assess risk.

Based on the evaluation, the Access Control Server (ACS) decides if the user can complete the transaction without any additional factor of authentication or if there is a need for an additional factor of authentication such as the following.

  • One-time passcode
  • Permanent or temporary PIN
  • Security question (knowledge-based authentication)
  • Biometric data, such as a fingerprint
  • Mobile phone-based authentication such as Swipe to Pay
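To make the mechanism described above concrete (signals such as device history, location, transaction history and merchant profile are turned into a risk score, business rules are layered on top, and the outcome is frictionless, challenge or decline), here is a toy RBA decision engine. It is an added example, not code from this post or from M2P’s ACS product; the feature names, weights, thresholds, the `BLOCKED_CATEGORIES` rule, the `LOW_VALUE_LIMIT` exemption and the sample profile and transactions are all illustrative assumptions.

```python
"""
Toy risk-based authentication (RBA) decision engine.

Added example; not code from the original post or from M2P's ACS product.
Feature names, weights and thresholds are illustrative assumptions chosen
to show the mechanism: signals -> risk score -> business rules -> outcome.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# Outcomes the ACS would act on (the ~90% / ~8% / ~2% split in the text)
FRICTIONLESS = "frictionless"  # authorise without a second factor
CHALLENGE = "challenge"        # step up: OTP, biometric, swipe-to-pay, ...
DECLINE = "decline"            # refuse the authentication outright

# Illustrative business rules layered on top of the score (assumptions)
BLOCKED_CATEGORIES = {"gambling"}  # issuer policy: never allow online
LOW_VALUE_LIMIT = 500.0            # trusted-device purchases below this skip step-up
CHALLENGE_THRESHOLD = 40           # score at or above -> challenge
DECLINE_THRESHOLD = 75             # score at or above -> decline


@dataclass
class Transaction:
    amount: float
    merchant_id: str
    merchant_category: str
    country: str                             # geolocated from the client IP
    device_id: str                           # browser/device fingerprint
    minutes_since_last_txn: Optional[float]  # None when no prior transaction


@dataclass
class CardProfile:
    home_country: str
    known_devices: set
    trusted_merchants: set
    recent_amounts: list  # amounts of recently approved transactions


def risk_score(txn: Transaction, profile: CardProfile) -> int:
    """Weighted sum of the signals the text names: device history,
    IP/location, transaction history, merchant profile, velocity."""
    score = 0
    if txn.device_id not in profile.known_devices:
        score += 30                       # unseen device
    if txn.country != profile.home_country:
        score += 25                       # location change
    if profile.recent_amounts:
        typical = mean(profile.recent_amounts)
        if txn.amount > 3 * typical:
            score += 25                   # large-ticket outlier
        elif txn.amount > 1.5 * typical:
            score += 10
    else:
        score += 15                       # no history to compare against
    if txn.merchant_id not in profile.trusted_merchants:
        score += 10                       # first purchase at this merchant
    if txn.minutes_since_last_txn is not None and txn.minutes_since_last_txn < 2:
        score += 20                       # rapid-fire velocity
    return min(score, 100)


def decide(txn: Transaction, profile: CardProfile) -> tuple:
    """Combine the score with business rules; returns (outcome, score)."""
    score = risk_score(txn, profile)
    if txn.merchant_category in BLOCKED_CATEGORIES:
        return DECLINE, score             # hard rule wins regardless of score
    if txn.amount <= LOW_VALUE_LIMIT and txn.device_id in profile.known_devices:
        return FRICTIONLESS, score        # low-value exemption on a trusted device
    if score >= DECLINE_THRESHOLD:
        return DECLINE, score
    if score >= CHALLENGE_THRESHOLD:
        return CHALLENGE, score
    return FRICTIONLESS, score


def step_up_method(score: int) -> str:
    """Pick a second factor proportional to risk (stricter as risk rises)."""
    return "out-of-band biometric" if score >= 60 else "sms-otp"


def summarize(outcomes) -> dict:
    """Percentage share of each outcome in a batch, for tuning thresholds
    against the ~90/8/2 benchmark the post quotes."""
    total = len(outcomes)
    return {o: round(100 * sum(1 for x in outcomes if x == o) / total)
            for o in (FRICTIONLESS, CHALLENGE, DECLINE)}


# Constructed sample data (not real cardholder data)
PROFILE = CardProfile(home_country="IN", known_devices={"dev-A"},
                      trusted_merchants={"m-grocer", "m-telco"},
                      recent_amounts=[1200.0, 800.0, 1500.0, 900.0])  # mean 1100

SAMPLE = [
    Transaction(950.0, "m-grocer", "grocery", "IN", "dev-A", 180.0),      # routine
    Transaction(2000.0, "m-electro", "electronics", "IN", "dev-Z", 45.0), # new device, larger than usual
    Transaction(5000.0, "m-unknown", "electronics", "RO", "dev-Z", 1.0),  # every signal off at once
    Transaction(300.0, "m-cafe", "food", "IN", "dev-A", 0.5),             # low value on trusted device
    Transaction(200.0, "m-bet", "gambling", "IN", "dev-A", 30.0),         # blocked category
]

if __name__ == "__main__":
    results = [decide(t, PROFILE) for t in SAMPLE]
    for t, (outcome, score) in zip(SAMPLE, results):
        extra = f" via {step_up_method(score)}" if outcome == CHALLENGE else ""
        print(f"{t.merchant_id:10} {t.amount:8.2f} score={score:3d} -> {outcome}{extra}")
    print(summarize([o for o, _ in results]))
```

The point worth noticing is that the business rules sit above the score in both directions: a policy block declines a low-scoring transaction, and a low-value exemption on a trusted device lets through one that velocity alone pushed up. In a production ACS the weights would be learned from labelled fraud outcomes and the thresholds tuned so the share of challenges and declines stays near the benchmark the post cites.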

Setting up an RBA system

Designing and deploying a quality risk-based authentication system involves implementing 3D Secure (3DS). Now, 3D Secure is a payments security protocol that adds a strong layer of security to CNP transactions by tying payment authorization to the online authentication process.

To authenticate the cardholder, the transaction needs to be redirected to the Access Control Server (ACS). Issuers can define their risk profile and set up the ACS to control the customer authentication experience based on the risk analysis. After the customer completes the authentication, the response is sent back to the merchant and processing bank.

What is the ACS?

Access Control Server (ACS) is the server that enables bank customers to authenticate themselves and complete card-based online transactions securely. The ACS is built on the 3-D Secure rails defined and certified by global card networks, including Visa and Mastercard.

While the initial version of the 3DS protocol (3DS 1.0) was designed to boost customer confidence, it did not provide the most optimal transaction experience and resulted in a high percentage of online drop-offs and cart abandonments in quite a few markets.

The updated protocol version, EMV 3DS or 3DS 2.0, is designed by EMV, the consortium of global card networks. This protocol is optimized to support in-app payments, facilitate risk-based authentication via the exchange of richer data parameters, and encourage the use of dynamic out-of-band authentication techniques such as biometrics.

Features of our ACS system

Our ACS system guarantees top-class customer security while ensuring a seamless transaction journey. It is easily configurable and provides issuers the flexibility to design a custom authentication experience for their customers.

Some of the key features of our ACS

  • 3DS 2.0 certified with support for Visa, Mastercard
  • Cloud-ready system with the platform set up in India and the UAE
  • Highly scalable and configurable platform
  • Best-in-class success rates and performance
  • 24x7 application monitoring and production/operations support
  • Support for a variety of issuer integration options: real-time API fetch, batch file upload via SFTP, and push API
  • Comprehensive risk-based authentication system with scope for advanced rule design using an external data feed
  • Multiple modes of step-up, including OTP (SMS/email), swipe to pay (push notification), biometrics, soft tokens, etc.
  • Role-defined access to comprehensive reports and dashboards

Now, this is Risk-Based Authentication in a nutshell for you.

Got questions on how to implement a dynamic ACS system? Ask us at business@m2pfintech.com.

Subscribe to our newsletter and get the latest fintech news, views, and insights, directly to your inbox.

Follow us on LinkedIn and Twitter for insightful fintech tales curated for curious minds like you.
