Experts discuss how enterprises can better manage their data to prevent fraud

RSA Security has announced its Adaptive Authentication for eCommerce capability which improves fraud protection and user experience.

RSA Security, a global cybersecurity leader delivering business-driven security solutions to help organisations manage digital risk, has announced the general availability of RSA Adaptive Authentication for eCommerce version 20.5. In this version, RSA Adaptive Authentication for eCommerce implements the latest features available in the EMV 3D-Secure v2.2 protocol, adds new authentication flows to support transactions where the cardholder is not in session, and introduces new capabilities that significantly enhance the customer’s checkout experience.

Regulations like the Payment Services Directive 2 (PSD2) in the European Union (EU) have driven online merchants to adopt the EMV 3DS protocol for Card Not Present (CNP) transactions, meaning eCommerce transaction traffic is expected to grow exponentially. This makes it even more critical for card issuers to select a trusted and well-performing 3DS Access Control Server (ACS) that can accurately detect fraudulent payments while keeping the transaction success rate high and providing a frictionless cardholder experience.

“Our goal with RSA Adaptive Authentication for eCommerce is threefold: reduce fraud and grow CNP transaction approval rates, reduce operational costs for our customers and deliver the most seamless user experience possible,” said Daniel Cohen, Head of Anti-Fraud Products and Strategy, RSA. “As one of the first vendors to support the latest version of the EMV 3DS protocol, we want to ensure our customers have the most advanced and up-to-date capabilities available to fight fraud while also being able to meet regulatory compliance such as PSD2 in Europe.”

As organisations continue down the path of Digital Transformation, they not only see the benefits of expanded use of technology, but also encounter unintended consequences of the evolution that extends deep into business operations. Financial institutions and credit/debit card issuers have been among the first to embrace Digital Transformation by creating innovative transaction methods, such as contactless payments and QR codes, but they often unknowingly open themselves up to new areas of digital risk. Effectively managing these digital risks enables organisations to mitigate threats and maintain compliance, while maximising the opportunities that come with adopting disruptive digital technologies and new operating models.

RSA Adaptive Authentication for eCommerce helps credit card issuers and payments processors prevent over 95% of fraud in CNP transactions that go through the latest EMV 3DS protocol while also maintaining a frictionless shopping experience for cardholders.

Powered by RSA’s Risk Engine, RSA Adaptive Authentication for eCommerce analyses hundreds of risk indicators to silently authenticate genuine cardholders while challenging only the small number of transactions that are high risk.

Leveraging the RSA eFraudNetwork, the industry’s first and largest international, cross-institutional and cross-platform network of confirmed fraud, RSA Adaptive Authentication for eCommerce can identify indicators linked to known and attempted fraud schemes globally.

Experts discuss the topic of fraud prevention and some of the ways to manage data in order to prevent fraud:

Michael Reitblat, CEO, Forter: “With a new breach occurring every day, consumers feel vulnerable and expect merchants to protect their data. Account security could be the difference between a lifelong customer and a one-time buyer, with compromised data from these breaches being used to commit fraudulent activity.

“It is imperative for merchants to keep both company and consumer data safe. Most retailers have a dedicated security team responsible for the safekeeping of vulnerable data. However, security engineers and risk teams are not the only ones to come into contact with this data. Regardless of the organisation’s size, many employees, stakeholders and third-parties come into contact with company and consumer data in the course of its management.

“The biggest cybersecurity risk for many businesses revolves around human factors and employee behaviours. Businesses are concerned with employees inappropriately sharing data, whether malicious or accidental. Furthermore, the increasing use of mobile devices increases the threat of exposure, especially when concerning the physical loss of devices.

“Phishing attacks are one of the most simple and effective means by which employees inadvertently expose company data. Fraudsters aim to gain stolen Personally Identifiable Information (normally obtained through sophisticated social engineering tactics) of legitimate individuals to conceal their true identities. According to Forter’s Fraud Attack Index, identity manipulation has increased by 30% in the last year, which can account for approximately 41% of company security breaches being associated with a phishing attack, overall.

“Organisations need to hire staff that are well-versed in the risks associated with handling personal data, but often holiday rushes, peak seasons, or expected online queue handling restrict the quality of this process.

“One way to combat this is to strengthen your security training programmes and ensure that all employees, regardless of where they sit in the hierarchy of the business, are equally educated on the risks associated with data privacy.

“In the world of fraud prevention, manual review and rules-based systems simply introduce too many risks to a business; these could result in huge financial penalties and losses, not to mention reputational damage. Ultimately, the best way for enterprises to manage data and avoid the above pitfalls, is to automate the system by which data is being processed and reviewed to prevent damage associated with human-activated data breaches.”

Craig Cooper, COO, Gurucul: “Fraud is getting hard to detect, but it occurs every day across a variety of industries, causing trillions in losses each year. While financial services and banking are among the hardest-hit industries, other frequent targets include retail, healthcare, Information Technology, government/public administration and utilities.

“Traditionally, companies have used legacy fraud management platforms that have limitations and result in too many false positive alerts to investigate, a condition that enables malicious activities to go undetected. Typically, these platforms produce evidence of activity after fraud has taken place, which is a classic example of too little, too late.

“Recent advances in a range of technologies from Big Data to Machine Learning have merged to build new approaches to fraud analytics. These can detect anomalous and outlying behaviours and activities in real time and provide accurate risk assessments so that mitigations can be triggered at machine speed.

“Here are several elements that are required to implement Machine Learning-based fraud detection at your company:

Big Data store: The first thing you need is an architecture that can scale to millions, even billions of data points over time. A Big Data system should support large and varied datasets (both structured and unstructured) and enable your data analytics to uncover information, including hidden patterns, unknown correlations and trends.

Data sources: Your processing engine should be able to ingest data from all available sources, including online and offline, regardless of its format. More data sources will result in better correlations, context and insights.

Data linkage: The data must be normalised in some way so it can be linked to a specific identity. That identity could be a cashier, a customer service representative, a customer and so on. Likewise, the identity could be an entity, such as a point-of-sale device, a desktop computer or server. Linkage is essential to the creation of a baseline of behaviour for each identity so that new activities can be compared to the baseline to look for anomalies.

A Machine Learning model: Once you have a Big Data store, data sources and data linkage established, you need to set up Artificial Intelligence (AI) and Machine Learning models that can automatically analyse data feeds, establish baselines and risk score activity without being programmed. This process of learning uses sophisticated algorithms to look for patterns in data, adjust risk scores and make better decisions in the future based on data collected and analysed.

“Criminals and hackers are already using advanced technologies, including AI, to harvest information and perform fraud at machine-level speed. To keep pace with attackers, organisations need to consider enhancing legacy rules-based fraud detection with new approaches that use data science to process multidimensional sources of information in ways humans cannot.”
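The data linkage and baseline steps listed above can be shown in a few lines. This is an added example, not code from the article or from Gurucul: the two refund feeds, the identifier formats and the threshold are constructed, and a simple median/MAD statistic stands in for the Machine Learning model the list describes.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: two hypothetical sources with different shapes.
STORE_REFUNDS = [  # "employee|amount_in_pence" from an in-store terminal log
    "C-017|1250", "C-017|1399", "C-017|1100", "C-017|1500", "C-017|1320",
    "c-022|800", "c-022|950", "c-022|875", "c-022|910", "c-022|860",
]
CALL_CENTRE_REFUNDS = [  # dicts keyed by staff e-mail, amounts in pounds
    {"employee": "c-017@shop.example", "refund_gbp": 12.80},
    {"employee": "C-022@shop.example", "refund_gbp": 9.10},
]

def normalise_identity(raw):
    """Map differently formatted identifiers onto one canonical identity."""
    return raw.split("@")[0].strip().upper()

def link(store_lines, call_centre_rows):
    """Data linkage: return {identity: [refund_gbp, ...]} across both sources."""
    linked = defaultdict(list)
    for line in store_lines:
        ident, pence = line.split("|")
        linked[normalise_identity(ident)].append(int(pence) / 100)
    for row in call_centre_rows:
        linked[normalise_identity(row["employee"])].append(row["refund_gbp"])
    return dict(linked)

def baseline(amounts):
    """Robust baseline: median and median absolute deviation (MAD)."""
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts) or 0.01  # avoid divide-by-zero
    return med, mad

def risk_score(identity, amount, linked, min_history=5):
    """Deviation of a new refund from that identity's own baseline."""
    history = linked.get(identity, [])
    if len(history) < min_history:
        return None  # no baseline yet: route to another control, do not guess
    med, mad = baseline(history)
    return abs(amount - med) / mad

def is_anomalous(identity, amount, linked, threshold=6.0):
    """True when the activity sits far outside the identity's baseline."""
    score = risk_score(identity, amount, linked)
    return score is not None and score > threshold
```

Without the normalisation step, `c-017@shop.example` and `C-017` would build two separate, thinner baselines for the same person.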

Justin Fox, Director of DevOps Engineering at NuData Security, a Mastercard company: “Many enterprises comply with rigorous standards and regulations that are focused on safeguarding employee and customer data. The challenge is the technical implementation within each organisation – most standards and regulations can be met in a variety of ways, allowing flexibility in how the control is met. This flexibility means that an organisation can meet the requirement specified in a control while leaving a backdoor or emergency access mechanism in place that enables the technical implementation to be circumvented if the need arises.

“Cryptography and access control lists are technical mechanisms for enterprises to secure and manage access to stored data. Let’s use a modern web application running on the AWS Cloud as an example of how these controls can be used to successfully secure a customer’s profile data. A common pattern is to use AWS Amplify with a web framework like Vue to create a web application that incorporates Amazon Cognito for user authentication and with AWS IAM for authorisation policies to access data stored on Amazon S3. Your static web assets would live on Amazon S3 and would be served using Amazon CloudFront. Depending on your requirements, you might use other services like Amazon API Gateway, Amazon DynamoDB, and AWS Lambda.

“This was a fairly simple example, but this web app ended up needing to use a number of different services from the AWS Cloud in order to provide baseline security while still providing a mechanism for a customer to create and manage a profile within the web application. If you get the encryption wrong, then employees can read customer data even if there is no need for it. If you get the authorisation wrong, then customers can read each other’s data. Any exposure of customer data is bad and has to be immediately remediated.

“In addition to data access controls for protection of a customer’s data against internal threat vectors, there are also a number of controls that need to be layered to provide protection against external attacks. A great starting point is to implement the top 10 web application firewall controls recommended by the Open Source Foundation for Application Security (OWASP) foundation. You can use the OWASP Zed Attack Proxy (ZAP) to test vulnerabilities like Structured Query Language (SQL) injections, man-in-the-middle proxies, insecure deserialisations, broken authentication and other security misconfigurations.

“For an enterprise to identify and defend against fraudsters who already have stolen data, they need to take a layered approach to user authentication using advanced technologies. It is crucial to use multiple authentication factors during the user verification process and protect data in accordance with the belief that all data is valuable to cybercriminals. The strength of a particular authentication factor is an important consideration. Static authentication like username and password is inherently broken. Dynamic authentication, like a short message service (SMS) with code delivery, is vulnerable to interception.

“Biometrics technology, like a fingerprint or iris scans, can be used by organisations to help authenticate users and prevent fraud. Passive biometrics generate a frictionless experience by recognising patterns, such as how consumers type, browse or interact with their device, so that users are verified, but their experience is not impacted, unless there is risk present in the transaction. Bad actors are prevented from accessing illegitimate accounts because they cannot replicate customers’ inherent behaviour. This is the key to preventing fraud – to make it difficult for cybercriminals to impersonate someone by adopting authentication methods that hackers cannot deceive with their tools.”
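The authorisation failure mentioned in the AWS example above, where customers can read each other's data, usually comes down to an IAM policy on the Cognito authenticated role that is not scoped to the caller's identity. The following check is an added example, not code from the article or from NuData: the bucket name, key layout and both sample policies are constructed, and it inspects only `Action`/`Resource` on `Allow` statements (not `NotAction`, `NotResource` or `Condition`).

```python
# IAM policy variable that resolves to the caller's Cognito identity ID.
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"
OBJECT_ACTIONS = ("s3:getobject", "s3:putobject", "s3:deleteobject")
BUCKET = "arn:aws:s3:::example-profile-bucket"  # hypothetical bucket

def _policy(resource):
    """Build a constructed sample policy for the authenticated role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ProfileRW", "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"], "Resource": resource}]}

# Weak: any signed-in customer can read every object under private/.
WEAK_POLICY = _policy(BUCKET + "/private/*")
# Corrected: each customer is confined to the prefix named after their identity.
SCOPED_POLICY = _policy(BUCKET + "/private/" + SUB_VAR + "/*")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_object_access(action):
    """True if the action (wildcards included) covers S3 object read/write."""
    a = action.lower()
    if a in ("*", "s3:*"):
        return True
    if a.endswith("*"):
        return any(x.startswith(a[:-1]) for x in OBJECT_ACTIONS)
    return a in OBJECT_ACTIONS

def _is_per_user(resource):
    """Scoped only if the identity variable appears before any wildcard."""
    if SUB_VAR not in resource:
        return False
    prefix = resource.split(SUB_VAR)[0]
    return "*" not in prefix and "?" not in prefix

def unscoped_statements(policy):
    """Return (sid, resource) pairs that allow cross-customer object access."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(_grants_object_access(a) for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if not _is_per_user(res):
                findings.append((stmt.get("Sid", f"statement[{i}]"), res))
    return findings
```

Running a check like this in the deployment pipeline catches the unscoped form before the role is ever attached to the identity pool.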

Carol Hamilton, Fraud & Compliance Director, GBG: “A surprisingly large amount of businesses (66%) have been victim to customer fraud and even more (75%) have experienced fraud in the past year. This need not always be the case if businesses take a proactive, front-foot approach to implement some of today’s innovative technologies like machine learning and data orchestration.

“Data orchestration is the smart new approach to combating fraud, enabling organisations to make more accurate decisions through improved context and access to richer sets of data. At its core, data orchestration is the ability to efficiently and effortlessly coordinate the use of data into a single layer, removing the need to batch-feed from siloed data across systems. By embracing the connection of datasets in this way, in real time organisations can benefit from smarter answers and insights in order to verify who is a legitimate customer and who’s a fraudster with an intent to deceive.

“Data orchestration not only provides an essential layer of protection but also holds the key to improved relationships with customers and prospects. We’re seeing investment in this technology increase throughout financial services in on-boarding and Know Your Customer (KYC) processing, illustrating the power of data orchestration to go beyond taking customer inputs at face value, to the ability to pre-emptively check data across existing sets to verify identity and prior fraudulent activity.

“A great example is the work between many banks with Cifas in cross checking what types of data are being used as references. This has proven so effective that in 2018 (when data was last available) Cifas members reported a combined total of 324,000 instances of fraud, which they were able to address with combined datasets.

“As this new data-centric approach to fraud takes hold across sectors, the application of Artificial Intelligence (AI) technologies like machine learning (ML) can unlock great powers. Driving ‘neural networks’ to learn in real time helps to continuously benefit from actioned cases, improve hypotheses and better the rules that are working to detect unusual activity. Together with data orchestration and a single layer of fraud intelligence, AI and ML hold the power to significantly reduce instances of ‘false positives’ in cases of fraud, ultimately increasing the accuracy and efficiency of investigations and improving incident response times.

“We live in a data-centric digital world and our anti-fraud measures must reflect this. For any industry, success will come down to smart application and continued innovation. Furthermore, where companies are innovating hard and fast in their detection and prevention measures, they may find that data orchestration is the ‘silver bullet’ they’ve been looking for.”

Todd Moore, Senior Vice President, Data Protection at Thales: “With the rise of digital technologies, consumers expect business platforms to operate smoothly and securely on any type of connected device, wherever they are in the world. This is increasingly the case for organisations in the banking sector, with users now demanding streamlined digital platforms to authenticate and manage their finances – something that’s essential as we’re asked to stay at home.

“Banks offer a solid user experience when it comes to fraud detection on IP networked devices, smart phones and IoT devices. Digitalisation offers new solutions allowing end users to be protected from external attacks whatever device or channel they are using. Nevertheless, with fraudsters using misinformation around COVID-19 to support their scamming efforts, preventing vulnerable customers from being exposed to fraud and guaranteeing a pleasant and seamless experience is still at the top of banks’ agendas.

“Biometric technologies and risk management solutions offer a seamless, yet secure user experience. Indeed, thanks to behavioural biometrics and context analysis but also strong authentication with biometric cards, vendors have the chance to stop fraudsters at the gate.

“With more cybercriminals targeting banks than ever before, biometrics can help businesses to assess every individual online banking session at scale and in real time. By supporting institutions to build profiles unique to each device and customer, behavioural biometrics, combined with Machine Learning algorithms, allow sessions on connected devices to be tracked, minimising the risks of digital banking fraud.

“Creating a personalised but secure customer experience has never been so important with the rise of fintechs and the revised Payment Service Directive (PSD2) regulations. By employing biometrics, banks can protect against fraud and welcome a step-change in the customer experience, by innovating new, customisable ways of proving user identity, beyond clunky and inherently insecure static passwords.

“This is, however, not plain sailing and the margin for error is small. Consumers won’t accept their banks treating their data with anything other than the utmost care and protection, so banks must ensure biometrics are used within a nuanced security strategy to make digital platforms more robust and secure. Biometrics become paramount to three-factor authentication as per the regulation mandates, and banks are proposing self-enrolment payment devices, such as biometric cards, whose rigorous and privacy-friendly enrolment process is key. By developing a comprehensive approach to security management and integrating new biometric capabilities into their core services, organisations can detect, prevent and take the fight to fraudsters.”

Intelligent CIO Europe