Strong Authentication in a Changing Payments Landscape

Upload: srivatsan-srinivasan

Post on 07-Aug-2015


Page 1: Strong Authentication for Payments


Executive Summary

As technology advances, consumers demand new methods of making payments. However, this demand for new technology creates an expectation for a high-quality user experience. Also, as technology shifts, payment fraud continues to evolve and criminals have nearly unlimited avenues of committing payment fraud both with physical cards (Card Present) and online (Card Not Present). To combat this threat, regulatory bodies are implementing new measures to strengthen payment processes and decrease financial losses for businesses and consumers.

Strong user verification fortifies all types of consumer interactions including service registration, high value transactions, and mobile app sign-in. But businesses walk a fine line between providing security and losing customers due to complicated and frustrating verification processes. To address this dilemma, financial institutions and payment providers must carefully consider the best method of payment verification for their business.

Phone number verification has emerged as the clear leader in payment verification technology. Phone numbers are the ultimate user identity because people typically keep only one phone number and use it for long periods of time. Phone number verification also provides regulatory compliance, global reach, enhanced security, high information privacy, and a quality user experience. By using a strong phone verification service, financial institutions and payment providers can deliver a simple process to their customers utilizing familiar technology that increases payment completion rates.

An Evolving Technology Environment

Consumers Are Changing How They Pay

With the global dissemination of technology, end customers now demand new ways of paying for goods and services. In 2014, 22% of all mobile phone owners reported having made a mobile payment.i Digital wallets such as Apple Pay, Google Wallet, and Bitcoin Wallets gain traction both online and with brick-and-mortar retailers. Bitcoin trading alone rose from $15 billion to $23 billion in 2014, with active wallets increasing to 7.95 million.ii Applications such as Venmo even enable users to send money with a simple text message. Payment provider Alipay handles more than 80 million daily transactions and is transforming Chinese consumer behavior. Combined with online retail titan Alibaba, Alipay enables consumers to easily purchase international and domestic goods through a single portal that only transfers money upon item delivery. These new developments in payment technology have forced retailers and financial institutions to reconsider how they allow consumers to pay as the next wave of technology innovation approaches.

[Chart: % of mobile phone owners making at least one mobile payment. 2013: 15%; 2014: 17%; 2015: 22%. Source: Federal Reserve]

Strong Verification Has Become a Necessity

As payment technology changes, payment-related crime also changes. Criminals worldwide skillfully utilize a variety of techniques to steal from ill-equipped users and businesses. Examples include:

▪ Loading iPhone 6 handsets with stolen information and exploiting the lack of strong user authentication or physical card requirements.v With Apple Pay, consumers do not provide any personally identifiable information or verify using dynamic knowledge-based questions, which makes digital wallets a tempting target for identity thieves.

▪ Accessing Bitcoin servers and wallets using stolen credentials and trading large amounts of Bitcoins, which cannot be reversed.vi

▪ Transferring money online using stolen bank account information. Criminals often obtain this information through device malware, website impersonation, or phishing and use it to bring devastating losses to the consumer.vii

▪ Buying merchandise from online or physical retailers using a stolen credit card.viii

User Experience Matters

Offering a compelling product or service is only the first step. In 2015, 66% of mobile users regularly abandon their purchase during payment and 63% of these lost purchasers likely will not return, even by non-mobile channels.iii Poor user experiences in the United Kingdom (UK) result in a staggering yearly loss of £1.73 billion because businesses have not made an effort to design user-friendly processes.iv With an increasingly wide range of available purchasing options, payment providers and financial institutions need to carefully examine their payment processes to capture sales instead of letting them slip away. Consumers want simple and intuitive payment methods that integrate with their daily life. Businesses delivering a great user experience will be poised to surpass competitors as payment technology evolves.

Account Takeover is Rampant

Pan-EU statistics indicate that internet card payment fraud in 2012 created €794 million in losses (up by 21.2% from the previous year).ix Overall, payment card fraud brings an astounding €1.5 billion of yearly income to organized EU crime groups, which then funds other criminal activities. With an increase in e-commerce, online banking, and mobile purchases, cyber criminals continually develop new methods of identity theft, forcing businesses to implement improved identity verification techniques.

Payment fraud comes in many different forms and is typically categorized into Card Present (CP) theft and Card Not Present (CNP) theft. Whereas ATM withdrawals or in-person card purchases require a physical card, online payments and digital wallet solutions do not necessitate a card being present. For example, criminals use “spoofing” to steal user information by creating fake websites posing as legitimate online retailers or institutions. Once a victim enters sensitive information, the criminal begins completing online payments or other Card Not Present (CNP) transactions.

Unlike payment cards where the financial institution, payment provider, or merchant assumes financial liability, online cryptocurrencies have a separate standard. Virtual currencies such as Bitcoin place onus on both the user and the online wallet or Bitcoin Exchange to ensure no fraud occurs. Bitcoin wallet holders face incredible risk because all Bitcoin payments are considered “push” payments and irrevocable once completed, fraudulent or not.x Online wallets or Bitcoin exchanges may partially or fully reimburse wallet holders if their accounts are hacked, but there is no guarantee, as this is not regulated. This makes it critical for online wallets and exchanges to implement strong authentication to verify users and transactions.

A Shift in Regulations

In December 2014, the European Banking Authority (EBA) published a set of guidelines designed to ensure more secure online payments throughout the European Union (EU).xi These guidelines include stipulations for two factor user authentication, reporting, and traceability, with a required implementation deadline of August 2015. Because payment fraud is not confined by geography, many anticipate other countries adopting similar regulatory standards for payment providers and financial institutions in the near future.

For example, in 2011 the Federal Financial Institutions Examination Council (FFIEC) published a document stipulating the measures to be taken in order to combat the evolving threat of online fraud.xii One such recommendation was to leverage out-of-band verification methods.xiii Out-of-band verification is a type of two-factor authentication that typically uses both system credentials and a PIN, delivered through separate networks (for example, a computer and a mobile phone) to verify user identity. This provides an extra layer of security if a single piece of a consumer’s identity is compromised.

In 2013, the Monetary Authority of Singapore (MAS) also released a set of guidelines to help mitigate the technology risk financial institutions face today. The MAS strongly recommends adopting two-factor authentication during login for all types of online financial systems and transaction-signing.xiv This places financial institutions under enormous scrutiny as both regulatory bodies and consumers are seeking ways to make secure payments. Two-factor authentication has become the standard for good security.

United States law clearly assigns financial liability in the event of payment fraud. Often the financial institution will assume the burden and cardholders are always protected from unauthorized card transactions. However, with an increase in Card Not Present (CNP) fraud, the burden lands upon the merchant to verify the consumer’s identity.xv CNP fraud can be a huge expense for retailers, especially when combined with high capital expenses from upgrading technology. There is also risk of poor user experiences as their end customers adjust to the new security steps. Businesses seeking to stay ahead of the curve must proactively seek ways to implement compliant payment processes.

How Verification Helps

Service Registration

Strong user verification allows financial institutions and payment providers to prevent fraud by ensuring the virtual account creator corresponds to a real user. This helps reduce false account creation that takes advantage of stolen identities.

Service Login (Optional)

Many times the user can choose to provide additional user verification with each login. This ensures their accounts are well protected by two-factor authentication.

Unidentified Devices or Suspicious Log In Attempts

User verification can be triggered to provide an additional layer of protection when unusual activity is detected during account access attempts. Many times fraudsters will try to log in to accounts through unrecognized devices or through an IP address that is inconsistent with a normal login.

High Value Transactions

Financial institutions are being encouraged to implement user identification, especially for high value transactions. Fraudsters move quickly before the real user recognizes their identity has been stolen. Strong user verification during any high value transaction ensures against a large financial loss for all parties.

Manual Review Replacement

Strong authentication measures reduce the time spent manually reviewing suspicious user activity. By implementing user and payment verification processes, businesses can automate these manual reviews and focus on other business-critical tasks.

Mobile Application Sign-in

Most financial institutions and payment providers have mobile applications. Consumers can now perform the same functions they would online, but with easily stolen portable devices. The increase in mobile transactions accompanies a need for strong user verification. Having an out-of-band authentication solution provides protection against fraudulent users with a stolen mobile device and credentials.
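The triggers listed above (an unrecognized device, an IP address inconsistent with the account's normal logins, a high value transaction) can be written down as a step-up policy that decides when to demand an out-of-band phone PIN and when to let a routine login through untouched. The following is an added example, not code from this whitepaper or from Nexmo; the HIGH_VALUE_THRESHOLD, the field names, and the sample account history are constructed for illustration.

```python
"""Step-up policy: decide when an out-of-band phone PIN must be required.

Added example (not from the whitepaper or from Nexmo). Threshold, field
names and the sample history are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed threshold: payments at or above this amount always require a PIN.
HIGH_VALUE_THRESHOLD = 500.00


@dataclass
class AccountHistory:
    """What the business already knows about how this account normally logs in."""
    known_device_ids: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    usual_networks: Set[str] = field(default_factory=set)  # e.g. ASN or ISP labels


@dataclass
class AccessAttempt:
    device_id: str
    ip_country: str
    ip_network: str
    amount: Optional[float] = None  # None for a plain login, a value for a payment


def step_up_reasons(history: AccountHistory, attempt: AccessAttempt) -> List[str]:
    """Return the reasons phone verification should be required (empty list if none)."""
    reasons = []
    if attempt.device_id not in history.known_device_ids:
        reasons.append("unrecognised device")
    if attempt.ip_country not in history.usual_countries:
        reasons.append("IP country differs from normal logins")
    elif attempt.ip_network not in history.usual_networks:
        # Same country but a network the account has never used: weaker signal,
        # still worth a challenge.
        reasons.append("IP network differs from normal logins")
    if attempt.amount is not None and attempt.amount >= HIGH_VALUE_THRESHOLD:
        reasons.append("high value transaction")
    return reasons


def requires_phone_pin(history: AccountHistory, attempt: AccessAttempt) -> bool:
    return bool(step_up_reasons(history, attempt))


def enroll_after_success(history: AccountHistory, attempt: AccessAttempt) -> None:
    """After the PIN is confirmed, remember the device and network so the next
    login from the same place is not challenged again (the seamless path)."""
    history.known_device_ids.add(attempt.device_id)
    history.usual_countries.add(attempt.ip_country)
    history.usual_networks.add(attempt.ip_network)


# Constructed sample account: one known laptop, always logging in from the UK.
SAMPLE_HISTORY = AccountHistory(
    known_device_ids={"dev-laptop-1"},
    usual_countries={"GB"},
    usual_networks={"AS-HOME-ISP"},
)

if __name__ == "__main__":
    routine = AccessAttempt("dev-laptop-1", "GB", "AS-HOME-ISP", amount=40.0)
    suspicious = AccessAttempt("dev-unknown-9", "US", "AS-VPN", amount=1200.0)
    print(step_up_reasons(SAMPLE_HISTORY, routine))
    print(step_up_reasons(SAMPLE_HISTORY, suspicious))
```

The reasons list, rather than a bare yes/no, is what you want to log: it is the audit trail for the manual reviews the text says verification replaces, and it lets analysts tune each trigger separately.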

Payment Verification Can Take Many Forms

Modern companies use a variety of methods to verify customer identity but no method is foolproof. The EBA defines “strong two-factor authentication” as the use of two or more of the following:xvi

1. Something a user knows: User Name, Password, Security Questions, Social Security Number, Address, PIN, Email

2. Something a user has: Mobile Phone, Security Device, ID Card, Authentication App, Soft Token, Email

3. Something a user is: Fingerprint, Retina Scan, Biometric

EMV Card Enhancements

Standard credit card and debit card verification methods are no longer sufficient. After stealing a physical card, thieves face limited safeguards preventing them from causing financial damage to the consumer and financial institution. To this end, card issuers developed Express-Mastercard-Visa (EMV) technology which creates unique transaction codes to thwart unauthorized card usage. Europe has readily accepted EMV cards and many anticipate the United States will implement EMV technology soon. But widespread adoption takes time and criminals are shifting their attention to the promising frontier of CNP fraud and digital payments.xvii


3D Secure

As CNP fraud increases due to the rise in online payments, financial institutions and payment providers seek ways to improve online card transactions. 3D Secure verifies user identity with an additional layer of security outside of the normal payment process. First, the consumer creates a 3D Secure password associated with their payment card. Upon purchase, they are required to provide this password within a separate website outside the normal payment portal. Credit card companies such as Visa and MasterCard have already implemented this method of verification with their Verified by Visa and MasterCard Secure programs.

However, these programs have significant disadvantages because merchants must purchase a Merchant Plug-in (MPI) in order to connect with Visa or MasterCard’s secure servers. These MPIs ensure the merchant does not obtain the 3D Secure password, which reduces their liability in the event of data breaches. But there is an increased risk of phishing attacks because cardholders see their browser connect to unfamiliar domains as a result of the MPI implementations. Criminals posing as legitimate businesses to steal user information can leverage this weakness by taking advantage of unrecognized browser redirections.

Additionally, while 3D Secure reduces fraud, it provides an exceptionally poor user experience. The consumer must remember yet another password and often chooses to simply abandon the sale instead of spending additional time.xviii This leads to a decline in sales conversion and to a lack of 3D Secure adoption by merchants.

Knowledge Based Authentication

Many institutions combat fraud by requiring Knowledge Based Authentication (KBA), which leverages something a user knows, through either static or dynamic questions. Static questions are provided upon registration and should have an answer that is not easily guessable or researched. These questions are often things like “what was the name of your first pet?” or “who was your favorite teacher?” Dynamic questions are not provided in advance, but rather created in real-time to guard against weak questions or well-prepared fraudsters. Good questions should meet these criteria:xix

1. Appropriate for a large segment of the population

2. Easily remembered

3. Have only one correct answer

4. Not easily guessed or researched

Although static KBA is often effective in deterring fraudulent activity, it is becoming increasingly less effective with the growth of the Internet.xx Especially with well-known members of society, privacy is reduced and the answers for many security questions are easily found through online searches. This occurred in 2008 when Presidential Candidate Sarah Palin’s email account was hacked simply by guessing her security questions.xxi

Dynamic KBA typically relies on public records, credit reports, or compiled marketing data to generate user-specific questions in real-time. While this method is considered more secure than static KBA, it faces different challenges. Canada and many European countries are closing their public records for commercial use because consumers often feel the public record searches invade their privacy. This strong consumer perception threatens to limit the lifespan of dynamic KBA verification.xxii


Biometric Identification

Many companies are beginning to adopt new methods of user verification due to the increase in device capabilities and lack of confidence in traditional passwords. To this end, financial institutions and payment providers are using both voice and fingerprint identification to verify payments and other transactions. Apple Pay adopted fingerprint identification for the iPhone 6 and recent tablets, enabling consumers to pay for goods and services using Near Field Communications (NFC) by simply tapping their phone on a reader.xxiii Financial institutions are also implementing voice recognition as a method of verifying users. The consumer is requested to provide a short voice sample at registration, which is then compared to their voice upon subsequent logins.xxiv This has become an increasingly attractive option as phone technology and sound quality have advanced greatly in recent years.

However, there are downsides to both methods of biometric identification.xxv Although fingerprints are uniquely identifiable, fingerprint readers are easily baffled. Hand injuries, calluses, lotions, dirt, or water can interfere with the reader’s technology and prevent access without cause. Many companies also distrust fingerprint scanners because the scan occurs on the user’s device instead of on their internally controlled technology. Voice identification solves many of the problems with fingerprint scanning but shares the difficulty of interference. Background noise prevents a good voice sampling, sickness or other voice-related illnesses affect how the user speaks, and high quality recordings can fool even the most sophisticated systems.xxvi

Failed logins create a poor user experience for the consumer and lead to higher rates of payment abandonment. Additionally, biometric identification has evolved, but does not have widespread adoption. Very few phones have the capability for fingerprint identification and implementing voice identification is often cost prohibitive to many businesses.

Phone Number Verification

Phone numbers have become the ultimate user identity. Many consumers possess multiple email accounts, social media profiles, and mobile devices, but typically only one phone number that is retained for years or decades. Phone number payment verification leverages SMS and voice technology to send a unique response request (typically a PIN number) that customers must verify before the payment completes. Unlike biometric identification, nearly any mobile phone can receive SMS messages and the process requires no memorization. Phone verification also reduces implementation costs because consumers already have phones and the business buys no physical hardware. Lastly, phone verification does not lower payment conversions because consumers are never directed to another website and the entire process is completed within seconds.

Phone Number Verification Has Emerged as a Clear Front-Runner

With the problems inherent to EMV technology, 3D Secure, KBA, and biometrics, phone number verification leads the way in payment security and fraud avoidance.

Compliance

Phone number verification can be combined with traditional password-based logins (something a user has + something a user knows) to meet requirements imposed by governing bodies. Many financial institutions, online services, and payment providers have already begun implementing phone number payment verification. Large banks such as HSBC recognize the importance of using a solution that is proven to work and smaller credit unions such as Seattle Metropolitan Credit Union are following closely after this trend. Google email also provides optional phone verification for users seeking to protect their important digital information.

Reach

Today, large geographical regions cannot employ several payment verification options. The United States has not yet widely accepted EMV card enhancements and the majority of consumers lack high performance smart phones needed for biometric identification. Phone number verification allows businesses to verify payments across the globe with readily available technology. Payment solutions do not need to choose between reliability, performance, and scope when verifying payments.

Security

Phone number verification delivers the passcode out-of-band from the original application, providing additional security compared to a social login or an email-based login. Phone numbers are also inherently difficult to fake, unlike social media profiles or email addresses, because carriers typically verify their customers and the virtual numbers favored by criminals can be detected.

Information Privacy

Third parties and merchants do not receive any data beyond the required transaction information. Whereas Knowledge Based Authentication (KBA) necessitates additional information beyond payment details, phone number verification does not. This removes any potential accusation of privacy invasion and removes liability for businesses because they do not obtain sensitive customer data, which can be stolen.


User Experience

Consumers discard 25% of apps after a single day, many times because of an overly complicated user experience.xxvii Phone number verification allows companies to tightly control the user experience. Instead of relying on a third-party service, the financial institution or payment provider remains in control of the web or mobile interface to ensure a seamless login and verification process.

Phone number verification provides a simple and intuitive payment process leveraging familiar phone technologies. It helps any business provide consumers with a user-friendly and straightforward way to verify payments almost anywhere in the world.

How Verification Works

Registration Verification

First the phone number is provided to the financial institution or payment provider upon registration. The consumer then receives a unique PIN number either by SMS or voice that they must confirm within the application. This associates their account with a physical number that the business can now use to confirm future payments.


Payment Verification

After a consumer has registered, they can now log in to the website or application with their established credentials. Once a customer desires to make a purchase or payment transaction, a transaction-specific PIN number is sent to their phone either by SMS text or Text To Speech. This PIN code is then entered into the business’ application. Once the PIN is confirmed, the transaction is complete and payment can take place.
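The registration and payment steps just described, plus the out-of-band property discussed under the FFIEC guidance, come down to one small piece of server-side logic: generate a PIN, send it over a channel the application does not control, keep only a keyed hash of it, and accept it once, within a time limit, with a capped number of guesses, and only for the transaction it was issued for. The following is an added example, not code from this whitepaper or from Nexmo; the send functions, SERVER_PEPPER, FakeClock, and the sample transaction are constructed stand-ins (a real deployment would call an SMS/voice provider and keep the pepper in a key management service).

```python
"""Registration PIN and transaction-specific PIN lifecycle.

Added example, not code from the whitepaper or from Nexmo. The senders,
the pepper, the clock and the sample transaction below are constructed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

PIN_LENGTH = 6
PIN_TTL_SECONDS = 300            # a PIN is worthless after five minutes
MAX_ATTEMPTS = 3                 # online guessing budget per challenge
SERVER_PEPPER = b"constructed-pepper-not-for-production"  # constructed; real value lives in a KMS


@dataclass
class Challenge:
    phone_e164: str
    purpose: str                 # "registration" or "payment"
    binding: str                 # transaction details the PIN is tied to ("" for registration)
    pin_hash: bytes
    salt: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


def _pin_hash(pin: str, salt: bytes, binding: str) -> bytes:
    # Keyed hash over salt, binding and PIN: a copy of the challenge store does not
    # reveal PINs, and a PIN issued for one transaction cannot confirm a different one.
    return hmac.new(SERVER_PEPPER, salt + binding.encode() + b"|" + pin.encode(), hashlib.sha256).digest()


class PhoneVerificationService:
    def __init__(self, send_sms: Callable[[str, str], None], send_voice: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self.send_sms = send_sms
        self.send_voice = send_voice
        self.clock = clock
        self._challenges: Dict[str, Challenge] = {}

    def start(self, phone_e164: str, purpose: str, binding: str = "", channel: str = "sms") -> str:
        """Generate a PIN, store only its keyed hash, deliver it out-of-band, return a challenge id."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_LENGTH))
        salt = secrets.token_bytes(16)
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = Challenge(
            phone_e164, purpose, binding, _pin_hash(pin, salt, binding), salt,
            expires_at=self.clock() + PIN_TTL_SECONDS)
        # The message repeats the transaction details so the user sees what they approve.
        context = f"Confirm {binding}." if binding else "Confirm your registration."
        message = f"{context} Your verification code is {pin}"
        (self.send_sms if channel == "sms" else self.send_voice)(phone_e164, message)
        return challenge_id

    def confirm(self, challenge_id: str, pin_entered: str, binding: str = "") -> Tuple[bool, str]:
        """Check a PIN: single use, time limited, attempt limited, bound to the transaction.
        `binding` is recomputed by the caller from the stored transaction, so a transaction
        altered after the PIN was sent fails to confirm."""
        ch = self._challenges.get(challenge_id)
        if ch is None:
            return False, "unknown challenge"
        if ch.used:
            return False, "already used"
        if self.clock() > ch.expires_at:
            del self._challenges[challenge_id]
            return False, "expired"
        if ch.attempts_left <= 0:
            return False, "too many attempts"
        ch.attempts_left -= 1
        if hmac.compare_digest(_pin_hash(pin_entered, ch.salt, binding), ch.pin_hash):
            ch.used = True
            return True, "ok"
        return False, "wrong pin"


# Constructed transport and clock: messages land in an outbox, time is controllable.
OUTBOX = []


def fake_sms(phone: str, message: str) -> None:
    OUTBOX.append(("sms", phone, message))


def fake_voice(phone: str, message: str) -> None:
    OUTBOX.append(("voice", phone, message))


class FakeClock:
    def __init__(self, now: float = 1000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


def pin_in(message: str) -> str:
    """Read the trailing PIN out of a delivered message (demo convenience only)."""
    return "".join(c for c in message if c.isdigit())[-PIN_LENGTH:]


if __name__ == "__main__":
    svc = PhoneVerificationService(fake_sms, fake_voice)
    txn = "payment of 120.00 to ACME, ref T-1001"
    cid = svc.start("+447700900123", "payment", binding=txn)
    print(svc.confirm(cid, pin_in(OUTBOX[-1][2]), binding=txn))
```

The attempt cap and the short lifetime, not the hash, are what make a six-digit PIN safe against online guessing; the keyed hash only protects the challenge store if it leaks. Binding the hash to the transaction details is the "transaction-signing" the MAS guidance asks for: the PIN the user reads in the message approves that amount and payee and nothing else.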


Factors for Success

Not all phone verification services are created equal. If you are ready to implement strong authentication for payments, look for these seven best practices in a third-party service:

1. Reliably deliver PIN codes to phone recipients. Being able to reliably deliver PIN codes globally is critical. Select a vendor with global reach and direct connections to carriers. If SMS delivery fails, the service must automatically fail over to voice to ensure timely PIN delivery.

2. Comply with global carrier and country regulations. Verifying international numbers with SMS and voice requires companies to adhere to many regulations that vary from country to country and carrier to carrier.

3. Distinguish between mobile phone and landline numbers. Phone number patterns and logic vary between countries. Some countries clearly distinguish landlines and mobile phones, but in some other countries there remains overlap.

4. Ensure security. Quality phone number verification providers secure their system against fraudsters by detecting and blocking virtual numbers.

5. Provide a localized user experience. Phone verification messages need to be targeted. This includes country-specific or region-specific language, format, and tone.

6. Align their goals with customer objectives. If this process is implemented in house, costs rise along with conversion rates. Look for solutions that charge only for successful verifications.

7. Measure performance and provide complete visibility. Success requires insight and analytics to see what drives conversions and what does not.
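Three of the practices above (distinguishing mobile from landline numbers, blocking virtual numbers, and failing over from SMS to voice) are routing decisions that can be shown in code. The following is an added example, not code from this whitepaper or from Nexmo. The UK prefix rules it uses are real (after +44, a leading 7 is a mobile number and 1 or 2 is a geographic landline), and the North American plan (+1) really does not separate mobile from landline by prefix, which is the "overlap" the text refers to; the VIRTUAL_NUMBER_PREFIXES set and the FlakySender gateway are constructed placeholders for what a real service would obtain from carrier data.

```python
"""Channel selection and SMS-to-voice failover for PIN delivery.

Added example, not from the whitepaper or from Nexmo. The virtual-number
prefix list and the FlakySender gateway are constructed.
"""
from typing import Callable, List, Tuple

# Constructed placeholder: a real service sources virtual/VoIP ranges from carrier data.
VIRTUAL_NUMBER_PREFIXES = {"+12025550"}


class DeliveryError(Exception):
    """Raised by a sender when the carrier reports the message was not delivered."""


def classify_number(e164: str) -> str:
    """Return 'mobile', 'landline' or 'unknown' from the number pattern alone."""
    if not (e164.startswith("+") and e164[1:].isdigit() and len(e164) >= 8):
        raise ValueError("expected an E.164 number such as +447700900123")
    if e164.startswith("+44"):
        national = e164[3:]          # UK national number without the leading 0
        if national.startswith("7"):
            return "mobile"
        if national[0] in "12":
            return "landline"
        return "unknown"             # 03/08/09 ranges are non-geographic; treat as unknown
    if e164.startswith("+1"):
        return "unknown"             # NANP: the prefix does not reveal mobile vs landline
    return "unknown"                 # other plans need per-country rules or a carrier lookup


def is_virtual(e164: str) -> bool:
    return any(e164.startswith(p) for p in VIRTUAL_NUMBER_PREFIXES)


def deliver_pin(e164: str, message: str,
                send_sms: Callable[[str, str], None],
                send_voice: Callable[[str, str], None]) -> Tuple[str, List[str]]:
    """Deliver one PIN message. Returns (channel_used, log); raises DeliveryError if all fail."""
    log = []
    if is_virtual(e164):
        log.append("rejected: virtual number")
        raise DeliveryError("virtual number blocked")
    kind = classify_number(e164)
    log.append(f"classified as {kind}")
    if kind != "landline":           # mobiles and unknowns try SMS first
        try:
            send_sms(e164, message)
            log.append("sms delivered")
            return "sms", log
        except DeliveryError as exc:
            log.append(f"sms failed: {exc}")
    try:                             # landlines, and anything SMS could not reach, get a voice call
        send_voice(e164, message)
        log.append("voice delivered")
        return "voice", log
    except DeliveryError as exc:
        log.append(f"voice failed: {exc}")
        raise


class FlakySender:
    """Constructed stand-in for a carrier gateway: fails for numbers in `unreachable`."""

    def __init__(self, channel: str, unreachable=()):
        self.channel = channel
        self.unreachable = set(unreachable)
        self.sent = []

    def __call__(self, e164: str, message: str) -> None:
        if e164 in self.unreachable:
            raise DeliveryError(f"{self.channel} undeliverable")
        self.sent.append((e164, message))


if __name__ == "__main__":
    sms = FlakySender("sms", unreachable={"+447700900456"})
    voice = FlakySender("voice")
    for number in ("+447700900123", "+442079460000", "+447700900456"):
        print(number, deliver_pin(number, "Your verification code is 123456", sms, voice))
```

The log returned alongside the channel is the raw material for the last practice on the list: counting how often SMS fails and voice succeeds per country and carrier is what tells you whether a vendor's direct carrier connections are actually delivering.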


About The Spur Group

The Spur Group delivers business results that matter. We provide the thought partnership, business insight or extra bandwidth you need to be more successful. Make better decisions, realize your objectives, tell your story, leverage your channel and strengthen your staff with The Spur Group.

We can help you make your next project more successful. Our expertise includes developing partner programs for Microsoft and Dell, managing messaging and partner conferences for Cisco and Juniper Networks, and providing recruitment insight and strategies.

About Nexmo

Nexmo provides innovative communication APIs that bridge traditional voice and text services with cloud communications. Nexmo enables applications and enterprises to make phone calls, send and receive text messages, and verify phone numbers with ease to improve user experiences, no matter where in the world customers are located.

High-volume communication companies such as Alibaba, Airbnb, Line and Viber send millions of messages per month using Nexmo APIs.

www.nexmo.com/verify

Sources

i http://www.federalreserve.gov/econresdata/consumers-and-mobile-financial-services-report-201503.pdf
ii https://www.cryptocoinsnews.com/bitcoin-trading-volume-increased-15-billion-23-billion-last-year/
iii http://www.keepitusable.com/blog/?tag=2015-trends
iv https://econsultancy.com/blog/10936-site-speed-case-studies-tips-and-tools-for-improving-your-conversion-rate#i.1adhywj99qd98s
v http://www.cultofmac.com/310173/apple-pay-actually-makes-really-easy-commit-credit-card-fraud/
vi https://bitcointalk.org/index.php?topic=576337#post_toc_18
vii http://www.americanbanker.com/issues/178_194/wire-and-online-banking-fraud-continues-to-spike-for-businesses-1062666-1.html
viii https://www.wepay.com/api/payments-101/payments-fraud-and-loss
ix http://www.eba.europa.eu/-/eba-issues-guidelines-to-strengthen-requirements-for-the-security-of-internet-payments-across-the--1
x https://coincenter.org/2015/01/payment-security/
xi http://www.eba.europa.eu/documents/10180/934179/EBA-GL-2014-12+(Guidelines+on+the+security+of+internet+payments).pdf
xii https://www.fdic.gov/news/news/press/2011/pr11111a.pdf
xiii http://www.outofbandverification.com/
xiv http://www.mas.gov.sg/~/media/MAS/Regulations%20and%20Financial%20Stability/Regulatory%20and%20Supervisory%20Framework/Risk%20Management/TRM%20Guidelines%20%2021%20June%202013.pdf
xv https://www.wepay.com/api/payments-101/payments-fraud-and-loss
xvi http://www.eba.europa.eu/documents/10180/934179/EBA-GL-2014-12+(Guidelines+on+the+security+of+internet+payments).pdf
xvii http://www.emv-connection.com/emv-faq/#q13
xviii http://www.lightbox.ie/3d-secure-payments-and-the-online-shopping-user-experience/
xix http://searchsecurity.techtarget.com/definition/knowledge-based-authentication
xx http://securityintelligence.com/is-the-internet-killing-knowledge-based-authentication/#.VSQDNGpFCpp
xxi http://www.telegraph.co.uk/news/worldnews/sarah-palin/7750050/Sarah-Palin-vs-the-hacker.html
xxii http://itsecurity.vermont.gov/Alternative_Passwords
xxiii http://www.apple.com/apple-pay/?cid=wwa-us-kwm-features-com
xxiv http://www.secureidnews.com/news-item/breaking-down-voice-biometrics/2/
xxv http://www.digitaltrends.com/computing/can-biometrics-secure-our-digital-lives/
xxvi http://www.voicetrust.com/blog/voice-biometrics-pros-and-cons/
xxvii http://www.nuance.com/ucmprod/groups/enterprise/@web-enus/documents/collateral/nc_020218.pdf