3-D Secure is a payer authentication system designed to curb online fraud in card-not-present (CNP) ecommerce transactions. When a cardholder uses a Mastercard or Visa credit or debit card to pay for an online purchase, the card issuer checks the cardholder's identity against a number of identifiers to determine the level of risk. While most transactions are either accepted or denied outright, a small but significant portion of 3-D Secure transactions require step-up authentication because the risk level is undetermined or questionable. The trigger can be a genuine customer checking out from an unrecognised new device, a high-priced purchase, a new location, or a fraudster in action.
CNP fraud within 3-D Secure
The 3-D Secure system should be compliant with the EU’s Strong Customer Authentication regulation – so how do fraudsters still find a way in? During the risky transaction verification step of the 3-D Secure process, the card issuer sends a one-time password to a customer’s registered mobile device which they then have to type into a verification page to confirm their identity.
Firstly, one-time passwords are the main target for SIM swappers (fraudsters who exploit mobile service providers’ ability to switch a cardholder’s phone number over to their own SIM by impersonating their victim). This way they can intercept any one-time passwords sent to the victim via SMS and circumvent the security features of 3-D Secure. The system is also open to phishing attacks, as some users may mistake fraudulent phishing sites for the legitimate Mastercard or Visa pop-up window or inline frame. These and other user manipulation techniques show 3-D Secure is far from failproof.
Behavioural biometric analysis fills the gap
Declining all questionable transactions is bad for business and customer loyalty, while approving them without additional checks creates chargeback risks for card issuers. To determine with a high level of accuracy which transactions to approve and deny – and block fraudsters in the process – card issuers are beginning to introduce an additional layer in the verification process for behavioural biometric analysis.
Alongside the one-time password, typing a short string of characters (such as an email address) into the verification page can give card issuers the ability to collect data on user keystroke dynamics, typing speed, and other biometrics, and to determine if it matches the cyber profile, or ‘bionic ID’, of a legitimate customer or a known fraudster. Deep learning technology, the driver of this analysis, can then return a new risk score in real time. This enables card issuers to accept legitimate transactions initially deemed questionable, minimise chargeback liability, and not lose the sale for the ecommerce business or the transaction processing fee.
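As an added illustration of the keystroke-dynamics check described above (example code, not buguroo's or any issuer's implementation, and not deep learning), the snippet below enrols a profile from a cardholder's earlier verified sessions, scores a new typing sample by how far its dwell and flight times sit from that profile, and maps the score onto an approve/review/deny outcome. All timings are constructed; the sigma floor, the uniform-timing cutoff and the decision thresholds are assumptions.

```python
from statistics import mean, pstdev

SIGMA_FLOOR_MS = 5.0   # tiny enrolment sets give tiny stdevs; floor them to avoid over-confidence
UNIFORM_MS = 1.0       # human dwell times are never this consistent (assumed cutoff for scripted input)

def synth(dwells, flights):  # helper: build constructed (key, down_ms, up_ms) events
    events, t = [], 0
    for i, d in enumerate(dwells):
        events.append((f"k{i}", t, t + d))
        t += d + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Mean dwell (hold) and mean flight (key-up to next key-down) in ms, plus dwell spread."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return {"dwell": mean(dwell), "flight": mean(flight), "dwell_sd": pstdev(dwell)}

def enroll(samples):
    """Profile = per-feature (mean, stdev) over the cardholder's earlier verified sessions."""
    rows = [features(s) for s in samples]
    profile = {}
    for f in ("dwell", "flight"):
        vals = [r[f] for r in rows]
        profile[f] = (mean(vals), max(pstdev(vals), SIGMA_FLOOR_MS))
    return profile

def risk_score(profile, events):
    """0.0 = matches the enrolled profile, 1.0 = clearly not this cardholder."""
    f = features(events)
    if f["dwell_sd"] < UNIFORM_MS:  # machine-like uniform timing: treat as automated input
        return 1.0
    z = mean(abs(f[k] - mu) / sd for k, (mu, sd) in profile.items())
    return min(1.0, z / 3.0)        # three sigma away on average saturates the score

def decide(score):  # map the score onto the issuer's step-up outcome
    return "approve" if score < 0.33 else "review" if score < 0.66 else "deny"

# Constructed enrolment and test samples (7 keystrokes of a short string).
ENROLLED = [
    synth([95, 100, 90, 105, 98, 92, 101], [140, 150, 135, 160, 145, 138]),
    synth([90, 98, 94, 102, 96, 95, 99], [150, 142, 138, 155, 148, 144]),
    synth([99, 103, 92, 108, 100, 94, 97], [133, 147, 141, 158, 150, 136]),
]
GENUINE = synth([96, 101, 93, 104, 97, 95, 100], [142, 148, 140, 156, 146, 140])
IMPOSTOR = synth([40, 45, 38, 50, 42, 39, 44], [60, 65, 58, 70, 62, 59])
SCRIPTED = synth([50] * 7, [80] * 6)
PROFILE = enroll(ENROLLED)
for name, sample in (("genuine", GENUINE), ("impostor", IMPOSTOR), ("scripted", SCRIPTED)):
    print(f"{name}: {decide(risk_score(PROFILE, sample))}")
```

A production system would use many more features (per-key timings, pressure, device signals) and a learned model rather than a z-score average, but the shape of the decision, score against an enrolled profile and route to approve, review or deny, is the same.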
Marrying frictionless transaction experiences with 3-D Secure verification
It’s not enough to step up the security of online banking and payments systems in order to safeguard customers – issuers must also consider the implications of their technology choices for the customer experience. Customers will always prefer a quick and easy payment experience to one that is technologically bedazzling, so simplicity must remain at the heart of their operations.
Cyber profile-based customer authentication provides a path to curbing card-not-present fraud during 3-D Secure ecommerce transactions, while not compromising the experiences and loyalty of legitimate customers. As behavioural biometric data is analysed in real time – offering continuous, passive authentication – this technology fits seamlessly into existing bank systems. Moreover, it serves not just as verification but also as deterrence. Card issuers that have behavioural biometric systems set up can capture valuable biometric data from malicious entities as they move around in their systems. Using this information, they can reveal fraudsters and thwart fraud attempts.
About Tim Ayling
Tim is buguroo’s Vice President EMEA. He joined the company in 2019, bringing twenty years of experience in the cybersecurity and anti-fraud industry. He has spent time in the cyber-security practice of KPMG, served as EMEA Director of Fraud & Risk Intelligence at RSA Security, and most recently as the Global Head of Fraud Prevention Solutions at Kaspersky Labs.
About buguroo
Headquartered in Madrid, Spain, and with offices in the US, UK, Mexico, Brazil, Poland, and Colombia, buguroo helps protect more than 64 million banking customers across the world from online fraud. The company’s flagship anti-fraud solution, bugFraud, utilises deep learning technology combined with behavioural biometrics, device assessment, and advanced malware detection to create a unique profile of each customer, enabling banks to continuously check that the user is who they claim to be and is not being manipulated by fraudsters.