Fighting fraud and improving online security through strong customer authentication

Fraud in online transactions in the United States has led to a loss of about five percent of revenue for organisations every year, the Association of Certified Fraud Examiners has calculated. Mobile commerce and international merchants suffer the biggest losses, BusinessWire reports.

A LexisNexis study reveals merchants are overwhelmed by increasing revenue losses to fraud. Now in its seventh year, the annual study shows a drastic upswing in retail fraud as merchants lost 1.32 percent of revenue to fraud in 2015 compared to 0.68 percent in 2014. While all merchant segments took a substantial hit on fraud losses as a percentage of revenue, international and mCommerce merchants were hardest hit with 1.56 percent and 1.68 percent lost, respectively, according to BusinessWire.

According to the Association of Certified Fraud Examiners (ACFE), U.S. organisations lose an estimated five percent of revenue to fraud every year. Five cents on every dollar adds up quickly. Based on projected U.S. Gross World Product, fraud costs will enter the trillions for US businesses, with no signs of stopping, Capco reports.

100% secure? I don’t think so

Today, security and fraud prevention are the highest priority of financial institutions and companies specialising in financial technology (fintech). According to guidelines from the European Banking Authority (EBA), banks and payment service providers (PSPs) must use at least two-factor authentication for sensitive transactions such as payments. But Keiron Dalton (quoted below) strongly recommends that if SMS is used as one of the factors, the provider must deploy extra context checks, such as divert detection, location-based checks using GPS, and SIM swap detection via the contact centre.

Although security is the highest priority, financial institutions know that nothing can be 100% secure, as the past has proven. They can only strive for the best security possible and keep systems up to date so they meet the highest standards when it comes to security and fraud prevention. Relatively new to the field of authentication are biometrics. Fingerprints, iris scans, voice biometrics: many people swear that bodily characteristics are the future of identification and authentication.

Biometrics to replace the password

There is widespread agreement that the good old password is dead. But biometrics have severe disadvantages of their own, the Financial Brand reports: “As you begin to integrate biometric security, please don’t assume that this brave new world of iris scans and fingerprints is inherently better than our current solution. We tested lots of biometric prototypes and found that many actually created a user experience that was undoubtedly inferior to the creation and use of the simple password.”

Another important new requirement is that payment providers must comply with strong customer authentication (SCA) as defined under PSD2. SCA, like one-time passwords, succeeds single-factor authentication, which is no longer considered safe to use at all. SCA puts an extra layer over login sessions and transactions: instead of just logging in with a password, users must also prove their identity with another element, such as a mobile phone or a biometric method like a fingerprint or iris scan.

Out-of-Band Authentication

The EBA has, however, identified a complication that arises when a person makes a purchase on their mobile phone while that same phone is used as the authentication channel, for instance when a one-time password is sent by SMS to verify a transaction made on the same device. This breaks the independence of the authentication elements: a compromise of the mobile device itself compromises the reliability of both elements at once.

Out-of-Band Authentication (OOB) is a type of two-factor authentication that requires a secondary verification through a separate communication channel in addition to the ID and password. This makes account takeover harder, because a transaction has to pass through two separate channels, for example a text message sent to a smartphone while the user signs in with ID and password.

Extra check please?

As Keiron Dalton, senior director of customer strategy & innovation at Aspect, says, financial organisations should use extra security and context checks, through methods such as divert detection, location-based checks using GPS, SIM swap detection and, where available, roaming information: factors that cannot easily be manipulated.
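The two points above, the independence of the authentication elements and the extra context checks on an SMS factor, can be combined into one decision rule. The following is an added example, not code from the article or from Aspect; the carrier feeds (SIM swap age, call divert status, serving-network country) are hypothetical inputs, and the allow/step-up/deny policy is a constructed illustration rather than a PSD2 requirement.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class TxnContext:
    """Signals gathered for one payment (all values are constructed for the example)."""
    password_ok: bool          # knowledge element verified
    otp_ok: bool               # possession element (one-time code) verified
    otp_channel: str           # "sms" or "app"
    otp_device_id: str         # device the one-time code was delivered to
    txn_device_id: str         # device the payment was initiated from
    sim_swap_days_ago: int     # hypothetical carrier feed; -1 means never swapped
    call_divert_active: bool   # hypothetical divert-detection result for the number
    gps_country: str           # country reported by the device's location
    network_country: str       # country of the serving mobile network (roaming info)


def evaluate_sca(ctx: TxnContext) -> Tuple[str, List[str]]:
    """Return ("allow" | "step_up" | "deny", reasons) for a transaction."""
    reasons: List[str] = []
    if not ctx.password_ok:
        return "deny", ["knowledge element failed"]
    if not ctx.otp_ok:
        return "deny", ["possession element failed"]
    # Independence of elements: a code delivered to the device that runs the
    # transaction does not count as a second, independent channel.
    if ctx.otp_device_id == ctx.txn_device_id:
        reasons.append("otp delivered to the transaction device: elements not independent")
    # Context checks that only matter when the possession element travels over SMS.
    if ctx.otp_channel == "sms":
        if ctx.call_divert_active:
            reasons.append("call/sms divert active on the registered number")
        if 0 <= ctx.sim_swap_days_ago <= 7:
            reasons.append(f"sim swapped {ctx.sim_swap_days_ago} days ago")
    # Location check: device GPS should agree with where the SIM is roaming.
    if ctx.gps_country != ctx.network_country:
        reasons.append(f"gps country {ctx.gps_country} differs from network country {ctx.network_country}")
    # Policy (constructed): signs of number hijacking deny outright; anything
    # else that weakens the SMS channel forces a step-up on a different channel.
    if any("divert" in r or "sim swapped" in r for r in reasons):
        return "deny", reasons
    if reasons:
        return "step_up", reasons
    return "allow", reasons
```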


About the author

Erik Eggens is an all-round journalist, editor, content creator and copywriter who takes a keen interest in mobile, finance and politics.
