The need to maintain frictionless SCA and as result - better conversion and outstanding user experience, while at the same time, maintaining top-tier security standards is one of the biggest challenges faced by banks and e-commerce in the light of PSD2. But there is a solution for this challenge!
You simply need to learn more about modern tech possibilities like behavioural biometry and Machine Learning. We will show you how to handle them effectively – but first things first.
Long story short
- Recently, through PSD2 (Revised Payment Service Directive) European Commission introduced SCA (Strong Consumer Authentication) which, among others, aims at minimizing online payment fraud.
- SCA requires use of at least two factor transaction authorisation from three independent elements: Knowledge, Possession and Inherence.
- This separation of elements is required, so that if one of them is compromised, remaining ones can secure the transaction.
So, what is the problem here?
PSD2 is a spark of bigger changes in the financial services market, which can spread from EU to the whole world (as it can be seen that countries outside EU started working on their own similar initiatives). But, as it directly strengthens security of online transactions (which is undoubtedly an important thing to take care of) it also has some indirect negative aspects, for example:
- more friction in authentication process,
- worse user experience,
- drop in conversion rates,
- additional security costs.
Let’s take a deeper look in the situation to make it all clear.
Considering the fact that new technologies are supposed to make our lives easier, adding the next step to the identity authentication process isn’t the best way to make it that way. Frankly speaking as consumers, we want to have immediate access to our bank accounts or to close the transaction quickly. At the same time, we want it to be as safe as possible. If it is not, then well… In times of such a big competition, we can easily find other companies, which will meet our needs quicker. As simple as that. That is why user experience plays such a significant role in online business. More friction often results in drop of conversions rates, as customers often abandon the transaction if they meet some obstacles.
Obviously lower conversion rates hurt the merchant's profits. Same goes for additional costs of higher security regulations (under PSD2 each entity must comply with Regulatory Technical Standards – RTS). Moreover, implementing SCA also needs investments, e.g. banks need to send a SMS with an access password or engage further funds in analyzing the legality of transactions. The scale effect is quite important here.
In conclusion, the need to maintain frictionless flow while maintaining high security standards is one of the biggest challenges facing banks in the light of PSD2.
But this challenge can be accepted thanks to…
Behavioural biometry and device fingerprinting supported by Machine Learning
Nethone has been conducting research on the use of behavioural data for ATO prevention (meaning, countering illegal takeover of online accounts). We have already deployed this solution as Nethone ATO, which is not only part of the 3FA (three-factor authentication) compliant with PSD2, but also enhances security by countering known attack vectors which are able to bypass standard 2FA.
During the users' first login we consider them to be unverified. With every online action of the users (including the first visit), they leave a digital trace - a virtual fingerprint, which consists of sets of user-related data (information about user’s device, software, and the type of network connection). Thanks to the uniqueness of each data set, it is possible to distinguish users basing on the fingerprints. Therefore, it is possible to identify user with great accuracy. We create it with our proprietary Profiler (it can collect over 5000 user attributes). This fingerprints will be later used as an element of SCA, as they are used to identify returning users that have already been verified previously.
Another authentication factor is based on the user’s behaviour. This is the moment when behavioural biometrics enter.
According to PSD2, biometry is a valid authentication factor in the form of Inherence (something the users is). Behavioural biometrics is the analysis of behavioural patterns of specific users, which among others, helps with their authentication (confirming their identities, meaning – is the user the person, who they claim they are). Within our analytics we do not only observe the login, but also user’s interaction with the website – behavioural biometrics measuring such activities as:
All of this data can be effectively processed by Machine Learning (you can learn more about ML here). ML has proven to be more effective than any other fixed rules with its proficiency to analyze vast amount of data. That is why, our models are perfect, when it comes to finding non-obvious links between user behaviours. For example, we can check if users logged from different locations than usual or if they’re operating on tools keeping the anonymity like VPN or TOR, including changes of their standard behaviours, such as keystroke dynamics. Knowing that, we are able to provide a real-time decision on whether the transaction is fraudulent or not. In a matter of fact, we outperform standard SCA, by providing all that data (and much more), which enriches the context. There is no need for any additional security factors such as sending a SMS code or manual check. So it is possible to generate frictionless transaction flow which, as mentioned before, will result in better UX, better conversion rates and lower operational cost.
Accuracy of our analysis is so high that it meets all the requirements of RTS, SCA and PSD2. As a result, Nethone ATO assures:
- seamless UX for the customers (frictionless flow as the tool works in the background, no need for the additional authentication like sending SMS,
- enhanced security (protects from the unauthorised use of login and password, but also from fraud tools that easily deceive other ATO solutions such as stealing cookies or phishing domains),
- cut of operational costs (we take the hardest parts of the authentication process on us).
If you want to know more about Nethone ATO, just contact us at firstname.lastname@example.org!