RSA Security has announced its Adaptive Authentication for eCommerce capability which improves fraud protection and user experience.
RSA Security, a global cybersecurity leader delivering business-driven security solutions to help organisations manage digital risk, has announced the general availability of RSA Adaptive Authentication for eCommerce version 20.5. In this version, RSA Adaptive Authentication for eCommerce implements the latest features available in the EMV 3D-Secure v2.2 protocol, adds new authentication flows to support transactions where the cardholder is not in session, and introduces new capabilities that significantly enhance the customer’s checkout experience.
Regulations like the Payment Services Directive 2 (PSD2) in the European Union (EU) have driven online merchants to adopt the EMV 3DS protocol for Card Not Present (CNP) transactions, so 3DS eCommerce transaction traffic is expected to grow sharply. This makes it even more critical for card issuers to select a trusted and well-performing 3DS Access Control Server (ACS) that can accurately detect fraudulent payments while keeping the transaction success rate high and providing a frictionless cardholder experience.
“Our goal with RSA Adaptive Authentication for eCommerce is threefold: reduce fraud and grow CNP transaction approval rates, reduce operational costs for our customers and deliver the most seamless user experience possible,” said Daniel Cohen, Head of Anti-Fraud Products and Strategy, RSA. “As one of the first vendors to support the latest version of the EMV 3DS protocol, we want to ensure our customers have the most advanced and up-to-date capabilities available to fight fraud while also being able to meet regulatory compliance such as PSD2 in Europe.”
As organisations continue down the path of Digital Transformation, they not only see the benefits of expanded use of technology, but also encounter unintended consequences of the evolution that extends deep into business operations. Financial institutions and credit/debit card issuers have been among the first to embrace Digital Transformation by creating innovative transaction methods, such as contactless payments and QR codes, but they often unknowingly open themselves up to new areas of digital risk. Effectively managing these digital risks enables organisations to mitigate threats and maintain compliance, while maximising the opportunities that come with adopting disruptive digital technologies and new operating models.
RSA Adaptive Authentication for eCommerce helps credit card issuers and payments processors prevent over 95% of fraud in CNP transactions that go through the latest EMV 3DS protocol while also maintaining a frictionless shopping experience for cardholders.
Powered by RSA’s Risk Engine, RSA Adaptive Authentication for eCommerce analyses hundreds of risk indicators to silently authenticate genuine cardholders while challenging only the small number of transactions that are high risk.
Leveraging the RSA eFraudNetwork, the industry’s first and largest international, cross-institutional and cross-platform network of confirmed fraud, RSA Adaptive Authentication for eCommerce can identify indicators linked to known and attempted fraud schemes globally.
Experts discuss the topic of fraud prevention and some of the ways to manage data in order to prevent fraud:
Michael Reitblat, CEO, Forter: “With a new breach occurring every day, consumers feel vulnerable and expect merchants to protect their data. Account security could be the difference between a lifelong customer and a one-time buyer, with compromised data from these breaches being used to commit fraudulent activity.
“It is imperative for merchants to keep both company and consumer data safe. Most retailers have a dedicated security team responsible for the safekeeping of vulnerable data. However, security engineers and risk teams are not the only ones to come into contact with this data. Regardless of the organisation’s size, many employees, stakeholders and third-parties come into contact with company and consumer data in the course of its management.
“The biggest cybersecurity risk for many businesses revolves around human factors and employee behaviours. Businesses are concerned with employees inappropriately sharing data, whether malicious or accidental. Furthermore, the increasing use of mobile devices increases the threat of exposure, especially when concerning the physical loss of devices.
“Phishing attacks are one of the most simple and effective means by which employees inadvertently expose company data. Fraudsters aim to gain stolen Personally Identifiable Information (normally obtained through sophisticated social engineering tactics) of legitimate individuals to conceal their true identities. According to Forter’s Fraud Attack Index, identity manipulation has increased by 30% in the last year, which can account for approximately 41% of company security breaches being associated with a phishing attack, overall.
“Organisations need to hire staff that are well-versed in the risks associated with handling personal data, but often holiday rushes, peak seasons, or expected online queue handling restrict the quality of this process.
“One way to combat this is to strengthen your security training programmes and ensure that all employees, regardless of where they sit in the hierarchy of the business, are equally educated on the risks associated with data privacy.
“In the world of fraud prevention, manual review and rules-based systems simply introduce too many risks to a business; these could result in huge financial penalties and losses, not to mention reputational damage. Ultimately, the best way for enterprises to manage data and avoid the above pitfalls, is to automate the system by which data is being processed and reviewed to prevent damage associated with human-activated data breaches.”
Craig Cooper, COO, Gurucul: “Fraud is getting hard to detect, but it occurs every day across a variety of industries, causing trillions in losses each year. While financial services and banking are among the hardest-hit industries, other frequent targets include retail, healthcare, Information Technology, government/public administration and utilities.
“Traditionally, companies have used legacy fraud management platforms that have limitations and result in too many false positive alerts to investigate, a condition that enables malicious activities to go undetected. Typically, these platforms produce evidence of activity after fraud has taken place, which is a classic example of too little, too late.
“Recent advances in a range of technologies from Big Data to Machine Learning have merged to build new approaches to fraud analytics. These can detect anomalous and outlying behaviours and activities in real time and provide accurate risk assessments so that mitigations can be triggered at machine speed.
“Here are several elements that are required to implement Machine Learning-based fraud detection at your company:
Big Data store: The first thing you need is an architecture that can scale to millions, even billions of data points over time. A Big Data system should support large and varied datasets (both structured and unstructured) and enable your data analytics to uncover information, including hidden patterns, unknown correlations and trends.
Data sources: Your processing engine should be able to ingest data from all available sources, including online and offline, regardless of its format. More data sources will result in better correlations, context and insights.
Data linkage: The data must be normalised in some way so it can be linked to a specific identity. That identity could be a cashier, a customer service representative, a customer and so on. Likewise, the identity could be an entity, such as a point-of-sale device, a desktop computer or server. Linkage is essential to the creation of a baseline of behaviour for each identity so that new activities can be compared to the baseline to look for anomalies.
A Machine Learning model: Once you have a Big Data store, data sources and data linkage established, you need to set up Artificial Intelligence (AI) and Machine Learning models that can automatically analyse data feeds, establish baselines and risk score activity without being programmed. This process of learning uses sophisticated algorithms to look for patterns in data, adjust risk scores and make better decisions in the future based on data collected and analysed.
“Criminals and hackers are already using advanced technologies, including AI, to harvest information and perform fraud at machine-level speed. To keep pace with attackers, organisations need to consider enhancing legacy rules-based fraud detection with new approaches that use data science to process multidimensional sources of information in ways humans cannot.”
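The four elements Cooper lists (a store, sources, linkage to an identity, a model that baselines and scores) are easier to see end to end in code. The following is an added example, not Gurucul's platform or code: two constructed source formats (a pipe-delimited POS log and a JSON web event, both invented here) are normalised into one event shape linked to an identity, a per-identity baseline of amount distribution and hour-of-day activity is learned from history, and new events are risk-scored by how far they deviate from that baseline. The scoring formula is a deliberately simple illustration, not a production model.

```python
"""Behavioural baselining and anomaly scoring across normalised event sources.

Added example (not Gurucul's platform): constructed POS log lines and web JSON
events are ingested, normalised to one Event shape, linked to an identity, and
each identity gets a baseline (amount distribution, hour-of-day histogram).
New activity is risk-scored by its deviation from that identity's baseline.
"""
import json
import math
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    identity: str   # "cashier:<id>", "customer:<id>"; a device id would work the same way
    hour: int       # local hour of day, 0-23
    amount: float   # transaction value
    source: str


def parse_pos_line(line: str) -> Event:
    """Constructed POS format: POS|<register>|<cashier>|<HH:MM>|<amount>"""
    _, register, cashier, hhmm, amount = line.strip().split("|")
    return Event(f"cashier:{cashier}", int(hhmm[:2]), float(amount), f"pos:{register}")


def parse_web_event(line: str) -> Event:
    """Constructed web format: JSON {"user": ..., "ts": "YYYY-MM-DDTHH:MM:SS", "total": ...}"""
    rec = json.loads(line)
    return Event(f"customer:{rec['user']}", int(rec["ts"][11:13]), float(rec["total"]), "web")


def normalise(line: str) -> Event:
    """Data linkage step: whatever the source format, the result is an Event tied to one identity."""
    if line.startswith("POS|"):
        return parse_pos_line(line)
    if line.startswith("{"):
        return parse_web_event(line)
    raise ValueError(f"unknown source format: {line[:24]!r}")


class Baseline:
    """Per-identity profile learned from history; scores new events against it."""

    def __init__(self) -> None:
        self.amounts = defaultdict(list)
        self.hours = defaultdict(lambda: [0] * 24)

    def learn(self, ev: Event) -> None:
        self.amounts[ev.identity].append(ev.amount)
        self.hours[ev.identity][ev.hour] += 1

    def score(self, ev: Event) -> float:
        """Risk in [0, 1]. Identities with fewer than 3 prior events score 1.0 (no baseline yet)."""
        hist = self.amounts.get(ev.identity, [])
        if len(hist) < 3:
            return 1.0
        mean, sd = statistics.fmean(hist), statistics.pstdev(hist) or 1.0
        z = abs(ev.amount - mean) / sd
        amount_risk = 1.0 - math.exp(-z / 3.0)          # z=3 -> 0.63, z=9 -> 0.95
        counts = self.hours[ev.identity]
        # Laplace-smoothed probability of this hour, compared with a uniform 1/24
        hour_prob = (counts[ev.hour] + 1) / (sum(counts) + 24)
        hour_risk = max(0.0, 1.0 - hour_prob * 24)
        return 1.0 - (1.0 - amount_risk) * (1.0 - hour_risk)   # noisy-OR combination


def risk_report(history: list, new_lines: list, threshold: float = 0.8) -> list:
    """Train on history, then return (identity, source, score) for new events at or over threshold."""
    model = Baseline()
    for line in history:
        model.learn(normalise(line))
    flagged = []
    for line in new_lines:
        ev = normalise(line)
        s = model.score(ev)
        if s >= threshold:
            flagged.append((ev.identity, ev.source, round(s, 3)))
    return flagged


# Constructed sample data: one cashier's day shift and one customer's evening orders.
HISTORY = [f"POS|R7|42|{h:02d}:15|{a}" for h, a in
           zip(range(9, 17), (20, 25, 22, 30, 18, 24, 27, 21))]
HISTORY += [json.dumps({"user": "alice", "ts": f"2024-01-0{d}T20:10:00", "total": t})
            for d, t in zip(range(1, 5), (40, 55, 38, 60))]
NEW = [
    "POS|R7|42|11:40|23",          # typical amount, typical hour -> low risk
    "POS|R7|42|03:05|900",         # very large amount at 3 am -> high risk
    '{"user": "alice", "ts": "2024-01-06T20:30:00", "total": 50}',    # normal for alice
    '{"user": "mallory", "ts": "2024-01-06T20:30:00", "total": 50}',  # no baseline -> flagged
]

if __name__ == "__main__":
    for row in risk_report(HISTORY, NEW):
        print(row)
```

Running the block flags the 3 am POS transaction for cashier 42 and the never-seen customer "mallory", while the two in-pattern events pass silently. The unseen-identity rule is the edge case worth noticing: a model that has no baseline for an identity should escalate rather than silently approve, which is the opposite of what a rules engine with no matching rule does.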
Justin Fox, Director of DevOps Engineering at NuData Security, a Mastercard company: “Many enterprises comply with rigorous standards and regulations that are focused on safeguarding employee and customer data. The challenge is the technical implementation within each organisation – most standards and regulations can be met in a variety of ways, allowing flexibility in how the control is met. This flexibility means that an organisation can meet the requirement specified in a control while leaving a backdoor or emergency access mechanism in place that enables the technical implementation to be circumvented if the need arises.
“Cryptography and access control lists are technical mechanisms for enterprises to secure and manage access to stored data. Let’s use a modern web application running on the AWS Cloud as an example of how these controls can be used to successfully secure a customer’s profile data. A common pattern is to use AWS Amplify with a web framework like Vue to create a web application that incorporates Amazon Cognito for user authentication and with AWS IAM for authorisation policies to access data stored on Amazon S3. Your static web assets would live on Amazon S3 and would be served using Amazon CloudFront. Depending on your requirements, you might use other services like Amazon API Gateway, Amazon DynamoDB, and AWS Lambda.
“This was a fairly simple example, but this web app ended up needing to use a number of different services from the AWS Cloud in order to provide baseline security while still providing a mechanism for a customer to create and manage a profile within the web application. If you get the encryption wrong, then employees can read customer data even if there is no need for it. If you get the authorisation wrong, then customers can read each other’s data. Any exposure of customer data is bad and has to be immediately remediated.
“In addition to data access controls for protection of a customer’s data against internal threat vectors, there are also a number of controls that need to be layered to provide protection against external attacks. A great starting point is to implement the top 10 web application firewall controls recommended by the Open Source Foundation for Application Security (OWASP) foundation. You can use the OWASP Zed Attack Proxy (ZAP) to test vulnerabilities like Structured Query Language (SQL) injection, man-in-the-middle proxies, insecure deserialisation, broken authentication and other security misconfigurations.
“For an enterprise to identify and defend against fraudsters who already have stolen data, they need to take a layered approach to user authentication using advanced technologies. It is crucial to use multiple authentication factors during the user verification process and protect data in accordance with the belief that all data is valuable to cybercriminals. The strength of a particular authentication factor is an important consideration. Static authentication like username and password is inherently broken. Dynamic authentication like a short message service (SMS) with code delivery, is vulnerable to interception.
“Biometrics technology, like a fingerprint or iris scans, can be used by organisations to help authenticate users and prevent fraud. Passive biometrics generate a frictionless experience by recognising patterns, such as how consumers type, browse or interact with their device, so that users are verified, but their experience is not impacted, unless there is risk present in the transaction. Bad actors are prevented from accessing illegitimate accounts because they cannot replicate customers’ inherent behaviour. This is the key to preventing fraud – to make it difficult for cybercriminals to impersonate someone by adopting authentication methods that hackers cannot deceive with their tools.”
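Fox's warning that getting authorisation wrong lets customers read each other's data is concrete in the Cognito plus IAM plus S3 architecture he describes: the IAM policy attached to the authenticated Cognito role decides which object keys a caller may touch. The following is an added example, not NuData's or AWS's code. The two policy documents are real IAM policy JSON shapes; the weak one grants every authenticated user the whole `private/` prefix, the corrected one parameterises the resource on the caller's own identity id via the `${cognito-identity.amazonaws.com:sub}` policy variable. The bucket name, identity ids and key layout (`private/<identity-id>/profile.json`) are constructed for the example. The evaluator is a deliberately simplified model of IAM's decision logic (explicit Deny wins, then any matching Allow, else implicit Deny) that only substitutes that one variable and matches `*` wildcards; it is not the AWS policy engine and is there so the two policies can be compared offline.

```python
"""Weak versus identity-scoped IAM policy for per-customer S3 data (added example).

Not AWS's or NuData's code. The evaluator models only: explicit Deny overrides,
any matching Allow permits, otherwise implicit deny; variable substitution for
${cognito-identity.amazonaws.com:sub}; and '*' / '?' wildcards via fnmatch.
"""
import fnmatch

BUCKET = "arn:aws:s3:::example-app-profiles"          # hypothetical bucket
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"      # real IAM policy variable

# Weak: any authenticated identity may read or write any object under private/
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"{BUCKET}/private/*",
    }],
}

# Corrected: the resource ARN is parameterised on the caller's own identity id
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"{BUCKET}/private/{SUB_VAR}/*",
    }],
}

# Constructed Cognito identity ids (shape: "<region>:<uuid>")
ALICE = "us-east-1:aaaaaaaa-0000-4000-8000-000000000001"
BOB = "us-east-1:bbbbbbbb-0000-4000-8000-000000000002"


def profile_key(identity_sub: str) -> str:
    """Object ARN for one customer's profile under the assumed key layout."""
    return f"{BUCKET}/private/{identity_sub}/profile.json"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, identity_sub: str, action: str, resource_arn: str) -> bool:
    """Simplified IAM evaluation for one request made by one Cognito identity."""
    allowed = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        for pattern in _as_list(stmt["Resource"]):
            pattern = pattern.replace(SUB_VAR, identity_sub)   # policy variable substitution
            if fnmatch.fnmatchcase(resource_arn, pattern):
                if stmt["Effect"] == "Deny":
                    return False                              # explicit deny always wins
                allowed = True
    return allowed                                            # no match -> implicit deny


def cross_tenant_reads(policy: dict, subs: list) -> list:
    """Check a practitioner wants: which (reader, victim) pairs can read another's profile?"""
    return [(reader, victim)
            for reader in subs for victim in subs
            if reader != victim and is_allowed(policy, reader, "s3:GetObject", profile_key(victim))]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "cross-tenant reads:", cross_tenant_reads(policy, [ALICE, BOB]))
```

The `cross_tenant_reads` check is the thing to run against a real policy set before shipping: under the weak policy it reports both directions of leakage, under the scoped policy it is empty, and Alice can still read and write her own profile. Actions the policy never names, such as `s3:DeleteObject`, fall through to implicit deny in both cases.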