Where guest writers discuss what they think about the current FSTEU Issues.

In this article he tells us why financial organisations need to look past simple username/password to new risk-based authentication models where the type of authentication deployed varies according to the customer’s behaviour and characteristics of the transaction. He says risk-based authentication is key to ensuring secure online shopping and banking that consumers are comfortable with.
In recent years, financial institutions have had to deal with a surge in online identity theft and fraud. Internet fraud is a growing part of Card Not Present (CNP) fraud, which cost the UK £183.2m in 2005 according to APACS. And as more, hitherto inexperienced, users come onto the Internet and start transacting online, it looks likely that these figures will not diminish in the near term. Internet users are sometimes easy victims for fraudsters and a gateway into a financial organisation’s most valuable asset: its customer information. Of course, online fraud is just a new instrument playing an old tune. As with fraud in the bricks-and-mortar world, financial organisations have adapted and protection has been deployed. In the online world, however, phishing continues to exist. And even if we succeeded in rooting it out, it is just a tool: stopping phishing doesn't stop identity theft, and it doesn't stop fraud. And while most online protection technologies come, by definition, with an “acceptable” error rate, one failure is still one failure too many, both for the individual and for the financial organisations that want to limit costly and reputationally damaging Internet fraud. What they need is another layer of protection that looks beyond whether something merely looks like a threat and can determine whether a transaction is more likely to be legitimate, i.e. actually authorised by the user, or not.
The basic idea is straightforward. But it took years of research to come up with the solution: Risk-Based Authentication (RBA). RBA provides online behavioural cues, an element that is present for in-person transactions but, until now, not for online transactions.
The key problem we had to solve in developing RBA was to find a way to distinguish, with high precision, legitimate from illegitimate activity, in an environment where every transaction is different and, naturally, so is every organisation and every client. In other words, we had to develop a solution that could discern what “normal” behaviour is. What we developed is a technology that collects certain parameters from users' normal behaviour.
If a financial organisation can assess each transaction against a user's individual profile and assign a risk rating in real time, it can massively improve the user experience while reducing the risk of a fraudulent transaction. The risk rating can be matched with the client's business policies as well as its customers' preferences. In the end, this enables a triage: if the transaction falls within normal parameters, it is allowed. If it is out of the ordinary with a high degree of certainty, it can be blocked based on the policies of the client, and human escalation can be triggered in real time. In the zone “in between”, where further authentication is needed to ascertain the legitimacy of the transaction, an out-of-band authentication mechanism, such as a one-time password sent to the mobile phone number on record for the customer, can be executed.
Let us take an online purchase as an example. James has just bought a new computer from an online auction site and pays by credit card. The purchase was closed at 11pm. If James normally uses his credit card only during business hours, this might be one risk indicator, but it wouldn't be conclusive. If, however, the purchase was also an order of magnitude higher than James's average transaction, or was conducted from an IP address that doesn't fit his normal geographical location, the aggregated risk might exceed the bank's risk threshold. The transaction might then be stalled until the bank has had a chance to contact the user on his registered phone number.
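The three-zone triage and the James example above, written out as an added illustration (this is not the author's system or any vendor's product; the indicator weights, the allow/block thresholds, the profile fields and the sample data are all constructed for this example). Each decision also returns the audit record that the article later asks every RBA solution to keep.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Policy thresholds; illustrative values, an institution's own policy would set them.
ALLOW_BELOW = 30   # score below this: allow with no visible check
BLOCK_AT = 70      # score at or above this: block and escalate to a human

@dataclass
class Profile:
    """Normal-behaviour parameters learned from a customer's history (constructed)."""
    usual_hours: tuple   # (start, end): hours of the day the customer usually transacts
    home_country: str
    past_amounts: list   # recent transaction amounts

@dataclass
class Transaction:
    amount: float
    when: datetime
    ip_country: str      # country geolocated from the client IP address

def risk_score(profile, tx):
    """Aggregate independent indicators; no single one is conclusive on its own."""
    start, end = profile.usual_hours
    indicators = [
        (not start <= tx.when.hour < end, 20, "outside usual hours"),
        (tx.amount >= 10 * mean(profile.past_amounts), 40, "amount an order of magnitude above average"),
        (tx.ip_country != profile.home_country, 35, "IP geolocation does not match customer"),
    ]
    fired = [(weight, reason) for hit, weight, reason in indicators if hit]
    return sum(w for w, _ in fired), [r for _, r in fired]

def decide(profile, tx):
    """Triage into allow / step-up (out-of-band OTP) / block, returning an audit record."""
    score, reasons = risk_score(profile, tx)
    if score < ALLOW_BELOW:
        action = "allow"
    elif score >= BLOCK_AT:
        action = "block_and_escalate"
    else:
        action = "step_up_otp"   # e.g. one-time password to the phone number on record
    # Every decision is recorded with its reasons so it can be reviewed in retrospect.
    return {"action": action, "score": score, "reasons": reasons,
            "at": tx.when.isoformat(), "amount": tx.amount}

# Constructed sample: James's profile and the three variants from the article.
james = Profile(usual_hours=(9, 18), home_country="GB", past_amounts=[40, 55, 70, 35])
late_only = Transaction(60, datetime(2006, 3, 1, 23, 0), "GB")
late_and_large = Transaction(1200, datetime(2006, 3, 1, 23, 0), "GB")
late_large_abroad = Transaction(1200, datetime(2006, 3, 1, 23, 0), "XX")  # "XX": placeholder country
```

A late purchase alone stays in the allow zone, a late and unusually large one lands in the step-up zone, and all three indicators together push the score past the block threshold.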
Real-time validation is an important point for online transactions, so that users experience no perceptible delay. Usability tests show that a web-based transaction needs to be finished in a few seconds. The system needs to be able to deliver its decision within this time frame in order to avoid frustrating legitimate users, which could affect their loyalty and willingness to trade with the organisation again. Allowing maximum security and maximum control at the same time is key. Most users should in fact never know it's there.
How well a financial institution manages its customers' risk and protects their assets may soon become a competitive factor in the financial sector. Today, the situation is mostly black and white: a financial institution's clients are normally liable for any losses, a situation that is as unavoidable as it is undesirable. While banks can’t provide solid guarantees, they will often silently absorb the damage to avoid risk to their reputation.
The higher ground, then, is to manage the risk better altogether. This cuts losses for all parties (except attackers, we rejoice in reporting) without becoming a major cost driver in itself. It solves the conundrum that the consumer is required to take on more responsibility but isn’t really empowered to do so because of the complexity of computer systems.
In addition to customer-facing applications, risk-based authentication can be deployed internally. The same rules that allow an end user to operate in a risk-controlled environment allow corporations to manage transaction risk “at home”. Unusual transactions can be monitored and escalated in real time. This helps institutions comply with new, stricter financial and governance rules and provides an additional layer of protection against internal fraud.
Any RBA solution should provide an audit trail for every decision it makes. This means that data can be analyzed in retrospect and the legitimacy of transactions will always be tightly controlled. This is a value-add in its own right.
In conclusion, risk-based authentication is a form of “financial intrusion detection”, a tool that will soon, we expect, be a standard in the financial and business world. Risk-based authentication will provide banks and financial institutions with real-time protection that balances enhanced security with customer ease of use.