Why it’s time to factor in two levels of authentication

It was Detective Lester Freamon’s sage advice in the hit TV series ‘The Wire’ that the investigation needed to follow the money.

This philosophy also holds true beyond the realms of fictional TV. Although the comparison may sit a little uncomfortably, real-world crooks and real-world corporations all follow the money, although for very different reasons.

For companies, getting the online payment process right and providing a smooth user experience reduces the number of transactions that get abandoned. For cyber criminals, the payment process is something to exploit with fraud that benefits their own ends. With this in mind, online payment providers are attempting to achieve a streamlined process without compromising security. Yet striking the balance isn’t as easy as it sounds, even as the new European Banking Association (EBA) guidelines for payment service providers (PSPs) take effect on August 1st.

More Payment Methods, More Problems

There are more payment methods available today than ever before. Online vendors can accept payments from credit cards, debit cards, prepaid cards, PayPal, Apple Pay, Google Wallet and cryptocurrencies like Bitcoin and Litecoin.

The growth in online payment options has naturally been accompanied by an increase in payment fraud. A recent study from LexisNexis Risk Solutions claimed that mobile transactions make up 21% of fraud cases, despite being just 14% of overall transactions.

Also, the third report on card fraud published by the Eurosystem highlighted that card-not-present (CNP) fraud accounted for 60% of all card fraud in 2012, up 21% from 2011, from cards issued in the Single Euro Payments Area (SEPA).

Pay it safe

Due to the increasing risk of online payment fraud, the EBA has issued new payment security guidelines requiring strong customer authentication when collecting payments in online transactions. These rules have already been replicated elsewhere on the planet, and the improved security results will probably encourage others to do so.

Under the new guidelines, two or more of the following methods must be employed for users to prove who they are:

  • something only the user knows, such as a static password
  • something only the user possesses, for example a phone or a token-generator
  • something the user is, in short biometric identification

Here the challenge for payment service providers is to comply without making the process too onerous for the customer.

Unlocking phone security

So the challenge remains: what is the best way to implement these security measures? Phone number verification has become the leading alternative for implementing two-factor authentication because it’s easy to set up and imposes very little additional effort on the consumer.

With technological change so rapid, and the deadline for implementing the measures of authentication on the horizon, payment service providers should draw on the ubiquity of mobile phones to meet the initial challenge.

With so much fraud committed online, it is positive to see authorities taking steps to meet the challenge head on. Without doubt, calling on the mobile phone within a two-factor authentication process should see the number of successful frauds dialled down.