Channel: Anti-Fraud – Speaking of Security – The RSA Blog

Securing eCommerce Transactions without Losing Customers Part 1 – Risk-Based Authentication


Yesterday afternoon I received one of the calls we all dread – my credit card company phoned to ask if my husband had purchased airline tickets within the last five minutes. Alas he wasn’t planning to whisk me away – a fraudster was using his credit card number to book a flight. Within twelve hours I received another call. This time the fraudsters were using my credit card number to purchase more air travel along with some electronics.

Aside from the inconvenience of being without our credit cards until the issuer can send replacements and spending about twenty minutes on the phone, it was fairly painless for us and we weren’t liable for the charges. However, fraud is a zero-sum game, so either the merchant or the issuer is absorbing a loss of over $2,000.

So if I am an online merchant, how would I protect myself from chargebacks related to fraud without making online transactions difficult for the good guys (especially the guy who really IS trying to whisk his wife away)?

This is the first in a series of posts that will address that question.

One of the most basic things that any organization supporting online transactions can do is implement strong authentication, that is, make sure the person initiating the transaction is who he says he is. Of course, online merchants serve both consumers who have an account on their site and those who check out as guests, and authentication will look different for each.

Let’s start with accounts.

Rather than relying on the account holder to provide information that proves they are who they say they are each time they use their account, online merchants can use risk-based authentication to “silently” assess the probability that the person attempting to make a purchase is the actual account holder.

By correlating device forensics, IPs, geolocation and other indicators, a risk-based authentication solution can identify those customers who have a higher probability of not being the actual account holder and then request additional information (e.g., on-card data, challenge question) or send a One Time Password to the registered telephone number. Typically only about 5% of transactions qualify for re-authentication, leaving 95% or so to cruise right through.

Note that an effective risk-based authentication solution for ecommerce accounts should include a rules engine so that online merchants can control the customer experience in a way that aligns with their business goals. Online purveyors of luxury goods like jewelry or designer bags will likely have a much different level of risk tolerance than a site selling novelty items.
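A minimal sketch of the two ideas above, signal correlation and merchant-controlled rules, written as an added example and not taken from RSA's product or this post. The signal weights, thresholds, class names and sample values are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed signal weights (assumption); a real deployment would tune these.
WEIGHTS = {"new_device": 0.40, "bad_ip": 0.50, "geo_mismatch": 0.30}

@dataclass
class Account:
    known_devices: set
    usual_countries: set
    phone_on_file: bool = True

@dataclass
class Purchase:
    device_id: str
    ip: str
    country: str
    amount: float

@dataclass
class MerchantRules:  # hypothetical per-merchant policy for the rules engine
    challenge_at: float             # score that triggers re-authentication
    high_value: float               # order amount treated as high value
    high_value_challenge_at: float  # stricter threshold for those orders

def risk_score(p, acct, bad_ips):
    """Correlate device, IP and geolocation signals into a 0..1 score."""
    fired = {"new_device": p.device_id not in acct.known_devices,
             "bad_ip": p.ip in bad_ips,
             "geo_mismatch": p.country not in acct.usual_countries}
    clean = 1.0  # combine as 1 - product of (1 - weight) over fired signals
    for name, hit in fired.items():
        if hit:
            clean *= 1.0 - WEIGHTS[name]
    return round(1.0 - clean, 3)

def decide(p, acct, rules, bad_ips):
    """Let low-risk purchases through silently; step up the rest."""
    score = risk_score(p, acct, bad_ips)
    high = p.amount >= rules.high_value
    limit = rules.high_value_challenge_at if high else rules.challenge_at
    if score < limit:
        return "allow", score
    method = "otp_to_registered_phone" if acct.phone_on_file else "challenge_question"
    return method, score

# Constructed sample data: documentation IP ranges and made-up device ids.
BAD_IPS = {"203.0.113.7"}
ACCT = Account({"dev-a1"}, {"US"})
LUXURY = MerchantRules(0.35, 500.0, 0.25)   # low risk tolerance
NOVELTY = MerchantRules(0.60, 500.0, 0.30)  # higher risk tolerance
```

The same purchase from an unrecognized device scores 0.4 in both cases, yet it passes silently under `NOVELTY` and triggers a One Time Password under `LUXURY`, which is the risk-tolerance difference the rules engine exists to express.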

Risk-based authentication is a great strategy to reduce fraud related to hacked accounts, but many fraudsters check out as a guest, which requires a different approach. We will tackle that in a future post.

Interested in learning more about how a risk-based approach can reduce fraud chargebacks? Please join us online at 11 am EST on August 25 for an educational webinar. Register here.

Read about how one ecommerce site leveraged Adaptive Authentication, RSA’s risk-based authentication solution, to reduce fraud by two thirds while improving customer experience.

The post Securing eCommerce Transactions without Losing Customers Part 1 – Risk-Based Authentication appeared first on Speaking of Security - The RSA Blog and Podcast.

