A Summary of the Forum on Improving Customer Authentication
Retail Payments Risk Forum
Federal Reserve Bank of Atlanta
On July 31, 2013, the Federal Reserve Bank of Atlanta hosted payments industry participants, including banks, nonbank payment service providers, industry associations, and regulators at the forum titled Improving Customer Authentication. This forum focused on exploring the methods and technologies for improving customer authentication that financial institutions and other payments stakeholders can adopt to mitigate payments fraud. The goals of the forum were to understand the challenges of current methods of customer authentication in both face-to-face and remote channels and the legal implications of authentication, as well as to explore the pros and cons of emerging solutions. Following is a summary of the major themes discussed.
The legal importance of authentication
Open networks have created a complex payments system with many layers and players. Authentication is basic to proving identity, capacity, and consent throughout the payment stream, creating a chain of reliance on the authentication function. Although the focus of the forum was on the top layer—authentication of a person and device—all the intermediaries that form the layers and links in the chain must be protected for payments to be trusted.
All parties in the payments chain rely on authentication for legal protections: the payee for protection against fraudulent consumers and purchases, the intermediaries for protection against fraud and cyberthreats, and the payors for protection against vendors and fraudsters. Ideally, authentication would:
The concept of authorization was defined right away. Check law clearly defines a check as properly payable if it is authorized (signed) by the account holder. However, there is currently no single, simple, legally approved method for authorizing multiple payment types or for assuring that a payment order is authorized. In addition to Regulation E and other regulations providing consumer protection, the primary legal principle covering a payment order is contained in Uniform Commercial Code 4A-202, which requires the bank to use a commercially reasonable security method.
In 2005, the Federal Financial Institutions Examination Council issued guidance on authentication for the Internet banking environment. This guidance shifted the legal discussion from authorization to authentication, and included the concept of multi-factor authentication. In 2011, this guidance was updated. It expanded the financial institution's scope of duty beyond offering multi-factor authentication, to include awareness and monitoring of customer accounts and customer education. Although this guidance is not law, case law now indicates an increased expectation for the financial institution to act in a commercially reasonable manner, addressing all the features of the 2011 guidance in a manner appropriate to the circumstances.
In this age, when consumer protection is of utmost importance, payments providers rely on ambiguous law and guidance for multi-factor authentication as a protection. For this reason, we need improved authentication. This question was posed: do we need new laws or regulations?
The challenges of authentication
The cost to protect Internet accounts is increasing significantly with a projected compound annual growth rate of 75 percent from 2012 through 2017. Peter Tapling, chief executive officer of Authentify, urged attendees to work to reverse that costly trend. Ultimately, electronic payments should be as quick and reliable as cash payments. But the payments industry, bound by business case and return-on-investment concerns, has a tendency toward implementing only incremental solutions, which have led to marginal improvements and complexity in the system. Tapling urged the audience to design the optimal solution(s), and then determine how to get there.
Multi-factor authentication relies on responses to at least two of the following factors: what you know, what you have, and what you are. Today's authentication largely relies on the password—what you know—along with additional layers of what you know, rather than a second factor. Password authentications in and of itself may not be a problem, but it is how we often use passwords that creates the weakness. Poor practices include selecting weak or frequently used passwords, using the same password for multiple applications, and storing passwords centrally. Successful authentication solutions start with a strong enrollment process—without a strong enrollment process, we end up with authenticated thieves. Successful authentication asks who, what, when, where, and how. Answers to these questions should generate a risk-based approach to authentication.
Cybercrime attacks are increasing because criminals can "work from home." This situation creates greater difficulty apprehending the cybercriminals and increases the potential amount of fraud to something much greater than does the traditional physical attack. In addition, new payment methods are stretching the current payments infrastructure, creating weak points for cyberthieves to exploit.
The consumer may not be as concerned with having stronger authentication because Regulation E and "zero liability" policies offered by the card networks give the consumer protections.
Successful authentication solutions will likely have the following attributes:
Authentication methods can be supplemented by the growing amount of data available to assess consumer behavior or to use against criteria to either help authenticate the person or device or identify fraudulent activity. A critical factor in consumer acceptance is end-user convenience that requires a balancing of security and ease of use.
Authentication as a means of reducing fraud: A tough business case
According to the day's speakers, fraud as a percentage of sales is at an all-time low on a global basis, and is in the range of 0.05–0.06 percent. The move to the Europay, MasterCard, Visa (EMV, or chip-based technology) standard in the United States is expected to decrease counterfeit fraud, which is the vast majority of card fraud. However, the United States can expect card-not-present (CNP) fraud to increase, as it has in other countries post-EMV-implementation. The shift to EMV is also significant in regards to the affected parties. Issuers generally take the loss on card-present fraud, while merchants take the loss on CNP fraud. Although the overall cost associated with fraud is not known, the low overall fraud level influences any business case to invest in improved authentication as a means of reducing fraud.
Most countries have implemented EMV with PIN verification, whereas the U.S. transition will allow for signature and PIN, and no cardholder verification. Visa recently increased the no-cardholder-verification required transaction ceiling from $25 to $50 to further reduce friction at the point of sale (POS). This lack of reliance on cardholder verification (as a what-you-know authentication) is due to the online environment in the United States, where card transactions are instantly authorized at the point of sale.
Biometrics as a form of authentication has been used successfully at ATMs in other countries. However, the conditions are different than they are here, and the business case has not existed for adding biometrics to U.S. ATMs.
In response to a question, one panelist stated that companies could compete on fraud mitigation tools. The use of data to identify fraud or potential fraudulent behavior is one such differentiator.
There was also discussion about the "openness" of the EMV standard since it was developed by the card networks. Would it be better for a globally-recognized independent standards organization such as ANSI to assume responsibility? In response, a panelist indicated that membership in EMVco was open to any company and that the EMV standard is a global standard that has been in place for more than 20 years.
Law enforcement efforts towards electronic payments fraud
U.S. Secret Service Agent Charles Baxter reviewed the efforts of federal and local law enforcement agencies in combating electronic payments fraud. Many of the major cybercrime leaders are located outside the United States, but foreign countries have become more cooperative in working with U.S. authorities. An exception is Russia, whose constitution prohibits the extradition of a Russian citizen to another country.
Financial institutions are encouraged to participate in their regional electronic crimes task force and develop a working relationship with law enforcement agencies before they experience a major electronic crime against them or one of their customers. Data sharing between law enforcement and financial institutions can be critical to piecing together large financial crimes committed through a series of smaller crimes against multiple institutions.
Authentication in the remote channel: A layered approach
By its nature, providing authentication through a remote channel has its challenges, but starts with reliable enrollment. Financial institutions are required to know their customers, and thus are in a good position to ensure validity of enrollment. Third parties can provide services in this regard, and authentication options extend past what you know (the user ID/password) and include what you are (biometrics) and what you have (tokens), among other solutions.
Speakers were unable to quantify the amount of CNP fraud, and no one in the United States has data to indicate whether CNP fraud is higher or lower than the global card fraud rate of 5 to 6 basis points of sales.
The panelists acknowledged the improbability of stopping all fraud and reiterated the importance of using data to identify fraud or potentially fraudulent behavior. There is not a single solution to mitigate fraud that can be adopted for all remote environments. Implementing a layered approach using data and other elements is critical to mitigating fraud while also ensuring a smooth customer experience. Many of the networks have implemented sophisticated transaction-data analytical capabilities, and these have become a significant part of their fraud management tool set. A challenge still exists to share some of the data being collected among all of the participants involved in the payments transaction.
Additionally, organizations such as the Fast Identification Online (FIDO) Alliance have recently formed to help develop an open set of standards that supplant reliance on passwords to improve the authentication of online users.
The consumer experience and protecting the consumer seem to be of utmost importance in the United States. By contrast, the Canadian model precludes financial institution liability if the financial institution acts in good faith.
In concluding the forum, the Federal Reserve committed to posting a summary of the event as well as Peter Tapling's presentation on the Portals and Rails blog website. The Federal Reserve Bank of Atlanta, in conjunction with the Secure Remote Payment Council, will hold a forum focused on card-not-present fraud solutions on October 29. More details on this event will appear on the Federal Reserve Bank of Atlanta's website.