AUTHENTICATION IN THE AGE OF ELECTRONIC TRANSACTIONS

Transcription

1 AUTHENTICATION IN THE AGE OF ELECTRONIC TRANSACTIONS MAC Webinar July 30, 2015 Dave Lott Retail Payments Risk Forum The views expressed in this presentation are those of the presenter and do not necessarily reflect the positions or policies of the Federal Reserve Bank of Atlanta or the Federal Reserve System.

2 2 MAC is an organization of Bankcard professionals involved in the risk management side of Card Processing. We have members from Banks, ISOs, Card Associations and others related to the risk management side of the industry. MAC s mission is to strengthen the payment ecosystem through ongoing education, communication and cooperation among acquirers, card brands and enforcement agencies.

3 RETAIL PAYMENTS RISK FORUM We serve as a catalyst for collaboration in the consumer and commercial payments risk management arena. We: Conduct research and provide analysis Convene and share with interested parties Promote actions to mitigate risk 3 Take On Payments weekly blog Retail Payments Risk Forum webpage

4 AUTHENTICATION STAGES Pre-transaction Authenticating the customer During transaction Ensuring the transaction is not modified / altered Post-transaction Ensuring the transaction is securely stored to prevent alternation or erasure. 4

5 PROVING WHOM YOU ARE Authentication: A process that ensures and confirms a user s identity. - Techopedia Are you who you say you are? Authorization: The act of granting authority to undertake certain functions. - The Free Dictionary Are you allowed to do what you are asking? 5

6 IDENTITY AUTHENTICATION A Need As Old as Time 6

7 NEW CHALLENGES Passwords aren't dead, though maybe yours should be Despite all those "death to passwords" chants, some say it's still a solid form of authentication -- when users aren't being stupid about theirs. -CSO Online, By Taylor Armerding January 09,

8 AUTHENTICATION FACTOR OPTIONS Something you know Passwords; PINs; images; KBA Something you have Card; tokens; phone Something you are Finger; voice; facial; gesture; keystroke Where you are Geo-location Multi-factor versus Multi-layered 8

9 REGULATORY GUIDANCE - FFIEC Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but rather institute a system of layered security - Supplement to Authentication in an Internet Banking Environment, 6/2011 Customer authentication should follow a risk based approach No single security solution covers all applications/transactions 9

10 FINDING THE RIGHT BALANCE Security/risk versus customer experience Financial liability protection for consumers in the U.S. provides disincentive for consumers to adopt strong security practices 10

11 PAYMENT TRANSACTIONS Checks and PIN-based transactions are the only ones where the authentication is embedded in the transaction For other transactions, process was designed to place liability on party in the best position to perform the authentication ACH: Originating FI Signature credit / POS: Issuer CNP: Merchant Wire: Originating FI 11

12 ENROLLMENT CRITICAL PHASE The enrollment process where the customer s account credentials are initially validated is absolutely critical Enroll a crook and you will only get unauthorized activity The high rates of fraud (10X) experienced by some of the early Apple Pay banks were due to a lack of a strong authentication process of the customer s payment credentials during enrollment Issue has largely been addressed although some FIs are experiencing higher than normal fraud levels 12

13 AUTHENTICATION METHODS Person-to-Person Visual Documents Challenge-Response- Countersign Electronic Passwords KBA Security tokens Online PIN Biometrics 13

14 ELECTRONIC AUTHORIZATION Passwords Outside the commercial environment, strong passwords and change frequency are almost impossible to enforce Easiest to implement although costs for password change and retrieval can easily add up Knowledge Based Answers Dynamic process is more secure but more expensive and likely to have higher rejection rate 14

15 ELECTRONIC AUTHORIZATION 3-D Secure / Randomized PIN Data consistently shows that PIN-based transactions have a significantly lower fraud rate Revised 3-DS process should be more effective Security Tokens Hardware/software used as part of a multi-factor authentication environment 15

16 BIOMETRICS Finger / Palm Print Iris Recognition / Retinal Scan Facial Recognition Signature / Handwriting 16 Voice Recognition Thermogram DNA

17 OTHER BIOMETRICS Behavioral biometrics Measureable behavioral patterns of various muscular and skill-based functions Signature/handwriting, typing, walking, gesture patterns Not as reliable as physical biometrics Soft biometrics Various physical elements that are not by themselves distinctive enough or with the permanence to distinguish an individual Gender, ethnicity, age, scars / tattoos, eye and hair color, etc. Useful in 1:Many systems to quickly narrow down the database 17

18 BIOMETRICS SYSTEM ACCURACY Key difference with biometrics against other electronic authentication methods - the presence of the gray area Password/KBA match is either Yes or No Since biometrics uses an algorithm to derive a calculated value there is rarely a complete match between the value of the original template and the live template value False positives; false negatives All a matter of level of risk one is willing to take 18

19 BIOMETRIC SYSTEM CHARACTERISTICS Characteristic Description Quantitative Measurement Robustness Distinctiveness Accessibility Availability Lack of change over time Large variation over the population Ease in taking measurements Entire population should be measurable Submitted sample does not match the enrolled template (false non-match) Submitted sample matches the enrolled template of another individual (false match) Number of individuals who can be enrolled in a given time period (throughput) Number of individuals who cannot be enrolled due to an inability to supply a readable measurement (failure to capture/enroll) Acceptability Financial Population does not object to having the measurements taken Cost of implementing and operating Attitudinal research Acquisition, implementation, and operating costs 19

20 BANKING SUITABILITY Biometric methods most suited for banking applications: Voice recognition Facial recognition Fingerprint Fingerprint Resolution on phone is 1:45,000 Sufficient for 1:1 matching False rejection rate can be an issue 20

21 BANKING SUITABILITY (CONT.) Voice recognition Various methods for capturing initial template Can be done overt or covertly More expensive to implement/operate but can be used for Call Center and other channels Facial recognition The acceptance of selfies has reduced feeling of invasiveness 1:1 matching provides acceptable results but camera limitations and external environment can impact 21

22 BIOMETRICS WITH PROMISE Iris recognition Near-infrared light scans vein pattern around the iris on the surface of the eyeball One of the fastest due to small byte size of template Provides up to 240 measurement points False acceptance rates of 1:1.2 million Currently used extensively in military and commercial applications Used in other countries for healthcare and national identification programs Biggest issue: requires separate device 22

23 PRIVACY CONCERNS While the use of templates should minimize privacy concerns, a significant level of consumer education will be required for any biometric authentication program System element questions: Overt vs. covert capture? Optional vs. mandatory? Template vs. image? Fixed vs. indefinite duration? User vs. institutional data ownership? Closed vs. open/shared? 23

24 BIOMETRIC PAYMENTS SUITABILITY Biometric Method Availability Distinctiveness Accessibility Robustness Acceptability Financial Fingerprint High High High High Moderate Moderate Facial Recognition Iris Recognition Hand Geometry Voice Recognition Signature Scan High Moderate Moderate Moderate Low Low High High Moderate High Moderate Low Moderate High High Moderate High Moderate Moderate High Moderate High Moderate Moderate High Moderate High Low Moderate High Moderate High Moderate 24

25 MOBILE AS STARTING POINT? Voice, facial recognition and fingerprint biometrics are being tested by a number of FIs Iris recognition is thought to be the best biometric in terms of capture ease and minimal false acceptance rates, but phones not currently equipped with the near-infrared light source required to support the methodology Voice and facial reliability are subject to environment issues of lighting, noise, etc. 25

26 QUESTIONS & DISCUSSIONS Dave Lott Working paper: Improving Customer Authentication 26

27 MAC Mission Statement Strengthen the payment ecosystem through ongoing education, communication and cooperation among acquirers, card brands and enforcement agencies. Who we serve: Acquiring Bank Acquiring Savings & Loan Acquiring Credit Union Gateway Provider Internet Service Provider ISO/MSP Merchant Acquirer Processor Risk Management Professional Your membership in MAC is an investment that should not be overlooked. If you are not a member of MAC JOIN TODAY! 27