Reading List Archives - Page 3 of 4 - Digital Payments, Payment Security and Lending

Transforming Online Payments: The Evolution and Impact of Facial Recognition on Identity Verification and Authentication

Wibmo / January 3, 2024

The digital era has witnessed remarkable advancements in technology, especially in the realm of online payments. One such transformative innovation that has reshaped the landscape of identity verification and authentication is facial recognition. This blog delves into the evolution, applications, benefits, challenges, and the profound impact of facial recognition on the world of online payments. Evolution of Facial Recognition in Online Payments: The journey of facial recognition in online payments traces back to its early stages as a biometric authentication method. Traditionally, online transactions relied on conventional methods like passwords and PINs, which presented challenges such as security vulnerabilities, user inconvenience, and the risk of unauthorized access. Facial recognition emerged as a solution to these challenges, offering a unique and secure way to verify identities. In its nascent phase, facial recognition technology focused on basic facial feature detection. However, rapid advancements in artificial intelligence (AI) and deep learning revolutionized facial recognition algorithms. These sophisticated algorithms could now analyze intricate facial contours, landmarks, and unique patterns, making facial recognition a reliable and efficient method for identity verification in online payments. Applications of Facial Recognition in Online Payments: Biometric Authentication: Facial recognition serves as a robust biometric authentication method for online payments. Users can securely authenticate transactions by simply looking at their device’s camera, eliminating the need for passwords or PINs. Secure Login and Transaction Authorization: Online banking and payment applications leverage facial recognition to enhance security during login and transaction authorization. Users can seamlessly access their accounts and authorize payments through a quick facial scan. E-commerce Verification: Facial recognition is integrated into e-commerce platforms for user authentication during the checkout process. This ensures that only authorized users can make purchases, reducing the risk of fraudulent transactions. Mobile Wallets and Digital Payments: Mobile wallets and digital payment apps incorporate facial recognition to facilitate secure transactions. Users can link their facial biometrics to their payment accounts, adding an extra layer of security to mobile-based payments. Fraud Prevention: Facial recognition contributes to fraud prevention by adding a layer of identity verification that is difficult to replicate. This is particularly valuable in mitigating the risks associated with unauthorized access and fraudulent transactions. Benefits of Facial Recognition in Online Payments: Enhanced Security: Facial recognition significantly enhances the security of online payments by providing a unique and biometrically secure method of identity verification. This reduces the risk of unauthorized access and identity fraud. User-Friendly Authentication: Compared to traditional authentication methods, facial recognition offers a user-friendly experience. Users can complete transactions with a simple facial scan, eliminating the need to remember complex passwords. Convenience and Speed: The speed at which facial recognition systems operate contributes to the overall convenience of online payments. Quick and non-intrusive, the technology streamlines the authentication process for users. Reduced Dependency on Passwords: Facial recognition reduces the dependency on passwords or PINs, addressing the challenges of password fatigue and the potential for security breaches due to weak passwords. Seamless Integration: Facial recognition seamlessly integrates into existing online payment platforms and applications. Its compatibility with mobile devices and web interfaces ensures a smooth and consistent user experience. Challenges and Considerations: Privacy Concerns: The widespread adoption of facial recognition in online payments raises concerns about privacy. Users may worry about the collection and storage of facial data, emphasizing the need for transparent policies and ethical practices. Accuracy and Bias: Ensuring the accuracy of facial recognition systems, especially across diverse demographics, remains a challenge. Developers must continuously address biases in algorithms to ensure fair and reliable authentication. Security Vulnerabilities: Facial recognition systems are not immune to security vulnerabilities. Safeguarding against hacking attempts and unauthorized access to facial data is crucial to maintaining the integrity of online payment security. Regulatory Compliance: The evolving regulatory landscape surrounding facial recognition technology requires adherence to ethical and legal standards. Striking a balance between innovation and compliance is essential for responsible deployment. Impact on User Experience and Security: Enhancing Trust and Confidence: Facial recognition contributes to building trust and confidence among users by providing a secure and user-friendly authentication method. This is particularly crucial in the competitive online payment market. Reducing Friction in Transactions: The seamless and quick nature of facial recognition reduces friction in the transaction process. Users can complete payments effortlessly, contributing to a positive and efficient online shopping experience. Addressing Security Concerns: By offering a biometrically secure method of identity verification, facial recognition addresses security concerns associated with traditional authentication methods. This reassures users about the safety of their financial transactions. Adapting to Changing Consumer Behavior: As consumers increasingly seek convenient and secure payment methods, facial recognition aligns with changing preferences. Its integration into various devices and platforms caters to the evolving needs of tech-savvy consumers. Future Trends and Innovations: Multimodal Biometrics: The future of facial recognition in online payments may witness the integration of multimodal biometrics, combining facial recognition with other biometric methods for enhanced security. Continuous Authentication: Innovations in continuous authentication using facial recognition may become more prevalent. This involves ongoing verification during a session, adding an extra layer of security. Blockchain Integration: Blockchain technology may be integrated with facial recognition for enhanced data security. Decentralized identity verification could mitigate concerns related to centralized storage of facial data. Augmented Reality (AR) Enhancements: Augmented reality features may enhance facial recognition experiences, providing interactive and engaging authentication methods for users. Facial recognition has undergone a remarkable evolution in the world of online payments, revolutionizing identity verification and authentication. Its applications span across various sectors, from biometric authentication to secure login processes and fraud prevention. The benefits, including enhanced security, user-friendly authentication, and reduced dependency on passwords, have positioned facial recognition as a key player in the future of online payments. However, challenges such as privacy concerns, accuracy, security vulnerabilities, and regulatory compliance must be continually addressed to ensure responsible and ethical deployment. As facial recognition technology continues to advance, its impact on user experience and security remains profound, contributing to a safer, more convenient, and efficient online payment ecosystem. BaaS

Reading List, Stories

Unveiling the Unseen: eCommerce Fraud Prevention Secrets You Need to Know

Animesh Jha / December 14, 2023

As the popularity of eCommerce grows, so does the risk of fraud targeting online firms. The digital sphere offers enormous prospects for expansion, but it also attracts clever fraudsters looking to exploit flaws in payment systems and transactions. In this blog article, we’ll delve into the lesser-known parts of eCommerce fraud prevention, revealing the methods, technologies, and best practices that may protect your business and foster client trust. The Evolving Landscape of eCommerce Fraud eCommerce fraud comes in various forms, from stolen credit card information and account takeovers to sophisticated phishing attacks. As businesses adapt to new technologies and consumer preferences, fraudsters adjust their tactics accordingly. Understanding the dynamic nature of eCommerce fraud is the first step toward building a resilient prevention strategy. Account Takeovers (ATO): ATO occurs when fraudsters gain unauthorized access to customer accounts. This can lead to unauthorized purchases, misuse of stored payment information, and identity theft. Preventing ATO requires robust authentication mechanisms, including multi-factor authentication and behavioural analytics. Card-Not-Present (CNP) Fraud: With the rise of online shopping, CNP fraud has become a significant concern. Fraudsters use stolen card details to make online purchases where the physical card is not required. Address Verification System (AVS), 3D Secure, and machine learning algorithms are essential tools for preventing CNP fraud. Friendly Fraud: Contrary to its name, friendly fraud is far from friendly. It occurs when a legitimate cardholder disputes a transaction, often claiming they didn’t make the purchase. Friendly fraud can be mitigated by clear communication, transparent billing descriptors, and comprehensive transaction records. Synthetic Identity Fraud: Synthetic identity fraud involves creating fake identities using a combination of real and fictitious information. These synthetic identities are then used to open accounts and make fraudulent transactions. Advanced identity verification methods and data analysis are crucial for detecting synthetic identity fraud. eCommerce Fraud Prevention Strategies Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security by requiring users to provide multiple forms of identification. This could include passwords, biometric data, or one-time passcodes, significantly reducing the risk of unauthorized access. Machine Learning and Artificial Intelligence (AI): Leveraging machine learning and AI enables real-time analysis of vast datasets to identify patterns and anomalies indicative of fraudulent activities. These technologies continually learn and adapt to new fraud tactics, staying one step ahead of cybercriminals. Geolocation and Device Fingerprinting: Examining the geolocation of transactions and creating unique device fingerprints help in detecting suspicious activities. Unusual transaction locations or device behaviors can trigger alerts for further investigation. Behavioral Analytics: Analyzing user behavior helps create a baseline for normal activity. Deviations from this baseline, such as sudden changes in spending patterns or the use of unfamiliar devices, can be indicative of fraudulent behavior. Real-Time Transaction Monitoring: Implementing real-time monitoring systems allows businesses to spot and respond to suspicious transactions instantly. Automated alerts can be set up to trigger when certain criteria associated with fraud risk are met. 3D Secure Authentication: 3D Secure is an additional layer of security for online credit and debit card transactions. It adds an extra step of authentication, often requiring a one-time passcode sent to the cardholder’s mobile device, enhancing the security of online transactions. Fraud Scoring Systems: Employing fraud scoring systems assigns a risk score to each transaction based on various parameters. Transactions with high-risk scores can be subjected to additional scrutiny or declined altogether. Customer Education: Educating customers about safe online practices, secure password management, and recognizing phishing attempts can significantly reduce the risk of account takeovers and fraud. Clear communication builds a sense of security and trust. Best Practices for eCommerce Fraud Prevention Regularly Update Security Protocols: Stay ahead of evolving fraud tactics by regularly updating and enhancing your security protocols. This includes adopting the latest encryption standards, security patches, and fraud prevention technologies. Secure Payment Gateways: Choose reputable and secure payment gateways that prioritize the protection of sensitive customer data. Secure Sockets Layer (SSL) encryption is fundamental for securing online transactions. Monitor Chargeback Rates: High chargeback rates can be indicative of fraud or customer dissatisfaction. Monitoring chargeback rates allows businesses to identify and address issues promptly. Data Encryption: Implement end-to-end encryption to safeguard customer data throughout the entire transaction process. This ensures that even if intercepted, sensitive information remains unreadable. Regularly Train Staff: Educate your staff on the latest fraud trends, prevention techniques, and the importance of adhering to security protocols. An informed and vigilant team is an essential component of your fraud prevention strategy. Implement Device Authentication: Device authentication ensures that transactions are initiated from trusted and recognized devices. Unfamiliar devices may trigger additional verification steps to confirm the legitimacy of the transaction. Bottomline As eCommerce continues to thrive, so does the need for robust fraud prevention measures. By understanding the evolving landscape of eCommerce fraud, implementing cutting-edge technologies, and adopting best practices, businesses can significantly reduce the risk of falling victim to cybercriminals. A comprehensive fraud prevention strategy not only protects the business but also fosters trust and confidence among customers, contributing to long-term success in the dynamic world of online commerce. Stay informed, stay secure, and empower your eCommerce venture to flourish in the digital age. Author: Animesh Jha, Vice President, Engineering — Fraud & Risk Management Wibmo A PayU/Naspers FinTech Company Ecommerce, Fraud Prevention, Online Fraud, Online Fraud Detection, Online Payment Fraud

Reading List, Stories

Empowering the Unbanked: Offline Digital Payments and Financial Inclusion in India

Wibmo / November 30, 2023

India, with its vast and diverse population, has made significant strides in the realm of digital payments in recent years. However, a considerable segment of the population still remains unbanked or underbanked, primarily due to limited access to financial services. Offline digital payments have emerged as a promising solution to bridge this gap, fostering financial inclusion and empowering individuals who have been on the fringes of the formal financial system. Understanding Financial Inclusion Financial inclusion is a multifaceted concept that goes beyond merely having a bank account. It encompasses access to a range of financial services, including savings, credit, insurance, and payment services. The goal is to provide individuals and businesses, particularly those in underserved and remote areas, with the tools and resources needed to participate fully in the economy. Challenges to Financial Inclusion in India Several challenges have historically hindered financial inclusion in India: 1. Limited Access to Banking Infrastructure: Many rural areas lack physical banking infrastructure, making it challenging for individuals to access basic financial services. The cost and effort required to establish brick-and-mortar branches in these areas have been significant barriers. 2. Low Financial Literacy: A significant portion of the population, particularly in rural and remote areas, lacks financial literacy. Understanding the nuances of traditional banking services can be a barrier to entry into the formal financial system. 3. Documentation Requirements: The documentation required to open a bank account can be a hurdle, especially for those who may not have the necessary identification papers. This often excludes a substantial portion of the population from mainstream financial services. 4. Technological Barriers: While the penetration of smartphones has increased, a considerable number of individuals still use feature phones or have limited access to the internet. This poses a challenge to the adoption of traditional digital payment solutions. Offline Digital Payments: A Catalyst for Inclusion Offline digital payments have emerged as a transformative force, overcoming many of the barriers to financial inclusion in India. These solutions leverage technology to enable transactions without the need for a continuous internet connection, making them particularly relevant in areas with intermittent connectivity. Let’s delve into the ways in which offline digital payments are contributing to financial inclusion. 1. Access Anytime, Anywhere: Offline digital payment solutions empower users to conduct transactions regardless of their location or the availability of internet connectivity. This is especially crucial in remote and rural areas where traditional banking infrastructure is limited. 2. Reduced Reliance on Physical Infrastructure: By eliminating the need for physical branches or ATMs, offline digital payments reduce the cost and logistical challenges associated with building and maintaining banking infrastructure. This is a game-changer for reaching unbanked populations in geographically dispersed regions. 3. Simplified User Experience: Offline payment methods are designed to be user-friendly, requiring minimal technical know-how. This simplicity is key in overcoming the barrier of low financial literacy, enabling individuals with varying levels of education to participate in the formal financial system. 4. Biometric Authentication: Leveraging biometric authentication methods, such as fingerprints or iris scans, offline digital payment solutions offer a secure and convenient way for individuals to access their financial accounts. This is particularly beneficial in areas where traditional identification documents may be scarce. 5. Financial Inclusion for Merchants: Offline digital payments extend beyond individual users, providing opportunities for small businesses and merchants. By accepting offline digital transactions, even in areas with intermittent internet connectivity, merchants can expand their customer base and participate more actively in the digital economy. 6. Government Initiatives: Recognizing the potential of digital payments to drive financial inclusion, the Indian government has launched initiatives like Aadhaar Pay and UPI (Unified Payments Interface). These initiatives leverage biometrics and mobile numbers to facilitate secure offline digital transactions. 7. Financial Products and Services: Offline digital payments pave the way for the delivery of a range of financial products and services to previously underserved populations. This includes access to credit, insurance, and savings products tailored to the unique needs of different segments of the population. Challenges and Considerations While offline digital payments hold immense promise for financial inclusion, certain challenges and considerations need to be addressed: 1. Security Concerns: Ensuring the security of offline transactions, especially in areas with limited connectivity, is paramount. Robust security measures, including encryption and biometric authentication, are essential to protect users from potential risks. 2. Infrastructure Development: While offline digital payments reduce the reliance on physical banking infrastructure, there is still a need for ongoing efforts to enhance digital infrastructure, including the development of reliable networks and the availability of affordable smartphones. 3. Regulatory Framework: A conducive regulatory framework is crucial for the widespread adoption of offline digital payments. Clear guidelines and policies that foster innovation while ensuring consumer protection will play a pivotal role in shaping the future of these solutions. 4. Collaboration Among Stakeholders: Successful implementation of offline digital payment solutions requires collaboration among various stakeholders, including government agencies, financial institutions, technology providers, and local communities. A coordinated effort is essential to address the multifaceted challenges of financial inclusion. Bottom line: Offline digital payments represent a transformative force in the journey towards financial inclusion in India. By addressing the challenges of limited access to banking infrastructure, low financial literacy, and intermittent connectivity, these solutions empower individuals and businesses to participate fully in the formal financial system. As we move forward, it is imperative to continue innovating, address security concerns, and foster a collaborative environment that embraces the diverse needs of the population. The vision of a financially inclusive India can be realized through the thoughtful integration of offline digital payment solutions, ensuring that no one is left behind in the digital era. BaaS

Reading List

Browser Fingerprinting- Part 2

Vaibhav Chandel / June 16, 2023

Are you all set to find out more about browser fingerprinting? We bring you Part 2 of this series. Types of Fingerprinting Techniques: Canvas Fingerprinting: The browser fingerprinting technique uses the HTML5 canvas element to identify variances in a user’s GPU, graphics drivers, or graphics card. Steps- First, the script draws an image, often overlaid with text. Then, the script captures how the user’s web browser has rendered the image and text. Naturally, every device with different hardware and drivers will render the image slightly differently, distorting its colour and shape. A hash is then computed using the rendered image’s data, which serves as the ‘canvas fingerprint.” The scripts used for canvas fingerprinting operate in the background to keep the user from realizing that the fingerprinting is occurring. This fingerprinting technique is accurate and not too processing-intensive, making it one of the most commonly employed script techniques. The visitor’s specific browser and device render images, which can be narrowed down to a pool of fewer than 0.01% of total visitors. WebGL Fingerprinting: WebGL fingerprinting is very similar to Canvas fingerprinting, as they both use the browser to render images off-screen. The WebGL API can be used to render 3D forms in the browser. With the help of the three.js JavaScript library, many 3D forms can be rendered, such as Sphere Cube Precomposed geometric shapes The test is not that reliable because it is too sensitive to changes in the environment, such as the size of the browser window or the use of the browser console. These changes caused the dimensions of the rendering context to be updated, which resulted in different rendering results when the page was reloaded. The methodology is still to use images to distinguish users based on their graphics drivers and device hardware. Media Device Fingerprinting: This technique uncovers a list of all the connected media devices and their respective IDs on a user’s laptop or PC. This includes all internal media components like video cards and audio cards, as well as all connected or linked devices like headphones. Media device fingerprinting is not widely used for fingerprinting functions. This is because it requires the user to grant access to their microphone and camera to get a complete list of connected devices. Audio Fingerprinting: While other fingerprinting techniques force browsers to render a text or image, this technique checks how their devices play sound. The browser vendor and version used impact minute differences in sound waves generated by a digital oscillator and differences in CPU architecture. Clock Skew: Clock skew is a measure that can be used to identify the hardware specifications of a machine by analyzing the uneven arrival of electrical signals from a clock generator at different components. These differences can be affected by temperature variations in the hardware and can be analyzed with sufficient data and numerical analysis. This is considered an extreme measure in the field of fingerprinting. Browser fingerprinting workflow: Utilizing browser fingerprinting for authentication during payments as an additional layer of security and protection against fraud is helpful, but it has to be coupled with a two-factor authentication process. Two-factor authentication involves verifying a user’s identity using two different methods, such as a password and a fingerprint or a code sent to their mobile device. By adding browser fingerprinting as a third factor, Wibmo’s Trident FRM solution uses canvas fingerprinting and creates a more secure and reliable payment authentication process. It is important to ensure that proper privacy protections and data security measures are in place, as browser fingerprinting data is unique to each user and can be used to track and identify individuals across different websites and devices. Additionally, it’s important to comply with data privacy regulations such as GDPR, CCPA, and the upcoming Digital Personal Data Protection Bill when collecting and storing browser fingerprint data. Fingerprinting and Online Fraud Detection: Browser fingerprinting techniques can be useful for identifying and targeting visitors with a pattern of fraudulent behaviour on a website. These techniques can be particularly effective in identifying users who use identity concealing techniques such as disabling cookies, using a VPN, or browsing in incognito mode. 1.In cases of account takeover, where malicious users try to hack a legitimate user’s account, fingerprinting and other user identification technologies can be used to add additional security measures to the login process for suspicious traffic only. 2.To prevent brute force or bot attacks, it is best practice to require users to solve a CAPTCHA after a certain number of failed login attempts and to lock out the user for a set time after a certain number of attempts, as such attacks often rely on automation and thus may not have the unique browser configurations of genuine users. a. Browser fingerprinting can detect bots through their unusual browser configurations. b. Multiple login attempts with the same fingerprint can signal a brute-force attack. c. Bots that either lack a unique fingerprint or use identical fingerprints can be spotted and investigated. d. It can improve CAPTCHA systems by triggering a CAPTCHA when a fingerprint is linked to suspicious activity. 3.For phishing scams, requiring email or two-factor authentication for new fingerprints attempting to log in and blocking repeatedly visited fingerprints can also be effective measures. Conclusion: Limitations and current scenario of browser fingerprinting: Author: Vaibhav Chandel, Product Manager Wibmo A PayU/Naspers FinTech Company BaaS

Reading List, Stories

BIN Attack Fraud

Wibmo / June 1, 2023

Card not present (CNP) transactions are those where the purchase is made without presenting the physical card to the merchant at the point of sale. As more and more physical stores are using EMV-compliant terminals, Javelin Strategy & Research credit card fraud statistics report that card-not-present fraud is now 81% more likely to happen than card-present fraud. Card-not-present transactions can be done via online merchants, telephone orders, or mail. There are various modus operandi to commit CNP fraud, such as account takeover using phishing scams, malware infection to capture keystrokes, or friendly fraud. In such scenarios, the cardholder is involved in the fraud, and it is kind of a personalised attack. However, today we will talk about an impersonal attack where a fraudster exploits a BIN (bank identification number) and uses distributed computing power to automatically generate the remaining numbers and test these combinations to see which card numbers are correct and if the cards are active. This kind of attack is called BIN attack fraud. The subtlety of BIN Attack fraud is that it does not involve any data breach or ID theft; it is just a pure random coincidence that a victim’s card number is chosen. The compromised cards can have a significant impact on issuing banks in terms of chargebacks, call c entre volume spikes, and re-issuance expenses. Furthermore, any cardholder disruption or friction during this tenure leads to a loss of interchange revenues. The damage to the bank’s reputation could lead to cardholders switching the bank’s services to another, more secure bank. A merchant involved in BIN attack fraud faces increased disputes or chargebacks, additional fees, and regulatory fines. Depending on the nature of the attack and risk profile, the acquiring bank may choose to suspend support for the merchant’s site. The cardholder’s bank may restrict purchases from your site, resulting in further financial losses. Refunding any fraudulent transactions is an operational challenge, not to mention the reputational loss. Thus, BIN attack fraud is a problem both for issuers and merchants. Preventing a BIN Attack Fraud To prevent BIN attack fraud, the merchant or the issuing bank can deploy a few techniques: Enable 3D security. The latest version of EMV 3DS 2.x is an additional security layer for online credit and debit card transactions that aims to achieve a balance between security and user convenience. As a merchant, enable a CAPTCHA test to tell humans and bots apart. While this may create friction for genuine customers, it’s an effective deterrent against BOT scripts. Deploy an anti-fraud solution that can look at many aspects and block transactions or alert your fraud analyst. A good anti-fraud solution should have: Ability to spot multiple low-value transactions (unusually low for the merchant’s business). Multiple declines within a short period The timing of transactions may be unusual for the merchant, business, or cardholder. A large number of transactions from the same BIN were attempted in a short period of time (a few seconds apart). IP Velocity Checks: Even though these days, through proxy and spoofing, fraudsters can make it seem that the transactions are coming from different IPs, Use an anti-fraud solution that deploys good device fingerprinting techniques to solve this issue, as fingerprinting is impervious to IP proxies. Unusually large volume of international transactions for a given merchant or for a cardholder. Look for patterns, cards with sequential numbers, the same card number but different expiration dates, or CVV codes. Ability to create a profile for the merchant and cardholder and alert in case of any significant deviations. There are a few additional measures that the industry could take, such as creating advisory, actionable intelligence, and a listing of sites that anti-fraud tools can take advantage of. EMV 3DS 2.x allows merchants and acquirers to do a risk assessment prior to making an EMV 3DS authentication call to the issuer. A combined risk assessment from both the acquiring and issuing sides acts as a strong deterrent to fraudsters. Both issuers and acquirers can pool their intelligence and create a shared intelligence pool of fraud markings to identify common points of fraud. Information on declines on the switch side during authorization when fed into 3DS authentication ACS gives actionable intelligence to anti-fraud tools. BIN attack fraud is still a crude brute-force attack vector that is detectable, and preventive measures can be taken to interrupt it. A well-informed merchant and bank implementing a defensive anti-fraud solution that keeps itself abreast of the latest advisories combined with continuous monitoring of anomalous behaviour can stay a step ahead of this kind of fraudulent attack. Author: Ajit Nair, Director Product Management Wibmo A PayU/Naspers FinTech Company Cnp, Fraud, Fraud Prevention, Payment Fraud, Payments

Reading List

Browser Fingerprinting- Part 1

Vaibhav Chandel / April 12, 2023

Overview: 1. A user’s device’s hardware, operating system, browser, and configuration are all included in a set of data called a “browser fingerprint.” 2. Via a simple script running inside a browser, a server can collect a wide variety of information from public interfaces called application programming interfaces (APIs), HTTP headers, device information, etc. 3. The method of gathering data from a web browser to create a device fingerprint is known as “browser fingerprinting.” Cookies vs Browser Fingerprinting: Cookies Fingerprinting: Small pieces of data are stored on a user’s computer by a web browser when they visit a website. They are used to store information about the user, such as preferences and browsing history, and to track user behaviour on the website. They are typically used to improve the user experience by remembering information about the user and their preferences, but they can also be deleted, blocked, or turned off entirely. Cookie tracking involves placing a unique identifier on a person’s web browser, and fingerprinting occurs when a company (the website owner) creates a profile of the device’s unique characteristics. The General Data Protection Regulation (GDPR) regulates the rules for covert data collection, which is why websites often ask users to approve or disapprove of cookies. Browser Fingerprinting: Information includes details about the browser, network, and device, such as the language used, keyboard layout, time zone, cookie settings, operating system version, etc. By combining all this information into a fingerprint, advertisers can recognise a user as they move from one website to another. Studies have shown that around 80–90% of browser fingerprints are unique. This is done by advertising technology companies that insert their code onto websites and collect data about online activity. Once established, a fingerprint can potentially be linked with other personal information, such as data held by brokers. GDPR: Browser fingerprinting also falls under the purview of the GDPR to protect user privacy. However, nothing has been explicitly mentioned about it. The GDPR establishes six legal grounds that enable the processing of data, including user consent and the “legitimate interest” or consent of the person doing the tracking: In the context of browser fingerprinting, these general rules apply as follows: Companies using fingerprinting must ensure that their interests in tracking user information do not override the user’s fundamental rights and freedoms, including their privacy. The website must also provide detailed information to the user about the scope, purposes, and legal basis of the data processing. Fingerprinting should be transparent when using and processing data about anonymous visitors. *Browser fingerprint technology has enabled marketers to run targeted campaigns on the internet at any stage of the marketing funnel. Parameters and the Math: Uniqueness: It means to provide enough ground for identification; the more unique a fingerprint, the more identifiable it is. When the fingerprint has an attribute, whose value is only present once in the whole dataset or when the combination of all its attributes is unique in the whole dataset. Stability: This links the browser fingerprints that belong to the same device. For stability, the quantity of modified information (each time the user’s fingerprint is obtained) should be as small as possible. Entropy: Defines the amount of uniqueness that a specific property exposed by the browser (such as the User-Agent header) introduces into a browser fingerprint. Usually expressed in bits, the higher the entropy, the more unique and identifiable a fingerprint will be. After the new dataset is tested repeatedly, giving similar correlated probability outputs, we can say that a technique is effective in terms of its ability to say that a fingerprint is unique! Blueprint: Using Browser Fingerprinting for Authentication Information gathered: Browser fingerprinting can gather a lot of information (more than 100 data attributes) from a browser, for example: Device model Operating system Browser version User time zone Preferred language settings Keyboard layout Ad blocker used Screen resolution Tech specs of the CPU graphics card, etc. The logic is to have enough specifics about a user’s device and settings to pinpoint them in a sea of internet users. A specific fingerprinting technology employs several cutting-edge browser identification methods to gather over 100 individual signals. These signals are combined with server-side analysis and deduplication to generate a visitor ID, providing a persistent and valuable abstraction of a browser fingerprint, which can be volatile if a user changes settings or updates software on their device. Watch out this space for Part 2! Author: Vaibhav Chandel, Product Manager Wibmo A PayU/Naspers FinTech Company BaaS

Industry Insights, Product, Reading List

UPI Fraud Trends and Their Possible Mitigation

Sujit Kumar Mahato / March 16, 2023

With over 2 billion transactions worth over INR 4.5 trillion processed every month, India’s United Payment Interface (UPI) has revolutionized the digital payment ecosystem. UPI has been emerging as the most preferred payment method among Indians. However, at the same time, we are witnessing a rise in fraudulent transactions in recent times. A total of 1,46,495 unified payments interface (UPI) fraudulent activities were reported on the National Cybercrime Reporting Portal (NCRP) during the first and second quarters of 2022, as per the Ministry of Home Affairs (MHA). Up until now, banks and financial institutions have predominantly relied on educating consumers against fraud. But, in cases of fraud, the consumer is at the mercy of the grievance process, which adversely affects the consumer experience and dents customer loyalty. Fraud Trends and Their Possible Mitigation Impersonating Sellers and Customer Care It is more of a habit to google customer care contacts when facing issues with our online purchases. Fraudsters are flooding the internet with fake customer care details to lure in consumers. After gaining the trust of gullible customers over the phone, refund collect requests are shared via QR codes, SMS links, and so on. Financial institutions can integrate with technological solutions that detect and alert the customer in the event that a payment is made over the phone. Spoofed VPA IDs In the name of disaster relief or support, fraudsters created multiple spoofed VPA IDs that are remarkably similar to the original ones. In recent times, we witnessed an unprecedented rise in VPA IDs, similar to the PM Cares Fund. Maintaining a list of suspicious keywords such as support, relief, care, disaster, army, minister,” etc. and running risk rules over transactions being made to VPA IDs containing high-risk keywords have the potential to curb fraudulent transactions. Screen mirroring apps and malware Through malicious links, fraudsters get consumers to download screen-sharing or remote-access apps or malware. Once installed, the fraudster gains access to confidential UPI details, which are then used in combination with other modus operandi, such as SIM-swapping. Payment apps should have the capability to detect potential malicious apps already downloaded on the device and restrict payments from going through. Collect Request Through classified ads, fraudsters initiate conversation with sellers they are impersonating as potential buyers. Creating a sense of urgency, the fraudster intends to make a quick payment without much negotiation and sends a collect request, sometimes in the form of a QR code. The VPA IDs used by fraudsters are generally gibberish and at times have numbers or alphabets in sequence. Banks or financial institutions’ apps should have the capability to detect such patterns on beneficiary VPA handles. UPI has made digital payments more accessible and convenient for millions of people in India, and it is expected to continue to play a significant role in India’s digital payments ecosystem in the coming years. With continued efforts of educating consumers against frauds, banks and financial institutions should leverage the technological advancements against the mushrooming UPI frauds. Author: Sujit Kumar Mahato, Product Manager Wibmo A PayU/Naspers FinTech Company BaaS

Industry Insights, Product, Reading List

Regulator asking your bank to migrate from SMS-based OTPs to more secure authentication options? Use the opportunity to derive multiple benefits

Edward Chien / November 21, 2022

Central Banks are proactively taking steps to reduce the risk of banking/financial fraud The phrase “two sides of the same coin” applies to the world of digital banking and financial services as well. Internet/mobile based banking capabilities have undoubtedly enabled convenience and speed for consumers and reduced costs for service providers. Simultaneously, however, there has also been a steady rise in digital frauds and scams around the world. New ways of scamming consumers are constantly emerging because omni-channel digital first banking has given perpetrators more options based on how banking transactions are authenticated. Central banks around the world have regularly been raising the bar for digital security within their jurisdictions, given their responsibility for orderly conduct of a country’s banking and financial services system and ensuring the highest levels of consumer safety and protection. Individual banks and fintech players are proactively integrating new technologies and protocols to provide customers with the additional security of multi-factor authentication. About a month ago, Bank Negara Malaysia (BNM, the Malaysian central bank) announced that banks operating in that country needed to adopt authentication methods for online activities (opening accounts, making payments and other transactions) that go beyond SMS-based OTPs (One Time Passwords). BNM’s new measures also cover changes to default customer account settings, cooling off periods for new accounts, using just one device for authentication, etc. The rules pertaining to the detection of scams/frauds and the triggering of blocking actions are also being tightened. While many of the steps will kick in after suspicious transactions are detected, what is essential for banks is to strengthen measures that can minimize the occurrence of frauds and scams through superior digital authentication and the detection of risky transactions. OTPs and two-factor authentication are no longer adequate Over the past years, OTPs have become ubiquitous and deeply embedded in our lives as the primary means to authenticate all banking (and many other) transactions. But the two-factor authentication provided by OTPs is no longer enough to provide customers with the desired levels of safety and protection. Authentication is based on entering the 4 or 6 digits sent by the service provider to the customer’s mobile number. It does not verify the identity of the person who has entered the OTP. This means anyone with access to the OTP can easily impersonate a customer and complete transactions without the genuine customer being aware until it is too late. Think about three commonplace scenarios that customers might routinely face: a lost or stolen mobile phone, an unlocked phone on their office desk while they briefly step out, or a phone given for repairs (where unscrupulous staff members have the chance to copy/access personal data). In each of these situations, unauthorized persons can easily access OTPs and other transaction-related messages sent by banks to the phone and essentially “authenticate” transactions that will go through as legitimate transactions initiated/approved by you. If such impersonation risks are not bad enough, think about phishing frauds and scams where users are induced to click on links that they believe have come from their bank or other service providers via SMS. A world of non-banking digital payment apps and platforms gives fraudsters even more opportunities to scam customers by voluntarily giving out information that is needed to complete unauthorized financial transactions. In such a high-risk environment, online authentication must necessarily be made a more rigorous and fool-proof process that is inherently harder to circumvent. Rather than relying on an OTP that can be entered by anyone (and not just the genuine customer), banks must adopt authentication protocols that use multiple data points that can be collectively used to establish customer identity and authenticity of transactions. Multi-factor authentication can make a big difference to the reliability of your authentication and hence customer experience Banks need to balance secure and reliable authentication with the associated costs and impact on customer experience. Working even when there is mobile network latency (or lack of network coverage) is another requirement. Compliance with the bank’s own security norms and complete adherence to prevailing regulatory requirements also needs to be considered. The solution must be such that it can be used seamlessly with mobile banking as well as internet banking. Multi-factor authentication (MFA) solutions tick all these boxes. A robust MFA solution uses a combination of three distinct sets of data points for authentication: · Knowledge- what the customer knows (e.g., password, security question); · Ownership/access- what the user has (e.g., mobile device, USB token); and · Inherence- something that is inherent to the customer (e.g., fingerprint or other biometrics) A world-class MFA solution must provide banks (and other organizations) the option to authenticate customers and transactions based on a variety of authentication touchpoints that cater to customer preferences and risk profiles. It must be used either on a standalone basis or be capable of easily being integrated with a bank’s existing assets. It must support Out of Band (OOB) authentication- which means that the channel used for authentication must be distinct from the one used to sign in or perform a transaction. Ideally, the OOB authentication element must reside in the customer’s registered mobile phone, making it easier to leverage ownership- and inherence-based data points as well for authentication. The MFA solution must be compatible with EMV 3-D Secure and 3-D Secure 1.0 protocols and support CNP transactions as well. Wibmo’s Tridentity is an MFA solution that is designed to address the above needs and deliver the above capabilities. It supports authentication based on Push notifications, Offline OTP, and Biometrics. It is available as a simple SDK or downloadable as an Android/iOS app. Tridentity is compliant with the EU’s PSD2 initiative. Please click on https://www.wibmo.com/tridentity/ for more information on Wibmo’s Tridentity solution and how it can help your bank in Malaysia or elsewhere. If you have specific questions and would like to speak to one of our experts, write to us at [email protected]. Author: Edward Chien, Director- Sales, South-East Asia Wibmo A PayU/Naspers FinTech Company Authentication, Multi-Factor Authentication, Online Payments, Out of

Industry Insights, Reading List

Moving beyond SMS OTP Authentication

Sujit Kumar Mahato / November 10, 2022

If you have ever transacted or purchased online, you must have come across the OTP Authentication. The system-generated code delivered through SMS on your device serves as a verification of the claim that you are the actual owner of the device as well as the account/card/wallet through which the transaction is initiated. The authentication or verification of our identity as who we claim ourselves to be is a part of our day-to-day lives. Be it checking in at the airport or going past the security desk of an office, though we identify ourselves with our name, we authenticate ourselves with some other form of ID card. With growing security concerns, both in the physical and digital worlds, authentication methods have evolved not only to protect but also to provide a seamless experience to users. The ways in which one can be authenticated fall into three categories: · Knowledge: Something the user knows (eg. Password) · Ownership: Something the user has (eg. ID card) · Inherence: Something the user is (eg. Fingerprint) The above categories are referred as the Authentication Factors and the use of the number of factors in an authentication process derives its name. · Single-factor Authentication: Requires providing only one piece of verifiable information such as a password · Two-factor Authentication(2FA): Requires providing two pieces of verifiable information such as a password and then proof of possession of their smartphone (through an SMS OTP delivered on that device) · Multi-factor Authentication: Required to provide two or more pieces of verifiable information. As in the case of 2FA, where two categories (factors) of information are required, it is also considered an MFA. The idea of an OTP was first suggested in the 1980s by Leslie Lamport. With growing attacks and increasing authentication requirements, many patented OTP algorithms were developed. Today, OTPs are synonymous with two-factor authentication and are thought to augment existing passwords with an extra layer of security. Yet, fraudsters manage to circumvent it every day. SIM SWAP: In this scenario, a fraudster uses the stolen identity (name, email, government ID, etc.) to trick a mobile service provider into issuing a new SIM card for an existing phone number. Once the new SIM card is active, the original SIM card will be shut down, and the fraudster will try to gain access to the user’s financial application. Once the fraudster has gained access, the last line of defense—2FA or SMS OTP, is compromised. JAILBREAK or ROOT: Removing software restrictions put in place by manufacturers, to gain full access to the device’s operating system is called “jailbreaking” for iOS and “rooting” for the Android operating system. Generally, it is aimed at customizing the user experience or gaining access to a greater variety of unofficial apps. Jailbroken and rooted devices are susceptible to malware and viruses due to the weakened built-in security features of the devices. This eliminates security controls made by the manufacturer, which enables hackers to steal personal information, attack the network, or introduce malware, spyware, or viruses to circumvent the authentication measures in place. Investigating the feasibility of implementing a code by financial institutions that checks if the device is rooted or jailbroken prior to the installation of the mobile application and disallows the mobile application to install or function if the phone is rooted or jailbroken, can save its customers from possible fraud. Increasing layers of security is not a feasible solution for financial institutions when consumers prefer speed and convenience, even when it comes to accessing financial services online. User experience has become one of the determining factors when it comes to user adoption in any industry globally. Not receiving an SMS OTP, is one of the most painful experiences one can have as a user. Latency, in addition to the SMS cost, is a challenge for financial institutions in the exponentially growing digital era. Maintaining a balance between fighting fraud and improving the consumer experience is a challenge. Leveraging inherence-based authentication, such as biometrics, or ownership-based authentication, such as push notifications on the registered device, are some of the authentication measures that cater to both security and the consumer experience. Technological solutions with multiple authentication measures other than SMS OTPs and device binding are the way forward for providing a delightful customer experience without compromising security. Author: Sujit Kumar Mahato, Product Manager Wibmo A PayU/Naspers FinTech Company Authentication, Fraud Prevention, Global Digital Payments, Payments

Reading List, Stories

True Cost of Combating Payment Frauds

Sujit Kumar Mahato / September 14, 2022

A quick recap of major players involved in payment transactions : 1. Customer 2. Issuer Bank — holding the customer’s bank account 3. Payment Networks — Visa, Mastercard, NPCI, etc 4. Merchant 5. Acquirer Bank — holding the merchant’s bank account In simple terms, Payments Fraud is the one where someone made unauthorized payments/purchases. Though the liability of fraud differs(customer/merchant/banks etc) on a case-to-case basis, someone in the payment system has to finally bare the brunt and mark the money as lost in their respective books. Fraud is a global issue that affects not only individuals but also organizations — merchants, banks, insurance companies, and who so ever is dealing with payments. Payments frauds have been crippling every country across the globe and according to recent studies, the epidemic of payment fraud has been growing over the recent years. When it comes to payments, there are 2 major elements – 1. FALSE NEGATIVE — when an act of fraud goes undetected and through the payment system 2. FALSE POSITIVE — when a faulty fraud detection system blocks a legitimate transaction. Anti-fraud solutions and fraudsters are caught in a cat-and-mouse game. Both have been leveraging technological innovations to meet their underlying need and eventually adding to the cost of combating fraud. Whenever we come across the term COST, our first thought is that it’s a mere cumulation of expenses incurred in producing or building a product or service. However, in financial terms, the cost is segregated into — Direct Cost and Indirect Cost. The majority of the time, indirect costs are neglected when it comes to deriving the actual cost of a project due to the difficulty associated with deriving a cost-effective methodology for the assignment of indirect costs. When it comes to defining the cost associated with fraud, organizations generally tend to consider the amount lost in the fraud process. These numbers are a significant percentage of the topline revenue. Moreover, it’s a concerning fact that even less than 20% of businesses are able to fully recover the amount from unauthorized transactions and other fraudulent activities. Apart from the obvious Direct Cost — fraud amount value — associated with the transaction, the Indirect Cost often goes unnoticed. Cost of Combating Fraud: Huge infrastructure and resources — manual as well as technological are deployed by organizations in payment authentication and authorization. The cumulative loss arising from both False Positive and False negative scenarios burn a larger hole in terms of operational efficiency. Cost to Reputation: Businesses incurs huge cost when it comes to building a reputation of trust through the marketing function which employs varied techniques to increase the perceived value of a product or service over time. Undetected frauds and consequent delays in grievance redressal often leave the customer/merchant with a bad experience with their respective banks and also with the payment entities involved in the process. Cost of declining Genuine transactions: High False positive rates can leave the customers/merchants frustrated. Organizations leave no stone unturned through sales and marketing and customer support to acquire and retain a customer. In the era of fierce competition, if one thinks Customer acquisition is hard, think about the retention of a frustrated customer. It is somewhat now possible to measure fraud and error losses but one needs to surely factor in the Indirect Costs in order to make a proper judgment about a proportionate level of investment to be made in reducing them through the deployment of anti-fraud tools. Direct costs associated with fraud are just the tip of the iceberg and give even less than half a picture of the menace lying underneath. Author: Sujit Kumar Mahato, Product Manager Wibmo A PayU/Naspers FinTech Company Anti Fraud Management, Digital Payment, Fraud Detection, Fraud Prevention, Online Payments