Authentication


Beyond OTPs: Why India’s New Biometric Authentication Standards Are the Future of Digital Payments

The digital payments landscape in India is on the cusp of a revolutionary transformation. With the Reserve Bank of India’s groundbreaking mandate requiring two-factor authentication for all digital payments effective April 1, 2026, we’re witnessing the dawn of a new era where biometric-first authentication frameworks are set to replace traditional OTP-based security models. This shift represents more than just regulatory compliance; it’s a fundamental reimagining of how we secure digital financial transactions.

The End of the OTP Era

For decades, OTPs have been the cornerstone of digital security, but they’ve also been its weakest link. With over 80% of data breaches attributed to weak or compromised OTPs, and users experiencing delays and frustrations with SMS-based authentication, the traditional OTP system has become unsustainable. India’s digital payments ecosystem, processing over 8.5 billion transactions monthly, demands a security framework that can scale without compromising user experience. The RBI’s 2026 mandate recognizes this reality, pushing the industry toward authentication methods that are inherently more secure, user-friendly, and fraud-resistant.

Why Biometric Authentication is Game-Changing

Biometric authentication offers what OTPs never could: truly unique, non-transferable, and always-available security credentials. Unlike OTPs that can be delayed, intercepted, or compromised, biometric identifiers are intrinsically linked to the individual user.

The Security Advantage

Biometric authentication provides multiple layers of security that traditional methods cannot match:

The User Experience Revolution

Biometric authentication eliminates friction from the payment process. No more waiting for OTP messages or carrying physical tokens. A simple fingerprint scan, facial recognition, or voice authentication completes transactions securely and instantly.
RBI’s Vision for Secure Digital Payments

The RBI’s mandate for two-factor authentication by April 2026 creates a payments ecosystem that can support India’s digital economy aspirations while addressing critical challenges:

• Fraud Prevention at Scale: India’s proactive approach to authentication standards positions the country as a leader in secure digital finance.
• Consumer Confidence: Strong authentication standards build trust in digital payments, encouraging broader adoption across demographics and geographies.
• Financial Inclusion: Biometric authentication removes barriers preventing rural and elderly populations from adopting digital payments. Unlike OTPs requiring phone access and network connectivity, biometric authentication is intuitive and universally accessible.

The Technology Behind the Transformation

Modern biometric authentication leverages multiple biometric modalities, advanced AI, and risk-based authentication (RBA) to create comprehensive security frameworks that balance protection with user experience.

Multi-Modal Biometric Authentication

Robust systems combine multiple biometric factors:

Risk-Based Authentication: The Smart Layer

Risk-based authentication enables systems to make intelligent decisions about authentication requirements in real-time. Rather than applying uniform security measures, RBA analyzes each transaction’s risk profile and adapts authentication accordingly.

• Real-Time Risk Scoring: Transactions are analyzed using advanced fraud detection engines combining rules and AI/ML models to assess:
• Intelligent Decision Making: Based on risk assessment, systems determine appropriate authentication paths:
• Configurable Business Rules: Organizations can define policies that instantly adapt to match risk appetite and market conditions for different card types, transaction amounts, or merchant categories.
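As an added illustration of the risk-based decisioning described above (example code written for this page, not Wibmo’s product logic), the following Python scores a card-not-present transaction on the signals the article lists (amount and card type, device and location, velocity, network conditions, merchant category) against configurable business rules and maps the score to a 3DS-style path: frictionless, challenge (biometric or out-of-band step-up), or decline. All point values, thresholds and category names are constructed assumptions; the reasons list shows how such a decision stays explainable for audit.

```python
"""Risk-based authentication: score a CNP transaction against configurable rules and pick a 3DS path."""
from dataclasses import dataclass, field


@dataclass
class Transaction:
    amount: float
    card_type: str              # "debit" or "credit" in this example
    merchant_category: str      # merchant category group, e.g. "grocery", "gambling"
    device_known: bool          # device previously seen for this cardholder
    country_matches_home: bool  # transaction country equals the cardholder's home country
    txns_last_hour: int         # velocity signal derived from transaction history
    ip_is_proxy: bool           # network-security signal


@dataclass
class Policy:
    """Business rules an issuer tunes per portfolio; every value here is a constructed assumption."""
    frictionless_limit: dict = field(default_factory=lambda: {"debit": 5000.0, "credit": 20000.0})
    high_risk_categories: set = field(default_factory=lambda: {"gambling", "crypto", "gift_cards"})
    challenge_threshold: int = 40   # score at which a step-up is required
    decline_threshold: int = 80     # score at which the transaction is refused outright


def risk_score(txn, policy):
    """Additive rules-based score plus the human-readable reasons that fired (for explainability)."""
    signals = [
        (not txn.device_known, 30, "unrecognised device"),
        (not txn.country_matches_home, 25, "location differs from home country"),
        (txn.ip_is_proxy, 20, "anonymising proxy or VPN"),
        (txn.txns_last_hour >= 5, 20, "high transaction velocity"),
        (txn.merchant_category in policy.high_risk_categories, 15, "high-risk merchant category"),
        (txn.amount > policy.frictionless_limit.get(txn.card_type, 0.0), 20, "amount above frictionless limit"),
    ]
    fired = [(points, label) for hit, points, label in signals if hit]
    return sum(p for p, _ in fired), [label for _, label in fired]


def decide(txn, policy=None):
    """Map the score to an authentication path: frictionless, challenge (biometric/OOB step-up) or decline."""
    policy = policy or Policy()
    score, reasons = risk_score(txn, policy)
    if score >= policy.decline_threshold:
        path = "decline"
    elif score >= policy.challenge_threshold:
        path = "challenge"
    else:
        path = "frictionless"
    return {"path": path, "score": score, "reasons": reasons}


if __name__ == "__main__":
    routine = Transaction(1200.0, "debit", "grocery", True, True, 1, False)
    risky = Transaction(25000.0, "credit", "electronics", False, True, 2, True)
    large = Transaction(6000.0, "debit", "grocery", True, True, 1, False)
    print(decide(routine))
    print(decide(risky))
    # Tightening the policy changes the outcome for the same transaction without any code change.
    print(decide(large), decide(large, Policy(challenge_threshold=20)))
```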
Out-of-Band Authentication Options

Modern RBA systems support multiple authentication methods:

Adaptive Authentication in Action

Adaptive systems intelligently adjust security measures by evaluating transaction amount and type, user location and device, historical behavior patterns, and network security conditions to make real-time decisions. This approach ensures EMV 3-D Secure and PSD2 SCA compliance while providing analytics dashboards for data-driven insights. The result is increased sales through improved customer experience, reduced fraud through intelligent risk-based decisions, and real-time decision-making using best-in-class machine learning.

Leading the Transition with Intelligent Authentication

As organizations prepare for the 2026 mandate, comprehensive authentication solutions combine cutting-edge biometric technologies with intelligent risk assessment, creating experiences that are both highly secure and remarkably user-friendly.

• Comprehensive Biometric Support: Full spectrum support ensures compatibility across diverse user preferences and device capabilities.
• Regulatory Compliance by Design: Solutions built with RBI guidelines ensure institutions can meet 2026 requirements while positioning for future regulatory developments.
• Seamless Integration: API-driven architecture enables implementation without disrupting current operations.

The Broader Impact on India’s Digital Economy

The shift to biometric-first authentication will have implications far beyond payment security:

• Accelerated Digital Adoption: Simplified, secure authentication will remove barriers preventing many Indians from embracing digital financial services, significantly accelerating financial inclusion.
• Innovation Catalyst: Robust authentication standards create foundations for sophisticated financial services. With strong identity verification, institutions can confidently offer advanced products through digital channels.
• Global Leadership: India’s proactive approach positions the country as a global fintech innovation leader, potentially influencing international standards and creating expansion opportunities for Indian fintech companies.

Preparing for the Future

The transition to biometric-first authentication isn’t just about meeting regulatory requirements; it’s about preparing for the future of digital finance. Organizations embracing this shift early will gain significant competitive advantages:

The Road Ahead

As we approach the April 2026 implementation deadline, financial institutions and payment service providers must begin preparing for this transformation. The shift to biometric authentication represents one of the most significant changes in digital payment security in decades, but also presents an unprecedented opportunity to create truly secure, user-friendly financial services. Together, we can navigate this change and move towards a safer digital payments ecosystem. We’re here to support you with Wibmo’s advanced Intelligent Authentication Suite – combining multi‑modal biometrics, risk‑based decisioning, and compliance by design – to implement the RBI mandate efficiently and at scale. To know more, write to us at [email protected].


South Africa’s Banking & Fintech Moment: Mandates, Challenges, and How Wibmo Can Help 

South Africa’s payments landscape is undergoing a significant upgrade. With the Rapid Payments Programme (RPP) / PayShap rolling out real-time, low-cost account-to-account payments, and long-standing rules like 3D Secure for e-commerce, banks and PSPs have a clear direction: safer, faster, interoperable digital money movement. The task now is execution at scale, with resilience, and without friction.

The Regulatory Backbone: Who Sets the Rules (and Why It Matters)

• South African Reserve Bank (SARB) oversees the National Payment System and has set out Vision 2025 goals, i.e. competition, innovation, inclusion, and regional interoperability.
• PASA (Payments Association of South Africa) mandated 3D Secure for online card transactions (initially by 2014), making strong customer authentication a baseline for CNP risk.
• FIC Act / Prudential Authority anchors AML/CFT obligations with risk-based programmes and supervisory teeth.
• POPIA (data protection) requires lawful processing and security of personal data; banks also adhere to a sector code of conduct aligned to POPIA.

Market Shifts to Watch

• PayShap (RPP) is South Africa’s real-time payments layer aimed at displacing cash with instant, irrevocable, interoperable payments, and it’s gaining traction year over year.
• Card-Not-Present (CNP) risk remains elevated: SABRIC reports show CNP is the dominant component of card fraud losses, underscoring the need for better authentication and smarter fraud controls.
• Conduct & crypto reforms: the FSCA’s 3-year plan progresses the COFI Bill (market conduct), while broader licensing rules will keep evolving for digital assets and new models.

The Execution Gap: Key Challenges for Banks & PSPs

• Balancing real-time speed with real-time risk: Faster rails compress decision windows; fraud, scams, and mule activity migrate to instant channels.
• CNP fraud & authentication fatigue: 3DS is necessary, but a clunky customer experience or static rules can dent approvals and merchant revenue.
• Fragmented data & legacy integration: Risk signals live across devices, IPs, behaviours, and internal systems; normalising them without backend rewrites is challenging.
• Operational overhead: Investigations, rule tuning, and change management drag teams away from strategy.
• Compliance by design: POPIA and AML/CFT require explainability, auditability, and governance beyond “black-box” scoring.

South Africa’s Strategic Position in the Payments Ecosystem

South Africa’s unique position as a gateway to African markets, combined with its sophisticated banking infrastructure, creates specific opportunities for scalable fraud management solutions. The country’s regulatory maturity and digital payment adoption rates make it an ideal testing ground for innovative payment technologies that can subsequently be deployed across the continent.

While established players currently serve major institutions like PayInc (formerly known as BankservAfrica), the market opportunity for specialised, agile solutions remains significant, particularly for institutions seeking more flexible, cost-effective alternatives that can adapt to local market dynamics.

Where Wibmo Fits: A Product Stack Built for SA Priorities

Wibmo, a PayU company, works with issuers, acquirers, processors, and large merchants across digital payments. With proven deployments across emerging markets and growing traction with South African Tier 1 and Tier 2 banks, our solutions address the specific challenges facing the SA market.

1) Trident FRM — Real-time Fraud & Risk Management

What it solves: Instant risk decisions across carded and A2A flows, especially CNP fraud and real-time scams.

How it helps the SA context:
• Aligns with PASA’s 3DS mandate by complementing authentication with risk-based decisioning before, during, and after auth.
• Handles burst traffic from PayShap/RPP-driven volumes, with millisecond scoring to avoid payment latency.

Capabilities you can deploy:
• AI/ML ensemble (10+ models) with enriched device/IP/behavioural signals
• Sub-100ms decisioning at scale; 1500+ TPS proven, scaling toward 3500+ TPS
• 99.99% uptime architecture for “always-on” payment windows
• DIY rule authoring & simulation, plus a configurable case manager to reduce investigation time
• Flexible data ingestion: plug in orthogonal data without backend rewires

2) 3D Secure & Contextual Authentication Suite

What it solves: Strong step-up only when needed, preserving approval rates and user experience.

How it helps the SA context:
• Delivers ACS / 3DS Server / RBA components built to meet PASA’s 3D Secure requirement while curbing friction.
• Contextual (risk-based) authentication reduces unnecessary OTPs and cart abandonment.

3) Tokenisation & Data Security Services

What it solves: Lowers PAN exposure and supports POPIA and scheme requirements via vaulting, network tokens, and lifecycle controls.

How it helps the SA context: Minimises sensitive data processing and aids privacy-by-design obligations under POPIA and the banking industry code.

4) Prepaid/Stored-Value Platform (Financial Inclusion & Control)

What it solves: Issuing and managing controlled-spend instruments for payroll, disbursements, youth, or thin-file segments.

How it helps the SA context: Supports inclusion targets in SARB’s Vision 2025 by enabling safe digital value stores and spend controls.

5) Acquiring & Acceptance Enablement

What it solves: Smarter approvals and fewer false declines for merchants; enhanced dispute/fraud handling.

How it helps the SA context: Risk-based approvals can lift merchant revenue and trust in e-commerce while keeping CNP risk in check, given SABRIC’s fraud trends.

The Value of Local Partnership

Working with local fintech providers brings unique advantages to South African institutions:

Rand-based Pricing & Forex Protection:
• Mitigate currency fluctuation risks with local currency invoicing
• Predictable budgeting without USD exchange rate volatility
• Contract terms that protect against significant rand depreciation

Local Regulatory Expertise:
• Deep understanding of SARB, PASA, and POPIA requirements
• Compliance support aligned with South African banking regulations
• Local legal framework navigation and contract flexibility

Regional Market Understanding:
• Solutions customised for African market dynamics
• Understanding of local fraud patterns and payment behaviours
• Gateway to broader African expansion opportunities

Agile Implementation & Support:
• Faster decision-making without complex international approval chains
• Local timezone support and cultural alignment
• Flexible contract terms designed for emerging market needs

What Good Looks

South Africa’s policy environment already rewards safer, faster digital payments. The opportunity is to combine real-time rails (PayShap/RPP) with real-time risk, without sacrificing user experience or uptime.

Wibmo’s Trident FRM, Authentication, Tokenisation, Prepaid, and Acquiring solutions are built to meet those mandates and close the execution gap – from CNP fraud today to instant A2A at scale tomorrow. With local partnership advantages and proven success across emerging markets, we’re positioned to support South African financial institutions in their digital


From Mandate to Mastery: How Wibmo Helps LFIs Comply with CBUAE’s Authentication Guidelines 

Wibmo’s Authentication Suite is purpose-built to help LFIs navigate this regulatory transformation. Our platform enables secure, seamless, and intelligent authentication across both issuing and acquiring operations — empowering banks and fintechs to comply with CBUAE mandates while enhancing customer trust.

The solution combines biometric verification, passkey-based login, and AI/ML-driven RBA, integrated via lightweight SDKs and APIs. This makes it easy for financial institutions to embed strong security directly into their mobile and web applications — without overhauling existing infrastructure.

From logins to lifecycle events to high-value transactions, Wibmo makes every touchpoint secure, compliant, and frictionless.


The Role of AI and ML in Averting Fraud in Real Time 

Fraudsters are becoming increasingly sophisticated, leveraging advanced technologies to exploit vulnerabilities. As a leading provider of secure payment solutions, Wibmo understands the critical role that artificial intelligence (AI) and machine learning (ML) play in averting fraud in real time. This blog explores how AI and ML are transforming fraud prevention, the benefits of these technologies, and how Wibmo’s innovative products are at the forefront of this battle.

The Growing Threat of Fraud

Fraud is a pervasive issue that affects individuals and organizations worldwide. According to a report by Juniper Research, global losses from online payment fraud are expected to exceed $206 billion between 2021 and 2025. This staggering figure underscores the urgent need for effective fraud prevention measures.

How AI and ML Combat Fraud

AI and ML are revolutionizing the way we detect and prevent fraud. These technologies enable systems to analyse vast amounts of data, identify patterns, and make real-time decisions. Here are some key ways AI and ML are used in fraud prevention:

The Benefits of AI and ML in Fraud Prevention

The integration of AI and ML in fraud prevention offers numerous benefits:

Wibmo’s AI and ML Solutions

At Wibmo, we leverage AI and ML to provide cutting-edge fraud prevention solutions. Our products are designed to protect users and organizations from a wide range of fraudulent activities. Here are some of our key offerings:

Real-World Impact of AI and ML in Fraud Prevention

The impact of AI and ML in fraud prevention is evident in various industries. For instance, banks using AI-powered fraud detection systems have reported a 50% reduction in false positives and a 30% increase in fraud detection rates. Similarly, e-commerce platforms have seen a significant decrease in chargebacks and fraudulent transactions by implementing AI and ML solutions.

The Future of AI and ML in Fraud Prevention

As AI and ML technologies continue to advance, their role in fraud prevention will become even more critical. Here are some trends to watch for:

In the fight against fraud, AI and ML are powerful allies. These technologies enable real-time detection and prevention, ensuring that individuals and organizations can stay one step ahead of fraudsters. At Wibmo, we are committed to leveraging AI and ML to provide innovative fraud prevention solutions that protect our users and enhance their security. By staying informed about the latest trends and continuously improving our systems, we can create a safer digital environment for everyone.

By understanding the role of AI and ML in fraud prevention and adopting advanced solutions like those offered by Wibmo, you can significantly reduce the risk of falling victim to fraud. Stay vigilant, stay informed, and stay secure.


Browser Fingerprinting- Part 1

Overview:

1. A user’s device’s hardware, operating system, browser, and configuration are all included in a set of data called a “browser fingerprint.”
2. Via a simple script running inside a browser, a server can collect a wide variety of information from public interfaces called application programming interfaces (APIs), HTTP headers, device information, etc.
3. The method of gathering data from a web browser to create a device fingerprint is known as “browser fingerprinting.”

Cookies vs Browser Fingerprinting:

Cookies: Small pieces of data are stored on a user’s computer by a web browser when they visit a website. They are used to store information about the user, such as preferences and browsing history, and to track user behaviour on the website. They are typically used to improve the user experience by remembering information about the user and their preferences, but they can also be deleted, blocked, or turned off entirely. Cookie tracking involves placing a unique identifier on a person’s web browser, whereas fingerprinting occurs when a company (the website owner) creates a profile of the device’s unique characteristics. The General Data Protection Regulation (GDPR) regulates the rules for covert data collection, which is why websites often ask users to approve or disapprove of cookies.

Browser Fingerprinting: Information includes details about the browser, network, and device, such as the language used, keyboard layout, time zone, cookie settings, operating system version, etc. By combining all this information into a fingerprint, advertisers can recognise a user as they move from one website to another. Studies have shown that around 80–90% of browser fingerprints are unique. This is done by advertising technology companies that insert their code onto websites and collect data about online activity. Once established, a fingerprint can potentially be linked with other personal information, such as data held by brokers.

GDPR: Browser fingerprinting also falls under the purview of the GDPR to protect user privacy. However, nothing has been explicitly mentioned about it. The GDPR establishes six legal grounds that enable the processing of data, including user consent and the “legitimate interest” or consent of the person doing the tracking. In the context of browser fingerprinting, these general rules apply as follows:

• Companies using fingerprinting must ensure that their interests in tracking user information do not override the user’s fundamental rights and freedoms, including their privacy.
• The website must also provide detailed information to the user about the scope, purposes, and legal basis of the data processing.
• Fingerprinting should be transparent when using and processing data about anonymous visitors.

*Browser fingerprint technology has enabled marketers to run targeted campaigns on the internet at any stage of the marketing funnel.

Parameters and the Math:

Uniqueness: The fingerprint must provide enough ground for identification; the more unique a fingerprint, the more identifiable it is. A fingerprint is unique when it has an attribute whose value is present only once in the whole dataset, or when the combination of all its attributes is unique in the whole dataset.

Stability: This links the browser fingerprints that belong to the same device. For stability, the quantity of modified information (each time the user’s fingerprint is obtained) should be as small as possible.

Entropy: Defines the amount of uniqueness that a specific property exposed by the browser (such as the User-Agent header) introduces into a browser fingerprint. Usually expressed in bits, the higher the entropy, the more unique and identifiable a fingerprint will be.

After the new dataset is tested repeatedly, giving similar correlated probability outputs, we can say that a technique is effective in terms of its ability to say that a fingerprint is unique!
Blueprint: Using Browser Fingerprinting for Authentication

Information gathered: Browser fingerprinting can gather a lot of information (more than 100 data attributes) from a browser, for example:

• Device model
• Operating system
• Browser version
• User time zone
• Preferred language settings
• Keyboard layout
• Ad blocker used
• Screen resolution
• Tech specs of the CPU, graphics card, etc.

The logic is to have enough specifics about a user’s device and settings to pinpoint them in a sea of internet users. A specific fingerprinting technology employs several cutting-edge browser identification methods to gather over 100 individual signals. These signals are combined with server-side analysis and deduplication to generate a visitor ID, providing a persistent and valuable abstraction of a browser fingerprint, which can be volatile if a user changes settings or updates software on their device.

Watch this space for Part 2!

Author: Vaibhav Chandel, Product Manager, Wibmo, A PayU/Naspers FinTech Company
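The following Python, added here as a worked example rather than code from the original post, computes the three parameters defined above (uniqueness, stability, entropy) over a small constructed set of fingerprints, derives a visitor ID from the canonicalised attribute set as the Blueprint section describes, and links two captures of one device even though a browser update changed one attribute. The dataset, the attribute names and the 0.8 linking threshold are all assumptions.

```python
"""Uniqueness, stability and entropy of browser fingerprints over a constructed dataset."""
import hashlib
import json
import math
from collections import Counter

# Constructed sample: one record per observed browser (not real telemetry).
# Rows 0 and 1 are deliberately identical so that one fingerprint is not unique.
SAMPLE_FINGERPRINTS = [
    {"user_agent": "UA-1", "timezone": "Asia/Kolkata", "language": "en-IN", "screen": "1920x1080", "cookies_enabled": True},
    {"user_agent": "UA-1", "timezone": "Asia/Kolkata", "language": "en-IN", "screen": "1920x1080", "cookies_enabled": True},
    {"user_agent": "UA-1", "timezone": "Asia/Kolkata", "language": "hi-IN", "screen": "1366x768", "cookies_enabled": True},
    {"user_agent": "UA-2", "timezone": "Europe/London", "language": "en-GB", "screen": "1920x1080", "cookies_enabled": True},
    {"user_agent": "UA-2", "timezone": "Europe/London", "language": "en-GB", "screen": "1440x900", "cookies_enabled": True},
    {"user_agent": "UA-3", "timezone": "America/New_York", "language": "en-US", "screen": "2560x1440", "cookies_enabled": True},
    {"user_agent": "UA-1", "timezone": "Asia/Kolkata", "language": "en-IN", "screen": "1366x768", "cookies_enabled": True},
    {"user_agent": "UA-2", "timezone": "Asia/Kolkata", "language": "en-IN", "screen": "1920x1080", "cookies_enabled": True},
]


def fingerprint_id(fp):
    """Visitor ID: hash of the canonicalised attribute set, so key order cannot change the ID."""
    canonical = json.dumps(fp, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def attribute_entropy(fingerprints, attr):
    """Shannon entropy in bits contributed by one attribute across the dataset."""
    n = len(fingerprints)
    counts = Counter(fp[attr] for fp in fingerprints)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def rank_attributes(fingerprints):
    """Attributes ordered from most to least identifying."""
    return sorted(fingerprints[0], key=lambda a: attribute_entropy(fingerprints, a), reverse=True)


def anonymity_set_size(fingerprints, fp):
    """How many records share this exact fingerprint; 1 means the fingerprint is unique."""
    target = fingerprint_id(fp)
    return sum(1 for other in fingerprints if fingerprint_id(other) == target)


def uniqueness_ratio(fingerprints):
    """Fraction of records whose full fingerprint occurs exactly once in the dataset."""
    ids = Counter(fingerprint_id(fp) for fp in fingerprints)
    return sum(1 for fp in fingerprints if ids[fingerprint_id(fp)] == 1) / len(fingerprints)


def stability(previous, current):
    """Fraction of attributes unchanged between two captures; 1.0 means nothing changed."""
    attrs = set(previous) | set(current)
    unchanged = sum(1 for a in attrs if previous.get(a) == current.get(a))
    return unchanged / len(attrs)


def same_device(previous, current, threshold=0.8):
    """Link two captures to one device when enough attributes survived (threshold is an assumption)."""
    return stability(previous, current) >= threshold


if __name__ == "__main__":
    for attr in rank_attributes(SAMPLE_FINGERPRINTS):
        print(f"{attr:16s} {attribute_entropy(SAMPLE_FINGERPRINTS, attr):.3f} bits")
    print("unique fingerprints:", uniqueness_ratio(SAMPLE_FINGERPRINTS))
    updated = dict(SAMPLE_FINGERPRINTS[5], user_agent="UA-3.1")  # a browser update changed one attribute
    print("linked after update:", same_device(SAMPLE_FINGERPRINTS[5], updated))
```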


Regulator asking your bank to migrate from SMS-based OTPs to more secure authentication options? Use the opportunity to derive multiple benefits

Central Banks are proactively taking steps to reduce the risk of banking/financial fraud

The phrase “two sides of the same coin” applies to the world of digital banking and financial services as well. Internet/mobile based banking capabilities have undoubtedly enabled convenience and speed for consumers and reduced costs for service providers. Simultaneously, however, there has also been a steady rise in digital frauds and scams around the world. New ways of scamming consumers are constantly emerging because omni-channel digital first banking has given perpetrators more options based on how banking transactions are authenticated. Central banks around the world have regularly been raising the bar for digital security within their jurisdictions, given their responsibility for orderly conduct of a country’s banking and financial services system and ensuring the highest levels of consumer safety and protection. Individual banks and fintech players are proactively integrating new technologies and protocols to provide customers with the additional security of multi-factor authentication.

About a month ago, Bank Negara Malaysia (BNM, the Malaysian central bank) announced that banks operating in that country needed to adopt authentication methods for online activities (opening accounts, making payments and other transactions) that go beyond SMS-based OTPs (One Time Passwords). BNM’s new measures also cover changes to default customer account settings, cooling off periods for new accounts, using just one device for authentication, etc. The rules pertaining to the detection of scams/frauds and the triggering of blocking actions are also being tightened. While many of the steps will kick in after suspicious transactions are detected, what is essential for banks is to strengthen measures that can minimize the occurrence of frauds and scams through superior digital authentication and the detection of risky transactions.

OTPs and two-factor authentication are no longer adequate

Over the past years, OTPs have become ubiquitous and deeply embedded in our lives as the primary means to authenticate all banking (and many other) transactions. But the two-factor authentication provided by OTPs is no longer enough to provide customers with the desired levels of safety and protection. Authentication is based on entering the 4 or 6 digits sent by the service provider to the customer’s mobile number. It does not verify the identity of the person who has entered the OTP. This means anyone with access to the OTP can easily impersonate a customer and complete transactions without the genuine customer being aware until it is too late.

Think about three commonplace scenarios that customers might routinely face: a lost or stolen mobile phone, an unlocked phone on their office desk while they briefly step out, or a phone given for repairs (where unscrupulous staff members have the chance to copy/access personal data). In each of these situations, unauthorized persons can easily access OTPs and other transaction-related messages sent by banks to the phone and essentially “authenticate” transactions that will go through as legitimate transactions initiated/approved by you. If such impersonation risks are not bad enough, think about phishing frauds and scams where users are induced to click on links that they believe have come from their bank or other service providers via SMS. A world of non-banking digital payment apps and platforms gives fraudsters even more opportunities to scam customers by voluntarily giving out information that is needed to complete unauthorized financial transactions. In such a high-risk environment, online authentication must necessarily be made a more rigorous and fool-proof process that is inherently harder to circumvent.

Rather than relying on an OTP that can be entered by anyone (and not just the genuine customer), banks must adopt authentication protocols that use multiple data points that can be collectively used to establish customer identity and authenticity of transactions.

Multi-factor authentication can make a big difference to the reliability of your authentication and hence customer experience

Banks need to balance secure and reliable authentication with the associated costs and impact on customer experience. Working even when there is mobile network latency (or lack of network coverage) is another requirement. Compliance with the bank’s own security norms and complete adherence to prevailing regulatory requirements also needs to be considered. The solution must be such that it can be used seamlessly with mobile banking as well as internet banking. Multi-factor authentication (MFA) solutions tick all these boxes. A robust MFA solution uses a combination of three distinct sets of data points for authentication:

· Knowledge: what the customer knows (e.g., password, security question);
· Ownership/access: what the user has (e.g., mobile device, USB token); and
· Inherence: something that is inherent to the customer (e.g., fingerprint or other biometrics)

A world-class MFA solution must provide banks (and other organizations) the option to authenticate customers and transactions based on a variety of authentication touchpoints that cater to customer preferences and risk profiles. It must be used either on a standalone basis or be capable of easily being integrated with a bank’s existing assets. It must support Out of Band (OOB) authentication, which means that the channel used for authentication must be distinct from the one used to sign in or perform a transaction. Ideally, the OOB authentication element must reside in the customer’s registered mobile phone, making it easier to leverage ownership- and inherence-based data points as well for authentication.
The MFA solution must be compatible with EMV 3-D Secure and 3-D Secure 1.0 protocols and support CNP transactions as well.

Wibmo’s Tridentity is an MFA solution that is designed to address the above needs and deliver the above capabilities. It supports authentication based on Push notifications, Offline OTP, and Biometrics. It is available as a simple SDK or downloadable as an Android/iOS app. Tridentity is compliant with the EU’s PSD2 initiative. Please click on https://www.wibmo.com/tridentity/ for more information on Wibmo’s Tridentity solution and how it can help your bank in Malaysia or elsewhere. If you have specific questions and would like to speak to one of our experts, write to us at [email protected].

Author: Edward Chien, Director- Sales, South-East Asia, Wibmo, A PayU/Naspers FinTech Company
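To make the out-of-band and offline modes discussed above concrete, the following Python is an added example (not Wibmo’s Tridentity code): the issuer’s server creates a challenge bound to the exact transaction details, the registered phone answers it with a device-bound key that is released only after a local biometric check, and an offline OTP (RFC 6238 TOTP over the same key) serves as the fallback when the phone has no network. The HMAC-based response, the in-memory key store and the constructed transaction are simplifications; a production deployment would keep the key in the phone’s secure hardware and the server copy in an HSM.

```python
"""Out-of-band transaction approval on a registered device, with offline TOTP fallback (constructed example)."""
import hashlib
import hmac
import json
import os
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time, so no network round trip is needed."""
    return hotp(secret, int(now) // step, digits)


class RegisteredDevice:
    """The customer's enrolled phone (ownership factor). The device-bound secret stands in for a key
    kept in secure hardware that is only usable after a local biometric check (inherence factor)."""

    def __init__(self, device_id, secret):
        self.device_id = device_id
        self._secret = secret

    def approve(self, challenge, biometric_ok):
        """Answer a push challenge; refuse when the local biometric check did not pass."""
        if not biometric_ok:
            return None
        return hmac.new(self._secret, challenge, hashlib.sha256).hexdigest()

    def offline_otp(self, now):
        """Code the app can display with no connectivity at all."""
        return totp(self._secret, now)


class AuthServer:
    """Issuer side: enrols devices, issues transaction-bound challenges and verifies responses."""

    def __init__(self):
        self._devices = {}   # device_id -> secret (a real system would use an HSM or vault)
        self._pending = {}   # nonce -> (device_id, challenge bytes)

    def enrol(self, device_id):
        secret = os.urandom(32)
        self._devices[device_id] = secret
        return secret  # delivered to the device once, during enrolment

    def create_challenge(self, device_id, txn):
        """Bind the challenge to the exact transaction (amount, currency, payee) plus a fresh nonce,
        so an approval cannot be reused for a different transaction or replayed later."""
        nonce = os.urandom(16).hex()
        challenge = json.dumps({"nonce": nonce, **txn}, sort_keys=True).encode()
        self._pending[nonce] = (device_id, challenge)
        return nonce, challenge  # the challenge travels to the phone over the OOB (push) channel

    def verify_approval(self, nonce, response):
        """Single use: the pending challenge is consumed whether or not the response is valid."""
        entry = self._pending.pop(nonce, None)
        if entry is None or response is None:
            return False
        device_id, challenge = entry
        expected = hmac.new(self._devices[device_id], challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

    def verify_offline_otp(self, device_id, code, now, step=30, window=1):
        """Accept the current time step and one step either side to tolerate clock drift."""
        secret = self._devices[device_id]
        counter = int(now) // step
        return any(hmac.compare_digest(hotp(secret, counter + d), code) for d in range(-window, window + 1))


if __name__ == "__main__":
    server = AuthServer()
    phone = RegisteredDevice("phone-1", server.enrol("phone-1"))
    txn = {"amount": "1500.00", "currency": "MYR", "payee": "ACME Sdn Bhd"}  # constructed sample
    nonce, challenge = server.create_challenge("phone-1", txn)
    print("approved:", server.verify_approval(nonce, phone.approve(challenge, biometric_ok=True)))
    print("replayed:", server.verify_approval(nonce, phone.approve(challenge, biometric_ok=True)))
    now = 1_700_000_000
    print("offline OTP accepted:", server.verify_offline_otp("phone-1", phone.offline_otp(now), now))
```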


Moving beyond SMS OTP Authentication

If you have ever transacted or purchased online, you must have come across the OTP Authentication. The system-generated code delivered through SMS on your device serves as a verification of the claim that you are the actual owner of the device as well as the account/card/wallet through which the transaction is initiated. The authentication or verification of our identity as who we claim ourselves to be is a part of our day-to-day lives. Be it checking in at the airport or going past the security desk of an office, though we identify ourselves with our name, we authenticate ourselves with some other form of ID card. With growing security concerns, both in the physical and digital worlds, authentication methods have evolved not only to protect but also to provide a seamless experience to users. The ways in which one can be authenticated fall into three categories: · Knowledge: Something the user knows (eg. Password) · Ownership: Something the user has (eg. ID card) · Inherence: Something the user is (eg. Fingerprint) The above categories are referred as the Authentication Factors and the use of the number of factors in an authentication process derives its name. · Single-factor Authentication: Requires providing only one piece of verifiable information such as a password · Two-factor Authentication(2FA): Requires providing two pieces of verifiable information such as a password and then proof of possession of their smartphone (through an SMS OTP delivered on that device) · Multi-factor Authentication: Required to provide two or more pieces of verifiable information. As in the case of 2FA, where two categories (factors) of information are required, it is also considered an MFA. The idea of an OTP was first suggested in the 1980s by Leslie Lamport. With growing attacks and increasing authentication requirements, many patented OTP algorithms were developed. 
Today, OTPs are synonymous with two-factor authentication and are thought to augment existing passwords with an extra layer of security. Yet fraudsters manage to circumvent them every day.

SIM SWAP: In this scenario, a fraudster uses a stolen identity (name, email, government ID, etc.) to trick a mobile service provider into issuing a new SIM card for an existing phone number. Once the new SIM card is active, the original SIM card is shut down, and the fraudster then tries to gain access to the user’s financial application. Once the fraudster has gained access, the last line of defense, 2FA or SMS OTP, is compromised.

JAILBREAK or ROOT: Removing the software restrictions put in place by manufacturers to gain full access to the device’s operating system is called “jailbreaking” on iOS and “rooting” on Android. Generally, it is aimed at customizing the user experience or gaining access to a greater variety of unofficial apps. Jailbroken and rooted devices are susceptible to malware and viruses because the devices’ built-in security features are weakened. This eliminates the security controls set by the manufacturer, which enables hackers to steal personal information, attack the network, or introduce malware, spyware, or viruses to circumvent the authentication measures in place. Financial institutions should investigate the feasibility of implementing a check that detects whether a device is rooted or jailbroken before the mobile application is installed, and that prevents the application from installing or functioning on such a device; this can save their customers from possible fraud.

Adding more layers of security is not a feasible solution for financial institutions when consumers prefer speed and convenience, even when accessing financial services online. User experience has become one of the determining factors for user adoption in any industry globally.
Not receiving an SMS OTP is one of the most painful experiences one can have as a user. Latency, in addition to the SMS cost, is a challenge for financial institutions in the exponentially growing digital era. Maintaining a balance between fighting fraud and improving the consumer experience is a challenge. Leveraging inherence-based authentication, such as biometrics, or ownership-based authentication, such as push notifications to the registered device, are authentication measures that cater to both security and the consumer experience. Technological solutions with multiple authentication measures other than SMS OTPs, and device binding, are the way forward for providing a delightful customer experience without compromising security.

Author: Sujit Kumar Mahato, Product Manager, Wibmo, A PayU/Naspers FinTech Company

Authentication, Fraud Prevention, Global Digital Payments, Payments

Industry Insights, Product, Reading List

Why is Biometric Authentication becoming the headline in the world of Digital Payments?

The last decade has witnessed the progressive adoption of technology in almost every industry. A few industries, such as banking and fintech, have embraced technology to grow in leaps and bounds. The revolutionary spread of the internet has ushered in an incredible increase in the number of users and, in turn, the addressable market. The hitherto latent yet enormous rural population is today enabled with fintech services such as online payments and transactions, and even e-commerce. The one word which has propelled the whole population into digital payments, however, is rather old-fashioned: TRUST.

Let’s dive deeper with an example. When a small business owner from a village in Bihar pays a vendor residing in another state, he needs to be assured that the payment will indeed be made. Similarly, a migrant labourer working in a southern state needs to believe that his hard-earned money is indeed going to reach his family in a matter of minutes, if not seconds. However, both of them also need assurance that it will be paid only to the intended parties and not to anyone else!

Authentication: The foundation of trust in the digital payment space

Authentication is most commonly used to assure consumers of reliability. However, the question remains whether the authentication mechanisms currently in use produce the highest levels of trustworthiness. Let’s delve into the circumstances where multi-factor authentication is the best option. Any two of the following three ways have proved to be a strong medium for payment authentication:

· Possession: for example, a documented identity or a device
· Knowledge: for example, a password or a secret
· Inherence: for example, a fingerprint, hand, or face
History of Biometrics — An evolved tool used in payment security

Although biometrics go way back in human history, the contemporary commercial usage of biometric authentication began in the mid-nineteenth century, using fingerprints, by William James Herschel, a British administrator in India. Biometric authentication gained popularity among consumers and service providers with the rising usage of feature-rich smartphones and other devices equipped with high-resolution cameras. Biometric authentication fed the desire for instant gratification, as it is based on biological traits which are unique to every individual and cannot be faked.

One of the most widely used examples of biometrics is the Aadhaar card in the Indian market. All Indian residents are given an Aadhaar number, which is a 12-digit unique identification number. This number is derived from their biographic and biometric data (a photograph, ten fingerprints, two iris scans). The concept was originally related to government subsidies and unemployment benefits, but as its reliability was proven, it now includes a payment scheme.

The growth of biometric payments in a post-pandemic world

According to global surveys, the pandemic has heightened awareness and acceptance of biometric payments. This popularity shows no signs of abating as we step into the post-pandemic era, thanks to a focus on sanitation and contactless payments. Biometric authentication is popular due to the simple and uncomplicated process it entails, unlike conventional authentication techniques, which suffer from glitches such as not receiving an OTP or a weak internet connection. Biometric payments are becoming more popular in large and densely populated countries such as Russia, South Africa, Kenya, Nigeria, Ukraine, India, and others. Consumers perceive the simple and foolproof option of biometric authentication as safer, quicker, and simpler.
Biometric authentication provides several advantages over knowledge-based and possession-based authentication:

1. It’s universal, as these metrics can be found in every human.
2. It is unique.
3. It is permanent, as metrics like fingerprints or dental records don’t change.
4. It can be easily recorded if the consumer wants it to be so.
5. Finally, it can be measured for comparison and cannot be falsified.

Conclusion:

Though biometric authentication, being based on statistical algorithms, may occasionally produce false positives and hence erroneous results, the benefits of using biometric authentication for digital payments outweigh the drawbacks. This is causing a significant shift towards its adoption, and that shift seems to be growing continuously. In a diverse socioeconomic environment like India, with a population that is both cost-sensitive and aspirational, there is no other solution that can beat biometric authentication.

Author: Shatrughan Sharma, Global Head- Payment Security, Wibmo, A PayU/Naspers FinTech Company

Authentication, Biometric Authentication, Global Digital Payments, Payments, Secure Payment

Industry Insights, Stories

Identification, Authentication, Authorisation — Know the Difference

We undergo the process of identification, authentication, and authorization every day in both the physical and digital worlds. Let’s first start with the physical world.

You have been planning a weekend vacation for a long time but have been stalling because of a busy work schedule. After months of long hours of work, you finally find a weekend for a getaway. After work hours you meticulously plan the vacation — the place to visit, the hotel to stay at, the to-do activities, and whatnot. Finally, the getaway weekend has arrived, and the first thing you do after reaching your destination is check in at the hotel.

1. Identification — You walk to the hotel reception and mention that you have a prior booking at the hotel. The first thing the receptionist asks for is your name. The receptionist then checks through the register to confirm your booking. By providing your name, you claimed your identity. Your name, more or less, is unique and is used for identification.

2. Authentication — Once the receptionist has found your name in the booking register, you are asked to present an ID card. The ID card verifies that you are the person whose name is on the reservation. Here, the ID card facilitates the process of authentication and verifies your identity.

3. Authorisation — After the receptionist has completed the necessary authentication process/paperwork, you receive a guest keycard. The guest keycard grants you access to your room, the guest elevators, and the pool — but not to other guests’ rooms or the service elevator. Hotel employees have a service keycard, authorized to access more areas of the hotel than guests can.

You enjoy the next few days to the fullest and finally feel well-rested and rejuvenated. It’s time to go back to your work and give your best. It’s time to check out and walk to the reception desk. You hand over your card to the receptionist to pay the bill.
At this moment you have jumped into the digital world of identification, authentication, and authorization.

1. Identification — The receptionist puts your card through a POS terminal. The information stored on your magnetic stripe/EMV chip enables the banking systems to identify your valid account details — the bank that holds your account, your account details, etc. Here the information on your card’s magnetic stripe/EMV chip is analogous to the name you used during check-in.

2. Authentication — You are then requested to enter your card PIN. Your card PIN is confidential to you; only you know it (in the ideal case). By providing the PIN, you establish that you are the owner of the card associated with the bank account. The PIN authenticates that you are the owner of the bank account from which money will be transferred to the hotel for its services.

3. Authorisation — There are multiple stakeholders involved when you make transactions through your card: the bank in which you have your account, the card networks — Visa/Mastercard/Amex/Diners, the bank which holds the hotel’s account, the software provider for the POS terminal, etc. Each stakeholder has a specific role to play. For example, the bank which has your account confirms that your account has enough balance. It then authorizes the deduction of the bill amount from your bank account.

It may seem that all three steps — identification, authentication, and authorization — are inseparable. But that’s not true. Remember the last time you uploaded a file to your Google Drive/OneDrive and shared a public link. There, you authorized anyone with the link to access that file without any prior identification or authentication. Probably, the value of the file is far less than the value of the money in your bank account. Hence, the banking world uses cutting-edge solutions to predict, prevent, and detect fraudulent transaction attempts on your card.
Author: Sujit Kumar Mahato, Product Manager, Wibmo, A PayU/Naspers FinTech Company

Authentication, Authorization, Digital Payment, Identity Management, Security

Product, Stories

What is Risk-Based Authentication and why banks should implement it?

Driven by the trifecta of smartphone penetration, low-cost data rates, and higher incomes, the Indian e-commerce market was expected to grow to US$ 200 billion by 2026. Covid-19 has caused an inflection point for the e-commerce market in India. A Bain & Company-PRICE survey of 3000 households across income groups and geographies, conducted between April and June, revealed that about 13% of respondents were buying online for the first time, while about 40% were buying more online. An NRF survey showed that nearly 6 in 10 consumers say they are worried about going to the store for fear of being infected.

Figure 1: Growth of credit cards in India (Source: RBI database, Bank-wise ATM/POS/Card Statistics, various years)

The majority of the growth is from online shoppers in Tier 2 and Tier 3 cities. The pandemic has also seen a surge in UPI transactions. While credit cards did a total of 185 million transactions delivering a value of INR 805K million, UPI delivered a staggering 3654 million transactions with a value of INR 6543K million, as per RBI and NPCI statistics for Sep 2021.

Key Challenges and Solutions:

With the spectacular growth in the e-commerce market, sophisticated online payment frauds and threats have mushroomed too. An e-commerce transaction involves multiple entities at various stages, such as the marketplace, merchants, payment gateways, and financial institutions, apart from the end consumers, and each of them can act as a vulnerability or attack point for malicious actors. For example:

· End-customer fraud: fraudulent claims, chargebacks, fake buyer accounts, promotion/coupon abuse.
· Malicious fraudsters involved in account takeover, identity theft, card detail theft, etc.
· Data leaks that compromise millions of consumer details every year, contributing to digital fraud through impersonation globally.
· Fraudulent merchants who deploy “bust out” merchant fraud and transaction laundering mechanisms to defraud acquirers.
However, transactional and identity security is not the only concern of financial institutions. It must be balanced with customer experience. Customer loyalties now lie with merchants and banks that offer the best experience in terms of convenience, speed, and security. With the myriad of devices, payment authentication options, and processes, every digital bank faces the ultimate challenge of balancing optimal security with a seamless customer payment experience.

This is where Wibmo’s Trident FRM makes a difference. Trident FRM is a comprehensive, omni-channel, risk-based authentication (RBA) solution that identifies and manages fraud in real time. It does so by building a holistic customer profile from diverse data points.

Figure 2: Risk-Based Authentication

A customer’s transaction journey begins on a checkout page, with a bill payment action, or when a customer does a fund transfer (wire transfer). These actions result in the customer connecting to the bank’s server, and the bank’s server is the integration point from which Trident evaluates the risk of every transaction done by the user in real time. Trident uses the data it receives from multiple channels and devices. Data comes in various forms, such as:

· Transactional data: card number/account number/phone number, amount, currency, merchant or payee information, billing and shipping addresses.
· Location data: terminal ID, IP address, approximate latitude and longitude, ISP data.
· Device data: SDK App ID, browser information, proprietary device fingerprinting.
· User information: time of day for this transaction and any deviations from past customer behavior, using historical data.

With more than 100 data points (in the case of online e-commerce) and a powerful set of operators, Trident allows rules to be written for almost every fraud scenario using an intuitive rule-builder screen. In addition, Trident employs advanced analytics and machine learning algorithms to generate a real-time score and decision for every transaction.
The decision can be one of the following:

· Low Risk: Transactions that can be ALLOWED to proceed without an OTP challenge, thereby delivering a seamless customer experience. In Wibmo’s experience, more than 90% of transactions fall under this category.
· Medium Risk: Transactions suspected to be risky enough to warrant a challenge using a multi-factor authentication method.
· High Risk: Transactions suspected to be very high risk, for which a decline is suggested.

Any suspected fraudulent transaction is marked as a case for automated action or for manual investigation and closure in the Case Management portal. An efficient case management portal drives both proactive and reactive fraud cases using consolidated data across channels. It also generates the various reports that are required for regulatory and compliance purposes.

The benefits of RBA are:

· Reduced financial losses due to fraud.
· Customer delight due to a seamless payment experience.
· Improved compliance with local and global regulatory requirements.
· Reduced total cost of operations by managing fraud cases efficiently and limiting the number of cases routed for manual review.

Impact Analysis:

So, a frequently asked question is: what is the impact of doing risk-based authentication? For a credit card online purchase (card-not-present) scenario, RBA using Trident delivers almost a 6–8% improvement in success rates for banks and almost a 40% reduction in latency for completing the transaction for end customers. To put this in perspective, as of Dec 2020, with an average credit card ticket size of Rs 3,653, 20 lakh online transactions per month for a given bank, and an assumed 1% MDR, this is an additional uptick of Rs 43 lakh every month. Wibmo processes card-not-present transactions for many of India’s largest banks. For a large bank with more than 150 lakh transactions, we were able to save close to Rs 5 lakh in a month.
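An added example, not Trident’s own code, of how a risk-based authentication engine turns the data points listed above (device, location, amount, time of day versus the customer’s history) into the three decision bands described here: ALLOW without an OTP, CHALLENGE with multi-factor authentication, or DECLINE. The rule weights, score thresholds, and the sample customer profile and transactions are constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass
class Transaction:  # transactional, location and device data for one attempt
    amount: float
    billing_country: str
    shipping_country: str
    ip_country: str
    device_id: str
    hour_of_day: int

@dataclass
class CustomerProfile:  # holistic profile built from the customer's history
    known_devices: Set[str]
    usual_countries: Set[str]
    avg_amount: float
    typical_hours: range

# Assumed rule weights and score bands: constructed for this example, not Trident's.
ALLOW_BELOW = 30    # below this: low risk, ALLOW without an OTP challenge
DECLINE_FROM = 70   # at or above this: high risk, DECLINE

def score_transaction(txn: Transaction, profile: CustomerProfile) -> Tuple[int, List[str]]:
    """Fire simple rules against the profile and sum their weights into a risk score."""
    rules = [
        (txn.device_id not in profile.known_devices, 30, "unknown device"),
        (txn.ip_country not in profile.usual_countries, 25, "IP outside usual countries"),
        (txn.shipping_country != txn.billing_country, 20, "shipping/billing mismatch"),
        (txn.amount > 3 * profile.avg_amount, 25, "amount far above customer average"),
        (txn.hour_of_day not in profile.typical_hours, 10, "unusual time of day"),
    ]
    score, reasons = 0, []
    for fired, weight, label in rules:
        if fired:
            score += weight
            reasons.append(label)
    return score, reasons

def decide(score: int) -> str:
    # Map the score to the three decision bands described in the post.
    if score < ALLOW_BELOW:
        return "ALLOW"       # frictionless: no OTP
    if score < DECLINE_FROM:
        return "CHALLENGE"   # step up to a multi-factor challenge
    return "DECLINE"         # reject and open a case for review

def evaluate(txn: Transaction, profile: CustomerProfile) -> Tuple[int, str, List[str]]:
    score, reasons = score_transaction(txn, profile)
    return score, decide(score), reasons

def sample_profile() -> CustomerProfile:
    # Constructed customer; avg_amount uses the post's Rs 3,653 average ticket size.
    return CustomerProfile({"dev-A1"}, {"IN"}, 3653.0, range(7, 23))

def sample_transactions() -> Dict[str, Transaction]:
    # Constructed attempts: (amount, billing, shipping, ip, device, hour of day)
    return {
        "routine": Transaction(2500.0, "IN", "IN", "IN", "dev-A1", 14),
        "new_device_late_night": Transaction(2500.0, "IN", "IN", "IN", "dev-B7", 2),
        "foreign_takeover": Transaction(25000.0, "IN", "RO", "RO", "dev-Z9", 14),
    }

def run_samples() -> Dict[str, str]:
    return {n: evaluate(t, sample_profile())[1] for n, t in sample_transactions().items()}
```

In a real deployment the weights would be tuned on labelled fraud data and the reasons logged alongside the case, so that a CHALLENGE or DECLINE can be explained during manual review.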
Conclusion:

As transaction volumes are set to grow in double digits year on year, and as customers expect to transact from anywhere using multiple devices, the threat of increased online fraud becomes more real. Customers want speed and convenience balanced with security; therefore, banks that deliver the most optimized services will win customer loyalty. Hence, it becomes imperative for issuers to be integrated with robust, omnichannel fraud detection and prevention risk engines. RBA solutions such as Trident FRM are cost-effective and empower banks to stay one step ahead of fraudsters and deliver the delightful customer experiences that customers have come to expect in today’s digital world.

Author: Ajit Nair, Director Product, and Programs Wibmo A
