Payment Security Archives - Digital Payments, Payment Security and Lending

Industry Insights, Product, Reading List, Stories

Beyond OTPs: Why India’s New Biometric Authentication Standards Are the Future of Digital Payments

Wibmo / February 9, 2026

The digital payments landscape in India is on the cusp of a revolutionary transformation. With the Reserve Bank of India’s groundbreaking mandate requiring two-factor authentication for all digital payments effective April 1, 2026, we’re witnessing the dawn of a new era where biometric-first authentication frameworks are set to replace traditional OTP-based security models. This shift represents more than just regulatory compliance; it’s a fundamental reimagining of how we secure digital financial transactions. The End of the OTP Era For decades, OTPs have been the cornerstone of digital security, but they’ve also been its weakest link. With over 80% of data breaches attributed to weak or compromised OTPs, and users experiencing delays and frustrations with SMS-based authentication, the traditional OTP system has become unsustainable. India’s digital payments ecosystem, processing over 8.5 billion transactions monthly, demands a security framework that can scale without compromising user experience. The RBI’s 2026 mandate recognizes this reality, pushing the industry toward authentication methods that are inherently more secure, user-friendly, and fraud-resistant. Why Biometric Authentication is Game-Changing Biometric authentication offers what OTPs never could: Truly unique, non-transferable, and always-available security credentials. Unlike OTPs that can be delayed, intercepted, or compromised, biometric identifiers are intrinsically linked to the individual user. The Security Advantage Biometric authentication provides multiple layers of security that traditional methods cannot match: The User Experience Revolution Biometric authentication eliminates friction from the payment process. No more waiting for OTP messages or carrying physical tokens. A simple fingerprint scan, facial recognition, or voice authentication completes transactions securely and instantly. RBI’s Vision for Secure Digital Payments The RBI’s mandate for two-factor authentication by April 2026 creates a payments ecosystem that can support India’s digital economy aspirations while addressing critical challenges: Fraud Prevention at Scale: India’s proactive approach to authentication standards positions the country as a leader in secure digital finance. Consumer Confidence: Strong authentication standards build trust in digital payments, encouraging broader adoption across demographics and geographies. Financial Inclusion: Biometric authentication removes barriers preventing rural and elderly populations from adopting digital payments. Unlike OTPs requiring phone access and network connectivity, biometric authentication is intuitive and universally accessible. The Technology Behind the Transformation Modern biometric authentication leverages multiple biometric modalities, advanced AI, and risk-based authentication (RBA) to create comprehensive security frameworks that balance protection with user experience. Multi-Modal Biometric Authentication Robust systems combine multiple biometric factors: Risk-Based Authentication: The Smart Layer Risk-based authentication enables systems to make intelligent decisions about authentication requirements in real-time. Rather than applying uniform security measures, RBA analyzes each transaction’s risk profile and adapts authentication accordingly. Real-Time Risk Scoring: Transactions are analyzed using advanced fraud detection engines combining rules and AI/ML models to assess: Intelligent Decision Making: Based on risk assessment, systems determine appropriate authentication paths: Configurable Business Rules: Organizations can define policies that instantly adapt to match risk appetite and market conditions for different card types, transaction amounts, or merchant categories. Out-of-Band Authentication Options Modern RBA systems support multiple authentication methods: Adaptive Authentication in Action Adaptive systems intelligently adjust security measures by evaluating transaction amount and type, user location and device, historical behavior patterns, and network security conditions to make real-time decisions. This approach ensures EMV 3-D Secure and PSD2 SCA compliance while providing analytics dashboards for data-driven insights. The result is increased sales through improved customer experience, reduced fraud through intelligent risk-based decisions, and real-time decision-making using best-in-class machine learning. Leading the Transition with Intelligent Authentication As organizations prepare for the 2026 mandate, comprehensive authentication solutions combine cutting-edge biometric technologies with intelligent risk assessment, creating experiences that are both highly secure and remarkably user-friendly. Comprehensive Biometric Support: Full spectrum support ensures compatibility across diverse user preferences and device capabilities. Regulatory Compliance by Design: Solutions built with RBI guidelines ensure institutions can meet 2026 requirements while positioning for future regulatory developments. Seamless Integration: API-driven architecture enables implementation without disrupting current operations. The Broader Impact on India’s Digital Economy The shift to biometric-first authentication will have implications far beyond payment security: Accelerated Digital Adoption: Simplified, secure authentication will remove barriers preventing many Indians from embracing digital financial services, significantly accelerating financial inclusion. Innovation Catalyst: Robust authentication standards create foundations for sophisticated financial services. With strong identity verification, institutions can confidently offer advanced products through digital channels. Global Leadership: India’s proactive approach positions the country as a global fintech innovation leader, potentially influencing international standards and creating expansion opportunities for Indian fintech companies. Preparing for the Future The transition to biometric-first authentication isn’t just about meeting regulatory requirements; it’s about preparing for the future of digital finance. Organizations embracing this shift early will gain significant competitive advantages: The Road Ahead As we approach the April 2026 implementation deadline, financial institutions and payment service providers must begin preparing for this transformation. The shift to biometric authentication represents one of the most significant changes in digital payment security in decades, but also presents an unprecedented opportunity to create truly secure, user-friendly financial services. Together, we can navigate this change and move towards a safer digital payments ecosystem. We’re here to support you with Wibmo’s advanced Intelligent Authentication Suite – combining multi‑modal biometrics, risk‑based decisioning, and compliance by design – to implement the RBI mandate efficiently and at scale. To know more, write to us at [email protected].

Industry Insights, Product, Reading List

South Africa’s Banking & Fintech Moment: Mandates, Challenges, and How Wibmo Can Help

Ashley Mathura / September 1, 2025

South Africa’s payments landscape is undergoing a significant upgrade. With the Rapid Payments Programme (RPP) / PayShap rolling out real-time, low-cost account-to-account payments, and long-standing rules like 3D Secure for e-commerce, banks and PSPs have a clear direction: safer, faster, interoperable digital money movement. The task now is execution at scale, with resilience, and without friction. The Regulatory Backbone: Who Sets the Rules (and Why It Matters) South African Reserve Bank (SARB) oversees the National Payment System and has set out Vision 2025 goals i.e. competition, innovation, inclusion, and regional interoperability. PASA (Payments Association of South Africa) mandated 3D Secure for online card transactions (initially by 2014), making strong customer authentication a baseline for CNP risk. FIC Act / Prudential Authority anchors AML/CFT obligations with risk-based programmes and supervisory teeth. POPIA (data protection) requires lawful processing and security of personal data; banks also adhere to a sector code of conduct aligned to POPIA. Market Shifts to Watch PayShap (RPP) is South Africa’s real-time payments layer aimed at displacing cash with instant, irrevocable, interoperable payments, and it’s gaining traction year over year. Card-Not-Present (CNP) risk remains elevated: SABRIC reports show CNP is the dominant component of card fraud losses, underscoring the need for better authentication and smarter fraud controls. Conduct & crypto reforms: the FSCA’s 3-year plan progresses the COFI Bill (market conduct), while broader licensing rules will keep evolving for digital assets and new models. The Execution Gap: Key Challenges for Banks & PSPs Balancing real-time speed with real-time risk Faster rails compress decision windows; fraud, scams, and mule activity migrate to instant channels. CNP fraud & authentication fatigue 3DS is necessary, but a clunky customer experience or static rules can dent approvals and merchant revenue. Fragmented data & legacy integration Risk signals live across devices, IPs, behaviors, and internal systems; normalizing them without backend rewrites is challenging. Operational overhead Investigations, rule tuning, and change management drag teams away from strategy. Compliance by design POPIA and AML/CFT require explainability, auditability, and governance beyond “black-box” scoring. South Africa’s Strategic Position in the Payments Ecosystem South Africa’s unique position as a gateway to African markets, combined with its sophisticated banking infrastructure, creates specific opportunities for scalable fraud management solutions. The country’s regulatory maturity and digital payment adoption rates make it an ideal testing ground for innovative payment technologies that can subsequently be deployed across the continent. While established players currently serve major institutions like PayInc (formerly known as BankservAfrica), the market opportunity for specialized, agile solutions remains significant, particularly for institutions seeking more flexible, cost-effective alternatives that can adapt to local market dynamics. Where Wibmo Fits: A Product Stack Built for SA Priorities Wibmo, a PayU company works with issuers, acquirers, processors, and large merchants across digital payments. With proven deployments across emerging markets and growing traction with South African Tier 1 and Tier 2 banks, our solutions address the specific challenges facing the SA market. 1) Trident FRM — Real-time Fraud & Risk Management What it solves: Instant risk decisions across carded and A2A flows, especially CNP fraud and real-time scams. How it helps the SA context: • Aligns with PASA’s 3DS mandate by complementing authentication with risk-based decisioning before, during, and after auth. • Handles burst traffic from PayShap/RPP-driven volumes, with millisecond scoring to avoid payment latency. Capabilities you can deploy: • AI/ML ensemble (10+ models) with enriched device/IP/behavioural signals • Sub-100ms decisioning at scale; 1500+ TPS proven, scaling toward 3500+ TPS • 99.99% uptime architecture for “always-on” payment windows • DIY rule authoring & simulation, plus a configurable case manager to reduce investigation time • Flexible data ingestion—plug in orthogonal data without backend rewires 2) 3D Secure & Contextual Authentication Suite What it solves: Strong step-up only when needed, preserving approval rates and user experience. How it helps the SA context: • Delivers ACS / 3DS Server / RBA components built to meet PASA’s 3D Secure requirement while curbing friction. • Contextual (risk-based) authentication reduces unnecessary OTPs and cart abandonment. 3) Tokenisation & Data Security Services What it solves: Lowers PAN exposure and supports POPIA and scheme requirements via vaulting, network tokens, and lifecycle controls. How it helps the SA context: Minimises sensitive data processing and aids privacy-by-design obligations under POPIA and the banking industry code. 4) Prepaid/Stored-Value Platform (Financial Inclusion & Control) What it solves: Issuing and managing controlled-spend instruments for payroll, disbursements, youth, or thin-file segments. How it helps the SA context: Supports inclusion targets in SARB’s Vision 2025 by enabling safe digital value stores and spend controls. 5) Acquiring & Acceptance Enablement What it solves: Smarter approvals and fewer false declines for merchants; enhanced dispute/fraud handling. How it helps the SA context: Risk-based approvals can lift merchant revenue and trust in e-commerce while keeping CNP risk in check, given SABRIC’s fraud trends. The Value of Local Partnership Working with local fintech providers brings unique advantages to South African institutions: Rand-based Pricing & Forex Protection: • Mitigate currency fluctuation risks with local currency invoicing • Predictable budgeting without USD exchange rate volatility • Contract terms that protect against significant rand depreciation Local Regulatory Expertise: • Deep understanding of SARB, PASA, and POPIA requirements • Compliance support aligned with South African banking regulations • Local legal framework navigation and contract flexibility Regional Market Understanding: • Solutions customized for African market dynamics • Understanding of local fraud patterns and payment behaviours • Gateway to broader African expansion opportunities Agile Implementation & Support: • Faster decision-making without complex international approval chains • Local timezone support and cultural alignment • Flexible contract terms designed for emerging market needs What Good Looks South Africa’s policy environment already rewards safer, faster digital payments. The opportunity is to combine real-time rails (PayShap/RPP) with real-time risk—without sacrificing user experience or uptime. Wibmo’s Trident FRM, Authentication, Tokenisation, Prepaid, and Acquiring solutions are built to meet those mandates and close the execution gap – from CNP fraud today to instant A2A at scale tomorrow. With local partnership advantages and proven success across emerging markets, we’re positioned to support South African financial institutions in their digital

Industry Insights, Reading List, Stories

The Philippines Takes a Bold Stand Against Financial Scams: Understanding AFASA

Shatrughan Sharma / July 8, 2025

How New Legislation is Reshaping Digital Financial Security The Philippines has declared war on financial scammers. With the signing of the Anti-Financial Account Scamming Act (AFASA) in July 2024, the country has taken one of the most comprehensive approaches globally to combat the rising tide of digital financial fraud. But what does this mean for you as a consumer, and how will it change the way banks and financial institutions operate? The Perfect Storm: Why AFASA Was Necessary Picture this: You wake up to find your bank account emptied overnight. Your phone buzzes with transaction alerts showing transfers to accounts you’ve never heard of. Sounds like a nightmare? For thousands of Filipinos, this became reality as financial scams exploded alongside the country’s digital payment revolution. The numbers tell a sobering story. Between 2020 and 2024, the Philippines witnessed: – A 200% increase in phishing attacks targeting bank customers – Over 154% rise in account takeover incidents – An estimated ₱15 billion in annual losses to financial fraud – Thousands of victims losing their life savings to sophisticated scammers The COVID-19 pandemic accelerated digital adoption, but it also created a generation of new digital users who weren’t fully prepared for the sophisticated tactics of modern cybercriminals. Traditional approaches—warning customers to “be careful” and educating them about scams—weren’t enough. Something more decisive was needed. Enter AFASA: Republic Act No. 12010, a game-changing piece of legislation that shifts responsibility for fraud prevention squarely onto the shoulders of financial institutions. What Makes AFASA Different? Unlike previous anti-fraud initiatives that primarily focused on consumer education, AFASA takes a different approach: it makes financial institutions legally responsible for implementing robust fraud prevention measures. Think of it as requiring banks to build stronger vaults rather than just telling customers to guard their money better. The Three Pillars of AFASA 1. Real-Time Fraud Detection: Always Watching, Always Protecting Under AFASA, banks must implement sophisticated AI-powered systems that monitor every transaction in real-time. These aren’t your grandfather’s banking systems that process transactions overnight—these are high-tech guardians that can spot suspicious activity in milliseconds. Imagine a system that knows your spending patterns so well it can instantly flag when someone tries to make a ₱50,000 transfer from your account at 3 AM when you’re typically asleep. That’s the level of protection AFASA mandates. 2. Multi-Factor Authentication: Because Passwords Aren’t Enough Remember when a simple password was enough to protect your bank account? Those days are officially over. AFASA requires banks to implement multi-factor authentication (MFA) for all customer accounts. This means you’ll likely need to provide: – Something you know (like a PIN) – Something you have (like your phone) – Something you are (like your fingerprint) The law specifically restricts the use of SMS-based one-time passwords (OTPs) due to SIM swap fraud concerns. Instead, banks are pushing toward more secure methods like biometric authentication and app-based verification. 3. Anti-Money Laundering: Closing the Criminal Highway AFASA specifically targets “money mules”—people who allow their bank accounts to be used for transferring stolen money, often for a small fee. By criminalizing this practice and requiring banks to detect it, the law aims to close down the highways that criminals use to move stolen funds. What This Means for Different Stakeholders For Consumers: Better Protection, Some New Friction The Good News: Your money is about to become much safer. Banks will be investing billions in fraud prevention technology, and they’ll be legally liable if they fail to protect your accounts adequately. The Reality Check: Logging into your banking app might take a few extra seconds as new security measures kick in. You might need to verify your identity more frequently, especially for large transactions. But think of it this way: would you rather spend an extra 30 seconds logging in or lose your life savings to a scammer? Pro Tip for Consumers: Embrace the changes rather than fighting them. Set up your biometric authentication, keep your banking apps updated, and learn how the new security features work. The small inconvenience is worth the massive protection upgrade. For Banks: A Massive Transformation Challenge Filipino banks are facing one of the largest compliance challenges in recent memory. The requirements aren’t just about purchasing new software—they require fundamental changes to how banks operate. The Investment Reality: Large banks are investing ₱100-300 million each to meet AFASA requirements. Smaller institutions are either partnering with fintech companies or considering consolidation to share costs. The Opportunity: Forward-thinking banks are positioning their AFASA compliance as a competitive advantage. “Bank with us—we’re the most secure” is becoming a powerful marketing message. For Fintech Companies: A Golden Opportunity AFASA has created a massive market opportunity for fintech companies specializing in fraud prevention, authentication, and compliance technologies. Companies offering AI-powered fraud detection, biometric authentication, and compliance monitoring solutions are seeing unprecedented demand. Real-World Impact: Early Success Stories Since AFASA’s implementation, early adopters are already seeing results. One major Philippine bank reported a 70% reduction in successful phishing attacks after implementing advanced behavioral biometrics. Another institution saw account takeover attempts drop by 65% following their multi-factor authentication rollout. But perhaps most importantly, consumer confidence in digital banking is beginning to recover. Surveys show that 78% of customers feel more secure knowing their banks have strengthened fraud prevention measures, even if it means occasional additional verification steps. The Global Context: Philippines as a Leader AFASA positions the Philippines as a global leader in financial cybersecurity legislation. While other countries have piecemeal regulations, few have implemented such comprehensive requirements for financial institutions to actively prevent fraud. Singapore and the UK have similar initiatives, but AFASA’s scope and enforcement mechanisms are among the most robust globally. International observers are watching the Philippines’ implementation closely, with several countries considering similar legislation. Challenges on the Horizon Despite its promise, AFASA implementation isn’t without challenges: Technical Complexity: Integrating advanced fraud detection systems with decades-old banking infrastructure is like performing surgery on a patient while they’re running a marathon. It’s possible, but it requires extraordinary skill and planning. Customer Education: While

Industry Insights, Product, Reading List

From Mandate to Mastery: How Wibmo Helps LFIs Comply with CBUAE’s Authentication Guidelines

Nelson De Souza / June 24, 2025

Wibmo’s Authentication Suite is purpose-built to help LFIs navigate this regulatory transformation. Our platform enables secure, seamless, and intelligent authentication across both issuing and acquiring operations — empowering banks and fintechs to comply with CBUAE mandates while enhancing customer trust.

The solution combines biometric verification, passkey-based login, and AI/ML-driven RBA, integrated via lightweight SDKs and APIs. This makes it easy for financial institutions to embed strong security directly into their mobile and web applications — without overhauling existing infrastructure.

From logins to lifecycle events to high-value transactions, Wibmo makes every touchpoint secure, compliant, and frictionless.

Product, Reading List

The Real Story Behind False Declines and How Wibmo Trident FRM Secures Transactions

Animesh Jha / October 21, 2024

In today’s fast-evolving digital economy, businesses rely heavily on seamless online transactions to drive growth and customer satisfaction. However, false declines — legitimate transactions mistakenly flagged as fraudulent — have become a growing concern. These incidents lead to customer frustration and significant revenue loss. As fraudsters continue to innovate, businesses must deploy advanced security measures that both combat fraud and minimize false declines. In this blog, we explore the causes and impact of false declines and how Wibmo’s Trident FRM (Fraud Risk Management) system helps businesses reduce these risks while providing secure, frictionless payment experiences. What Are False Declines? False declines, also called false positives, occur when valid transactions are incorrectly rejected due to fraud detection systems being overly cautious. These rejections can be triggered by unusual spending patterns, technical errors, or overly strict fraud detection algorithms. While these systems aim to block fraudulent activity, they can sometimes hinder genuine transactions. In 2023, false declines have been an expensive issue for businesses, costing global eCommerce firms an estimated $81 billion in lost revenue. This highlights the need for more advanced fraud detection systems that balance security with customer convenience. The Impact on Businesses and Consumers False declines affect both businesses and consumers alike. For businesses, the immediate loss of revenue from rejected transactions is just the beginning. Customer churn is a serious consequence, as 47% of customers who experience a false decline may not return, leading to long-term revenue loss. Additionally, false declines contribute to operational inefficiencies as businesses deal with disputes and chargebacks, further affecting profitability. For consumers, having a legitimate transaction rejected can damage trust and loyalty. The frustration caused by a false decline often leads to customers turning to competitors, affecting future engagement. How Wibmo Trident FRM Reduces False Declines To address these challenges, Wibmo’s Trident FRM (Fraud Risk Management) provides a sophisticated solution that combines machine learning, real-time data analysis, and behavioural analytics to accurately assess transaction risk. Key Features of Wibmo Trident FRM: Trident FRM continuously monitors user behaviour, detecting anomalies and signs of potential fraud. This advanced fraud detection helps block fraudulent transactions while allowing legitimate ones to be processed without interruption. Unlike traditional fraud detection systems, Wibmo Trident FRM adapts to emerging fraud patterns. It fine-tunes authentication requirements based on transaction risk, ensuring a balance between fraud prevention and customer experience. Leveraging AI-powered data analytics, Wibmo Trident FRM offers real-time fraud detection, blocking fraudulent transactions as they occur. This ensures that businesses can process legitimate transactions smoothly while preventing unauthorized activities. Combating Online Fraud The global rise of eCommerce has seen an increase in online fraud, with $48 billion in eCommerce fraud losses globally in 2023. Businesses must adopt proactive fraud prevention strategies to avoid these significant financial losses. Wibmo Trident FRM provides a robust solution that not only protects businesses but also reduces the frustration caused by false declines. Best Practices for Fraud Prevention: Benefits of Wibmo Trident FRM Wibmo Trident FRM allows businesses to strike the right balance between security and customer experience. By reducing false declines, businesses can protect their revenue and build long-term customer trust and loyalty. Its adaptive approach ensures that customers enjoy a seamless and secure payment journey, even in a high-risk online environment. Customer Experience Impact: With fewer interruptions and smoother transactions, Wibmo Trident FRM enhances the overall customer experience, helping businesses maintain customer loyalty while ensuring secure payments. Conclusion As online fraud continues to rise, it’s crucial for businesses to adopt advanced fraud management solutions. False declines can cause both financial losses and customer dissatisfaction, making it essential to minimize them through intelligent risk management. Wibmo Trident FRM offers an effective solution that provides real-time, adaptive fraud prevention while ensuring legitimate transactions are processed smoothly.

Reading List, Tech Bytes

The Role of AI and ML in Averting Fraud in Real Time

Sudhindra Magadi / October 3, 2024

Fraudsters are becoming increasingly sophisticated, leveraging advanced technologies to exploit vulnerabilities. As a leading provider of secure payment solutions, Wibmo understands the critical role that artificial intelligence (AI) and machine learning (ML) play in averting fraud in real-time. This blog explores how AI and ML are transforming fraud prevention, the benefits of these technologies, and how Wibmo’s innovative products are at the forefront of this battle. The Growing Threat of Fraud Fraud is a pervasive issue that affects individuals and organizations worldwide. According to a report by Juniper Research, global losses from online payment fraud are expected to exceed $206 billion between 2021 and 2025. This staggering figure underscores the urgent need for effective fraud prevention measures. How AI and ML Combat Fraud AI and ML are revolutionizing the way we detect and prevent fraud. These technologies enable systems to analyse vast amounts of data, identify patterns, and make real-time decisions. Here are some keyways AI and ML are used in fraud prevention: The Benefits of AI and ML in Fraud Prevention The integration of AI and ML in fraud prevention offers numerous benefits: Wibmo’s AI and ML Solutions At Wibmo, we leverage AI and ML to provide cutting-edge fraud prevention solutions. Our products are designed to protect users and organizations from a wide range of fraudulent activities. Here are some of our key offerings: Real-World Impact of AI and ML in Fraud Prevention The impact of AI and ML in fraud prevention is evident in various industries. For instance, banks using AI-powered fraud detection systems have reported a 50% reduction in false positives and a 30% increase in fraud detection rates. Similarly, e-commerce platforms have seen a significant decrease in chargebacks and fraudulent transactions by implementing AI and ML solutions. The Future of AI and ML in Fraud Prevention As AI and ML technologies continue to advance, their role in fraud prevention will become even more critical. Here are some trends to watch for: In the fight against fraud, AI and ML are powerful allies. These technologies enable real-time detection and prevention, ensuring that individuals and organizations can stay one step ahead of fraudsters. At Wibmo, we are committed to leveraging AI and ML to provide innovative fraud prevention solutions that protect our users and enhance their security. By staying informed about the latest trends and continuously improving our systems, we can create a safer digital environment for everyone. By understanding the role of AI and ML in fraud prevention and adopting advanced solutions like those offered by Wibmo, you can significantly reduce the risk of falling victim to fraud. Stay vigilant, stay informed, and stay secure.

Industry Insights, Reading List, Stories

Securing Digital Transactions During the Festive Season with Wibmo: A Trusted Partner for Seamless and Safe Payments

Dinesh Kumar KN / September 23, 2024

The festive season brings an immense surge in online shopping and digital payments. In 2023, Diwali sales alone saw a 49% increase in online transactions, along with a 35% rise in website traffic, making it one of the most lucrative periods for businesses. However, with this rise comes a higher risk of fraud and security breaches. Securing seamless transactions is essential for protecting both revenue and customer trust during this busy season. Wibmo Protect is designed to address these challenges, offering a comprehensive solution that ensures secure and frictionless transactions, even during the peak of the festive rush. How Wibmo Protect Safeguards Festive Transactions 1. Multi-Layered Security with Adaptive AuthenticationWibmo Protect uses dynamic, multi-factor authentication (MFA) to safeguard transactions by adapting security measures based on real-time risk. This reduces the friction for legitimate customers while ensuring robust protection against fraud. Given that the 2023 festive season saw a 72% spike in online sales just two days before Diwali, adaptive authentication is crucial to maintaining a seamless shopping experience without compromising security. 2. Real-Time Fraud Detection & PreventionThe festive season also brings an increase in fraudulent activities. Wibmo Protect’s AI-driven fraud detection engine continuously monitors transactions, instantly identifying suspicious patterns and blocking unauthorized activities in real-time. With eCommerce fraud expected to rise during high-traffic periods like Diwali, proactive fraud detection minimizes losses and protects businesses from financial threats. 3. Seamless Integration with Payment EcosystemsBuilt on industry-standard 3D Secure protocols, Wibmo Protect easily integrates into existing payment ecosystems, ensuring secure transactions without disruption. This is particularly important as conversion rates during the 2023 festive season increased by 22%, emphasizing the need for a frictionless user experience while handling high volumes of transactions. 4. Scalability for High Transaction VolumesThe Indian eCommerce sector recorded significant growth, with over ₹3.75 lakh crore in retail trade during Diwali 2023. Wibmo Protect’s scalable infrastructure is built to handle such high transaction loads, ensuring that businesses can maintain security and efficiency even when managing millions of transactions daily. 5. Compliance with Global and Local RegulationsWibmo Protect adheres to global standards like PCI-DSS and complies with local regulations, such as the RBI’s Additional Factor Authentication (AFA) guidelines. This guarantees that businesses remain secure and compliant, reducing the risk of regulatory fines during peak transaction periods. 6. Advanced Machine Learning for Fraud Pattern RecognitionWibmo Protect leverages machine learning to stay ahead of emerging fraud patterns. During high-traffic periods like the festive season, when fraudulent activities spike, Wibmo Protect’s system identifies and prevents new fraud attempts, ensuring businesses stay protected. Why Businesses Trust Wibmo Protect As businesses gear up for the festive season, securing digital transactions is crucial to providing a seamless shopping experience while protecting against fraud. With Wibmo Protect, businesses can confidently manage high transaction volumes and safeguard their customers from evolving threats during the festive season. Keep your payments secure this festive season with Wibmo Protect, your trusted partner for secure, seamless transactions.

Industry Insights, Reading List

Transforming India’s Digital Payments: The Rise of AePS and Its Challenges

Gaurav Chimote / June 19, 2024

A Decade of Digital Evolution India’s digital landscape has undergone a remarkable transformation over the past decade. With the advent of digital payment channels such as UPI, IMPS, and net banking, the country has achieved unprecedented growth in digital transactions. Despite these advancements, one specific demographic—rural middle-aged to senior citizens—was not fully utilizing this ecosystem. To address this gap and make basic banking services accessible in areas with limited banks and ATMs, the government launched the Aadhaar Enabled Payment System (AePS). Introduction of AePS The Aadhaar Enabled Payment System, introduced by the NPCI in 2016, is a digital payment method based on the Unique Identification Number (UIN) linked to the Aadhaar card. It allows Aadhaar cardholders to conduct financial transactions via Aadhaar-based authentication without needing to visit a bank. Instead, these transactions are facilitated by business correspondents (Bank Mitras) using micro-ATMs. AePS empowers all sections of society by making financial and banking services accessible to everyone through Aadhaar. It supports seamless fund transfers, cash deposits, withdrawals, balance inquiries, and more. Additionally, AePS facilitates the disbursement of government welfare schemes such as NREGA, social security pensions, and old age/handicapped pensions. Exponential Growth Since its launch, AePS has seen a significant boost in utilization. In 2019, the revenue from AePS transactions was around INR 5 billion. Within five years, this figure skyrocketed to INR 51 billion in 2024, a tenfold increase. By 2025, it is projected to reach INR 67 billion. In 2023 alone, over 370 million customers conducted transactions through AePS, highlighting its widespread adoption and success. Rising fraud concerns However, the rapid growth of AePS has also attracted fraudsters, targeting the predominantly rural, middle-aged, and senior population. Over the past 2–3 years, numerous reports of AePS-related fraud have surfaced. For instance, in Hyderabad, a gang of cybercriminals was arrested for fraudulently withdrawing ₹14.64 lakh from 149 customers. Such incidents underscore the growing risk of cyber-financial scams associated with AePS. According to the Indian Cyber Crime Coordination Centre (I4C), AePS frauds accounted for 11% of cyber financial scams originating in India in 2023. Addressing Fraud: RBI and NPCI Initiatives In response to the increasing fraud cases, the RBI has instructed banks to streamline the onboarding process for AePS touchpoint operators, including mandatory due diligence. Additional fraud risk management requirements are also being considered. The NPCI has released circulars addressing customer withdrawal limits, account statements, and Business Correspondent (BC) onboarding procedures. Strengthening onboarding processes AePS providers must rigorously scrutinize the onboarding processes for business correspondent agents. This involves conducting comprehensive background checks to verify the authenticity and credibility of potential agents. Additionally, a risk-based categorization system should be implemented, where agents are classified based on an assessment of their history, including any previous instances of fraudulent activities or non-compliance. By adopting a detailed and systematic approach to onboarding, AePS providers can ensure that only trustworthy and low-risk agents are integrated into the system. Moreover, continuous monitoring and periodic reassessment of BC agents are crucial to maintaining high standards of integrity and security. Regular training and awareness programs should be conducted to keep agents updated on the latest security protocols and fraud prevention techniques. By strengthening these onboarding and monitoring processes, AePS providers can significantly reduce the risk of fraud and enhance the overall security and reliability of the payment system. This proactive approach not only safeguards the interests of users but also fortifies the reputation and operational efficiency of the AePS ecosystem. Common fraud scenarios One prevalent fraud scenario involves unauthorized cash withdrawals, where users receive no indication of the transaction. Fraudsters often impersonate fingerprints or deceive customers about the success of transactions. In some instances, BC agents have been known to use silica gel to replicate fingerprints, further complicating the detection of fraudulent activities. These sophisticated methods of fraud underscore the necessity for AePS providers to enhance their security measures and address these specific threats comprehensively. To combat these issues effectively, AePS providers need to strengthen their ecosystem and focus on specific patterns to identify and mitigate fraudulent activities. Key Areas of Focus Preparing for Future Challenges Currently, the primary issue revolves around cash withdrawals. However, with the increasing volume of fund transfers, there is a potential risk of anti-money laundering activities. As AePS providers continue to expand their services, they need to be adequately equipped to handle these emerging challenges. This involves not only detecting and preventing fraudulent activities but also complying with stringent regulatory requirements to ensure the integrity of the financial system. Conclusion The AePS industry is booming, and as it grows, fraudsters will seek new ways to exploit the system. To sustain growth and protect users, financial institutions must enhance fraud and risk management systems by investing in advanced technologies like artificial intelligence and machine learning for real-time monitoring and anomaly detection. Continuous education and training for users and service providers on potential risks and best practices are also crucial. By implementing robust security measures, the AePS ecosystem can mitigate fraud risks and continue to flourish, driving financial inclusion and transforming India’s digital payment landscape. Collaboration with regulatory bodies is essential to stay ahead of emerging threats and ensure a secure, seamless payment experience. With a concerted effort towards enhancing security and compliance, the AePS industry can thrive, paving the way for a more inclusive and digitally empowered India.

Industry Insights, Product, Reading List

Wibmo Protect — Adaptive Multi-Factor Authentication Solution

Anand K Khanna / February 28, 2024

The Reserve Bank of India (RBI) has embarked on a transformative journey by proposing a Principle-Based Framework for the authentication of digital transactions. This pioneering initiative underscores the RBI’s commitment to fostering a secure, seamless, and customer-centric digital payments ecosystem. The primary objective of this framework is to propel the adoption of alternative authentication mechanisms, transcending the traditional SMS OTP paradigm. By embracing innovative authentication solutions, the RBI seeks to elevate the customer experience while fortifying the security infrastructure of digital payments. Furthermore, this strategic move is poised to empower businesses to embark on a journey of innovation, enabling them to explore cutting-edge solutions while upholding the highest standards of security and integrity. In essence, the Principle-Based Authentication Framework heralds a new era of digital transactions, characterized by enhanced security, heightened user experience, and unparalleled innovation. Challenges with OTP Authentication: Traditional SMS OTPs, while prevalent, present significant limitations and risks. They heavily rely on mobile service providers, are susceptible to interception, and contribute to transaction delays and failures, leading to user frustration and financial losses. Limitations of Traditional SMS-Based OTP Authentication: – Reliance on Mobile Service Providers: SMS OTPs are entirely dependent on mobile service providers, making them susceptible to network coverage issues and unable to support offline mode. – Inadequate Support for Cross-Border Transactions: Due to network dependencies, SMS OTPs face challenges in facilitating cross-border transactions and international access. – High Transaction Authentication Failure Rate: In the current scenario, the authentication failure rate for card transactions using SMS OTPs averages between 5% to 8%, primarily due to network dependencies. – Vulnerability to Cyber Threats: SMS OTPs are prone to interception, phishing, MITM attacks, and sim swapping, lacking robust protection for authorized access. – Rising Instances of Fraud: Cybercrimes, including fraud cases involving SMS OTPs, have surged, with approximately 1.1 million fraud cases registered in 2023, amounting to Rs 7,488.6 crore. Additionally, UPI fraud cases reached over 95,000 in the 2022–23 fiscal year. – User Experience Disruptions: Delays or delivery failures in SMS OTPs disrupt the user experience, leading to frustration and contributing to merchant conversion losses. – Increased Operational Costs: Constant intervention is required to manage authentication experiences across various channels, leading to additional costs. The average SMS cost per transaction is 12 paise, which escalates based on the chosen channels. Wibmo Protect: A Revolutionary Solution: Wibmo Protect, a cutting-edge platform, aligns seamlessly with the RBI’s framework. Utilizing a risk-based contextual authentication approach, it leverages machine learning and deep data analytics to detect and prevent fraudulent transactions in real-time. Contextual authentication further enhances security, enabling swift and secure payments without OTPs. Key Benefits of Wibmo Protect: Wibmo Protect offers a multitude of benefits, including: – Fraud Detection & Prevention – Dynamic Risk-based Authentication – Preference-based authentication with multiple modes – Multi-channel support for various transaction types – Reduced chargebacks and increased revenue growth – Merchant opt-out feature – Enhanced consumer authentication experience Wibmo Protect combines three powerful modules: 1. Access Control Server (Accosa ACS): A holistic payment authentication platform integrated with an intelligent risk engine. 2. Enterprise Trident FRM: A comprehensive cross-channel, self-learning risk assessment engine. 3. Tridentity: A multifactor out-of-band authentication solution offering secure, password less authentication. Wibmo Protect emerges as a game-changer in digital transaction security. By embracing innovative technologies and adaptive authentication methods, it sets new standards for security, efficiency, and customer satisfaction. With its comprehensive suite of modules, Wibmo Protect stands as a beacon of trust and reliability in the evolving landscape of digital transactions. Through continuous innovation and commitment to security, Wibmo paves the way for a secure and seamless digital future. Author: Anand K Khanna, Product Manager — Fraud & Risk Management Wibmo A PayU/Naspers FinTech Company Digital Payment, Fraud Detection, Multi-Factor Authentication, Payment Security, RBI

Reading List

Browser Fingerprinting- Part 2

Vaibhav Chandel / June 16, 2023

Are you all set to find out more about browser fingerprinting? We bring you Part 2 of this series. Types of Fingerprinting Techniques: Canvas Fingerprinting: The browser fingerprinting technique uses the HTML5 canvas element to identify variances in a user’s GPU, graphics drivers, or graphics card. Steps- First, the script draws an image, often overlaid with text. Then, the script captures how the user’s web browser has rendered the image and text. Naturally, every device with different hardware and drivers will render the image slightly differently, distorting its colour and shape. A hash is then computed using the rendered image’s data, which serves as the ‘canvas fingerprint.” The scripts used for canvas fingerprinting operate in the background to keep the user from realizing that the fingerprinting is occurring. This fingerprinting technique is accurate and not too processing-intensive, making it one of the most commonly employed script techniques. The visitor’s specific browser and device render images, which can be narrowed down to a pool of fewer than 0.01% of total visitors. WebGL Fingerprinting: WebGL fingerprinting is very similar to Canvas fingerprinting, as they both use the browser to render images off-screen. The WebGL API can be used to render 3D forms in the browser. With the help of the three.js JavaScript library, many 3D forms can be rendered, such as Sphere Cube Precomposed geometric shapes The test is not that reliable because it is too sensitive to changes in the environment, such as the size of the browser window or the use of the browser console. These changes caused the dimensions of the rendering context to be updated, which resulted in different rendering results when the page was reloaded. The methodology is still to use images to distinguish users based on their graphics drivers and device hardware. Media Device Fingerprinting: This technique uncovers a list of all the connected media devices and their respective IDs on a user’s laptop or PC. This includes all internal media components like video cards and audio cards, as well as all connected or linked devices like headphones. Media device fingerprinting is not widely used for fingerprinting functions. This is because it requires the user to grant access to their microphone and camera to get a complete list of connected devices. Audio Fingerprinting: While other fingerprinting techniques force browsers to render a text or image, this technique checks how their devices play sound. The browser vendor and version used impact minute differences in sound waves generated by a digital oscillator and differences in CPU architecture. Clock Skew: Clock skew is a measure that can be used to identify the hardware specifications of a machine by analyzing the uneven arrival of electrical signals from a clock generator at different components. These differences can be affected by temperature variations in the hardware and can be analyzed with sufficient data and numerical analysis. This is considered an extreme measure in the field of fingerprinting. Browser fingerprinting workflow: Utilizing browser fingerprinting for authentication during payments as an additional layer of security and protection against fraud is helpful, but it has to be coupled with a two-factor authentication process. Two-factor authentication involves verifying a user’s identity using two different methods, such as a password and a fingerprint or a code sent to their mobile device. By adding browser fingerprinting as a third factor, Wibmo’s Trident FRM solution uses canvas fingerprinting and creates a more secure and reliable payment authentication process. It is important to ensure that proper privacy protections and data security measures are in place, as browser fingerprinting data is unique to each user and can be used to track and identify individuals across different websites and devices. Additionally, it’s important to comply with data privacy regulations such as GDPR, CCPA, and the upcoming Digital Personal Data Protection Bill when collecting and storing browser fingerprint data. Fingerprinting and Online Fraud Detection: Browser fingerprinting techniques can be useful for identifying and targeting visitors with a pattern of fraudulent behaviour on a website. These techniques can be particularly effective in identifying users who use identity concealing techniques such as disabling cookies, using a VPN, or browsing in incognito mode. 1.In cases of account takeover, where malicious users try to hack a legitimate user’s account, fingerprinting and other user identification technologies can be used to add additional security measures to the login process for suspicious traffic only. 2.To prevent brute force or bot attacks, it is best practice to require users to solve a CAPTCHA after a certain number of failed login attempts and to lock out the user for a set time after a certain number of attempts, as such attacks often rely on automation and thus may not have the unique browser configurations of genuine users. a. Browser fingerprinting can detect bots through their unusual browser configurations. b. Multiple login attempts with the same fingerprint can signal a brute-force attack. c. Bots that either lack a unique fingerprint or use identical fingerprints can be spotted and investigated. d. It can improve CAPTCHA systems by triggering a CAPTCHA when a fingerprint is linked to suspicious activity. 3.For phishing scams, requiring email or two-factor authentication for new fingerprints attempting to log in and blocking repeatedly visited fingerprints can also be effective measures. Conclusion: Limitations and current scenario of browser fingerprinting: Author: Vaibhav Chandel, Product Manager Wibmo A PayU/Naspers FinTech Company BaaS