By Maddie Vagadori, Solutions Consultant, Forter and Alyssa Huitema, Solutions Consultant, Forter
With constant news of data breaches exposing user credentials, traditional username and password authentication is not secure enough. According to a Spycloud study at the beginning of 2022, 64% of users repeat passwords and apply the same set of credentials across many sites, giving bad actors relatively easy ways to gain unauthorised access to their accounts. The National Cyber Security Centre (NCSC) recently published guidance for retailers in particular to “move beyond password authentication” – in order to protect both brand reputation and customers.
This rising threat underscores the importance of protecting digital identities: ensuring a user is indeed who they say they are before granting sensitive access. Multi-factor authentication (MFA) is the industry standard for securing accounts and supplementing traditional username and password authentication, adding a second layer of defence. There are three main buckets of factors:
- Something you know (e.g., security questions)
- Something you have (e.g., a text message sent to your device)
- Something you are (e.g., biometric authenticators).
MFA drastically reduces the likelihood of account takeover, safeguards sensitive data and makes consumers feel like their online information is more secure. But MFA is not infallible, and not all factors are created equal, as there are varying degrees of man-in-the-middle resistance, susceptibility to social engineering, etc. Moreover, attackers are reaching new levels of sophistication that transcend what passwords and MFA can effectively handle.
Indiscriminate use of MFA can also cause customer frustration and abandonment. In an environment of shrinking attention spans and heightened consumer expectations, a friction-filled authentication flow can lead to significant churn.
MFA solutions have become more adaptive in nature as many efforts have been made to bridge the gap between security and usability. A combination of rules is often used to inform when to prompt for MFA (e.g., prompt based on device, IP, or geolocation). The ultimate goal is to give users the experience they deserve: optimising account-specific experiences for good customers while thwarting bad actors.
3DS and PSD2 in EMEA
Customer authentication and MFA have not just become accepted practices in eCommerce, they have also been codified into law in various regions and countries. In 2015, the EU introduced PSD2, a revised directive intended to regulate payment services and protect consumers throughout the EU and European Economic Area (EEA). The most important component of PSD2 is the requirement for Strong Customer Authentication (SCA), which means that a consumer must be authenticated using additional methods or parameters. One of those methods is called 3-D Secure (3DS), which was introduced as a secure authentication method for online transactions.
3DS allows an issuing bank to try to authenticate the buyer on the merchant checkout page. Successful processing of a 3DS transaction shifts liability from the merchant to the issuer. And while there have been some improvements made to 3DS (3DS2 vs. 3DS1), it is not exactly a “silver bullet.”
Some positives of 3DS are that it provides an added layer of security, shifts the liability off the merchant, raises a shopper’s confidence in their online security and allows merchants to maintain compliance under regulations like PSD2. But there are drawbacks: it can cause added friction in the consumer’s journey, which can lead to cart abandonment and false declines. Forter’s projections warn that merchants who apply 3-D Secure (3DS) authentication to all of their UK transactions are likely to lose 8-10% of revenue due to 3DS authentication failure and authorisation failure.
In this current economic climate, it is perhaps even more important for retailers to minimise friction and reduce lost revenue. Merchants who take a blanket approach and deploy 3DS to everyone are losing up to 30% of transactions to failure or abandonments. But when 3DS, like all MFA, is applied intelligently, the positives far outweigh the negatives and merchants have the opportunity to reduce lost revenue by up to 80%.
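As an added illustration of the rule-based, selective prompting described in the MFA section and here (example code written for this page, not Forter's engine or anything from the article), the function below combines device, network, geolocation and transaction-value signals into a score and decides per attempt whether to let it through, challenge it with MFA/3DS, or decline it. Every weight, threshold, IP address and profile value is a constructed assumption.

```python
from dataclasses import dataclass

# Constructed example of a rule-based step-up decision. Weights and thresholds
# are illustrative assumptions, not values from the article or any product.

@dataclass(frozen=True)
class Attempt:
    user: str
    device_id: str
    ip: str
    country: str
    amount_gbp: float = 0.0   # 0 for a plain login, >0 for a checkout

@dataclass(frozen=True)
class Profile:
    known_devices: frozenset
    known_countries: frozenset
    known_networks: frozenset  # /24 prefixes the user has signed in from before

def network_of(ip: str) -> str:
    """Collapse an IPv4 address to its /24 so a DHCP change alone does not look new."""
    return ".".join(ip.split(".")[:3])

def score_attempt(a: Attempt, p: Profile) -> tuple[int, list[str]]:
    """Accumulate risk points from each signal; return the total and the reasons."""
    score, reasons = 0, []
    if a.device_id not in p.known_devices:
        score += 40; reasons.append("unrecognised device")
    if a.country not in p.known_countries:
        score += 30; reasons.append("unseen country")
    if network_of(a.ip) not in p.known_networks:
        score += 15; reasons.append("unfamiliar network")
    if a.amount_gbp > 250:                      # constructed high-value threshold
        score += 20; reasons.append("high-value transaction")
    return score, reasons

def decide(a: Attempt, p: Profile, challenge_at: int = 40, deny_at: int = 90) -> str:
    """Map the score to an action: 'allow' (no prompt), 'challenge' (MFA or 3DS), 'deny'."""
    score, _ = score_attempt(a, p)
    if score >= deny_at:
        return "deny"
    if score >= challenge_at:
        return "challenge"
    return "allow"

# Constructed sample profile and attempts (TEST-NET addresses, fictional devices).
ALICE = Profile(frozenset({"dev-a1"}), frozenset({"GB"}), frozenset({"198.51.100"}))
RETURNING = Attempt("alice", "dev-a1", "198.51.100.17", "GB", 45.0)   # known everything
NEW_PHONE_HOME = Attempt("alice", "dev-b9", "198.51.100.200", "GB", 45.0)  # new device only
ABROAD_UNKNOWN = Attempt("alice", "dev-z0", "203.0.113.5", "BR", 600.0)    # all signals fire

if __name__ == "__main__":
    for att in (RETURNING, NEW_PHONE_HOME, ABROAD_UNKNOWN):
        print(att.device_id, att.country, decide(att, ALICE), score_attempt(att, ALICE)[1])
```

The returning customer on a known device passes with no prompt, the new device at home gets a challenge rather than a decline, and only the attempt where every signal fires is denied outright.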
Where are we? How can we improve?
Thanks to Forter’s vast network and close working relationships with our customers, Forter was able to leverage data and enumerate trends in security/identity incidents. In 2021, there was a 109% increase in fraudulent accounts created around the world, with up to 4% of attempts to create new accounts being fraudulent attempts. With regard to customer experience, 19% of consumers stated they would not shop at a retailer again if their personal information was hacked.
But there is a way forward: when merchants reduce or remove authentication friction, it leads to an increase in conversion rates by more than 35%. More importantly, it makes a consumer feel that their online security is taken seriously and only solidifies and strengthens a long-term relationship with your business.
The pandemic-accelerated shift to eCommerce has increased the opportunities for fraudsters. Sophisticated bad actors are more than capable of circumventing two-factor authentication (2FA) by spoofing mobile phone numbers to intercept the one-time passcodes needed to verify transactions. We are also seeing fraud-as-a-service proliferating as fraudsters monetise their efforts, offering simple access for low-skilled criminals.
In the next 3-5 years, when PSD3 is forecast to be implemented, the digital payments legislation must simultaneously raise fraud prevention capability to a level commensurate with the escalating threat, but crucially without compromising the buying experience for genuine customers. It should add a level of flexibility for the entire payments ecosystem, allowing customers and merchants control over how transactions are secured. And the speed at which the eCommerce environment is evolving strongly suggests that PSD3 should be scoped and defined as quickly as possible, to avoid becoming obsolete before it can be implemented.