Risk-Based Authentication for "Frictionless" 3-D Secure
JB Dumerc
2017/5/23
ThreatMetrix Introduction
• Headquarters: Silicon Valley (San Jose, USA)
• CEO: Reed Taussig
• Employees: around 200
• Offices: New York, London, Paris, Tokyo, Hong Kong, Singapore, Sydney
• Customers: more than 5000 (including through partners)
• Installed base: eCommerce, eBanking, Payment, Fintech, Social Networking, Telecommunications
• Installations: more than 30,000 web sites and mobile applications
• Transaction volume: more than 2 billion / month
• Database: 4.5 billion devices / 1.8 billion personas
[Platform overview diagram with the following labels: Digital Identity Intelligence; Dynamic Decision Platform; Smart Authentication; Persona, Behavior, Device & Location, Malware; Login, Sign-up, Step-Up, Payment (NG); eCommerce, Payment, Brokerage, Loans, Insurance, Travel, Media, SNS, Gaming]
ThreatMetrix Confidential Information – Do Not Copy or Distribute Without Express Written Permission 5
Valuable ecosystem partners throughout the world and across industries
Constraints with Legacy 3D-Secure
Typical "High Friction" Authentication Prompt
Cardholders are inconvenienced by suddenly being prompted for additional authentication, leading to a high level of abandonment and call center support.
Impact of 3-D Secure on Conversion Rate
[Chart: Positive (more transactions) vs Negative (abandonment); values shown: -60% and +30%]
Today's cross-border fraud cannot be tackled solely at the national level
Source: ThreatMetrix Q4, 2016 Cybercrime Report
Increased Coverage / Reduced Friction
[Diagram: enrolled cardholders vs a legacy ACS server (no risk-based authentication) with a User ID / password prompt; labels: Limited Coverage, Systematic Challenge, Selective]
Selective Authentication Prompt
The cardholder experience has come under criticism and some merchants complain that Verified by Visa can have a negative impact on conversion rates. Consequently, Verified by Visa is evolving – and one of the big breakthroughs is Risk-Based Authentication.
Less Friction => Higher Purchase Conversion
Source: Visa UK (Frictionless Experience in Verified by Visa)
Example of Service Improvement
[Chart: x6 improvement. Source: Visa UK (Frictionless Experience in Verified by Visa)]
Result on VISA's in-house operated ACS (VCAS)
Integrating ThreatMetrix intelligence with Visa network data provided a more accurate risk score for cross-border and global transactions, helping reduce friction and abandonment.
Migrating with ThreatMetrix to Risk-Based Authentication from your legacy 3-D Secure
1) Your current ACS 1.0.2
2) Next Generation ACS 2.0
Legacy "High Friction" 3-D Secure (3DS1.0.1 – No Risk-Based Authentication)
[Flow diagram: the cardholder shops on the EC site (PSP) and reaches the payment page; the Issuer ACS shows an authentication page with a User ID / password prompt: the "friction" of authentication]
Introducing "Frictionless" Risk-Based Authentication (3DS1.0.2)
[Flow diagram: the cardholder shops on the EC site (PSP); profiling runs on the payment page (3DS Method) and the PSP makes an API call; profiling data is sent to the Digital Identity Network; the Issuer ACS receives the authentication result and returns ACCEPT, CHALLENGE or DENY; only a CHALLENGE shows the User ID / password prompt (inline pop-up or authentication page)]
From now on, EC merchants and their PSP need to take care of profiling!
[Sequence diagram fragment: ACS server and ThreatMetrix; authentication step-up challenge; step 15: determine challenge outcome]
Correlation with 3D-Secure Method
Two Profile Detection Methods in 3-DS 2.0
2. Optional Profiling from the ACS
Next Generation Integrated Layered Profiling
What Makes the Digital Identity?
[Diagram: a Digital Identity linking devices (Device 2), phones (Phone 1, Phone 2), a username and Your Company]
Understanding the complex behavior and profile of a persona and its relationships between associated devices, credentials and threats.
Shared Intelligence: analyzing more than 80 million daily transactions across 30,000 web or mobile applications and across 4.5 billion devices in 240 countries.
Our Customers Contribute to the Network to Create Shared Intelligence about Global Digital Identities
[Diagram: the Digital Identity score, reasons and attributes]
Wider Set of Attributes for Higher Risk Assurance
Profiling: 600 attributes
• Standard data input (hashed or clear): Agent, Cardholder, Context, Merchant, Account, Brand, Transaction
• Additional OOB data: Behavior, Threat, Persona, Device, Network & Location
Scoring: real-time and fully customizable rule engine (>100 rules)
[Score scale from +100 through +30, +20, +10, 0, -10, -20, -30 down to -100, banded into PASS, REVIEW and REJECT]
Example of Rules Weighting
Rule Name                      Rule Score
DeviceCountriesNotAllowed      -50
HiddenProxy                    -25
3EmailPerDeviceDay             -25
SatelliteProxyISP              -25
3DevicePerAccountNumberDay     -15
3DevicePerEmailDay             -15
NoDeviceID                     -15
AnonymousProxy                 -15
FlashImagesCookiesDisabled     -15
3CreditCardPerDeviceDay        -15
ComputerGeneratedEMail         -10
PossibleVPNConnection          -10
DeviceNegativeReputation       -10
ProxyNegativeReputation        -10
AnonymousProxy                 -10
3ProxyPerDeviceDay             -10
3EmailPerDeviceWeek            -10
3AccountNumberPerDeviceWeek    -10
3DevicePerAccountNumberWeek    -10
DeviceProxyGeoMismatch         -10
DeviceAccountGeoMismatch       -10
3DevicePerEmailWeek            -10
LanguageMismatch               -10
SatelliteISP                   -10
DialupProxy                    -10
UnusualProxyAttributes         -10
3DevicePerCreditCardDay        -10
DeviceGlobalBlacklist          -10
FlashCookiesDisabled           -10
3CreditCardPerDeviceWeek       -10
All rules are customizable. Each score is tunable.
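As an added example (not code from the deck or from ThreatMetrix), here is an additive rule engine in the style of the weighting table: the rule names and weights are taken from the table, while the trigger conditions, the 24-hour velocity window and the PASS/REVIEW/REJECT cut-offs (REVIEW below 0, REJECT below -30) are assumptions.

```python
# Added example (not ThreatMetrix code): additive rule scoring in the style of
# the weighting table above. Rule names and weights are taken from the slide;
# the trigger conditions, the 24-hour velocity window and the PASS/REVIEW/
# REJECT cut-offs are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

RULES = [  # (rule name, weight from the slide, assumed trigger condition)
    ("DeviceCountriesNotAllowed", -50, lambda tx: tx["device_country"] in tx["blocked_countries"]),
    ("HiddenProxy", -25, lambda tx: tx["proxy_type"] == "hidden"),
    ("3EmailPerDeviceDay", -25, lambda tx: tx["emails_per_device_day"] >= 3),
    ("DeviceProxyGeoMismatch", -10, lambda tx: tx["proxy_country"] not in (None, tx["device_country"])),
    ("LanguageMismatch", -10, lambda tx: tx["browser_lang"][:2] != tx["account_lang"][:2]),
]

class RuleEngine:
    def __init__(self, rules=RULES, review_below=0, reject_below=-30):
        self.rules, self.review_below, self.reject_below = rules, review_below, reject_below
        self.emails_seen = defaultdict(list)  # device_id -> [(ts, email)] for velocity rules

    def add_velocity_features(self, tx):
        # Count distinct e-mails used on this device in the trailing 24 hours.
        hist = self.emails_seen[tx["device_id"]]
        hist.append((tx["ts"], tx["email"]))
        cutoff = tx["ts"] - timedelta(days=1)
        tx["emails_per_device_day"] = len({e for t, e in hist if t > cutoff})
        return tx

    def score(self, tx):
        # Every rule that fires adds its (negative) weight; the total is banded.
        tx = self.add_velocity_features(dict(tx))
        fired = [name for name, _, cond in self.rules if cond(tx)]
        total = sum(w for name, w, _ in self.rules if name in fired)
        decision = ("REJECT" if total < self.reject_below
                    else "REVIEW" if total < self.review_below else "PASS")
        return total, decision, fired

def demo():
    # Constructed transactions: a clean device that rotates through three e-mails
    # in one day, then a second device behind a hidden proxy in another country.
    base = dict(device_country="JP", blocked_countries={"XX"}, proxy_type="none",
                proxy_country=None, browser_lang="ja-JP", account_lang="ja")
    eng, t0 = RuleEngine(), datetime(2017, 5, 23, 9, 0)
    velocity = [eng.score({**base, "device_id": "dev-1", "email": f"u{i}@example.com",
                           "ts": t0 + timedelta(hours=i)}) for i in range(3)]
    proxied = eng.score({**base, "device_id": "dev-2", "email": "x@example.com", "ts": t0,
                         "proxy_type": "hidden", "proxy_country": "US"})
    return velocity, proxied
```

The third transaction on dev-1 is the first to trip the velocity rule, which is why a per-device history (not just the current request) is needed for rules like 3EmailPerDeviceDay.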
Smart Analytics
[Diagram: Smart Rules + Smart Learning; Integration Hub; outcomes PASS / REJECT]
Expanding Beyond 3-D Secure
[Diagram: further use cases: Portal Login, PSP Payment]
Shared Intelligence & Consistency
Wider variety of profiling attributes
• Each attribute (Standard & Optional) is an independent source of inherent risk.
• ThreatMetrix will process the independent inherent risk attributes using shared intelligence, threat intelligence, link analysis, behavior analytics, machine learning, etc.
AReq consistency checks
• ThreatMetrix will perform cross-correlation between AReq attributes and the corresponding attributes contained in Device_info (Mobile App) or 3DS Method URL (Browser).
AReq optional attributes
• The ThreatMetrix platform has the flexibility to monitor optional data fields which may not be consistent or uniform across merchants / agents:
1. 3DS Requestor Authentication Information
2. Cardholder Account Information
3. Merchant Risk Indicator
4. 3DS Requestor Challenge Indicator
Transaction Profiling Completeness
• The completeness of Device_info depends on the mobile app SDK implementation. ThreatMetrix provides the flexibility to include the ThreatMetrix SDK on top of the 3DS SDK to ensure the quality and completeness of the risk profiling and risk score.
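As an added example of the "AReq consistency checks" point above (not code from the deck or from ThreatMetrix), here is how an ACS-side check can cross-correlate the browser attributes carried in a 3DS 2.0 AReq with what the 3DS Method page collected from the browser. The AReq field names follow the EMVCo 3DS 2.0 message spec; the 3DS Method payload layout, the finding names and the tolerance rules are assumptions.

```python
# Added example (not ThreatMetrix code): the "AReq consistency check" above,
# cross-correlating browser fields in an EMVCo 3DS 2.0 AReq (browserIP,
# browserLanguage, browserTZ, browserUserAgent, browserScreenWidth,
# threeDSCompInd) with what the 3DS Method page collected from the browser.
# The method payload layout, finding names and tolerance rules are assumptions.
import ipaddress

def primary_language(tag):
    # Compare only the primary subtag: "ja-JP" vs "ja" is a locale difference, not a mismatch.
    return (tag or "").split("-")[0].lower()

def correlate_areq(areq, method_data):
    """Return consistency findings; an empty list means AReq and 3DS Method data agree."""
    if areq.get("threeDSCompInd") != "Y" or not method_data:
        # 3DS Method did not complete (N/U): nothing to correlate, so report that as a finding.
        return ["method_data_missing"]
    findings = []
    # ipaddress normalises textual forms (e.g. IPv6 zero compression) before comparing.
    if ipaddress.ip_address(areq["browserIP"]) != ipaddress.ip_address(method_data["ip"]):
        findings.append("ip_mismatch")
    if primary_language(areq["browserLanguage"]) != primary_language(method_data["language"]):
        findings.append("language_mismatch")
    # browserTZ is the UTC offset in minutes; the method page is assumed to report the same.
    if int(areq["browserTZ"]) != int(method_data["tz_offset"]):
        findings.append("timezone_mismatch")
    if areq["browserUserAgent"] != method_data["user_agent"]:
        findings.append("user_agent_mismatch")
    if int(areq["browserScreenWidth"]) != int(method_data["screen_width"]):
        findings.append("screen_mismatch")
    return findings

UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"  # constructed
AREQ = {"threeDSCompInd": "Y", "browserIP": "203.0.113.10", "browserLanguage": "ja-JP",
        "browserTZ": "-540", "browserUserAgent": UA, "browserScreenWidth": "1920"}
METHOD_OK = {"ip": "203.0.113.10", "language": "ja", "tz_offset": -540,
             "user_agent": UA, "screen_width": 1920}
# Constructed case where the browser-side collection disagrees with the AReq.
METHOD_SUSPECT = {**METHOD_OK, "ip": "198.51.100.7", "tz_offset": 180}

def demo():
    return (correlate_areq(AREQ, METHOD_OK),
            correlate_areq(AREQ, METHOD_SUSPECT),
            correlate_areq({**AREQ, "threeDSCompInd": "N"}, None))
```

A missing 3DS Method result is surfaced as its own finding rather than treated as "consistent", since the correlation can only reduce risk when both sides actually supplied data.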
Thank You!