
Risk-Based Authentication for “Frictionless” 3-D Secure

JB Dumerc
2017/5/23
ThreatMetrix Introduction
• Headquarters: Silicon Valley (San Jose, USA)
• CEO: Reed Taussig
• Employees: around 200
• Offices: New York, London, Paris, Tokyo, Hong Kong, Singapore, Sydney
• Customers: more than 5,000 (including through partners)
• Installed base: eCommerce, eBanking, Payment, Fintech, Social Networking, Telecommunications
• Installations: more than 30,000 web sites and mobile applications
• Transaction volume: more than 2 billion / month
• Database: 4.5 billion devices / 1.8 billion personas

Uniquely Helps Differentiate Good Users from Bad Criminals
On web or mobile – At account opening, login or transaction
ThreatMetrix Confidential Information – Do Not Copy or Distribute Without Express Written Permission 2
Business Model = Shared Intelligence
Analyzing more than 80 million daily transactions across 30,000 web or mobile applications, across 4.5 billion devices in 200+ countries
(Diagram: is this a trusted user or a criminal? Mutually collected and shared intelligence delivers world-leading fraud detection, a “frictionless” user experience and cyber protection of corporate value and customers.)
World’s Largest Digital Identity Network
Up to 95% recognition rate / 70% reduction in false-positive rates
200% authorization increase / 90% reduction in fraud
Solutions Portfolio
Intelligence – Decision – Authentication
• Digital Identity Intelligence: user profiling with about 600 attributes; global shared intelligence of anonymous digital identities
• Dynamic Decision Platform: real-time and customizable rule engine with machine learning & case management
• Smart Authentication: step-up to multi-factor authentication
Smart & Frictionless Authentication
Block Fraudsters without Inconveniencing Good Customers
Let’s counter globalizing fraud with collective intelligence!
(Diagram: use cases across eBanking, eCommerce, Payment, Brokerage, Loans, Travel, Insurance, Media, SNS and Gaming; signals from Persona, Behavior, Device & Location and Malware feed Digital Identity Intelligence, the Dynamic Decision Platform and Smart Authentication; example outcomes: Sign-up OK, Login Step-Up via SMS OTP, Payment NG.)
Valuable eco-system partners throughout the world and across industries

Constraints with Legacy 3D-Secure

Typical “High Friction” Authentication Prompt
Cardholders are inconvenienced by suddenly being prompted for additional authentication, leading to high levels of abandonment and call center support.

Impact of 3-D Secure on Conversion Rate
(Chart: the effect on conversion ranges from -60% (negative: abandonment) to +30% (positive: more transactions).)
Source: Adyen and Edgar, Dunn & Company - 2014


3-D Secure Adoption per Country
(Chart: enrollment percentage by country.)
Source: Ingenico 2014


Conclusion: Low Usage Rate of 3-D Secure
(Chart: share of 3DS-authenticated transactions.)

Today’s Cross-Border fraud cannot be tackled solely at national level
Source: ThreatMetrix Q4, 2016 Cybercrime Report
Borderless cybercrime complicates fraud and authentication decisions.
ThreatMetrix solves global challenges to defend domestic customers.
Introducing Risk-Based Authentication

Shared Intelligence and Real Time Decisioning

Increased Coverage / Reduced Friction
(Diagram: a legacy ACS with no risk-based authentication covers only enrolled cardholders and challenges every transaction with a User ID / Password prompt (limited coverage, systematic challenge). A risk-based-authentication-ready ACS covers both enrolled and non-enrolled cardholders (full coverage) and challenges selectively: high-risk transactions (less than 5%) get the prompt page, low-risk transactions (above 95%) get frictionless authentication.)
• Authentication is possible for 100% of cardholders, even cardholders not enrolled in the 3-D Secure program
• Authentication is frictionless for more than 95% of transactions, invisible to the cardholder
Authenticating Non-enrolled Cardholders

Selective Authentication Prompt
The cardholder experience has come under criticism, and some merchants complain that Verified by Visa can have a negative impact on conversion rates. Consequently, Verified by Visa is evolving, and one of the big breakthroughs is Risk-Based Authentication.

Less Friction => Higher Purchase Conversion
Source: Visa UK (Frictionless Experience in Verified by Visa)
Example of Service Improvement
Simulation with statistics from Japan
• Coverage improved from 17.6% to 100%
• Abandonment rate reduced from 8% to 1%

Simulation     Before    After
Coverage       17.6%     100%
Abandonment    8.0%      1%
Completion     16.2%     99%    (x6 improvement)

Source: Visa UK (Frictionless Experience in Verified by Visa)

Result on VISA’s in-house operated ACS (VCAS)
Integrating ThreatMetrix intelligence with Visa network data provided a more accurate risk score for cross-border and global transactions, helping reduce friction and abandonment.
• Eliminate friction and improve overall card usage while reducing fraud.
• Every event analyzed in the context of patterns of trusted user behavior.
• Less than 5% of cardholders challenged with an authentication request.
• 70% reduction in authentication abandonment.
“Our partnership with ThreatMetrix has allowed us to augment our network level data with device analytics to make better fraud decisions” (Visa Inc.)

Migrating with ThreatMetrix to Risk-Based Authentication from your legacy 3-D Secure
1) Your current ACS 1.0.2
2) Next Generation ACS 2.0

Legacy “High Friction” 3-D Secure (3DS1.0.1 – No Risk-Based Authentication)
(Diagram: the cardholder shops on the EC site (PSP) (1) and reaches the payment page; the issuer ACS presents its User ID / Password authentication prompt on the authentication page (3), and the result goes back to the EC site (4).)
All cardholders have to suffer the “friction” of authentication!
Introducing “Frictionless” Risk-Based Authentication (3DS1.0.2)
(Diagram: the cardholder shops on the EC site (PSP); the payment page carries a profiling <TAG> that profiles the device with the Digital Identity Network; the issuer ACS queries the network and receives ACCEPT, CHALLENGE or DENY; fewer than 5% of cardholders get a CHALLENGE and see the User ID / Password authentication prompt in an inline pop-up page; the authentication result is returned to the EC site.)
EC merchants and their PSP benefit from increased business!
New Generation EMVCo 3-D Secure (3DS2.0)
(Diagram: the cardholder shops on the EC site (PSP), whose payment page carries the profiling <TAG>; profiling data is collected via the 3DS Method and an API call to the Digital Identity Network; the issuer ACS receives ACCEPT, CHALLENGE or DENY, and on CHALLENGE the User ID / Password authentication prompt appears in an inline pop-up page; the authentication result is returned to the EC site.)
From now on, EC merchants and their PSP need to take care of profiling!
(Diagram: exchange between the ACS server and ThreatMetrix. 8a. API call for risk-based risk scoring; 8c. authentication & response; 11a. challenge request, leading to the authentication step-up challenge; 15. determine challenge outcome.)
Correlation with 3D-Secure Method

Two Profile Detection Methods in 3-DS 2.0
1. Mandatory in-band profiling: the merchant MI collects attributes from the browser session and adds them to the AReq transaction as standard AReq fields.
2. Optional out-of-band profiling from the ACS (3DS Method):
• The issuer ACS publishes a 3DS Method URL in the DS, and the merchant must execute an HTTP POST to the 3DS Method URL with the Transaction ID
• This is basically the same as Risk-based Authentication in current 3-D Secure 1.0.2
3DS Method Spec Extract
Term: 3DS Method
Definition: A scripting call provided by the 3DS Integrator that is placed on the 3DS Requestor website. Optionally used to obtain additional browser information to facilitate risk-based decisioning.

Step 4: Browser and the ACS


The Browser will connect via the 3DS Method to the ACS or an entity designated by the
ACS to gather browser and Device Information. The manner in which the 3DS Method
obtains Device Information and which information is gathered is outside the scope of this
specification, however it is necessary to use the 3DS Server Transaction ID to identify the
Browser/Device Information for a later match at the ACS.
5.8.1 3DS Method Handling
The 3DS Method allows for additional browser information to be gathered by an ACS
prior to receipt of the AReq message to help facilitate the transaction risk assessment.
The use of the 3DS Method by an ACS is optional.
6.1.8 Link h: Browser—ACS (for 3DS Method)
The link between the Browser and the ACS for the 3DS Method is opened from a hidden
iframe loaded by the 3DS Server as part of the check-out page. It is used for the ACS to
load JavaScript which gathers device information to be returned to the ACS. This
includes the 3DS Server Transaction ID which enables the ACS to marry the information to
the correct transaction.
ThreatMetrix Specified Sequence of Profiling
1. The issuer ACS publishes a 3DS Method URL in the DS along with the card range data.
2. The merchant MI reads the DS data ahead of time and caches it.
3. If the DS data contains a 3DS Method URL, the merchant MI must present that URL to the cardholder’s browser prior to sending the AReq.
4. The 3DS Method URL must point to the ThreatMetrix profiling API as the “designated entity”.
5. The 3DS Method Data shall contain the following:
a. 3DS Server Transaction ID (the same as sent in the AReq message)
b. 3DS Method Notification URL (ThreatMetrix will write to this URL to tell the merchant MI when profiling is done)
c. Create a JSON object with the 3DS Method data elements and then Base64 encode it.
d. Render a hidden HTML iframe in the cardholder browser and send a form containing the JSON object via HTTP POST to the ACS’s 3DS Method URL (i.e. ThreatMetrix).
6. When 3DS Method profiling is done, the merchant can complete the AReq and forward it to the issuer ACS.
7. The ACS receives the AReq from the merchant MI:
a. The ACS can then make a session query to ThreatMetrix with the Transaction ID and other attributes from the AReq.
b. ThreatMetrix scores the combined 3DS Method attributes and AReq attributes.
c. ThreatMetrix returns the risk score and reason codes.
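The hand-off in steps 5 and 7a above, as an added Node.js example (not ThreatMetrix or EMVCo code): it builds and decodes the Base64url-encoded 3DS Method data, renders the hidden iframe form the 3DS Server places on the checkout page, and keys the collected browser data by 3DS Server Transaction ID so the ACS can query it when the AReq arrives. The field names threeDSServerTransID, threeDSMethodNotificationURL and threeDSMethodData are the EMVCo 3DS 2.0 names; the in-memory store and the shape of the browser attributes are assumptions.

```javascript
// Added example, not ThreatMetrix or EMVCo code. EMVCo field names are used
// for the payload; the ProfilingStore and browserAttrs shape are assumptions.

function base64url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Step 5c: JSON object with the two 3DS Method data elements, Base64url-encoded.
function encodeThreeDSMethodData(serverTransId, notificationUrl) {
  const obj = { threeDSServerTransID: serverTransId,
                threeDSMethodNotificationURL: notificationUrl };
  return base64url(Buffer.from(JSON.stringify(obj), 'utf8'));
}

// Inverse, as the ACS (or its designated profiling entity) parses the POST body.
// A payload missing either element is rejected before anything is profiled.
function decodeThreeDSMethodData(encoded) {
  const pad = '='.repeat((4 - (encoded.length % 4)) % 4);
  const b64 = encoded.replace(/-/g, '+').replace(/_/g, '/') + pad;
  const obj = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  for (const k of ['threeDSServerTransID', 'threeDSMethodNotificationURL']) {
    if (typeof obj[k] !== 'string' || obj[k] === '') throw new Error('3DS Method data missing ' + k);
  }
  return obj;
}

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Step 5d: hidden iframe plus an auto-submitting form, rendered on the checkout page.
function renderThreeDSMethodForm(methodUrl, encodedData) {
  return '<iframe name="threeDSMethodIframe" style="display:none"></iframe>' +
    '<form id="tdsMethodForm" method="POST" action="' + escapeAttr(methodUrl) +
    '" target="threeDSMethodIframe"><input type="hidden" name="threeDSMethodData" value="' +
    escapeAttr(encodedData) + '"></form>' +
    '<script>document.getElementById("tdsMethodForm").submit();</script>';
}

// Step 7a: results are keyed by the transaction ID carried in the POST, so the ACS
// queries them with the ID from the AReq rather than anything the browser asserts.
class ProfilingStore {
  constructor() { this.byTransId = new Map(); }
  record(encodedData, browserAttrs) {       // called when the 3DS Method POST arrives
    const { threeDSServerTransID } = decodeThreeDSMethodData(encodedData);
    this.byTransId.set(threeDSServerTransID, browserAttrs);
  }
  lookup(areq) {                            // called when the AReq arrives
    return this.byTransId.get(areq.threeDSServerTransID) || null;
  }
}
```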
Two Independent Sets of Risk Attributes
72 Standard Attributes:
• Agent: 3DS Requestor & Server
• Cardholder: name, addresses, phone number, account number
• Context: SDK, device identifiers (browser, user agent, accept header, App ID, Device_info), IP address
• Merchant: merchant ID, merchant name, merchant URL
• Account type: debit / credit
• Brand: DS reference number, DS URL
• Transaction: amount, currency, date
• Etc.
Up to 600 Optional Attributes:
• Behavior: history, correlation, anomalies
• Personas: anonymized identities & related events / associations
• Threat: malware, proxy, MitB, TOR
• Device / Networks / Location
• Monitoring optional data fields which may not be consistent or uniform across merchants / agents: 3DS Requestor Authentication Information, Cardholder Account Information, Merchant Risk Indicator, 3DS Requestor Challenge Indicator

Next Generation Integrated Layered Profiling
(Diagram: four layers built on Global Shared Intelligence.)
• 1st layer, Devices: fingerprinting; true location & network; device tampering
• 2nd layer, Threats: proxy, VPN, TOR; MitB & malware; bots & scripts
• 3rd layer, Personas: age & attributes; anonymized identities; associations & related events
• 4th layer, Behavior: velocities & frequencies; correlations & anomalies; activity metadata
What Makes the Digital Identity?
Understanding the complex behavior and profile of a persona and its relationships between associated devices, credentials, threats and other personas…
(Diagram: a digital identity linking Device 1, Device 2, Phone 1, Phone 2, Username and Email to Your Company.)
Shared Intelligence
Analyzing more than 80 million daily transactions across 30,000 web or mobile applications and across 4.5 billion devices in 240 countries
Our Customers Contribute to The Network to Create Shared Intelligence about Global Digital Identities
(Diagram: encrypted + hashed PII & data in; Digital Identity score, reasons and attributes out.)
Wider Set of Attributes for Higher Risk Assurance
Profiling (600 attributes):
• Standard data input, hashed or clear: Agent, Cardholder, Context, Merchant, Account, Brand, Transaction
• Additional OOB data: Behavior, Threat, Persona, Device / Network & Location
Scoring (rules engine with more than 100 rules, real time and fully customizable):
(Diagram: the score scale runs from +100 down to -100, with PASS in the upper range, REVIEW around -10 to -20 and REJECT from -30 down.)

Example of Rules Weighting
Rule Name                       Rule Score
DeviceCountriesNotAllowed       -50
HiddenProxy                     -25
3EmailPerDeviceDay              -25
SatelliteProxyISP               -25
3DevicePerAccountNumberDay      -15
3DevicePerEmailDay              -15
NoDeviceID                      -15
AnonymousProxy                  -15
FlashImagesCookiesDisabled      -15
3CreditCardPerDeviceDay         -15
ComputerGeneratedEMail          -10
PossibleVPNConnection           -10
DeviceNegativeReputation        -10
ProxyNegativeReputation         -10
AnonymousProxy                  -10
3ProxyPerDeviceDay              -10
3EmailPerDeviceWeek             -10
3AccountNumberPerDeviceWeek     -10
3DevicePerAccountNumberWeek     -10
DeviceProxyGeoMismatch          -10
DeviceAccountGeoMismatch        -10
3DevicePerEmailWeek             -10
LanguageMismatch                -10
SatelliteISP                    -10
DialupProxy                     -10
UnusualProxyAttributes          -10
3DevicePerCreditCardDay         -10
DeviceGlobalBlacklist           -10
FlashCookiesDisabled            -10
3CreditCardPerDeviceWeek        -10
All rules are customizable; each score is tunable.
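A worked version of the weighting above, as an added Node.js example (not ThreatMetrix code): a small rule engine where each rule that fires contributes its weight, the weights sum to the transaction score, and the score maps to PASS, REVIEW or REJECT. Rule names and default weights come from the table; the predicates, the velocity counter over an event history, and the thresholds (REVIEW below -10, REJECT at -30 and below, read from the scoring scale on the previous slide) are assumptions.

```javascript
// Added example, not ThreatMetrix code. Rule names and weights follow the table
// above; predicates, the event history shape and the thresholds are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// Velocity helper for rules such as 3EmailPerDeviceDay: distinct values of `field`
// seen on this transaction's device in the window ending at the transaction time.
function distinctPerDevice(history, tx, field, windowMs) {
  const seen = new Set([tx[field]]);
  for (const e of history) {
    const age = tx.ts - e.ts;
    if (e.deviceId === tx.deviceId && age >= 0 && age <= windowMs) seen.add(e[field]);
  }
  return seen.size;
}

// Rule name, default weight (tunable per customer) and the predicate that fires it.
const RULES = [
  { name: 'DeviceCountriesNotAllowed', weight: -50,
    test: (tx, ctx) => ctx.blockedCountries.has(tx.deviceCountry) },
  { name: 'HiddenProxy', weight: -25, test: (tx) => tx.proxyType === 'hidden' },
  { name: '3EmailPerDeviceDay', weight: -25,
    test: (tx, ctx) => distinctPerDevice(ctx.history, tx, 'email', DAY_MS) >= 3 },
  { name: 'NoDeviceID', weight: -15, test: (tx) => !tx.deviceId },
  { name: 'DeviceAccountGeoMismatch', weight: -10,
    test: (tx) => tx.deviceCountry !== tx.accountCountry },
  { name: 'LanguageMismatch', weight: -10, test: (tx) => tx.browserLang !== tx.accountLang },
];

// Sum the weights of the rules that fire; `overrides` lets a customer retune any rule.
// Returns the score, the decision and the fired rule names as reason codes.
function scoreTransaction(tx, ctx, overrides = {}) {
  let score = 0;
  const reasons = [];
  for (const r of RULES) {
    if (!r.test(tx, ctx)) continue;
    score += overrides[r.name] !== undefined ? overrides[r.name] : r.weight;
    reasons.push(r.name);
  }
  const decision = score <= -30 ? 'REJECT' : score < -10 ? 'REVIEW' : 'PASS';
  return { score, decision, reasons };
}
```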

Smart Analytics
Smart Rules + Smart Learning
• Smart Rules: adaptive per-entity calculated behaviors and variables
• Smart Learning: optimized rule creation, weighting & normalization
All real time and dynamic
Authentication Step-up / Identity Verification
In case of REVIEW, prompt for additional authentication or verification
(Diagram: the profile result reaches the Integration Hub as PASS, REVIEW or REJECT; REVIEW triggers third-party authentication.)
Basic Menu: IVR OTP (fixed line), IVR OTP (mobile), SMS OTP (mobile / 1 way), Push OOB (smart phone)
Third Party Partner Menu: OTP mobile, eMail OTP, phone verification, biometrics, OTP postal address, SNS, identity data matching
Expanding Beyond 3-D Secure
(Diagram: the Digital Identity Network and Smart Authentication serve New Account Opening, Portal Login and Payment across the PSP, 3-D Secure and other channels.)
Shared Intelligence & Consistency
Wider variety of profiling attributes
• Each attribute (standard & optional) is an independent source of inherent risk.
• ThreatMetrix will process the independent inherent risk attributes using shared intelligence, threat intelligence, link analysis, behavior analytics, machine learning, etc.
AReq consistency checks
• ThreatMetrix will perform cross-correlation between AReq attributes and the corresponding attributes contained in Device_info (mobile app) or collected via the 3DS Method URL (browser).
AReq optional attributes
• The ThreatMetrix platform has the flexibility to monitor optional data fields which may not be consistent or uniform across merchants / agents:
1. 3DS Requestor Authentication Information
2. Cardholder Account Information
3. Merchant Risk Indicator
4. 3DS Requestor Challenge Indicator
Transaction profiling completeness
• The completeness of Device_info depends on the mobile app SDK implementation. ThreatMetrix provides the flexibility to include the ThreatMetrix SDK on top of the 3DS SDK to ensure the quality and completeness of the risk profiling and risk score.

Thank You!

ThreatMetrix.com | sales@threatmetrix.com | partners@threatmetrix.com


1.408.200.5700 (Americas) | +61 2 9411 4499 (Asia Pacific) | +31 (0)20 800 0638 (EMEA)
