Participants in the e-commerce environment understand well that growth is always accompanied by increased threats and risks. As it becomes easier for merchants to list their products online, they are able to serve much more diverse targets.
Preventive measures and programs to protect merchants from online deceptions are not exactly new, as they have been introduced and encouraged by major card scheme Visa since the early 2000s. However, because most related information is industry-focused, the technology remains unknown to many potential adopters.
In this article, we introduce the concept and mechanism of Risk Based Authentication (RBA), how it is deployed, its benefits, and give our suggestions for new adopters or businesses looking to use it as a fraud prevention technique.
Risk Based Authentication (RBA) is a mechanism that uses scoring systems and criteria to determine whether a particular user is trusted enough to continue navigating a web page. The allowed actions could range from logging in and navigating the site to making online payments within the page or on a redirected one.
These scores are calculated from a set of risk rules that analyze different factors. Risk rules can get very specific, from flagging a specific device in use to permanently blocking an IP address or account that is deemed risky.
The objectives of Risk Based Authentication are to:
- Take action to stop risky users
- Allow legitimate users to access online services more effortlessly
Although these rules can get rather complex, according to the authenticator's needs, users considered risky are not always blocked; instead, they are required to key in extra authentication proof such as one-time passwords, answers to knowledge-based questions, or other means of identifying themselves. This additional verification step ensures low risk and low false positive rates.
* A false positive occurs when a legitimate user or customer is wrongly deemed a risky one, whether because of their past behavior, their device fingerprint, or simply a mistake made by the system.
* A false positive rate can be simply understood as the ratio of false positives over the total number of cases that were examined by an RBA system.
RBA works by collecting data points and scoring them. This scoring allows it to measure the risk level of each case. Parameters used for scoring may include IP addresses, the device in use, browser information, and historical records of online behavior. Based on these data points, the system provides a score to determine whether or not the action and user are safe, and then approves or declines accordingly.
RBA came about as an innovation in the fight against online fraud and deception. In recent years, the mechanism has been growing in popularity among solution adopters, especially online merchants that are becoming more aware of and concerned about protection against fraudsters. Between 2019 and 2020, Intellicheck reported a 282% increase in account takeovers, which clearly indicates how quickly fraudulent attempts are rising.
Merchant Savvy's global fraud report found that payment fraud has tripled from 2011 to 2020, having risen from $9.84 billion to $32.39 billion. The institution also projected that global payment fraud will likely cost $40.62 billion by 2027, which is about 25% higher than what was reported in 2020.
Implementation of an RBA solution supports businesses in saving on their fraud and management costs, while protecting users and customers from account takeovers and providing a more seamless user experience.
The seamless user experience that results from deploying an RBA solution is explained by the elimination of extra identification requests, which in turn reduces the direct pain points for end-users. This is believed to improve the shopping experience and customer satisfaction in general, and to reduce the cart abandonment rate in particular.
Below are the ways in which a deployment of Risk Based Authentication can help your business.
Owing to the complex online environment, businesses are driven to place more emphasis on fraud management. RBA simply provides a way to better determine and recognize visitors navigating your site, for both log-ins and payments.
Upon log-in, the site must check if the user is a real person. The minimum for verification is an ID linked with a username and internet address to identify the individual logging on to the site. When the on-site activities extend to include payments, certain rules are applied for identity verification, which is where Risk Based Authentication comes in handy.
With all these activated for your site, the user identity is properly assessed, ensuring that no risky users or transactions are allowed, which in turn reduces fraud rates. Simply put, RBA helps filter out accounts that have been created using falsified or stolen information, making sure the merchant does not become too vulnerable and suffer from fraudulent activities.
To see where seamless user experience fits into the sequence, consider the purchase process. First, the customer goes online to search for products, then weighs the options and finally makes the purchasing decision. After that, the customer will need to pay for the item added to the cart, a process that includes filling in account information, personal details, and shipping address.
Other than that, the customer will likely be prompted with an authentication procedure that includes one-time passwords (OTPs) or other means of verifying that they are the rightful owner of the payable account or card, and this is where it gets more interesting. Upon being requested to provide an OTP, many customers shy away from the inconvenience of tab-switching and waiting for a code.
RBA works to take most of that away by thoroughly identifying and understanding who the customer is, in order to significantly reduce the unnecessary steps involved in an authentication. These benefits might not show themselves so clearly on the surface, but it is fundamental that solution adopters grasp the benefits of RBA to better protect and serve their end users and customers.
Apart from protecting merchants from fraud attacks, RBA also helps them ensure that their legitimate users or customers are safe from fraudulent incidents. By comparing the data collected at the sign-up phase with the log-in details, the RBA system is able to determine whether that information is legitimate and belongs to the right person.
The mechanism takes into account diverse data points, and when sudden changes happen, it is likely that the risk score increases. The next step should be to request additional proof of account ownership.
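The scoring, step-up decision and false positive rate described on this page can be sketched as follows. This is an added illustration, not code from any RBA product; the rule names, weights, thresholds and sample IP address are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weights and thresholds (assumptions); tune them to your own fraud history.
WEIGHTS = {"new_device": 30, "new_country": 25, "blocked_ip": 100,
           "odd_hour": 10, "failed_logins": 20}
STEP_UP_AT, DECLINE_AT = 30, 70
BLOCKLIST = {"203.0.113.7"}  # constructed example (documentation address range)

@dataclass
class Profile:               # data points captured at sign-up and in past sessions
    devices: set
    countries: set
    usual_hours: range

@dataclass
class Attempt:               # data points observed at log-in or payment
    device: str
    country: str
    ip: str
    hour: int
    recent_failures: int = 0

def triggered_rules(profile, attempt):
    """Return the names of the risk rules this attempt trips."""
    checks = {
        "new_device": attempt.device not in profile.devices,
        "new_country": attempt.country not in profile.countries,
        "blocked_ip": attempt.ip in BLOCKLIST,
        "odd_hour": attempt.hour not in profile.usual_hours,
        "failed_logins": attempt.recent_failures >= 3,
    }
    return [name for name, hit in checks.items() if hit]

def decide(profile, attempt):
    """Score the attempt (0-100) and map it to approve / step_up / decline."""
    rules = triggered_rules(profile, attempt)
    score = min(100, sum(WEIGHTS[r] for r in rules))
    if score >= DECLINE_AT:
        action = "decline"
    elif score >= STEP_UP_AT:
        action = "step_up"   # ask for an OTP or a knowledge-based answer
    else:
        action = "approve"
    return score, action, rules

def false_positive_rate(cases):
    """cases: list of (action, is_legitimate). Uses this page's definition:
    legitimate users who were not approved outright / all cases examined."""
    if not cases:
        return 0.0
    flagged = sum(1 for action, legit in cases if legit and action != "approve")
    return flagged / len(cases)
```

Keeping the list of triggered rules next to the score makes each decision explainable when a legitimate customer disputes a step-up or a decline.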
Although it is widely known for helping catch bad actors on the internet, RBA also works to give legitimate users an experience with less friction, where friction is simply the extra effort required from them.
In context, removing friction includes letting users sign up without any document verification or log into their account without needing two-factor authentication. The threshold settings are your decision when adopting an RBA solution. They could be based on your (the merchant's) preferences or on the laws and regulations in your operating region.
Whether your objectives in adopting RBA lie in fraud prevention or friction reduction, the result of implementation is a better user experience. In today's world of ceaseless developments and changes in the online environment, providing a smooth and enjoyable customer or user experience is a competitive advantage for merchants that are looking to win the market.
Risk Based Authentication solutions might require your institution to get ready for risk monitoring, calculation, and a mechanism to make preset automated decisions when the system decides to approve or reject a case.
All of this can be done using risk management software, which is offered by many security solution providers at varying and affordable rates. Most of the time, the RBA solution provider should also be able to offer the same software management service for merchants. Within these tools, adopters are able to calculate risk based on past behaviors and activities such as transactions, and to monitor risks via the system's work and reports without having to handle the data manually.
Like any other high-tech solution designed for fraud prevention and management, Risk Based Authentication does its own magic when deployed, collecting and processing meaningful data points from users. Despite being a highly trusted mechanism for fraud fighters, RBA is not foolproof, since its effectiveness largely depends on the amount of data collected, and it requires constant development and review over time to maintain efficiency.
Implementation of an RBA program requires the merchant to establish a certain degree of knowledge of risk calculation and management. This is why we, as a security solution provider, highly encourage merchants to begin by looking into historical records of fraudulent attacks and calculating the existing risk to establish a better understanding before deploying an RBA solution.