This opinion piece in The Paypers argues that behavioral biometrics added to a cardholder challenge would strengthen the step-up process. This is needed because an unsecured one-time password can be thwarted by criminals. Mercator Advisory Group suggests that issuers eliminate the use of unsecured channels for the OTP. Instead, provision the cardholder’s phone with a secured app that delivers a secured channel between the cardholder and the issuer and use that when step-up is needed.
Mercator agrees that behavioral biometrics has its place, but it is equally important that the cardholder be comfortable and confident in the challenge the issuer deploys. Many issuers use a different authentication method for each channel the customer interacts across (call center, online, card, etc.), which fails to establish customer confidence.
By implementing a secure channel to the customer using a mobile app as the preferred method across every channel, the issuer reinforces the consumer behavior and trains the cardholder on what to expect. Without this training, the cardholder may decide to utilize a more trusted card for making online purchases. Here’s more from The Paypers’ article:
“The 3-D Secure system should be compliant with the EU’s Strong Customer Authentication regulation – so how do fraudsters still find a way in? During the risky transaction verification step of the 3-D Secure process, the card issuer sends a one-time password to a customer’s registered mobile device which they then have to type into a verification page to confirm their identity.
Firstly, one-time passwords are the main target for SIM swappers (fraudsters who exploit mobile service providers’ ability to switch a cardholder’s phone number over to their own SIM by impersonating their victim). This way they can intercept any one-time passwords sent to the victim via SMS and circumvent the security features of 3-D Secure. The system is also open to phishing attacks, as some users may mistake fraudulent phishing sites for the legitimate Mastercard or Visa pop-up window or inline frame. These and other user manipulation techniques show 3-D Secure is far from failproof.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group