Account takeover & voucher abuse continue to grow in e-commerce due to the inability of the industry to effectively associate an account with a real identity. Here we explain how ML can be used to solve this issue.
Authentication has become an area of ever-increasing importance in the battle against fraud for merchants and fraud vendors. Online commerce’s long battle for new customers has often been facilitated at the expense of properly validating the identities of those that have signed up. The ‘frictionless’ buying experience has come at the cost of security.
Experience has shown that decoupling accounts from real identities opens up a rich playground for fraudsters. The increasing frequency of account takeover, voucher abuse and payment fraud in e-commerce can be directly linked to the inability of the industry to effectively associate an account with a real identity or effectively spot when that identity has been compromised. So what can be done?
Authentication is the process of verifying someone's claim to an identity. Recent PSD2 legislation has neatly laid out strong customer authentication as someone having at least two of the following claims to that identity:
• Something you have (e.g. device, USB security key)
• Something you know (e.g. password, mother’s maiden name)
• Something you are (e.g. voice, biometrics, iris scan, fingerprint)
Largely as a result of innovation in the financial sector, there are a host of clever emerging technologies that consumers are becoming exposed to through their mobile phones, online banking accounts and other areas of identity innovation. None are perfect. All can be breached by a determined enough fraudster, although they probably cannot be breached at scale, or at least not yet. However, each of them requires a level of user engagement that is not realistic for most businesses, and certainly not as a first step.
For instance, to access the features on my mobile device I am willing to provide a fingerprint. As a second factor of authentication to access my MacBook, I carry around a USB security key. To access my online banking I use a one-time password generator. However, each of these is something I need in order to do my job or to function in my life.
Would I be willing to carry around a key to order a pair of sneakers from a site I use twice a year? What if I want to place a bet on a horse race starting in two minutes and I am asked to recover an SMS message sent to my phone to validate who I am? I am not likely to use that site again as I watch a horse I wanted to bet on ease home without my money on it.
The issue in the industry right now is that authentication is either too lax or too stringent. Where it is too lax, it’s because the merchant wants to absolutely minimise the friction from sign-up to purchase. Even after registration, logging back in is made as easy as possible.
Where it is too stringent, companies have either been forced to or have decided to add in multiple registration steps and hoops resulting in a horrible customer experience and/or a failed business.
Where the industry needs to get to is developing smarter authentication, where we challenge appropriate users at the appropriate time with the appropriate challenge.
Machine learning has a significant role to play here in suggesting who the appropriate users to challenge are, at which point in the user journey and with the appropriate challenge. The era of “one challenge fits all” is over.
Most merchants have the data within their systems to see patterns amongst their users to tell them which are risky and the degree to which they are risky. This is fertile ground for building algorithms that can suggest when a user requires additional security.
At Ravelin, we have an increasing number of clients who use this approach to invoke a 3D Secure challenge for certain markets under certain conditions. In the past, these orders may have been rejected due to the fraud probability. Now, however, there is the opportunity for a legitimate customer to continue with the purchase.
The vast majority of users never see this challenge, which is critical for ensuring that for most people the frictionless buying experience is intact. There is no value in challenging good customers due to poor data use.
3D Secure is only one kind of challenge, of course. And fraud risk is only one potential reason to invoke a challenge. Suspected account takeovers are a growing issue, so a challenge based around confirmation of ownership of a device is a strong method to deter them.
We are only starting to uncover the possibilities here in terms of anomaly detection that will indicate an at-risk account. The good news is that the increasing availability of, and consumer familiarity with, these authentication challenges means we can make really secure experiences increasingly frictionless too.
So the technical pieces are in place to build a smarter authentication process into our online commerce practices. We understand the problem set and are confident that we can build models that will identify those customers who require challenges. What we need is increased adoption of, and experimentation with, the options available to make ecommerce both safer and smoother for all genuine users.
And it’s increasingly apparent that we have to. The inability to authenticate online identities risks undermining the credibility of online commerce itself - a vista too dark to contemplate.
To learn more about PSD2 and SCA visit our insights page.
Gerry Carr, CMO