PINs are past their prime. Signatures? Forget it. With criminals increasingly on the prowl, much more robust technology is needed. The good news is such tech is available. But will consumers tolerate it?
Despite a now almost 3-year-old decision by the four major U.S. card brands to make signatures optional for many of their transactions, the signature persists at the point of sale. It’s a habit—for consumers and merchants—even though its value in ensuring the authorized cardholder is the individual making the transaction decreases each day.
The days of simple authentication tools are limited, especially when they are the only ones being used. In today’s increasingly digital world of payments, a signature or PIN is being relegated to lesser roles. As more companies develop ways to better identify individuals, authentication is adopting a more digitized stance, just as payments are.
In 2018, 40% of retail executives surveyed by the National Retail Federation said they had already dropped signature requirements for payment card transactions or planned to do so by year’s end. Another 13% anticipated doing so in 2019. All four major U.S. card brands announced in 2017 they would make signatures optional for many transactions.
“Signature is not an effective form of customer verification and it [is] hard to see its utility moving forward,” says Nandan Sheth, senior vice president of global digital commerce at Fiserv Inc., the Brookfield, Wis.-based core processor that bought First Data Corp. in 2019. “PIN, on the other hand, has several effective use cases as it relates to debit, or even transactions like EBT.”
Fiserv is the parent company of the Accel electronic funds transfer network and, via First Data, operates the Star debit network.
Even when signature is combined with the vaunted EMV card—where the chip makes counterfeiting difficult—it lacks some authority, says Kevin King, head of marketing at ID Analytics LLC, a San Diego-based fraud-prevention services company. And even PINs are less than ideal nowadays, he adds.
“While … ‘chip-and-signature’ is inherently less secure than chip-and-PIN—signatures fall short of the ‘something you know’ criteria for authentication—the truth is that PINs are still far from perfect from a security standpoint due to how easily fraudsters are able to compromise them,” King says in an email.
“Bottom line, signatures don’t even really qualify as a form of authentication (they mostly exist for a liability debate after-the-fact), and PINs are an increasingly outdated form of authentication whose use will continue to decline in the coming years,” he adds.
Of course, signature authentication has never been a component of e-commerce, but these merchants have their own authentication issues. Account takeovers—where a criminal gains control of a legitimate consumer account—and synthetic identities—accounts created using a combination of actual consumer identification information, such as a Social Security or driver’s license number, with fictitious birthdates, names, or addresses, resulting in the fabrication of a new identity—are now common headaches.
The problem is exacerbated by the billions of pieces of personally identifiable consumer information worldwide that already have been stolen and made available to criminals. With a little bit of work, and some keen purchases on the dark Web, a criminal can create a fictional iteration of a legitimate consumer, and no organization would be wiser.
“Authentication technologies are outdated, both at financial institutions and merchants,” says Krista Tedder, director of payments at Javelin Strategy & Research, a Pleasanton, Calif.-based advisory firm. “With account takeover continuing to grow for both bank and nonbank accounts, the authentication is weak. Using out-of-wallet questions, static passwords, and CAPTCHA does not meet the demands.”
CAPTCHA is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart, a technology to determine if an application is being completed by a human or a bot.
The Layered Approach
The need for change in authentication practices and technology is clear. “The technology must change because crime changes,” Tedder says. “Unfortunately, criminals are more adaptive than companies, and that is why you see large-scale trends. Right now, takeover of rewards programs and merchant accounts seems to be topping everyone’s list of challenges.”
“These are generally programs that use weaker authentication methods,” she adds. “But as [artificial intelligence] and deep fakes are used in social media for propaganda, so can the technology be used [with] facial recognition and voice modification to bypass authentication capabilities,” Tedder says. “It is important that as criminal technology advances, so do the prevention methods.”
Others agree. “There is no single technology today that’s adequate as a standalone,” says Sanjay Gupta, vice president of product management and corporate development at Mitek Systems Inc., a San Diego-based company that offers mobile verification and related services. It also is one of the established providers of mobile remote deposit capture services.
“What’s best for both businesses and their consumers is to use layers of technology,” Gupta says. “Given the rate and pace of breaches today, merchants are increasingly cautious and demand higher standards of certainty.”
Even recent authentication tools may be outpaced by criminal advances. “Broadly speaking, passwords and shared secrets (‘tell me the name of your high school’) are extremely vulnerable and ineffective protections on their own,” says King.
“They improve when you layer on additional authentication measures—technologies which assess the risk of mobile devices or which securely contact a known device can help develop comfort that the user possesses something the organization knows the true consumer possesses,” King says.
Still, he adds: “Even these multifactor authentication strategies—which pair together technologies to examine at least two of the three authentication factors (something you are, something you know, something you possess)—ultimately have gaps fraudsters can exploit.”
Post-PIN Authentication
If signature’s days are over and the value of PINs has eroded, how might authentication technologies develop to ensure the integrity of electronic payments?
Many consider the introduction of biometrics as a significant step forward. “The most impact has been the usage of biometrics,” says Gupta.
He notes that Mitek classifies biometric technology as either physical, such as face, fingerprint, palm, and iris, or behavioral. The behavioral aspect is “how the individual interacts with their device,” he says. That might include how fast a person types her password, the number of contacts on a device, or which Web sites are visited, he says, adding, “The way a consumer interacts with their device is their unique signature.”
That type of interaction generates data that can be used in the background to augment the authentication process. “A lot of this in-the-background stuff will have the biggest impact,” says Vijay Sondhi, chief executive of NMI, a Roselle, Ill.-based payment-technology provider.
Technologies such as machine learning, artificial intelligence, and device fingerprinting all can contribute, Sondhi says. Other advanced technology has a role, too. Merchants can use technology that will check the HTML code of an online store to see if it matches another online store and then pass on data to the payment provider, like NMI, where they allow or block payment transactions. “Criminals will steal HTML code and create a fake store on a brand-new domain,” he adds.
One central component of post-PIN authentication will assuredly be the smart phone. “We’ll continue to see the most progression on technologies which better leverage phones,” King says.
Phones have the ability to drive two of the three factors of authentication. They can confirm a user’s possession of a device known to be controlled by the customer (“something you have”), and they can collect biometric authentication (“something you are”), he says.
“While technologies exist to do this today, they have gaps in effectiveness and shortcomings in customer experience that I expect new innovations to continually address and reduce in the coming years,” King says.
Analytics will also play a large role, says Rajat Jain, vice president of fraud risk management at American Express Co. It’s had its most significant impact in improving authentication for payments, the AmEx executive says. “For American Express, we are investing in data-analytics capabilities that help us create a more robust understanding of customers’ spending needs, so that we can shield them from emerging threats,” Jain says.
The emphasis on data analysis is raising the profile of artificial intelligence, says Fiserv’s Sheth. “I see artificial intelligence evolving and playing a larger role in the payments space,” he says.
He points to the recently updated 3-D Secure online authentication standard as a tool that harnesses AI for the benefit of merchants. The standard automatically captures more data from a transaction than is available from a non-3-D Secure transaction and can optionally include scores of other data.
The idea is to enable more approvals of transactions that otherwise might be declined or challenged. Merchants or merchant acquirers could set their own levels of tolerance to trigger authentication challenges, assess the authentication report, and apply their own risk algorithms, Sheth says.
Fretting Over Friction
Even with automation, behind-the-scenes data collection, deep analysis, and new identification tools, sound authentication practices must strike a balance between security and the customer experience, Sheth says.
“Avoiding and preventing risk [and] protecting your customers, clients, and partners should always be the number-one priority,” he says. “And, authentication practices should be implemented in a way that is frictionless, avoiding prompts [and] pop-up windows, and enabling a smooth customer experience and reducing cart abandonment.”
When assessing the value of authentication services, the customer experience should have parity with the actual costs. “Effectiveness (accuracy) and customer experience are the two critical elements of an authentication service’s performance, though price can eventually factor into any purchasing decision,” King says.
But accuracy and customer experience are often in opposition, King says. “The more effective an authentication service is at accurately confirming an individual’s identity, the more friction is often introduced to the process,” he adds.
In one unlikely example, a customer could be asked to bring a birth certificate and provide a biometric for each in-person interaction at a bank branch. “I’d feel pretty good that we had authenticated that transaction, but the customer experience would be wholly unacceptable,” King says.
Consumers, however, balk at far less friction than that. Even having to download a new app or take a photo of a driver’s license could provoke hesitation, King says. Some organizations may then adopt tools that have inherent weaknesses in order to preserve a lower-friction customer experience, King says, adding, “The better a technology delivers on a strong authentication with minimal impact to the customer experience, the more adoption it will get.”
For Mitek’s Gupta, one essential tradeoff is speed and convenience versus risk. “Balance what is important to the merchant’s consumers with the business impact to the merchant,” he says. “Use this information to determine what matters more: the speed of the customer’s transaction versus the reputation damage in case of a breach.”
Better securing the authentication process is not just a point of interest for consumer-facing organizations. NMI’s Sondhi says it’s also important on the merchant side to prevent the onboarding of fraudulent merchants.
For example, rapid merchant onboarding is vital for many acquirers pursuing the independent software vendor channel, he says. Some independent sales organizations, which are courting ISVs, want an onboarding process as quick and simple as what Square Inc. or Stripe Inc., both payments providers specializing in direct sales, can provide.
The risk, however, is that, without the proper process, a fraudulent merchant could just as easily be approved for a merchant account as a legitimate one, Sondhi says.
Multifactor Is a Must
The challenge for any organization wanting to authenticate its customers and conduct transactions with them is figuring out that process, especially considering the rapidly changing threat from criminals. The key is employing multifactor authentication tools.
“Best practices need to focus on multifactor authentication at the system-access point,” Javelin’s Tedder says. “This could be for digital wallets, device-based payments, point of sale, browser, or in-app. Moving away from one-time passwords, knowledge-based questions, and static passwords is needed.”
The increase in the number of data breaches only underscores the need to protect consumers, says Mitek’s Gupta. “Identity verification needs to combine both physical and behavioral with re-verification of the individual,” he says.
Re-verification involves reaching out to a consumer, especially when an authorized accountholder is being added. If a criminal can get approved as a secondary accountholder, he could reset the account settings and commit his crime unbeknownst to the primary accountholder, Gupta says. It’s such a problem in some parts of Europe that legislation requiring periodic re-verification is appearing, he says.
King agrees that a multifactor authentication process is necessary. For smaller payments, “that step-up authentication isn’t critical depending on an organization’s tolerance for the negative customer experience of rejecting payments,” he says. “For larger payments, you need multifactor authentication, you need strong interrogation of device hygiene (is the device compromised by malware?), you need an effective means of step-up authentication.”
Even with the latest authentication tools deftly applied, there remains a risk factor: the attitude of the consumer. “The greatest impacts will be how technology is communicated with a detailed, easy-to-understand description of how the technology adds protection and data privacy,” Tedder says.
Her example is the confusion some consumers express about biometric authentication. “Many people do not understand that the biometrics reduces their risk and does not increase it. Fingerprints have had the greatest impact, but there is much more to be done to get consumers off static and one-time passwords and into the technology.”