The EMV 3DS specification (3DS-2) secures browser payments and, for the first time, in-app mobile payments; different capabilities between the browser and mobile app platforms require different security methods.
EMV 3DS VERSION 2 SDK FEATURING mSIGNIA ENHANCEMENTS
For 3DS version 1 and 2, the processing flows for transactions performed in a browser are similar, whether the browser runs on a laptop or on a mobile device. As shown in Figure 1, the issuing bank is allowed to connect directly to the browser and extract any proprietary device data it requires to authenticate the device and user.
Nearly all of today’s issuing banks use proprietary data (e.g. tags or cookies) to identify the device and score risk. Issuing banks, or their vendors, each have their own proprietary tags and data sets.
Figure 1 also shows that the 3DS-2 specification provides no way for the issuing bank to collect its proprietary data directly through the merchant’s mobile app. When an issuing bank requires proprietary data or tags from an app to score and approve the transaction, it must either:
- Challenge the transaction (directly or out-of-band), which introduces friction and causes cart abandonment, or
- Require that a proprietary iOS or Android SDK be integrated into the merchant’s app, either to collect the data or to open a nearly invisible embedded browser (iFrame) session for the communication.
It is unlikely that every bank will need its own 3DS-2 SDK, but the various 3DS ACS and risk-engine vendors may each create an SDK to support their own data requirements. It would then fall to merchants, payment gateways or 3DS vendors to collect all the required SDKs and integrate them into the merchant’s app.
Since this would cause industry confusion, inflate SDK code size, create problems such as battery drain and generate excessive network overhead, an enhanced 3DS-2 distribution model is required. Otherwise, unnecessary transaction challenges and integration complications will reduce the success of 3DS-2. mSIGNIA has created a universal SDK framework, or uSDK, to let the payment ecosystem benefit from the mobile environment rather than be limited by it.
As shown in Figure 2, mConfig Manager enables a uSDK to be configured to collect any specialized data required by an issuing bank’s risk-scoring engine. mSIGNIA’s patented mConfig Manager leverages a compliant EMV 3DS browser method that keeps the same interface to the issuing bank’s risk engine, so no changes are required on the bank’s side. mSIGNIA’s uSDK supports multiple mConfig Managers, which may run as web services at various entities.
MERCHANT 3DS PAYMENTS FEATURING mSIGNIA ENHANCEMENTS
mSIGNIA provides a complete EMV 3DS merchant solution that is compliant with available payment network specifications. This environment includes the EMV 3DS Server, 3DS Requester and 3DS v1 merchant plug-in capabilities that facilitate hybrid functionality between 3DS v1 and v2.
mSIGNIA’s universal SDK, or uSDK, is mSIGNIA’s 6th-generation SDK; designed first for mobile and privacy, and certified EMV 3DS compliant for all six payment networks (i.e. Amex, Discover, JCB, Mastercard, UnionPay & Visa). The uSDK enables merchants to integrate a single SDK into their website, iOS app or Android app and support the data requirements of any issuing bank’s risk-engine… ensuring the necessary data and device tags are passed on the initial, frictionless request so more transactions are approved without bothering the consumer.
Since the merchant website or app collects the data, ensuring the user’s privacy is critical to consumer trust and to compliance with privacy law. mSIGNIA’s multi-party, remotely configurable uSDK controls which data is collected and passed, according to international privacy laws and merchant rules. The uSDK is also designed to limit the number of off-device connections a merchant’s app initiates, to control data exposure.
mSIGNIA’s EMV 3DS Server and Requester replace the 3DS v1 merchant plug-in. mSIGNIA offers a complete EMV 3DS merchant solution; alternatively, mSIGNIA’s mGateway can be integrated with other EMV 3DS compliant 3DS Servers. The merchant gateway pre-processes device and transaction data before it is sent for EMV 3DS processing. This lets the merchant control the consumer data being used and enables 3DS enhancements, including:
- mSIGNIA’s multi-factor, risk-based authentication, which can score roughly four times the data fields defined by the EMV 3DS standard to improve reliability and even recognize a user on a new device to combat account takeover
- Associated Push, which replaces SMS OTP with a more secure authentication and a better user experience
mSIGNIA’s EMV 3DS merchant solution can be run on-premise or hosted in mSIGNIA’s PCI DSS certified environment.
BANK 3DS PAYMENTS FEATURING mSIGNIA ENHANCEMENTS
mSIGNIA offers many features that an issuing bank can use to reliably improve security, so more transactions are approved as part of the bank’s EMV 3DS ACS functionality. mSIGNIA’s 3DS enhancements for issuing banks include:
mSIGNIA’s universal SDK, or uSDK, is mSIGNIA’s 6th-generation SDK; designed for mobile and privacy, and certified EMV 3DS compliant for all six payment networks (i.e. Amex, Discover, JCB, Mastercard, UnionPay & Visa). The uSDK and related configuration manager enable an issuing bank to register their data needs, including proprietary cookies or tags, so that a merchant’s app collects the required data and sends it in the initial EMV 3DS frictionless flow. Passing the required data in the initial exchange ensures more transactions are approved without challenging the consumer.
Included in the uSDK’s enhanced data exchange is a real-time, deep-scan integrity check of both the consumer’s mobile device and the merchant’s mobile app, including detection of bots and emulators. The same uSDK can be integrated into the banking app to protect it as well. When client integrity is compromised, data sent from that client carries higher risk.
As an enhancement to any vendor’s certified-compliant EMV 3DS ACS, mSIGNIA offers microservices which leverage mobile capabilities and improve risk-scoring using advanced, patent-protected data analytics; mSIGNIA’s microservices include:
- mSIGNIA’s patented Digital Biometrics can score roughly four times the data fields defined by the EMV 3DS standard to improve reliability and even recognize a user on a new device to combat account takeover.
- Associated Push, also patented, leverages the bank’s app to gather more data for risk scoring. This is useful when the merchant’s app does not have sufficient permissions to access the required data, and it even enables improved authentication in 3DS v1 hybrid transactions. Associated Push is a mobile-first design that improves the user experience and can be performed in-line with an EMV 3DS frictionless flow.
mSIGNIA’s microservices can be run on-premise or hosted in mSIGNIA’s PCI DSS certified environment.
Multi-Factor Authentication Using Digital Biometrics
Multi-factor authentication (MFA) is becoming the de facto industry standard for reducing the risks of identifying a user by password alone: identity theft, synthetic identities, account takeover and fraud. MFA historically added possession of a physical device to the user’s knowledge of a password or PIN. Mobile devices, such as iPhones, are replacing PINs with physical biometrics such as fingerprints or facial recognition. The newest form of authentication identifies a user by behavioral patterns, such as the way the user types, or by changes in collected data (such as location and connections) as the user goes about a normal daily routine.
The added security is balanced against additional user effort through risk-based authentication (RBA). RBA matches the level of authentication required to the risk of the action being taken, enabling a frictionless user experience for most actions and challenging the user only on high-risk or abnormal activity.
mSIGNIA’s iDNA platform provides a suite of patented, financial-grade, risk-based, multi-factor authentication options so that merchants can reliably recognize their customer without adding friction to the user experience. These options feature Digital Biometrics, Contextual Device Recognition and Associated Push.
mSIGNIA invented and patented the concept of a Digital Biometric; leading to Gartner recognizing mSIGNIA as a Cool Vendor in 2016 for Behavioral Analytics, Fraud Detection and User Authentication.
Digital Biometrics is a privacy-compliant authentication method that uses machine learning and data analytics to analyze the data a user adds to their device. Both the data and how it changes over time are analyzed. With nearly 1000 available attributes, Digital Biometrics analyzes enough data to provide the security equivalent of a 65-character password that changes daily, making the user profile extremely difficult to replicate. Moreover, even if a user’s data is stolen, the stolen copy will not change according to the learned user behavior, so the impostor is detected.
A Digital Biometric does not require special hardware, unlike a physical biometric (e.g. fingerprint or facial recognition); Digital Biometrics can identify a user on any device. Beyond being device agnostic, Digital Biometrics can recognize a returning user across any of their personalized devices, even a new one, because a user’s Digital Biometric data is synchronized between their devices and is included in the setup of a new device.
Digital Biometrics represents a critical first-line-of-defense in identifying users; providing features such as:
- Mobile by design: frictionless multi-factor authentication replaces the need to always enter passwords
- Designed for privacy: collects no PII and features anonymized machine learning analytics
- Analyzes about 1000 data signals, roughly four times the data scored by 3DS v2; analyzing more data approves more transactions and reduces shopping cart abandonment
- Protects against account takeover by recognizing a user across their devices and even on new devices
- Recognizes returning customers whether they shop anonymously or through another channel
- Layers with other security methods such as FIDO, mSIGNIA’s SmartNet data (analysis of network and other risk data from off the device) and Associated Push (frictionless escalation that replaces SMS OTP)
Device authentication is usually done with a key stored on the device. Its accuracy depends directly on how hard it is to copy the key off the device: if a fraudster can copy the key, the device has effectively been cloned and any security that relies on it is compromised. Contextual device recognition adds validation of data beyond the key; more data (such as geolocation) provides additional means to validate the device and detect cloning.
Since the data verified as part of mSIGNIA’s patented Digital Biometric is sourced from the device, it represents the widest possible validation of contextual device data. In addition to validating static device values such as serial numbers, validating changing data enables continuous authentication that detects malicious copying of data in an attempt to clone the device.
As an added safeguard, mSIGNIA validates the operational integrity of the device itself using App-Point Protection (described in a later section). This ensures the data being validated truly came from the device being recognized.
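The two-step check described above, as an added example that is not mSIGNIA’s code and does not use their attribute set: the server first verifies a proof of possession of the device key, then compares the context the device reports against the profile learned at enrolment. A copied key passes the first step; the weighted drift score in the second is what catches it. The device key, profile, attribute names and weights are all constructed for the example, and an HMAC stands in for the signature a real keystore-held key would produce.

```python
import hashlib
import hmac

# Constructed sample data for this example (not an mSIGNIA data set): the long-lived key a
# registered device holds in its keystore, and the contextual profile the server learned
# at enrolment. Attribute names and weights are illustrative assumptions.
DEVICE_KEY = bytes.fromhex("0f" * 32)
ENROLLED_PROFILE = {
    "model": "Pixel 7",
    "screen": "1080x2400",
    "locale": "en_US",
    "timezone": "America/Los_Angeles",
    "country": "US",
    "carrier": "MNO-A",
    "os_version": "14",
}
# How suspicious a mismatch on each attribute is. Values that legitimately drift
# (OS upgrades, roaming) weigh less than values that should never change on one device.
WEIGHTS = {"model": 4, "screen": 4, "country": 3, "locale": 2, "timezone": 2,
           "carrier": 1, "os_version": 1}
MAX_DRIFT = 5


def canonical(context: dict) -> bytes:
    """Deterministic encoding so both sides MAC the same bytes."""
    return "|".join(f"{k}={context[k]}" for k in sorted(context)).encode()


def device_sign(device_key: bytes, challenge: bytes, context: dict) -> bytes:
    """Client side: proof of key possession over the server's challenge AND the
    context the device reports. Binding the context into the MAC means a
    man-in-the-middle cannot swap in benign-looking attributes."""
    return hmac.new(device_key, challenge + b"\x00" + canonical(context),
                    hashlib.sha256).digest()


def context_drift(enrolled: dict, presented: dict) -> int:
    """Weighted count of attributes that differ from the enrolled profile."""
    return sum(WEIGHTS[k] for k in enrolled if presented.get(k) != enrolled[k])


def authenticate(device_key: bytes, enrolled: dict, challenge: bytes,
                 presented: dict, tag: bytes) -> tuple[bool, str]:
    """Server side. Step 1 proves the key; step 2 is what a copied key fails."""
    expected = device_sign(device_key, challenge, presented)
    if not hmac.compare_digest(expected, tag):
        return False, "bad device key proof"
    drift = context_drift(enrolled, presented)
    if drift > MAX_DRIFT:
        return False, f"context drift {drift} exceeds {MAX_DRIFT}: possible cloned key"
    return True, f"ok (drift {drift})"


def demo() -> dict:
    """Three constructed scenarios against one server-side challenge."""
    challenge = b"server-nonce-0001"                     # would be random per request
    genuine = dict(ENROLLED_PROFILE, os_version="15")    # legitimate OS upgrade
    cloned = dict(ENROLLED_PROFILE, model="Android SDK built for x86",
                  screen="720x1280", timezone="Europe/Berlin")  # copied key on an emulator
    genuine_tag = device_sign(DEVICE_KEY, challenge, genuine)
    return {
        "genuine": authenticate(DEVICE_KEY, ENROLLED_PROFILE, challenge, genuine, genuine_tag),
        "cloned_key": authenticate(DEVICE_KEY, ENROLLED_PROFILE, challenge, cloned,
                                   device_sign(DEVICE_KEY, challenge, cloned)),
        # attacker relays the genuine tag but edits the context in transit
        "context_tampered": authenticate(DEVICE_KEY, ENROLLED_PROFILE, challenge,
                                         dict(genuine, country="RU"), genuine_tag),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:17s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The weights encode the caveat from the text: attributes that change in normal use must not be scored as hard as ones that identify the physical device, or every OS update would look like a clone. In a production system the profile itself is updated after each accepted authentication, so the “expected” context tracks the user over time.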
Account Takeover Solutions
One of the costliest online threats is account takeover (ATO), where a fraudster typically uses a stolen password to bypass proper authentication and registers their own device to a victim’s existing account.
Many authentication methods, such as device fingerprints, identifier tags or cookies, and even physical biometrics like fingerprints and facial recognition, are of little use against ATO because those values exist only on the victim’s old device and cannot tell the legitimate owner’s new device from the fraudster’s.
Beyond the often-stolen password, a web service has few authentication methods it can use to combat ATO; these include:
- Location: validating that the new request originates from a historically familiar location
- Mobile operator: validating the SIM and account data (if the device is connected to a mobile network)
- Behavioral biometric: validating the way the user interacts with the device
- Digital Biometric: validating that the data synchronized to the new device is aligned with past data and its expected change
As shown in the figure, Digital Biometrics is a fundamental tool in combating ATO because it analyzes the most contextual data possible, giving the most accurate and safe user recognition.
Even if a fraudster could steal the data that comprises a Digital Biometric, that data would not change according to the patterns learned from data collected in the past. For example, the fraudster might be able to disable or even spoof geolocation, but mimicking all the data of a Digital Biometric is far harder. If the user is in a known location, connected to a protected WiFi network, using a recently released phone model, and the personalization data on the new device is aligned with the expected changes from the old device, then the user is reliably identified independently of the device.
With the amount of data a Digital Biometric analyzes, adding a device can even become frictionless, so that the user is not forced to enter a password, validate out-of-band or answer knowledge-based authentication questions.
Risk-Based Authentication Using Associated Push
Enables payment card issuers and 3DS providers to quickly, easily and cost-effectively integrate new EMVCo specifications into their own applications.
Standard risk-based authentication (RBA) first tries a frictionless method, such as Digital Biometrics, before escalating to methods that require the user to participate in some way. The most popular escalated authentication today is a one-time password sent via SMS (SMS OTP). However, national standards bodies warn against it: NIST SP 800-63B in the US classifies SMS OTP as a restricted authenticator.
mSIGNIA’s patented Associated Push is a designed-for-mobile RBA method that replaces SMS OTP with push notifications delivered to a registered mobile app, an out-of-band channel that NIST permits. Pushing to a mobile app improves security because the receiving app can perform multi-factor authentication (MFA, such as Digital Biometric + Contextual Device ID) to ensure the message was received by the intended user on the intended device. Associated Push also enables a range of escalated authentication options and features that improve the overall user experience. With Associated Push, it is possible to perform:
- Out-of-band authentication across two devices; this can often be invisible to the end user, by comparing the MFA done on the first device (e.g. a laptop running a browser session) with the MFA done via the app on the user’s mobile device
- Multi-party authentication, such as an issuing bank authenticating a user who is making a purchase on a merchant’s website or mobile app; Associated Push lets the third party (e.g. the bank) use its own app to gather additional data for risk analysis
- Multi-user authentication: on accounts with multiple users (e.g. husband, wife, child), users can be configured to confirm transactions made by another user (e.g. a parent confirms a child’s transaction above a threshold)
- A range of escalation options: on Android the user experience can be frictionless with Digital Biometrics; when a user event is required (as with push on iOS), supported options include a yes/no banner swipe, physical biometric confirmation, PIN, one-time password, password and knowledge-based authentication
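The push-based out-of-band exchange above, written out as an added example (not mSIGNIA’s protocol or code): the server mints a one-time challenge bound to a hash of the transaction, the app recomputes that hash from what it actually displayed to the user and returns a signed decision together with its local MFA result, and the server checks single use, expiry, signature and transaction match before approving. A symmetric key shared at enrolment stands in for the asymmetric keystore key a real app would use; the key, transaction and timestamps are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for this example: a symmetric key shared with the app at enrolment stands in
# for the asymmetric key a real app would keep in the platform keystore.
DEVICE_KEY = b"enrolled-device-key-example-0001"


def canonical(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def tx_digest(tx: dict) -> str:
    return hashlib.sha256(canonical(tx)).hexdigest()


class PushAuthServer:
    """Issuer/ACS side: mints one-time, transaction-bound challenges and checks replies."""

    def __init__(self, device_key: bytes, ttl_seconds: int = 120):
        self.key = device_key
        self.ttl = ttl_seconds
        self.pending: dict[str, dict] = {}

    def create_challenge(self, tx: dict, now: int) -> dict:
        nonce = secrets.token_hex(16)
        challenge = {"nonce": nonce, "tx_hash": tx_digest(tx), "exp": now + self.ttl}
        self.pending[nonce] = challenge
        return challenge          # delivered in the push payload alongside display details

    def verify(self, response: dict, now: int) -> tuple[bool, str]:
        challenge = self.pending.pop(response.get("nonce", ""), None)   # single use
        if challenge is None:
            return False, "unknown or already-used nonce"
        if now > challenge["exp"]:
            return False, "challenge expired"
        body = {k: v for k, v in response.items() if k != "tag"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response.get("tag", "")):
            return False, "bad signature"
        if body["tx_hash"] != challenge["tx_hash"]:
            return False, "transaction mismatch"
        if not body["mfa_passed"]:
            return False, "device MFA failed"
        if body["decision"] != "approve":
            return False, "user declined"
        return True, "approved"


def app_respond(device_key: bytes, challenge: dict, displayed_tx: dict,
                user_approved: bool, mfa_passed: bool) -> dict:
    """App side. The hash is recomputed from what the app actually displayed, so an
    approval cannot be transplanted onto a different amount or merchant."""
    body = {
        "nonce": challenge["nonce"],
        "tx_hash": tx_digest(displayed_tx),
        "decision": "approve" if user_approved else "deny",
        "mfa_passed": mfa_passed,   # result of the app's local Digital Biometric / device check
    }
    body["tag"] = hmac.new(device_key, canonical(body), hashlib.sha256).hexdigest()
    return body


def demo() -> dict:
    server = PushAuthServer(DEVICE_KEY, ttl_seconds=120)
    tx = {"merchant": "Example Shop", "amount": "49.99", "currency": "USD"}  # constructed

    c1 = server.create_challenge(tx, now=1000)
    r1 = app_respond(DEVICE_KEY, c1, tx, user_approved=True, mfa_passed=True)
    results = {"happy_path": server.verify(r1, now=1030),
               "replay": server.verify(r1, now=1031)}

    c2 = server.create_challenge(tx, now=2000)
    r2 = app_respond(DEVICE_KEY, c2, tx, True, True)
    results["expired"] = server.verify(r2, now=2200)

    c3 = server.create_challenge(tx, now=3000)
    shown = dict(tx, amount="4999.00")   # what the user saw differs from what the issuer was asked to approve
    results["amount_swapped"] = server.verify(app_respond(DEVICE_KEY, c3, shown, True, True), now=3010)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:15s} {'OK ' if ok else 'NO '} {why}")
```

Popping the nonce before any other check is deliberate: a reply that fails for any reason still consumes the challenge, so an attacker cannot retry against the same one. The `mfa_passed` field is where the second device’s own authentication result (the “MFA done via the app” in the first bullet) rides back to the server alongside the user’s decision.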
Mobile App Point Protection
mSIGNIA’s App-Point Protection (mAPP) establishes a trustworthy connection between an iOS or Android mobile device and a merchant’s website by providing:
REAL-TIME OS and APP INTEGRITY GUARDS AGAINST MALWARE and ROGUE APPS
Rogue apps are a serious mobile threat. Users are lured into downloading rogue apps by stores offering free versions of legitimate apps, malicious device resellers pre-load illegitimate software as a ‘value-added service’, and some rogue apps are even distributed by approved app stores. Regardless of how they get onto the device, rogue apps look like the real app but are designed to steal login credentials and other personal information.
Mobile malware now includes sophisticated just-in-time attacks that compromise the OS and replace a valid app with malicious code during critical security events such as password entry or financial transactions. To combat such malware, mAPP continuously monitors the OS and protected mobile apps in real time, so a web service can immediately detect an attack that jailbreaks/roots the device or steals a user’s data.
DETECTING EMULATORS, BOTS and HUMANS
With mSIGNIA, emulators and bots probing a website for information are detected: mSIGNIA blocks automated attacks against a website by using patented Digital Biometric technology to determine whether the user is human.
The same patented technology continuously challenges the device with random queries that can only be answered correctly by combining data uniquely found on the intended device. These challenge-and-response exchanges ensure that the authenticated device continues to be the one communicating with the merchant’s website; a malicious man-in-the-middle that lacks the device’s data cannot intercept the messages and answer them correctly.
CONTEXTUAL KEY CONTAINER
With patented Contextual Key Crypto, mSIGNIA uses static and changing data on the device to form cryptographic keys, an approach often grouped with white-box crypto. Machine learning and data analytics model how the data changes with the behavior of a specific user, so a far wider range of data becomes key material; attacks become much harder because the key material in use differs from user to user. Before the crypto container is unlocked and data such as keys and tokens is decrypted, device integrity and multi-factor user authentication (Digital Biometrics) are checked to ensure the data is being accessed on a safe, known device and by the proper user.
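An added example, serving both the challenge-and-response passage above and this one; it is not mSIGNIA’s implementation and the attribute set, bucket widths and salt are assumptions made for the demonstration. A container key is derived, never stored, from static device values plus changing values that are bucketed so everyday drift still yields the same key; derivation is gated on the integrity and user-authentication checks the text describes; and the derived key answers a random server challenge that a party without the same device data cannot answer. The bucketing is the simplification here: a value crossing a bucket boundary changes the key, so a production scheme needs a fuzzy extractor or a secret-sharing design with re-enrolment, and the challenge-response alone does not stop a man-in-the-middle that merely relays messages, which is why it should be bound to the TLS channel.

```python
import hashlib
import hmac

# Bucket widths for attributes that change during normal use. Constructed for this
# example; the real attribute set and how drift is modelled are not described on the page.
BUCKETS = {"installed_app_count": 25, "storage_used_gb": 10, "contacts_count": 50}


def quantize(changing: dict) -> dict:
    """Map each changing value to its bucket so everyday drift yields identical key material."""
    return {k: int(v) // BUCKETS[k] for k, v in changing.items()}


def key_material(static: dict, changing: dict) -> bytes:
    parts = [f"{k}={v}" for k, v in sorted(static.items())]
    parts += [f"{k}~{b}" for k, b in sorted(quantize(changing).items())]
    return "|".join(parts).encode()


def derive_container_key(static: dict, changing: dict, salt: bytes) -> bytes:
    """The key is never stored: it is recomputed from device data each time it is needed."""
    return hashlib.pbkdf2_hmac("sha256", key_material(static, changing), salt, 50_000, dklen=32)


def unlock_container(static: dict, changing: dict, salt: bytes,
                     integrity_ok: bool, user_ok: bool):
    """Gate derivation on the two checks the page describes: device integrity and
    multi-factor user authentication. Returns None when either fails."""
    if not (integrity_ok and user_ok):
        return None
    return derive_container_key(static, changing, salt)


def answer_challenge(container_key: bytes, challenge: bytes) -> bytes:
    """Response to a random server challenge; only a party holding the same device data
    (and therefore the same derived key) can produce it."""
    return hmac.new(container_key, challenge, hashlib.sha256).digest()


def demo() -> dict:
    static = {"model": "iPhone 14", "serial": "C7EXAMPLE0001"}          # constructed
    salt = b"per-installation-salt"                                     # constructed
    week1 = {"installed_app_count": 143, "storage_used_gb": 37.2, "contacts_count": 512}
    week2 = {"installed_app_count": 149, "storage_used_gb": 38.9, "contacts_count": 530}
    other_device = dict(static, serial="C7EXAMPLE0002")
    k1 = derive_container_key(static, week1, salt)
    k2 = derive_container_key(static, week2, salt)        # same device, a week of drift
    k3 = derive_container_key(other_device, week1, salt)  # copied changing data, other hardware
    challenge = b"random-server-challenge"
    return {
        "same_device_after_drift": k1 == k2,
        "different_device": k1 == k3,
        "locked_when_integrity_fails": unlock_container(static, week1, salt, False, True),
        "unlocked": unlock_container(static, week1, salt, True, True) == k1,
        "challenge_answer_matches": hmac.compare_digest(answer_challenge(k1, challenge),
                                                        answer_challenge(k2, challenge)),
        "imposter_answer_matches": answer_challenge(k3, challenge) == answer_challenge(k1, challenge),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28s} {value!r}")
```

The verifier in this model is whoever holds the same learned profile, which in the page’s architecture is the server-side analytics; the point the example makes is that possession of the static values alone (the `other_device` case) does not reproduce the key, and that a wrong integrity or user check short-circuits before any key material exists in memory.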