Editor’s Note: This is a guest post by Seth Ruden, a Certified Fraud Examiner and Certified Anti-Money Laundering Specialist who has been working with banks and their compliance departments in the detection and mitigation of financial crimes since 2004. He has also worked with Law Enforcement, Regulators, Executives and Analysts in consulting positions beyond the United States, extending to financial services organizations in Asia, the Middle East and North and South America.
Q: How might Virtual Reality (VR) and Augmented Reality (AR) authentication actually manifest in a payments scenario?
A: As VR and AR technologies cross the threshold from innovation to maturation, they have the potential to shake up both the customer experience and the broader retail industry as we know it.
Notably, VR and AR are prime mechanisms for enabling a wider range of payment authenticators that can be deployed in constant rotation to confuse possible fraudsters. For example, the end-user might anticipate a retina scan to confirm their identity and the validity of the payment, only to be prompted with a voiceprint or a hand motion instead.
The concept of ‘adaptive authentication’ is especially well suited to cases where an authenticator is prompted because an anomaly is detected, such as a high-profile/high-risk transaction, the addition of a new demographic element, or an account change to email address and/or phone number details.
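The step-up logic described above, as an added example that is not part of the original post: risk signals drive whether a prompt is required at all, and the strong authenticator is drawn unpredictably from a pool so that the end-user cannot assume which one comes next. The authenticator names, the risk threshold and the `TransactionContext` fields are assumptions made for this illustration, not any vendor's API.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical authenticator pool (constructed for the example, not a product catalogue).
STRONG_AUTHENTICATORS = ("retina_scan", "voiceprint", "hand_gesture")

# Constructed threshold above which a transaction counts as high-risk.
HIGH_RISK_AMOUNT = 500.0


@dataclass
class TransactionContext:
    """What the policy engine knows about the transaction and the session."""
    amount: float
    new_device: bool = False
    contact_details_changed: bool = False   # email or phone number changed on the account
    profile_changed: bool = False           # a new demographic element was added
    recent_prompts: list = field(default_factory=list)  # authenticators shown this session


def risk_signals(ctx):
    """Return the anomaly signals present in this transaction, in a fixed order."""
    signals = []
    if ctx.amount >= HIGH_RISK_AMOUNT:
        signals.append("high_value")
    if ctx.new_device:
        signals.append("new_device")
    if ctx.contact_details_changed:
        signals.append("contact_change")
    if ctx.profile_changed:
        signals.append("profile_change")
    return signals


def choose_authenticator(ctx):
    """Pick the authenticator to prompt for, or None when no step-up is required.

    The choice is made with secrets.choice, so it is not predictable, and the
    authenticator used most recently in this session is excluded so that the
    prompt rotates rather than repeating.
    """
    if not risk_signals(ctx):
        return None
    candidates = [a for a in STRONG_AUTHENTICATORS if a not in ctx.recent_prompts[-1:]]
    chosen = secrets.choice(candidates)
    ctx.recent_prompts.append(chosen)
    return chosen


if __name__ == "__main__":
    low = TransactionContext(amount=20.0)
    print("low-value purchase ->", choose_authenticator(low))
    risky = TransactionContext(amount=900.0, contact_details_changed=True)
    print("signals:", risk_signals(risky))
    print("first prompt:", choose_authenticator(risky))
    print("second prompt:", choose_authenticator(risky))
```

The signal list, not the authenticator, is what belongs in the audit log: it records why the customer was challenged, which is the evidence a fraud analyst needs when reviewing a disputed transaction.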
Q: What are some of the drivers behind traditional authentication mechanisms (such as passwords) being rendered less secure?
A: Several reasons exist for why the username and password combination is weak.
Passwords are typically reused by users across sites, and fraudsters know this. In a data breach scenario, it is typical for an attacker attempting an account takeover to try the compromised passwords already in their archives first. Fraudsters have found this to be a consistently successful approach to gaining access.
In many cases, passwords can be “brute forced” by attacker tools if the site allows it. Further, passwords can be weak and easy to guess.
Given that passwords are one of the weakest authentication mechanisms that we have in inventory, it is of little surprise that this particular authentication technology is in decline.
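The two weaknesses above, reuse of breached passwords and brute forcing where the site allows it, each have a standard site-side mitigation. As an added example (not code from the original post), the block below rejects a new password that appears in a breach corpus and throttles repeated login failures with a lockout window. The breach corpus and the user record are constructed for the example; the `clock` parameter is there so the lockout can be exercised deterministically.

```python
import hashlib
import time
from collections import defaultdict

# Constructed breach corpus: SHA-1 digests of passwords seen in past leaks.
# A real deployment would query a much larger list; the hashing keeps the
# plaintexts out of the comparison set.
BREACHED_PASSWORD_HASHES = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein")
}


def is_breached(password):
    """True when the candidate password appears in the breach corpus."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_PASSWORD_HASHES


class LoginThrottle:
    """Per-account failure counter with a fixed lockout window.

    This is what "if the site allows it" refers to: after max_failures wrong
    guesses the account cannot be tried again until the window has passed.
    """

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def allowed(self, username):
        until = self._locked_until.get(username)
        return until is None or self.clock() >= until

    def record_failure(self, username):
        self._failures[username] += 1
        if self._failures[username] >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            self._failures[username] = 0

    def record_success(self, username):
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def attempt_login(throttle, username, password, verify):
    """Return 'locked', 'ok' or 'failed'; verify(username, password) is the credential check."""
    if not throttle.allowed(username):
        return "locked"
    if verify(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "failed"


if __name__ == "__main__":
    print("'password' breached:", is_breached("password"))
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60)
    users = {"alice": "correct horse battery staple"}  # constructed; store hashes in practice
    check = lambda u, p: users.get(u) == p
    for guess in ("123456", "qwerty", "letmein", "correct horse battery staple"):
        print(guess, "->", attempt_login(throttle, "alice", guess, check))
```

The fourth attempt in the demo is the correct password, yet it returns `locked`: once the window is open, even a valid credential is refused until it expires, which is exactly the property that makes automated guessing uneconomic.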
Q: What techniques should consumers and gaming companies consider to safeguard private data transferred over AR and VR devices?
A: There are three types of transaction controls that should be evaluated by gaming services providers, especially given that the industry has emerged as a favorite target for fraudsters over the last decade. The ‘buy in-game’ transaction method has only strengthened this trend:
- Point-to-Point Encryption uses a combination of hardware, software and processes to encrypt credit card data in transit between the initial point of interaction and the destination. This is achieved by transforming plain-text information into a non-readable form called ciphertext using an algorithm that prevents deciphering by unauthorized parties who do not hold the decryption key. Any organization or merchant that accepts, transmits or stores cardholder information must comply with the Payment Card Industry Data Security Standard. Newer order-preserving, format-preserving and searchable encryption schemes are among the techniques making it easier for businesses to protect sensitive information without damaging the application’s functionality for the end-user.
- Tokenization is another effective data-scrambling technique that is used in tandem with, or in place of, encryption to secure the end-to-end process. This is common in mobile wallets such as Apple Pay and Samsung Pay. The process masks plain text containing sensitive information by replacing it with non-sensitive data, referred to as a ‘token.’ This random value has no discernible meaning, and the mapping needed to convert it back to the original information is usually stored in a separate location. Successful data exchange requires direct access to the vault that maps token values. Unlike encrypted data, there is no way for fraudsters to ‘convert’ tokenized data back into the original data without that vault. As enterprise data is moved over to cloud storage technology, encryption and tokenization are being used together on a more frequent basis.
- 3DSecure is an authentication standard used by commercial credit card issuers and eCommerce merchants accepting card-not-present payments. 3DSecure covers the cardholder, the merchant and the system operator by prompting buyers for a one-time PIN or password when making a purchase to protect against fraud risk in the event of an illicit transaction dispute.
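The tokenization property described in the list above (a token carries no information about the card, and only the vault can map it back) as an added example that is not part of the original post or any wallet provider's code. The vault is an in-memory dictionary here so the example runs offline; in practice it is a segregated, access-controlled service. The sample card number is a well-known test number, and the list of callers allowed to detokenize is constructed for the example.

```python
import secrets

# Constructed: only the payment processor role may turn tokens back into card numbers.
AUTHORIZED_CALLERS = {"payment_processor"}


def luhn_valid(digits):
    """Luhn check-digit test; real card numbers pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only mapping between tokens and primary account numbers (PANs)."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan):
        """Return a 16-digit token for the PAN; the same card always gets the same token."""
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # 12 random digits plus the real last four, so receipts can still
            # show "**** 1111". The token is rejected if it collides with an
            # existing token, equals the PAN, or happens to pass the Luhn check,
            # so it can never be mistaken for (or used as) a card number.
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if token not in self._token_to_pan and token != pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token, caller):
        """Map a token back to its PAN; refused for callers outside the authorized set."""
        if caller not in AUTHORIZED_CALLERS:
            raise PermissionError(f"{caller} is not authorized to detokenize")
        return self._token_to_pan[token]


def store_order(order_db, order_id, pan, vault):
    """Merchant-side persistence: only the token is written, never the PAN."""
    order_db[order_id] = {"card": vault.tokenize(pan)}
    return order_db[order_id]["card"]


if __name__ == "__main__":
    vault = TokenVault()
    orders = {}
    token = store_order(orders, "order-1", "4111111111111111", vault)  # constructed test PAN
    print("merchant stores:", orders)
    print("processor recovers:", vault.detokenize(token, "payment_processor"))
    try:
        vault.detokenize(token, "merchant_web_app")
    except PermissionError as exc:
        print("merchant cannot recover:", exc)
```

If the merchant's order database is exposed, the attacker obtains tokens that carry no card data and cannot be resolved without the vault's authorization boundary, which is the separation the page describes.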
Q: What criteria should financial institutions and other businesses consider when selecting third parties to assist with AR and VR integration?
A: Several criteria should be assessed, including but not limited to:
- Location of the biometric in storage. How easily can the identifier, or identifying technology, be compromised by a third party?
- Ability to change the authenticator in agile fashion. How fast can an authenticating mechanism change from fingerprint to retina scan, based on other variables such as location, time of day and frequency of use?
- The lifecycle of the authenticator is also significant. How long should an authenticator be used before it is considered obsolete due to compromises or a decline in performance?
Q: How might the introduction of AR/VR technology as a payments authenticator generate more business within entertainment industries such as online gaming?
A: Any opportunity to reduce friction in the customer authentication experience is a positive one. This is the most critical element in conversion, with high-friction access points carrying higher potential to interrupt the consumer’s gameplay and/or shopping cart experience.
In “passive” authentication, this experience is made transparent, or more immersive, to the end-user by issuing painless and rapidly enabled authenticators. These provide the customer with instant information in a user-friendly format that results in faster decision-making and increased sales. Such gains have already been documented in the experience-centric real estate and tourism industries.
VR and AR might have their origins in gaming, but each passing day reveals a new use case for the new technology as developers face growing demand for enhanced, unique experiences in an age of consumerism. Strong two-factor authentication will soon be the new normal. As part of this evolving process, “who you are” will only be one component, with a second factor placed on the front end of the session, a password, PIN or one-time code for example. Prioritizing security is one way to increase conversion rate and maintain a low-impact authentication process.
Q: What needs/challenges does the introduction of VR present for financial institutions and merchant IT departments?
A: While VR and AR present opportunities to enhance and secure the customer engagement experience, the full breadth of use cases has not quite been defined yet. There is still much to be done to encourage investment in the technology as a payments authenticator that integrates within other company operations. This is an indication of the early stages we’re in, but only illustrates one pillar of the development challenge.
Significant challenges also exist in the technology’s ability to ingest large volumes of new information, which requires new hardware to reach the market, ubiquity among different providers, and the introduction of software development kits (SDKs) that let the software speak to the hardware and APIs that connect it to applications. Taking inventory of the authentication elements available, the limited number of vendors active in the space and their need to scale up to meet demand are further considerations to account for.
We are still in the theoretical and prototype stages of rolling out this technology. While the above considerations put several hurdles in front of us, we are confident that AR and VR as transaction authenticators will come to market at an accelerated pace over time.
This is a guest post not produced by the UploadVR staff. No compensation was exchanged for the creation of this content.