Strong Authentication in a Changing Payments Landscape
As technology advances, consumers demand new methods of making payments. However, this
demand for new technology creates an expectation for a high-quality user experience. Also, as
technology shifts, payment fraud continues to evolve and criminals have nearly unlimited avenues
of committing payment fraud both with physical cards (Card Present) and online (Card Not
Present). To combat this threat, regulatory bodies are implementing new measures to strengthen
payment processes and decrease financial losses for businesses and consumers.
Strong user verification fortifies all types of consumer interactions including service registration,
high value transactions, and mobile app sign-in. But businesses walk a fine line between providing
security and losing customers due to complicated and frustrating verification processes. To
address this dilemma, financial institutions and payment providers must carefully consider the
best method of payment verification for their business.
Phone number verification has emerged as the clear leader in payment verification technology.
Phone numbers are the ultimate user identity because people typically keep only one phone
number and use it for long periods of time. Phone number verification also provides regulatory
compliance, global reach, enhanced security, high information privacy, and a quality user
experience. By using a strong phone verification service, financial institutions and payment
providers can deliver a simple process to their customers utilizing familiar technology that
increases payment completion rates.
An Evolving Technology Environment

Consumers Are Changing How They Pay

With the global dissemination of technology, end customers now demand new ways of paying for goods and services. In 2014, 22% of all mobile phone owners reported having made a mobile payment.[i] Digital wallets such as Apple Pay, Google Wallet, and Bitcoin wallets gain traction both online and with brick-and-mortar retailers. Bitcoin trading alone rose from $15 billion to $23 billion in 2014, with active wallets increasing to 7.95
Applications such as Venmo even enable users to send money with a simple text message. Payment provider Alipay handles more than 80 million daily transactions and is transforming Chinese consumer behavior. Combined with online retail titan Alibaba, Alipay enables consumers to easily purchase international and domestic goods through a single portal that only transfers money upon item delivery. These new developments in payment technology have forced retailers and financial institutions to reconsider how they allow consumers to pay as the next wave of technology innovation approaches.

[Figure: % of mobile phone owners making at least one mobile payment. Source: Federal Reserve]

As payment technology changes, payment-related crime also changes. Criminals worldwide skillfully utilize a variety of techniques to steal from ill-equipped users and businesses.
▪▪ Loading iPhone 6s with stolen information and exploiting the lack of strong user authentication or physical card requirements.[v] With Apple Pay, consumers do not provide any personally identifiable information or verify using dynamic knowledge-based questions, which makes digital wallets a tempting target for identity thieves.
▪▪ Accessing Bitcoin servers and wallets using stolen credentials and trading large amounts of Bitcoins, which cannot be reversed.[vi]
▪▪ Transferring money online using stolen bank account information. Criminals often obtain this information through device malware, website impersonation, or phishing and use it to bring devastating losses to the consumer.[vii]
▪▪ Buying merchandise from online or physical retailers using a stolen credit card.[viii]

Strong Verification Has Become a Necessity

User Experience Matters

Offering a compelling product or service is only the first step. In 2015, 66% of mobile users regularly abandon their purchase during payment and 63% of these lost purchasers likely will not return, even by non-mobile channels.[iii] Poor user experiences in the United Kingdom (UK) result in a staggering yearly loss of £1.73 billion because businesses have not made an effort to design user-friendly processes.[iv] With an increasingly wide range of available purchasing options, payment providers and financial institutions need to carefully examine their payment processes to capture sales instead of letting them slip away. Consumers want simple and intuitive payment methods that integrate with their daily life. Businesses delivering a great user experience will be poised to surpass competitors as payment technology evolves.

Account Takeover is Rampant

Pan-EU statistics indicate that internet card payment fraud in 2012 created €794 million in losses (up by 21.2% from the previous year).[ix] Overall, payment card fraud brings an astounding €1.5 billion of yearly income to organized EU crime groups, which then funds other criminal activities. With an increase in e-commerce, online banking, and mobile purchases, cyber criminals continually develop new methods of identity theft, forcing businesses to implement improved identity verification techniques.

Payment fraud comes in many different forms and is typically categorized into Card Present (CP) theft and Card Not Present (CNP) theft. Whereas ATM withdrawals or in-person card purchases require a physical card, online payments and digital wallet solutions do not necessitate a card being present. For example, criminals use “spoofing” to steal user information by creating fake websites posing as legitimate online retailers or institutions. Once a victim enters sensitive information the criminal begins completing online payments or other Card Not Present

Unlike payment cards where the financial institution, payment provider, or merchant assumes financial liability, online cryptocurrencies have a separate standard. Virtual currencies such as Bitcoin place onus on both the user and the online wallet or Bitcoin Exchange to ensure no fraud occurs. Bitcoin wallet holders face incredible risk because all Bitcoin payments are considered “push” payments and irrevocable once completed, fraudulent or not.[x] Online wallets or Bitcoin exchanges may partially or fully reimburse wallet holders if their accounts are hacked, but there is no guarantee, as this is not regulated. This makes it critical for online wallets and exchanges to implement strong authentication to verify users and transactions.

A Shift in Regulations

In December 2014, the European Banking Authority (EBA) published a set of guidelines designed to ensure more secure online payments throughout the European
include stipulations for two-factor user authentication, reporting, and traceability, with a required implementation deadline of August 2015. Because payment fraud is not confined by geography, many anticipate other countries adopting similar regulatory standards for payment providers and financial institutions in the near future.

For example, in 2011 the Federal Financial Institutions Examination Council (FFIEC) published a document stipulating the measures to be taken in order to combat the evolving threat of online fraud.[xii] One such recommendation was to leverage out-of-band verification
Out-of-band verification is a type of two-factor authentication that typically uses both system credentials and a PIN, which are delivered through separate networks (e.g., a computer and a mobile phone) to verify user identity. This provides an extra layer of security if a single piece of a consumer’s identity is compromised.

In 2013, the Monetary Authority of Singapore (MAS) also released a set of guidelines to help mitigate the technology risk financial institutions face today. The MAS strongly recommends adopting two-factor authentication during login for all types of online financial systems and
This places financial institutions under enormous scrutiny as both regulatory bodies and consumers are seeking ways to make secure payments. Two-factor authentication has become the standard for good security.

United States law clearly assigns financial liability in the event of payment fraud. Often the financial institution will assume the burden and cardholders are always protected from unauthorized card transactions. However, with an increase in Card Not Present (CNP) fraud, the burden lands upon the merchant to verify the consumer’s identity.[xv] CNP fraud can be a huge expense for retailers, especially when combined with high capital expenses from upgrading technology. There is also risk of poor user experiences as their end customers adjust to the new security steps. Businesses seeking to stay ahead of the curve must proactively seek ways to implement compliant payment processes.

How Verification Helps

Strong user verification allows financial institutions and payment providers to prevent fraud by ensuring the virtual account creator corresponds to a real user. This helps reduce false account creation that takes advantage of stolen identities.

Service Login (Optional)

Many times the user can choose to provide additional user verification with each login. This ensures their accounts are well protected by two-factor authentication.

Unidentified Devices or Suspicious Log In Attempts

User verification can be triggered to provide an additional layer of protection when unusual activity is detected during account access attempts. Many times fraudsters will try to log in to accounts through unrecognized devices or through an IP address that is inconsistent with a

High Value Transactions

Financial institutions are being encouraged to implement user identification, especially for high value transactions. Fraudsters move quickly before the real user recognizes their identity has been stolen. Strong user verification during any high value transaction ensures against a large financial loss for all parties.

Manual Review Replacement

Strong authentication measures reduce the time spent manually reviewing suspicious user activity. By implementing user and payment verification processes, businesses can automate these manual reviews and focus on other business-critical tasks.

Mobile Application Sign-in

Most financial institutions and payment providers have mobile applications. Consumers can now perform the same functions they would online, but with easily stolen portable devices. The increase in mobile transactions accompanies a need for strong user verification. Having an out-of-band authentication solution provides protection against fraudulent users with a stolen mobile device and credentials.
Payment Verification Can Take Many Forms

Modern companies use a variety of methods to verify customer identity but no method is foolproof. The EBA defines “strong two-factor authentication” as the use of two or more of the following:[xvi]

Something a user knows: User Name, Password, Security Questions, Social Security Number, Address, PIN, Email
Something a user has: Mobile Phone, Security Device, ID Card, Authentication App, Soft Token, Email
Something a user is: Fingerprint, Retina Scan, Biometric

EMV Card Enhancements

Standard credit card and debit card verification methods are no longer sufficient. After stealing a physical card, thieves face limited safeguards preventing them from causing financial damage to the consumer and financial institution. To this end, card issuers developed Express-Mastercard-Visa (EMV) technology which creates unique transaction codes to thwart unauthorized card usage. Europe has readily accepted EMV cards and many anticipate the United States will implement EMV technology soon. But widespread adoption takes time and criminals are shifting their attention to the promising frontier of CNP fraud and digital payments.[xvii]
As CNP fraud increases due to the rise in online payments, financial institutions and payment
providers seek ways to improve online card transactions. 3D Secure verifies user identity with an
additional layer of security outside of the normal payment process. First, the consumer creates
a 3D Secure password associated with their payment card. Upon purchase, they are required to
provide this password within a separate website outside the normal payment portal. Credit card
companies such as Visa and MasterCard have already implemented this method of verification
with their Verified by Visa and MasterCard Secure programs.
However, these programs have significant disadvantages because merchants must purchase a
Merchant Plug-in (MPI) in order to connect with Visa or MasterCard’s secure servers. These MPIs
ensure the merchant does not obtain the 3D Secure password, which reduces their liability in the
event of data breaches. But there is an increased risk of phishing attacks because cardholders see
their browser connect to unfamiliar domains as a result of the MPI implementations. Criminals
posing as legitimate businesses to steal user information can leverage this weakness by taking
advantage of unrecognized browser redirections.
Additionally, while 3D Secure reduces fraud, it provides an exceptionally poor user experience. The
consumer must remember yet another password and often chooses to simply abandon the sale
instead of spending additional time.[xviii] This leads to a decline in sales conversion and lack of 3D
Knowledge Based Authentication
Many institutions combat fraud by requiring Knowledge Based Authentication (KBA), which
leverages something a user knows, either by static or dynamic questions. Static questions are
provided upon registration and should have an answer that is not easily guessable or researched.
These questions are often things like “what was the name of your first pet?” or “who was your
favorite teacher?” Dynamic questions are not provided in advance, but rather created in real-time
to guard against weak questions or well-prepared fraudsters. Good questions should meet
these criteria:[xix]
1. Appropriate for a large segment of the population
2. Easily remembered
3. Have only one correct answer
4. Not easily guessed or researched
Although static KBA is often effective in deterring fraudulent activity, it is becoming increasingly
less effective with the growth of the Internet.[xx] Especially with well-known members of society,
privacy is reduced and the answers for many security questions are easily found through online
searches. This occurred in 2008 when Presidential Candidate Sarah Palin’s email account was
hacked simply by guessing her security questions.[xxi]
Dynamic KBA typically relies on public records, credit reports, or compiled marketing data to
generate user-specific questions in real-time. While this method is considered more secure than
static KBA, it faces different challenges. Canada and many European countries are closing their
public records for commercial use because consumers often feel the public record searches
invade their privacy. This strong consumer perception threatens to limit the lifespan of dynamic
Many companies are beginning to adopt new methods of user verification due to the increase
in device capabilities and lack of confidence in traditional passwords. To this end financial
institutions and payment providers are using both voice and fingerprint identification to verify
payments and other transactions. Apple Pay adopted Fingerprint identification for the iPhone
6 and recent tablets, enabling consumers to pay for goods and services using Near Field
Communications (NFC) and simply tapping their phone on a reader.[xxiii]
Financial institutions are
also implementing voice recognition as a method of verifying users. The consumer is requested
to provide a short voice sample at registration, which is then compared to their voice upon
This has become an increasingly attractive option as phone technology and
sound quality has advanced greatly in recent years.
However, there are downsides to both methods of biometric identification.[xxv]
fingerprints are uniquely identifiable, fingerprint readers are easily baffled. Hand injuries, calluses,
lotions, dirt, or water can interfere with the reader’s technology and prevent access without
cause. Many companies also distrust fingerprint scanners because the scan occurs on the user’s
device instead of on their internally controlled technology. Voice identification solves many of the
problems with fingerprint scanning but shares the difficulty of interference. Background noise
prevents a good voice sampling, sickness or other voice-related illnesses affect how the user
speaks, and high quality recordings can fool even the most sophisticated systems.[xxvi]
Failed logins create a poor user experience for the consumer and lead to higher rates of payment
abandonment. Additionally, biometric identification has evolved, but does not have widespread
adoption. Very few phones have the capability for fingerprint identification and implementing
voice identification is often cost prohibitive to many businesses.
Phone Number Verification
Phone numbers have become the ultimate user identity. Many consumers possess multiple email
accounts, social media profiles, and mobile devices, but typically only one phone number that
is retained for years or decades. Phone number payment verification leverages SMS and voice
technology to send a unique response request (typically a PIN number) that customers must
verify before the payment completes. Unlike biometric identification, nearly any mobile phone can
receive SMS messages and the process requires no memorization. Phone verification also reduces
implementation costs because consumers already have phones and the business buys no physical
hardware. Lastly, phone verification does not lower payment conversions because consumers are
never directed to another website and the entire process is completed within seconds.
Phone Number Verification Has Emerged as a
With the problems inherent to EMV technology, 3D Secure, KBA, and biometrics, phone number
verification leads the way in payment security and fraud avoidance.
Phone number verification can be combined with traditional password-based logins (something
a user has + something a user knows) to meet requirements imposed by governing bodies. Many
Financial institutions, online services, and payment providers have already begun implementing
phone number payment verification. Large banks such as HSBC recognize the importance of
using a solution that is proven to work and smaller credit unions such as Seattle Metropolitan
Credit Union are following closely after this trend. Google email also provides optional phone
verification for users seeking to protect their important digital information.
Today, large geographical regions cannot employ several payment verification options. The
United States has not yet widely accepted EMV card enhancements and the majority of
consumers lack high performance smart phones needed for biometric identification. Phone
number verification allows businesses to verify payments across the globe with readily available
technology. Payment solutions do not need to choose between reliability, performance, and scope
when verifying payments.
Phone number verification allows passcode information out-of-band from the original application,
providing additional security compared to a social login or an email-based login. Phone numbers
are also inherently difficult to fake, unlike social media profiles or email addresses, because
carriers typically verify their customers and virtual numbers that are favored by criminals can be
Third-parties and merchants do not receive any data beyond the required transaction information.
Whereas knowledge based authentication (KBA) necessitates additional information beyond
payment details, phone number verification does not. This removes any potential accusation
of privacy invasion and removes liability for businesses because they do not obtain sensitive
customer data, which can be stolen.
Consumers discard 25% of apps after a single day, many times because of an overly complicated
Phone number verification allows companies to tightly control the user
experience. Instead of relying on a third-party service, the financial institution or payment
provider remains in control of the web or mobile interface to ensure a seamless login and
Phone number verification provides a simple and intuitive payment process leveraging
familiar phone technologies. It helps any business provide consumers with a user-friendly and
straightforward way to verify payments almost anywhere in the world.
How Verification Works

First the phone number is provided to the financial institution or payment provider upon
registration. The consumer then receives a unique PIN number either by SMS or voice that they
must confirm within the application. This associates their account with a physical number that the
business can now use to confirm future payments.

After a consumer has registered, they can now log in to the website or application with their
established credentials. Once a customer desires to make a purchase or payment transaction, a
transaction-specific PIN number is sent to their phone either by SMS text or Text To Speech. This
PIN code is then entered into the business’ application. Once the PIN is confirmed, the transaction
is complete and payment can take place.
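The registration and transaction-specific PIN flow just described, written out as an added Python example that is not code from the whitepaper, Nexmo or The Spur Group; it also models the out-of-band verification defined in the regulations section, where the PIN travels over a different network than the login. The class and method names, the HMAC-based storage of PIN digests, the two-minute validity window and the three-attempt limit are assumptions chosen for the example, and the SMS channel is an injected callback so that nothing is actually sent.

```python
"""Transaction-bound one-time PIN flow for out-of-band payment verification.

Added illustration only. PinVerifier, the HMAC storage scheme, the TTL and the
attempt limit are assumptions, not a description of any vendor's API.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_LENGTH = 6          # digits in the one-time PIN sent to the phone
PIN_TTL_SECONDS = 120   # a code is only useful for a short window
MAX_ATTEMPTS = 3        # wrong guesses before the challenge is locked


@dataclass
class Challenge:
    """Server-side record of one outstanding PIN; the PIN itself is never stored."""
    user_id: str
    txn_id: str
    amount_cents: int
    pin_hmac: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


class PinVerifier:
    def __init__(self, server_key: bytes, send_sms, clock=time.time):
        self._key = server_key        # secret that keeps stored PIN digests unguessable
        self._send_sms = send_sms     # delivery callback: send_sms(phone, text)
        self._clock = clock           # injectable so expiry can be tested offline
        self._phones = {}             # user_id -> phone number given at registration
        self._challenges = {}         # txn_id -> Challenge

    def register_phone(self, user_id: str, phone: str) -> None:
        """Registration step: associate the account with a phone number."""
        self._phones[user_id] = phone

    def _mac(self, user_id: str, txn_id: str, amount_cents: int, pin: str) -> bytes:
        # Bind the PIN to the user, transaction and amount, so a code issued for
        # one payment is useless for a different user, transaction or amount.
        msg = f"{user_id}|{txn_id}|{amount_cents}|{pin}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start_transaction(self, user_id: str, txn_id: str, amount_cents: int) -> bool:
        """Generate a transaction-specific PIN and deliver it out-of-band."""
        phone = self._phones.get(user_id)
        if phone is None:
            return False
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_LENGTH))
        self._challenges[txn_id] = Challenge(
            user_id, txn_id, amount_cents,
            self._mac(user_id, txn_id, amount_cents, pin),
            self._clock() + PIN_TTL_SECONDS,
        )
        self._send_sms(phone, f"Code {pin} approves payment {txn_id} "
                              f"of {amount_cents / 100:.2f}. Do not share it.")
        return True

    def verify(self, user_id: str, txn_id: str, amount_cents: int, pin: str) -> str:
        """Check the PIN the customer typed into the application."""
        ch = self._challenges.get(txn_id)
        if ch is None or ch.user_id != user_id:
            return "unknown"
        if ch.used:
            return "already-used"       # one PIN approves exactly one payment
        if self._clock() > ch.expires_at:
            del self._challenges[txn_id]
            return "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return "locked"             # stops online guessing of a 6-digit code
        ch.attempts += 1
        expected = self._mac(user_id, txn_id, amount_cents, pin)
        if hmac.compare_digest(expected, ch.pin_hmac):   # constant-time compare
            ch.used = True
            return "approved"
        return "invalid"


if __name__ == "__main__":
    # Constructed walk-through: the "SMS" channel just records what would be sent.
    sent = []
    verifier = PinVerifier(b"constructed-server-key",
                           lambda phone, text: sent.append((phone, text)))
    verifier.register_phone("alice", "+15550100")         # registration step
    verifier.start_transaction("alice", "txn-42", 12999)  # purchase of 129.99
    phone, text = sent[-1]
    print(f"Would send to {phone}: {text}")
    pin = text.split()[1]                                 # what the customer types in
    print(verifier.verify("alice", "txn-42", 12999, pin))
```

In a deployment the challenge table would live in a shared store with the same expiry, the send callback would call the SMS or text-to-speech provider, and issuance itself would be rate-limited per phone number; the part worth copying is that the server keeps only a keyed digest bound to the transaction, compares it in constant time, and retires the code after one use or a handful of failures.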
Factors for Success

Not all phone verification services are created equal. If you are ready to implement strong
authentication for payments, look for these seven best practices in a third-party service:

1. Reliably deliver PIN codes to
   Being able to reliably deliver PIN codes globally is critical. Select a vendor with global reach
   and direct connections to carriers. In case SMS delivery fails, must automatically failover to
   voice to ensure timely

2. Comply with global carrier and
   Verifying international numbers with SMS and voice requires companies to adhere to many
   regulations that vary from country to country and carrier to carrier.

3. Distinguish between mobile phone and landline numbers
   Phone number patterns and logic vary between countries. Some countries clearly distinguish
   landlines and mobile phones, but in some other countries there remains overlap.

4. Ensure security
   Quality phone number verification providers secure their system against fraudsters by
   detecting and blocking virtual numbers.

5. Provide a localized user experience
   Phone verification messages need to be targeted. This includes country-specific or
   region-specific language, format, and tone.

6. Align their goals with
   Increased costs accompany an increase in conversion rates, if this process is implemented
   in house. Look for solutions that charge only for

7. Measure performance and provide
   Success requires insight and analytics to see what drives conversions and what does not.
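An added Python example, not the whitepaper's or Nexmo's own code, that exercises three of the practices above in one delivery step: refusing virtual numbers before a PIN is sent, skipping SMS for landlines and failing over from SMS to a voice call when the SMS attempt fails, and counting outcomes per channel for the analytics the last practice asks for. The NUMBER_TYPES table is a constructed stand-in for a carrier number-type lookup, the phone numbers in it are reserved test-style values, and the SMS and voice channels are injected callbacks, so the code runs offline.

```python
"""PIN delivery with number-type screening, SMS-to-voice failover and metrics.

Added illustration only. NUMBER_TYPES stands in for a real carrier lookup
service and is constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed lookup results; a real service would query the carrier for the type.
NUMBER_TYPES = {
    "+15550100": "mobile",
    "+15550101": "landline",
    "+15550102": "virtual",       # VoIP / disposable number
    "+447700900123": "mobile",
}
BLOCKED_TYPES = {"virtual"}       # types that never receive a verification PIN


@dataclass
class DeliveryResult:
    phone: str
    channel: str                  # "sms", "voice" or "none"
    status: str                   # "delivered", "blocked" or "failed"
    attempts: list = field(default_factory=list)   # audit trail of what was tried


class PinDispatcher:
    def __init__(self, send_sms, place_call, lookup=NUMBER_TYPES.get):
        # send_sms(phone, text) -> bool and place_call(phone, spoken) -> bool are
        # the provider channels; both are injected so the logic is testable offline.
        self._send_sms = send_sms
        self._place_call = place_call
        self._lookup = lookup
        self.metrics = {"blocked": 0, "sms": 0, "voice": 0, "failed": 0}

    def deliver(self, phone: str, pin: str) -> DeliveryResult:
        result = DeliveryResult(phone, "none", "failed")
        ntype = self._lookup(phone)
        if ntype is None or ntype in BLOCKED_TYPES:
            # Policy choice for this example: an unknown type is treated like a
            # virtual number and refused rather than guessed at.
            result.status = "blocked"
            result.attempts.append(f"lookup:{ntype or 'unknown'}")
            self.metrics["blocked"] += 1
            return result
        if ntype == "mobile":
            # Only mobiles get the SMS attempt; a landline cannot receive it.
            if self._send_sms(phone, f"Your verification code is {pin}"):
                result.channel, result.status = "sms", "delivered"
                result.attempts.append("sms:delivered")
                self.metrics["sms"] += 1
                return result
            result.attempts.append("sms:failed")
        # Automatic failover to voice: spell the digits out for text-to-speech.
        if self._place_call(phone, " ".join(pin)):
            result.channel, result.status = "voice", "delivered"
            result.attempts.append("voice:delivered")
            self.metrics["voice"] += 1
            return result
        result.attempts.append("voice:failed")
        self.metrics["failed"] += 1
        return result


if __name__ == "__main__":
    # Constructed channels: SMS is rejected for one number to show the failover.
    def fake_sms(phone, text):
        return phone != "+447700900123"

    def fake_call(phone, spoken):
        return True

    dispatcher = PinDispatcher(fake_sms, fake_call)
    for number in NUMBER_TYPES:
        print(dispatcher.deliver(number, "123456"))
    print(dispatcher.metrics)
```

The metrics dictionary is deliberately coarse; what matters for conversion analysis is that every outcome, including a refused number, is recorded with the channel that produced it, so that SMS failure rates per country or carrier can be compared against voice.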
About The Spur Group
The Spur Group delivers business results that
matter. We provide the thought partnership,
business insight or extra bandwidth you need
to be more successful. Make better decisions,
realize your objectives, tell your story, leverage
your channel and strengthen your staff with
The Spur Group.
We can help you make your next project more
successful. Our expertise includes developing
partner programs for Microsoft and Dell,
managing messaging and partner conferences
for Cisco and Juniper Networks, and providing
recruitment insight and strategies.
Nexmo provides innovative communication
APIs that bridge traditional voice and text
services with cloud communications. Nexmo
enables applications and enterprises to make
phone calls, send and receive text messages,
and verify phone numbers with ease to
improve user experiences, no matter where in
the world customers are located.
High-volume communication companies such
as Alibaba, Airbnb, Line and Viber send millions
of messages per month using Nexmo APIs.