Fraud has always been a nightmare for its victims, but the ways of committing this kind of theft are becoming more alarming: a person can now be compromised through online access and information, and in rare cases the theft cannot easily be traced back.
Adapting to the current pandemic situation across the globe, people have been relying on online purchases, online banking and online Visa or Mastercard payments to buy whatever they want and need. A common feature of these transactions is the second Payment Services Directive (PSD2), which requires strong customer authentication (SCA). It does its job fairly well, adding another layer of protection for users and businesses, but it can be quite expensive, which leads some merchants not to implement it effectively. Another fact to note is that not all SCA methods are immune to fraud.
PSD2 REQUIREMENTS FOR STRONG CUSTOMER AUTHENTICATION
PSD2's SCA requirements fall under two categories. The first is covered by Articles 6, 7 and 8 and calls for multi-factor authentication (MFA) that meets at least two of the following three elements, which are also regarded as digital identity verification:
- Something you know – a PIN or password
- Something you own – a mobile phone, laptop or security key
- Something you are – face ID or a fingerprint
Article 9.3(a) requires authentication devices to maintain the independence of the authentication elements. In practice, to meet the SCA requirements, your device must ensure that the two elements being used do not interact with each other, so that compromising one does not compromise the other.
VULNERABILITIES OF STRONG CUSTOMER AUTHENTICATION
Does this sound too good to be true as a protection? SCA can still be circumvented by fraudsters, especially those tech-savvy enough to get around these added security measures. They do so by three primary means:
- Social engineering – usually known as phishing or man-in-the-middle (MITM) attacks. These are designed to trick you, or any user, into handing over information such as a username and password, usually for a bank account, and are typically delivered by email or SMS.
- SIM swapping – when the opportunity presents itself, fraudsters are bold enough to call the phone company while pretending to be their victim, the legitimate owner of the mobile number.
- Malicious accessibility – this method exploits a software or firmware vulnerability in what is called a zero-day exploit: attackers discover a flaw in the software before any defence against it is available.
Aside from passwords, PINs and digital copies of valid IDs, you must also take good care of your digital signature API so that you do not become a victim of fraud.
Merchants have a responsibility to protect you as a customer, but you bear the same responsibility, so be extra careful, especially these days. You might also want to try passwordless authentication, which relies on private key cryptography.
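As an added illustration of the passwordless approach mentioned above (example code written for this page, not taken from the article or from any product), the Go program below implements a challenge-response login in which the private key held on the user's device signs a server-issued nonce instead of a password ever being sent. The origin binding, the "https://bank.example" name and the user names are assumptions chosen for the example.

```go
package main

import "crypto/ed25519"
import "crypto/rand"
import "errors"

// RelyingParty is the server side: registered public keys plus the single-use challenge last issued per user.
type RelyingParty struct {
	Origin  string                       // e.g. "https://bank.example" (constructed value)
	keys    map[string]ed25519.PublicKey // user -> registered public key
	pending map[string][]byte            // user -> outstanding challenge, consumed on first use
}
func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}
// NewDevice generates the user's key pair on their device; the private half never leaves it.
func NewDevice() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand never fails in practice
	return pub, priv
}
// Register stores only the public key, so a breach of the server yields nothing a fraudster can reuse.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.keys[user] = pub }
// Challenge issues a fresh 32-byte random nonce valid for exactly one login attempt.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}
// toSign binds the challenge to the origin the device thinks it is talking to, so a signature made for a look-alike site fails at the genuine one.
func toSign(origin string, challenge []byte) []byte { return append([]byte(origin+"|"), challenge...) }
// Sign runs on the device: the private key signs the origin-bound challenge; no password is ever sent.
func Sign(priv ed25519.PrivateKey, origin string, challenge []byte) []byte {
	return ed25519.Sign(priv, toSign(origin, challenge))
}
// Verify consumes the pending challenge before checking it, so a captured signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	want, ok := rp.pending[user]
	if !ok || string(want) != string(challenge) {
		return false
	}
	delete(rp.pending, user)
	return ed25519.Verify(rp.keys[user], toSign(rp.Origin, challenge), sig)
}
```

A stolen password is useless here because none exists, and a signature captured in transit is rejected on its second use.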