Identity Management Archives - Digital Payments, Payment Security and Lending

Identification, Authentication, Authorisation — Know the Difference

February 21, 2022 / Sujit Kumar Mahato

We undergo the process of Identification, Authentication, and Authorization every day in both physical and digital worlds. Let’s first start with the physical world. You have been planning for a weekend vacation for a long time but have been stalling because of the busy work schedule. After months of long hours of work, you finally find a weekend for a getaway. After work hours you meticulously plan the vacation — the place to visit, the hotel to stay, the to-do activities, and whatnot. Finally, the getaway weekend has arrived and the first thing that you do after reaching your destination: is Check-in into the hotel 1. Identification — You walk to the hotel reception and mention that you have a prior booking at the hotel. The first thing the receptionist asks is for your name. The receptionist then checks through the register to confirm of your booking. By providing your name, you claimed your identity. Your name, more or less, is unique and used for identification. 2. Authentication — Once the receptionist has got your name in the booking register, you are asked to present an ID card. The ID card verifies that you are the person whose name is on the reservation Here, the ID card facilitates the process of authentication and verifies your identity. 3. Authorisation — After the receptionist has done the necessary authentication process/paperwork, you receive a guest keycard. The guest’s keycard grants you access to your room, the guest elevators, and the pool — but not other guests’ rooms or the service elevator. Hotel employees have a service keycard, authorized to access more areas of the hotel than guests are. You enjoy the next few days to the fullest and finally be well-rested and rejuvenated. It’s time to go back to your work and give your best. It’s time to check out and walk to the reception desk. You hand over your card to the receptionist to pay the bill. At this moment you have jumped into the digital world of identification, authentication, and authorization. 1. Identification — The receptionist puts your card through a POS terminal. The information stored on your magnetic strip/EMV chip enables the banking systems to identify your valid account details — a bank that has your account, your account details, etc. Here the information on your card’s magnetic strip/EMV chip is analogous to your name which you used during check-in. 2. Authentication — You are then requested to enter your card PIN. Your card PIN is confidential to you — only you know it (an ideal case). By providing the PIN, you establish the validity of you being the owner of the card, associated with the bank account. The PIN authenticates that you are the owner of the bank account, from which money would be transferred to the hotel for its services. 3. Authorisation — There are multiple stakeholders involved when you are making transactions through your card. The bank in which you have your account, the card networks — Visa/Mastercard/Amex/Diners, the bank which has the hotel account, the software provider for the POS terminal, etc. Each stakeholder has a specific role to play. For example, the bank — which has your account- confirms that your account has enough balance amount. It then authorizes the deduction of the bill amount from your bank account. It may seem that all three steps — identification, authentication, and authorization are inseparable. But that’s not true. Remember the last time you uploaded a file on your Google Drive/One Drive and shared a public link. Here, you have authorized anyone with the link to access that file without any prior identification or authentication. Probably, the value of the file is far less than the value of the money in your bank account. Hence, the banking world uses cutting-edge solutions to predict, prevent and detect fraudulent transaction attempts on your card. Author: Sujit Kumar Mahato, Product Manager Wibmo A PayU/Naspers FinTech Company Authentication, Authorization, Digital Payment, Identity Management, Security

Identification, Authentication, Authorisation — Know the Difference Read More »

How to prevent identity theft?

September 29, 2021 / Krishnan KN

With unprecedented growth in online transactions, it is no surprise that online fraud has increased. One of the major malpractices is identity theft. In a country like India which is striding towards the number one position in online shopping, the rise in this kind of fraud cannot be overlooked. Accessing and retrieving personal information is a child’s play in an increasingly digitized country like India. With social media and the deep web or darknet getting more and more accessible to a larger population, the prevalence of identity theft is getting increasingly difficult to control. Who can be the victims of Identity Theft? Have you used your Credit or Debit card to shop online/POS? Have you paid the utility bills using your Card? Have you used UPI or other payment methods? In short, anyone who has used plastic money is in danger of identity theft. Everyone who has shopped online or used any payment portal using their payment credentials is at risk of falling prey to synthetic identity theft. It is, in essence, stealing your identity i.e., impersonating you digitally, and riding on your credibility and creditworthiness. It is done by gathering data that confirms the identity like phone number, Aadhar card number, or PAN card number along with Bank Account number and utilizing this data to impersonate and transact digitally. With widespread social media and the data captured by almost all websites, it is nearly impossible to stay completely private. The Conditions favouring Identity theft In a densely populated country like India, identity theft is spreading like a disease more due to Cyber security laws are in place but reporting and actual implementation of those laws is not easy in a developing country like ours. It is getting easier to lay hands on social security details like Pan and Aadhar Data breach is increasingly difficult to prevent crime by identifying the perpetrators and isolating them. Also, the timeline that the entire fintech industry works, is very limited i.e., the journey of the card to merchant to verification or access control and back to the transaction approval takes just thirty seconds on average. This renders a very small window to our lenders but an easier getaway to the fraudsters. It, therefore, makes more sense to fortify defences at our end through our payment gateways. Usage of multi-layered security makes it a herculean task to track perpetrators while they on other hand enjoy accessibility from any corner which has internet. The Impact It is an indisputable fact that digitization of the financial transactions in India has accelerated beyond what the experts forecasted. Part of it was contributed by the covid waves and the awareness of “cashless transactions and contactless delivery”. It can however not be denied that as the younger population of the country is swelling, we find a major part of the population turning net-savvy and preferring mobile transactions. They demand seamless experience and connectivity through IoT. This has not only provided traction to digitization but has also enhanced the effectiveness of creating an antifraud and secure transactional environment to retain the credibility of the digitized transactions. Role of FRM like Trident in Detection of fraud The simple logic that Wibmo uses is that the more you know your customer, the more difficult it becomes for the fraudsters to impersonate you. E.g., while a person might impersonate another with a banker, it is almost impossible to impersonate him with his family. The difference lies in the fact that the family knows the person in question too well. This is the exact logic we use at Wibmo through our TRIDENT. In essence, the more you use our services, the more difficult it becomes for fraudsters to steal your identity. Collecting various data points through ML or machine learning offers the most effective defence against identity theft. Based on the past patterns, the current transaction can be evaluated and analysed in a fraction of seconds, and thus the fraud detection and prevention can occur without increasing the transaction time. The continuous learning by the machine will only improve as the data points collected are only going to get the virtual persona of the customer more precise. The long-term utility and credibility that such a system can give to the issuer and acquirer are worth every penny spent and every effort taken. Role of end-users in the detection of the fraud There are few steps that you can take to reduce the risk as an end-user. 1. Take time to check the authenticity of the sites where you are planning to use the card. Do not simply click on the links sent over SMS or WhatsApp or mails offering you cashback or discount vouchers 2. Download the apps from a trusted origin and use that for repeat purchase rather than using links that might have been sent to you. 3. Never share the OTP, UPI pin, and other bank details. However, at times this has been reiterated it is surprising how even the educated crowd is taken in. Do not hesitate to change them in case you even suspect them having been compromised. No one can deny that Identity theft is a very real threat but reducing our transactions fearing this is akin to not using roads fearing accidents. Neither is it fair to throw the onus of this onto the end-users or customers. The only sustainable and robust solution lies in fortifying our defences at the PG level. Author: Krishnan KN, Advisor in Wibmo’s Agile PMO Wibmo A PayU/Naspers FinTech Company Fraud, Fraud Detection, Fraud Prevention, Identity Management, Identity Theft

How to prevent identity theft? Read More »