Security

The Real Story Behind False Declines and How Wibmo Trident FRM Secures Transactions 

In today’s fast-evolving digital economy, businesses rely heavily on seamless online transactions to drive growth and customer satisfaction. However, false declines (legitimate transactions mistakenly flagged as fraudulent) have become a growing concern. These incidents lead to customer frustration and significant revenue loss. As fraudsters continue to innovate, businesses must deploy advanced security measures that both combat fraud and minimize false declines.

In this blog, we explore the causes and impact of false declines and how Wibmo’s Trident FRM (Fraud Risk Management) system helps businesses reduce these risks while providing secure, frictionless payment experiences.

What Are False Declines?

False declines, also called false positives, occur when valid transactions are incorrectly rejected because fraud detection systems are overly cautious. These rejections can be triggered by unusual spending patterns, technical errors, or overly strict fraud detection algorithms. While these systems aim to block fraudulent activity, they can sometimes hinder genuine transactions.

In 2023, false declines were an expensive issue for businesses, costing global eCommerce firms an estimated $81 billion in lost revenue. This highlights the need for more advanced fraud detection systems that balance security with customer convenience.

The Impact on Businesses and Consumers

False declines affect businesses and consumers alike. For businesses, the immediate loss of revenue from rejected transactions is just the beginning. Customer churn is a serious consequence: 47% of customers who experience a false decline may not return, leading to long-term revenue loss. Additionally, false declines contribute to operational inefficiencies as businesses deal with disputes and chargebacks, further affecting profitability.

For consumers, having a legitimate transaction rejected can damage trust and loyalty. The frustration caused by a false decline often leads customers to turn to competitors, affecting future engagement.

How Wibmo Trident FRM Reduces False Declines

To address these challenges, Wibmo’s Trident FRM (Fraud Risk Management) provides a sophisticated solution that combines machine learning, real-time data analysis, and behavioural analytics to accurately assess transaction risk.

Key Features of Wibmo Trident FRM:

Trident FRM continuously monitors user behaviour, detecting anomalies and signs of potential fraud. This advanced fraud detection helps block fraudulent transactions while allowing legitimate ones to be processed without interruption.

Unlike traditional fraud detection systems, Wibmo Trident FRM adapts to emerging fraud patterns. It fine-tunes authentication requirements based on transaction risk, ensuring a balance between fraud prevention and customer experience.

Leveraging AI-powered data analytics, Wibmo Trident FRM offers real-time fraud detection, blocking fraudulent transactions as they occur. This ensures that businesses can process legitimate transactions smoothly while preventing unauthorized activities.

Combating Online Fraud

The global rise of eCommerce has brought an increase in online fraud, with $48 billion in eCommerce fraud losses globally in 2023. Businesses must adopt proactive fraud prevention strategies to avoid these significant financial losses. Wibmo Trident FRM provides a robust solution that not only protects businesses but also reduces the frustration caused by false declines.

Best Practices for Fraud Prevention:

Benefits of Wibmo Trident FRM

Wibmo Trident FRM allows businesses to strike the right balance between security and customer experience. By reducing false declines, businesses can protect their revenue and build long-term customer trust and loyalty. Its adaptive approach ensures that customers enjoy a seamless and secure payment journey, even in a high-risk online environment.

Customer Experience Impact:

With fewer interruptions and smoother transactions, Wibmo Trident FRM enhances the overall customer experience, helping businesses maintain customer loyalty while ensuring secure payments.

Conclusion

As online fraud continues to rise, it’s crucial for businesses to adopt advanced fraud management solutions. False declines cause both financial losses and customer dissatisfaction, making it essential to minimize them through intelligent risk management. Wibmo Trident FRM offers an effective solution that provides real-time, adaptive fraud prevention while ensuring legitimate transactions are processed smoothly.


Enhancing Fraud Prevention with Risk-Based Authentication and Method URL

Preventing fraud while maintaining a seamless user experience is crucial for merchants and issuers alike in the rapidly evolving digital payment landscape. A key way to strengthen fraud prevention is to gather more device and browser characteristics before authentication. This can be achieved through Risk-Based Authentication (RBA), browser fingerprinting, and the use of Method URL as part of the EMV 3DS protocol. Let’s explore how these elements work together to improve security and reduce fraud.

The Role of Risk-Based Authentication (RBA)

Risk-Based Authentication (RBA) dynamically assesses each transaction’s risk level based on multiple factors, such as device characteristics, location, and user behaviour. Instead of applying a blanket security protocol to all transactions, RBA allows issuers to adjust the level of authentication required to the perceived risk. This improves fraud detection while minimizing friction for low-risk transactions, creating a better user experience.

Browser Fingerprinting: A Core Element of Fraud Detection

Browser fingerprinting is a technique used to collect unique information from a user’s browser. This includes data such as the device’s operating system, browser version, plugins, IP address, screen resolution, and more. By building a unique profile of the user’s environment, issuers can detect anomalies that may indicate fraud, such as sudden changes in the user’s device or location. However, to use this information effectively, the additional data must be captured early in the transaction flow, which is where Method URL comes into play.

Understanding Method URL

Method URL is a critical step of the EMV 3DS protocol. It enables issuers to collect additional browser information during the early stages of the authentication process. This step, which occurs before the authentication request is fully processed, provides vital data that can enhance RBA and fraud prevention measures.

How Method URL Works:

Benefits of Method URL in Fraud Prevention

The use of Method URL offers several benefits for both issuers and merchants in combating fraud:

Best Practices for Implementing Method URL

To maximize the benefits of Method URL, issuers and merchants should follow these best practices:

Integrating Wibmo Protect

Wibmo Protect is an advanced fraud prevention solution that seamlessly integrates with RBA, browser fingerprinting, and Method URL to provide an additional layer of security. By leveraging Wibmo Protect, issuers and merchants can benefit from:

Conclusion

Method URL, when integrated properly, significantly improves fraud prevention by enabling issuers to gather vital browser and device characteristics early in the authentication process. By using this data for risk-based authentication, both issuers and merchants can reduce fraud, improve authentication success rates, and provide a better user experience for customers. As fraud prevention becomes more complex, using tools like Method URL and Wibmo Protect is essential for staying ahead of emerging threats and ensuring secure, frictionless transactions.


Browser Fingerprinting- Part 1

Overview:

1. A user’s device’s hardware, operating system, browser, and configuration are all included in a set of data called a “browser fingerprint.”
2. Via a simple script running inside a browser, a server can collect a wide variety of information from public interfaces called application programming interfaces (APIs), HTTP headers, device information, etc.
3. The method of gathering data from a web browser to create a device fingerprint is known as “browser fingerprinting.”

Cookies vs Browser Fingerprinting:

Cookies: Small pieces of data are stored on a user’s computer by a web browser when they visit a website. They are used to store information about the user, such as preferences and browsing history, and to track user behaviour on the website. They are typically used to improve the user experience by remembering information about the user and their preferences, but they can also be deleted, blocked, or turned off entirely. Cookie tracking involves placing a unique identifier in a person’s web browser, whereas fingerprinting occurs when a company (the website owner) creates a profile of the device’s unique characteristics. The General Data Protection Regulation (GDPR) regulates the rules for covert data collection, which is why websites often ask users to approve or reject cookies.

Browser Fingerprinting: The information includes details about the browser, network, and device, such as the language used, keyboard layout, time zone, cookie settings, operating system version, etc. By combining all this information into a fingerprint, advertisers can recognise a user as they move from one website to another. Studies have shown that around 80–90% of browser fingerprints are unique. This is done by advertising technology companies that insert their code into websites and collect data about online activity. Once established, a fingerprint can potentially be linked with other personal information, such as data held by brokers.

GDPR:

Browser fingerprinting also falls under the purview of the GDPR, which protects user privacy; however, the regulation does not mention it explicitly. The GDPR establishes six legal grounds that enable the processing of data, including the user’s consent and the “legitimate interest” of the party doing the tracking. In the context of browser fingerprinting, these general rules apply as follows: companies using fingerprinting must ensure that their interest in tracking user information does not override the user’s fundamental rights and freedoms, including their privacy. The website must also provide detailed information to the user about the scope, purposes, and legal basis of the data processing. Fingerprinting should be transparent when using and processing data about anonymous visitors.

*Browser fingerprint technology has enabled marketers to run targeted campaigns on the internet at any stage of the marketing funnel.

Parameters and the Math:

Uniqueness: This provides the grounds for identification; the more unique a fingerprint, the more identifiable it is. A fingerprint is unique when it has an attribute whose value is present only once in the whole dataset, or when the combination of all its attributes is unique in the whole dataset.

Stability: This links the browser fingerprints that belong to the same device. For stability, the quantity of information that changes each time the user’s fingerprint is obtained should be as small as possible.

Entropy: Defines the amount of uniqueness that a specific property exposed by the browser (such as the User-Agent header) introduces into a browser fingerprint. It is usually expressed in bits; the higher the entropy, the more unique and identifiable a fingerprint will be.

After the dataset is tested repeatedly and gives similarly correlated probability outputs, we can say that a technique is effective in terms of its ability to tell that a fingerprint is unique.
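Added example (not from the original post): the uniqueness, stability and entropy measures just described, computed over a small constructed dataset of browser fingerprints. The five attribute names, the records, the "browser update" re-capture and the hashed identifier for repeat captures are assumptions made for illustration.

```python
import hashlib
from collections import Counter
from math import log2

# Assumed subset of the attributes a fingerprinting script can collect.
ATTRIBUTES = ("os", "browser", "tz", "lang", "screen")

# Constructed dataset: eight captures from seven devices. The first two records
# are identical, so neither of them can be singled out on its own.
SAMPLE_FINGERPRINTS = [
    {"os": "Windows", "browser": "Chrome/124", "tz": "Asia/Kolkata", "lang": "en-IN", "screen": "1920x1080"},
    {"os": "Windows", "browser": "Chrome/124", "tz": "Asia/Kolkata", "lang": "en-IN", "screen": "1920x1080"},
    {"os": "Windows", "browser": "Firefox/125", "tz": "Europe/Berlin", "lang": "de-DE", "screen": "1920x1080"},
    {"os": "Windows", "browser": "Chrome/124", "tz": "Europe/Berlin", "lang": "en-GB", "screen": "1366x768"},
    {"os": "macOS", "browser": "Safari/17", "tz": "Asia/Kolkata", "lang": "en-IN", "screen": "2560x1600"},
    {"os": "macOS", "browser": "Chrome/124", "tz": "Europe/Berlin", "lang": "fr-FR", "screen": "1440x900"},
    {"os": "Android", "browser": "Chrome/124", "tz": "Asia/Kolkata", "lang": "hi-IN", "screen": "1080x2400"},
    {"os": "Linux", "browser": "Firefox/125", "tz": "Europe/Berlin", "lang": "en-GB", "screen": "1920x1080"},
]

# The first device captured again after a browser update (constructed).
UPDATED_CAPTURE = dict(SAMPLE_FINGERPRINTS[0], browser="Chrome/125")


def fingerprint_key(record, attrs=ATTRIBUTES):
    """The combination of all attribute values, used to compare whole fingerprints."""
    return tuple(record[a] for a in attrs)


def attribute_entropy(records, attr):
    """Shannon entropy (bits) of one attribute across the dataset: how much
    identifying information that attribute contributes to a fingerprint."""
    counts = Counter(r[attr] for r in records)
    n = len(records)
    return -sum((c / n) * log2(c / n) for c in counts.values())


def combination_entropy(records, attrs=ATTRIBUTES):
    """Entropy of the complete fingerprint (all attributes combined)."""
    keyed = [{"key": fingerprint_key(r, attrs)} for r in records]
    return attribute_entropy(keyed, "key")


def is_unique(record, records, attrs=ATTRIBUTES):
    """Uniqueness as defined above: some attribute value occurs only once in the
    dataset, or the combination of all attributes occurs only once."""
    single_attr = any(sum(r[a] == record[a] for r in records) == 1 for a in attrs)
    key = fingerprint_key(record, attrs)
    combined = sum(fingerprint_key(r, attrs) == key for r in records) == 1
    return single_attr or combined


def uniqueness_ratio(records, attrs=ATTRIBUTES):
    """Share of captures in the dataset that can be singled out."""
    return sum(is_unique(r, records, attrs) for r in records) / len(records)


def stability(old, new, attrs=ATTRIBUTES):
    """Share of attributes unchanged between two captures of the same device;
    1.0 means nothing drifted, lower values mean the fingerprint is volatile."""
    return sum(old[a] == new[a] for a in attrs) / len(attrs)


def visitor_id(record, attrs=ATTRIBUTES):
    """Deterministic identifier derived from the attribute values (assumed
    construction; shows that a single changed attribute yields a new id)."""
    material = "|".join(f"{a}={record[a]}" for a in attrs)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


if __name__ == "__main__":
    for attr in ATTRIBUTES:
        print(f"{attr:8s} entropy = {attribute_entropy(SAMPLE_FINGERPRINTS, attr):.2f} bits")
    print(f"combined entropy = {combination_entropy(SAMPLE_FINGERPRINTS):.2f} bits")
    print(f"uniqueness ratio = {uniqueness_ratio(SAMPLE_FINGERPRINTS):.2f}")
    print(f"stability after browser update = {stability(SAMPLE_FINGERPRINTS[0], UPDATED_CAPTURE):.2f}")
    print("id before/after update:", visitor_id(SAMPLE_FINGERPRINTS[0]), visitor_id(UPDATED_CAPTURE))
```

The time zone splits the dataset evenly and so contributes exactly 1 bit, while the duplicated first record keeps the uniqueness ratio below 1.0 even though six of the eight captures can be singled out.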
Blueprint: Using Browser Fingerprinting for Authentication

Information gathered: Browser fingerprinting can gather a lot of information (more than 100 data attributes) from a browser, for example: device model, operating system, browser version, user time zone, preferred language settings, keyboard layout, ad blocker used, screen resolution, technical specifications of the CPU and graphics card, etc. The logic is to have enough specifics about a user’s device and settings to pinpoint them in a sea of internet users.

A specific fingerprinting technology employs several cutting-edge browser identification methods to gather over 100 individual signals. These signals are combined with server-side analysis and deduplication to generate a visitor ID, providing a persistent and valuable abstraction of a browser fingerprint, which can be volatile if a user changes settings or updates software on their device.

Watch this space for Part 2!

Author: Vaibhav Chandel, Product Manager, Wibmo (a PayU/Naspers FinTech company)
Tags: BaaS


Identification, Authentication, Authorisation — Know the Difference

We go through the process of identification, authentication, and authorization every day, in both the physical and digital worlds. Let’s first start with the physical world.

You have been planning a weekend vacation for a long time but have been stalling because of a busy work schedule. After months of long hours of work, you finally find a weekend for a getaway. After work hours you meticulously plan the vacation: the place to visit, the hotel to stay at, the to-do activities, and whatnot. Finally, the getaway weekend has arrived, and the first thing that you do after reaching your destination is check in to the hotel.

1. Identification: You walk to the hotel reception and mention that you have a prior booking at the hotel. The first thing the receptionist asks for is your name. The receptionist then checks the register to confirm your booking. By providing your name, you claimed your identity. Your name, more or less, is unique and is used for identification.

2. Authentication: Once the receptionist has found your name in the booking register, you are asked to present an ID card. The ID card verifies that you are the person whose name is on the reservation. Here, the ID card facilitates the process of authentication and verifies your identity.

3. Authorisation: After the receptionist has done the necessary authentication process and paperwork, you receive a guest keycard. The guest keycard grants you access to your room, the guest elevators, and the pool, but not to other guests’ rooms or the service elevator. Hotel employees have a service keycard, authorized to access more areas of the hotel than guests are.

You enjoy the next few days to the fullest and are finally well-rested and rejuvenated. It’s time to go back to work and give your best. It’s time to check out, so you walk to the reception desk and hand over your card to the receptionist to pay the bill. At this moment you have jumped into the digital world of identification, authentication, and authorization.

1. Identification: The receptionist puts your card through a POS terminal. The information stored on your magnetic stripe/EMV chip enables the banking systems to identify your valid account details: the bank that holds your account, your account details, etc. Here, the information on your card’s magnetic stripe/EMV chip is analogous to the name you used during check-in.

2. Authentication: You are then requested to enter your card PIN. Your card PIN is confidential to you; only you know it (in the ideal case). By providing the PIN, you establish that you are the owner of the card associated with the bank account. The PIN authenticates that you are the owner of the bank account from which money will be transferred to the hotel for its services.

3. Authorisation: There are multiple stakeholders involved when you make a transaction with your card: the bank in which you have your account, the card networks (Visa/Mastercard/Amex/Diners), the bank that holds the hotel’s account, the software provider for the POS terminal, etc. Each stakeholder has a specific role to play. For example, the bank that has your account confirms that your account has enough balance. It then authorizes the deduction of the bill amount from your bank account.

It may seem that all three steps (identification, authentication, and authorization) are inseparable. But that’s not true. Remember the last time you uploaded a file to your Google Drive/OneDrive and shared a public link. Here, you have authorized anyone with the link to access that file without any prior identification or authentication. Probably, the value of the file is far less than the value of the money in your bank account. Hence, the banking world uses cutting-edge solutions to predict, prevent, and detect fraudulent transaction attempts on your card.
Author: Sujit Kumar Mahato, Product Manager, Wibmo (a PayU/Naspers FinTech company)
Tags: Authentication, Authorization, Digital Payment, Identity Management, Security


How did we make Wibmo GDPR ready in 6 months?

A brief about GDPR

GDPR is the world’s most strictly enforced set of data protection rules, enhancing how people can access information about themselves and limiting what organizations can do with personal data. GDPR’s full text is a cumbersome beast with 99 individual articles. The regulation in the EU, which replaced the previous 1995 data protection directive, serves as a framework for laws across the continent. After more than four years of debate and negotiations, the GDPR’s final form was adopted by both the European Parliament and the European Council in April 2016. At the end of that month, the underlying regulation and directives were published. GDPR went into effect on May 25, 2018. Countries in Europe were given the ability to make minor changes to better suit their own needs. This adaptability resulted in the creation of the Data Protection Act (2018) in the United Kingdom, which replaced the previous Data Protection Act of 1998.

Driver for GDPR

Wibmo currently has a large presence in India, Asia, the Middle East, and Africa, and we aspire to enter the European market with our flagship service offerings such as authentication solutions and Fraud Risk Management solutions. We foresee that with increasing dependency on technology and digital products, we can offer seamless services to the European market. Moreover, with the expansion of the European Union, the EU market seems more lucrative for capturing a large client base under a common regulatory framework and processes.

Journey to GDPR readiness

We performed initial due diligence with regard to the GDPR articles and realized that Wibmo falls under the category of “Data Processor”, as the majority of Personally Identifiable Information (PII) is not captured by us directly. This PII is shared with us by our customers/banks (the controllers) to whom we provide services. We then defined “Security and Privacy by Design” principles and implemented them across the organization. To make everyone aware of these principles, we also provided mandatory training to all our employees on this subject through the “OneTrust” training tool. We performed a check of the applicability of the GDPR Articles and prepared a Statement of Applicability (SOA) listing the set of GDPR Articles applicable to Wibmo.

As a next logical step, we engaged a Big4 consulting firm to perform a gap assessment against the processor control requirements. The gap assessment covered the following domains:

1. Governance and Operating Model
2. Legal and Regulatory
3. Data Privacy Policy
4. Data Management
5. Privacy by Design
6. Security for Privacy
7. Third-Party Management
8. Data Subject Access and Requests
9. Consent Management
10. Training and Awareness
11. Breach and Incident Management
12. Business Unit Processing Activity (BUPA)
13. Data Privacy Impact Assessment (DPIA)

The identified gaps were categorized in the areas of People, Process, and Technology. We then created several policies and processes with the help of the global privacy team to comply with the GDPR articles; to name a few, the Cyber Security and Privacy Incident Process and the Data Subject Request Handling process. We also defined Business Unit Processing Activity (BUPA) and Data Privacy Impact Assessment (DPIA) for the applicable business processes. We enhanced our systems, following a robust Change Management process, to address some of the technology-specific gaps. We organized several awareness sessions and training on Privacy and Security control requirements to ensure that the entire company stands in unison with regard to GDPR expectations.

We are very pleased to share that the identified gaps have been successfully remediated. The remediation evidence has been shared with our consulting partners for independent verification and subsequent closure confirmation. In addition, we have established a dedicated team for the enforcement, implementation, and ongoing support of GDPR compliance.

Finally, we got the much expected and long-awaited tagline that “Wibmo is a GDPR-ready organization”. This compliance will help our business team attract customers based in the EU region, which will make us globally the number one authentication service provider. Lastly, we would like to extend a big thanks to all our customers, employees, and vendors for their seamless support in this journey.

Author: Pravin Kumar, CISO, Wibmo (a PayU/Naspers FinTech company)
Tags: GDPR, GDPR Compliance, GDPR Training, Security


DevSecOps — A necessity in the current landscape

Let’s start with the basics. Traditionally, we followed the Software Development Life Cycle (SDLC), a structured approach to developing quality software that meets customer requirements. With the rapid evolution in lifestyle, we moved to the Agile method, one of the variants of SDLC, to develop software in an iterative and fast way. While the Agile methodology aims to develop a piece of software or a software component quicker, there is a need to deploy that component at equal speed into the production setup to make it available to the user community. This development process together with the deployment process is referred to as DevOps. Essentially, DevOps refers to the continuous integration of a software component and its continuous deployment.

Now, thinking about security from the early stages of the development cycle instead of retrofitting it at the end of the cycle transforms DevOps into DevSecOps. Here, we are shifting security to the early stage of the cycle, i.e., to the left of the cycle, which is referred to as Shift Left.

To establish an analogy (it may not be exact, but a crude analogy helps understanding), let’s look at some household work like cooking. I cook in my free time at home. After cooking, I request my wife to serve the food to the family members. Here, the cooking process is Development, the serving process is Operations, and the cooking and serving process together is DevOps. Now, it’s important to understand what DevSecOps is in this example. While cooking, I am concerned about the hygiene of the food from the beginning, because retrofitting hygiene afterwards is very difficult. Therefore, the cooking and serving process along with maintaining hygiene throughout is DevSecOps.

In a rapidly moving world where technology is easing the way we do business and lead our lives, there is a rapid increase in threats to the technology landscape from fraudsters or individuals with malicious intent. Therefore, it’s imperative that security is considered from the very early stage of the development cycle, that all possible threat vectors are identified, and that appropriate controls or safeguards are built into the software to protect the software and therefore its user community and ultimately customers.

Let’s look at some of the benefits of DevSecOps.

Continuous integration (CI): merges code changes to ensure the most recent version is available to developers.
Continuous delivery and continuous deployment (CD): automate the process of releasing updates to increase efficiency.
Microservices: builds an application as a set of smaller services.
Infrastructure as code (IaC): designing, implementing, and managing app infrastructure needs through code.
Common Weakness Enumeration (CWE): improves the quality of code and increases the level of security during the CI and CD phases.
Threat modeling: implements security testing during the development pipeline to save time and cost in the future.
Automated security testing: tests for vulnerabilities in new builds on a regular basis.
Incident management: creates a standard framework for responding to security incidents.
Fast delivery: ensures fast delivery of the application by embedding automated security controls and tests early in the development cycle.
Enriched efficiency: higher efficiency by scanning code for vulnerabilities as it’s written.
Automotive: reduce lengthy cycle times while still meeting software compliance standards.
Digital transformation: enable digital transformation efforts while maintaining the privacy and security of sensitive data per regulations such as GDPR.
Code analysis: deliver code in small chunks so vulnerabilities can be identified quickly.
Compliance monitoring: be ready for an audit at any time, which means being in a constant state of compliance, including gathering evidence of GDPR compliance, PCI compliance, etc.
Threat investigation: identify potential emerging threats with each code update and be able to respond quickly.
Vulnerability assessment: identify new vulnerabilities with code analysis and analyze how quickly they are being responded to and patched.
Security training: train software and IT engineers with guidelines for set routines.

Source: https://accelera.com.au/

To conclude, DevSecOps is a cultural shift, which means security is a shared responsibility, and everyone participating in the SDLC has a very vital role to play in building security into the DevOps workflow.

Author: Ravi Bhushan, Head of GRC, and Ritesh Prasad, Manager, DevOps+SRE, Wibmo (a PayU/Naspers FinTech company)
Tags: Compliance, DevOps, Infosec, Risk Management, Security
