A Eulogy for the Static Password

Last month, Visa eliminated the use of static passwords for its Verified by Visa cardholder authentication service. Static passwords were once thought to be an easy and secure way to verify a consumer’s identity, but with more than 1.8 billion compromised accounts floating around on the Dark Web, these stolen credentials are now said to be responsible for more than 80 percent of all hacking-related breaches.

To improve the user experience and cardholder security, risk-based or dynamic authentication methods are now the recommended industry standard. Risk-based authentication evaluates every transaction for potential risk by using a risk model or rules engine that automatically steps-up authentication if a transaction is deemed high risk - all occurring prior to authorization of the transaction by examining cardholders’ typical usage patterns to include behavior checks (Has the customer shopped at this merchant before?); device checks (Has the customer used this computer or device to make purchases with their card before?); and merchant checks (Does this merchant generate a lot of fraudulent transactions?) the system can analyze contextual data and score the transaction according to risk.

If, indeed, the transaction is deemed high-risk, a step-up authentication method can be deployed that to the cardholder might look like a one-time passcode sent via text message or email. According to Visa, fewer than 5 percent of all card transactions fall in this high-risk category, so only a minimal number of cardholders will experience the minor friction of stepped up authentication at check out.

Late last year, ICBA Bancard began the process of adding its own 3DS risk-based authentication solution that is powered by CardinalCommerce and a free benefit for community bank issuers that participate in our Fraud Loss Protection Plan. During the 2017 holiday season alone, the new 3DS solution scored more than 6,000 eCommerce transactions and prevented nearly $30,000 in fraudulent transactions for the first wave of client banks for whom it was implemented. 

ICBA Bancard’s risk team is in the process of developing a campaign to further educate community bankers about 3DS 2.0 authentication. The CardinalCommerce offering will also soon be available to client banks who do not participate in our Fraud Loss Protection Plan. As always, please send your risk management concerns and questions to bancard@icba.org.