OneID Fraud Prevention

When credit card fraud happens, the merchant is required to pay.

Can OneID totally eliminate fraud? No. But we can actually come very close to it for cards issued by banks supporting OneID.

There are basically three types of fraud:

  1. The attacker steals a credit card and creates a new OneID account using the stolen card
  2. The attacker cracks into a OneID account and makes purchases using that identity
  3. The attacker cracks into a OneID account and steals the credit card information and uses it outside of OneID

There are over 20 fraud checks that OneID could make to reduce fraud. We don't disclose the set of checks publicly.

To prevent attack #1:

When a credit card is first entered into a OneID account, OneID can run a series of checks and, if some of them fail, perform additional screening to determine whether the card is stolen. In the future, if the issuing bank supports OneID, the user will be required to log into the bank using his OneID before using the card.

To prevent attack #2:

Because out-of-band (OOB) authentication is built into every OneID identity, suspicious transactions can trigger an OOB confirmation. Because OOB confirmations aren't onerous, the threshold for triggering these can be as aggressive as needed. OOB can be triggered by the merchant, the user, or by OneID (protecting the merchant). Therefore, if OneID either releases credit card information to an RP, or charges the card directly, these checks will be performed. The simplest check is to do an OOB every $500 spent, or for every new merchant, or when any velocity check is exceeded. A failure to enter the correct PIN code after several attempts will disable the device.
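The triggers named above (an OOB every $500 spent, for every new merchant, or when a velocity check is exceeded), expressed as a policy function. This is an added example, not OneID code; the velocity limit, the counter reset after a confirmed OOB, and all names are assumptions.

```python
from dataclasses import dataclass, field

OOB_SPEND_STEP_CENTS = 500_00   # "an OOB every $500 spent" (from the page)
VELOCITY_MAX_TXNS = 3           # assumed limit: purchases allowed per window
VELOCITY_WINDOW_SECS = 600      # assumed window length


@dataclass
class IdentityState:
    """Per-identity counters the policy reads (hypothetical structure)."""
    spent_since_oob_cents: int = 0
    known_merchants: set = field(default_factory=set)
    recent_txn_times: list = field(default_factory=list)


def _in_window(times, now):
    return [t for t in times if now - t < VELOCITY_WINDOW_SECS]


def oob_reasons(state, merchant, amount_cents, now):
    """Return every reason this purchase needs an OOB confirmation."""
    reasons = []
    if state.spent_since_oob_cents + amount_cents >= OOB_SPEND_STEP_CENTS:
        reasons.append("spend_threshold")
    if merchant not in state.known_merchants:
        reasons.append("new_merchant")
    if len(_in_window(state.recent_txn_times, now)) + 1 > VELOCITY_MAX_TXNS:
        reasons.append("velocity")
    return reasons


def record_purchase(state, merchant, amount_cents, now, oob_confirmed):
    """Approve a purchase and update counters; fail closed if OOB is missing."""
    if oob_reasons(state, merchant, amount_cents, now) and not oob_confirmed:
        raise PermissionError("OOB confirmation required")
    # Assumption: a confirmed OOB resets the cumulative spend counter.
    state.spent_since_oob_cents = (
        0 if oob_confirmed else state.spent_since_oob_cents + amount_cents)
    state.known_merchants.add(merchant)
    state.recent_txn_times = _in_window(state.recent_txn_times, now) + [now]


if __name__ == "__main__":
    s = IdentityState()  # constructed purchase sequence: (merchant, cents, time)
    for m, cents, t in [("shop-a", 120_00, 0), ("shop-a", 200_00, 100),
                        ("shop-a", 250_00, 200), ("shop-a", 60_00, 300)]:
        why = oob_reasons(s, m, cents, t)
        print(m, cents, t, why or "no OOB needed")
        record_purchase(s, m, cents, t, oob_confirmed=bool(why))
```

Returning all matching reasons, not just the first, lets the confirmation prompt and the audit log show why the purchase was challenged.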

To prevent attack #3:

If the issuing bank supports OneID, the user can set a cumulative $ threshold that will trigger an OOB confirmation for any Point of Sale AUTH transaction (recurring transactions can be pre-approved). Those credit cards will be secure.

OneID has big advantages in detecting fraud compared to a merchant or issuer:

  1. OneID can see:
     - IP addresses of AD, CD
     - geo location of AD, CD
     - device fingerprint, sync counters
     - purchase history and velocity for purchases made using OneID
  2. OneID could do extensive checks on account registration, or on first or subsequent use:
     - KBA, geo, AVS, Trulioo, etc.
  3. OneID can require:
     - OOB or OOB/PIN
For more detail, see the "Payments CNP fraud" (internal OneID doc).