OneID Fraud Prevention
When credit card fraud happens, the merchant is required to pay.
Can OneID totally eliminate fraud? No. But we can actually come very close to
it for cards issued by banks supporting OneID.
There are basically three types of fraud:
- The attacker steals a credit card and creates a new OneID account using the stolen card
- The attacker cracks into a OneID account and makes purchases using that identity
- The attacker cracks into a OneID account and steals the credit card information and uses it outside of OneID
There are over 20 fraud checks that OneID could make to reduce fraud. We
don't disclose the set of checks publicly.
To prevent attack #1:
When the credit card is first input into a OneID account, OneID can do a
series of checks and if some of the checks fail, can do additional screening
to determine whether the card is stolen or not. In the future, if the
issuing bank supports OneID, the user will be required to log into the bank
using his OneID before using the card.
To prevent attack #2:
Because out-of-band (OOB) authentication is built into every OneID identity,
suspicious transactions can trigger an OOB confirmation. Because OOB
confirmations aren't onerous, the threshold for triggering these can be as
aggressive as needed. OOB can be triggered by the merchant, the user, or by
OneID (protecting the merchant). Therefore, if OneID either releases credit
card information to an RP, or charges the card directly, these checks will
be performed. The simplest check is to do an OOB every $500 spent, or for
every new merchant, or when any velocity check is exceeded. A failure to
enter the correct PIN code after several attempts will disable the device.
To prevent attack #3:
If the issuing bank supports OneID, the user can set a cumulative $ threshold
that will trigger an OOB confirmation for any Point of Sale AUTH transaction
(recurring transactions can be pre-approved). Those credit cards will be secure.
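As an added illustration of the OOB triggers described for attacks #2 and #3 (example code, not OneID's own implementation), this policy fires an OOB confirmation every $500 spent, on every new merchant, or when a velocity check is exceeded, and exempts pre-approved recurring charges. The 1-hour/3-transaction velocity window, the spend-counter reset after an OOB, and the sample transaction stream are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Txn:
    ts: datetime
    merchant: str
    amount: float
    recurring: bool = False  # recurring charge, eligible for pre-approval


@dataclass
class OobPolicy:
    """Decide when a transaction must trigger an out-of-band (OOB) confirmation.

    Constructed policy for the page's "simplest check": OOB every $500 spent,
    on every new merchant, or when a velocity check is exceeded. Pre-approved
    recurring charges are exempt (assumption: they still count toward spend).
    """
    spend_step: float = 500.0
    velocity_window: timedelta = timedelta(hours=1)   # assumed window
    velocity_max: int = 3                             # assumed max txns per window
    preapproved: set = field(default_factory=set)     # merchants with pre-approved recurring charges
    spent_since_oob: float = 0.0
    seen_merchants: set = field(default_factory=set)
    history: list = field(default_factory=list)

    def evaluate(self, txn: Txn) -> list:
        """Return the list of OOB reasons for this transaction (empty = no OOB)."""
        reasons = []
        exempt = txn.recurring and txn.merchant in self.preapproved
        if not exempt:
            if txn.merchant not in self.seen_merchants:
                reasons.append("new merchant")
            if self.spent_since_oob + txn.amount >= self.spend_step:
                reasons.append("spend threshold")
            recent = [t for t in self.history if txn.ts - t.ts <= self.velocity_window]
            if len(recent) + 1 > self.velocity_max:
                reasons.append("velocity")
        self.history.append(txn)
        self.seen_merchants.add(txn.merchant)
        # Assumption: a confirmed OOB resets the cumulative spend counter.
        self.spent_since_oob = 0.0 if reasons else self.spent_since_oob + txn.amount
        return reasons


def run_sample() -> list:
    """Constructed transaction stream; returns the OOB reasons per transaction."""
    policy = OobPolicy(preapproved={"streamco"})
    t0 = datetime(2024, 1, 1, 12, 0)
    stream = [
        Txn(t0, "grocer", 40.00),                                      # first merchant seen
        Txn(t0 + timedelta(minutes=5), "grocer", 120.00),              # ordinary
        Txn(t0 + timedelta(minutes=10), "grocer", 400.00),             # crosses $500 since last OOB
        Txn(t0 + timedelta(minutes=12), "streamco", 9.99, recurring=True),  # pre-approved recurring
        Txn(t0 + timedelta(minutes=15), "grocer", 10.00),              # 5th txn within the hour
        Txn(t0 + timedelta(hours=2), "cafe", 5.00),                    # new merchant, window expired
    ]
    return [policy.evaluate(t) for t in stream]
```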
OneID has big advantages in detecting fraud compared to a merchant or issuer:
- OneID can see:
  - IP addresses of AD, CD
  - geo location of AD, CD
  - device fingerprint, sync counters
  - purchase history and velocity of purchases made using OneID
- And could do extensive checks at account registration or on first or subsequent use:
  - KBA, geo, AVS, Trulioo, etc.
- OneID can require:
  - OOB or OOB/PIN
For more detail, see the "Payments CNP fraud" (internal OneID doc).