Outseer 3-D Secure™

The vital shift in 3DS authentication to beat social engineering

ONE BIG THING: To overcome scams and authenticated fraud, issuers need next-gen 3DS with deep fraud insight that can both orchestrate risk-based authentication and strengthen assurance at point of challenge.

The evolution of 3DS in the age of scams

3-D Secure plays a critical role in securing online transactions. It helps verify cardholders, supports issuer decisioning, achieves SCA compliance, and adds an important layer of protection to digital transactions.

Yet fraud still gets through, especially when standard authentication is not backed by risk-based decisioning built for today’s threats.

The question isn’t just whether the customer successfully completed an authentication challenge. It is what additional assurance is needed in a transaction environment threatened by scams, coaching, and social engineering.

This is where 3DS has evolved.

The emotional attack surface

THE BIG PICTURE: For years, digital fraud was defined by technical compromise. But now fraud relies on social engineering and manipulating the genuine customer.

This typically shows up in two ways.

  1. The fraudster initiates a purchase with stolen card data and contacts the cardholder, persuading them to share an OTP or approve a challenge.
  2. The fraudster stays in contact with the customer while the customer completes the transaction, coaching them step by step through 3DS authentication.

Why does social engineering for 3DS transactions work?

Social engineering works because it exploits behavior under pressure.

The most effective scams are credible, well-timed, and emotionally controlled. Fraudsters sound legitimate. They create urgency. They steer the conversation away from the purchase itself and toward a story about account protection, suspicious activity, or an emergency.

The pattern is familiar:

  • Professionalism: The fraudster sounds informed and authoritative.
  • Urgency: The customer is pushed to act quickly.
  • Misdirection: The customer believes they are responding to an urgent issue, not authorizing a purchase.

That is what makes this threat so difficult. The authentication step may appear sound, but without deeper fraud insight, the actual risk is missed.

What is the business impact?

WHY IT MATTERS: When genuine customers authenticate fraudulent transactions, the consequences extend beyond a single fraud loss.

  • Authorized fraud losses rise because the transaction appears legitimate.
  • Customer disputes increase as cardholders question how the payment was approved.
  • Liability becomes more complex when authentication has technically succeeded.
  • Operational burden grows across servicing, disputes, and investigations.

There is a wider commercial impact too.

  • Customer trust weakens when cardholders feel unprotected.
  • Card preference shifts when confidence declines.
  • Revenue falls when reduced usage affects spend and interchange.

OTP is still part of the reality

REALITY CHECK: One-time passwords remain a significant part of the 3DS ecosystem – for now.

They have known weaknesses, but remain widely used because OTPs are familiar, accessible, and practical for many customers.

Phishing-resistant methods such as FIDO-based passkeys point to a stronger future. But for many issuers, OTP will remain part of the mix for the moment.

The immediate challenge isn’t to replace OTPs overnight. It’s to improve assurance when they’re necessary.

How behavioral biometrics addresses OTP weakness

CALL TO ACTION: Ensure your 3DS ACS can add native behavioral biometrics to the challenge page.

This crucial enhancement enables assessment of how users interact when entering an OTP. It detects authenticated fraud when the person completing the authentication is not the genuine customer, even if the OTP is correct.

HOW IT WORKS: The way an OTP is entered can differ significantly between a genuine cardholder and a fraudster. Behavioral intelligence uncovers this without adding friction. It can:

  • Analyze inputs on the authentication page, such as typing patterns and mouse movements
  • Compare behavior against a cardholder’s existing behavioral profile from prior interactions
  • Identify nefarious patterns, including distinguishing between human and non-human input
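
The three checks above can be illustrated with keystroke timing alone. The following is an added example, not Outseer's implementation: the event shape, the profile fields (`meanGapMs`, `sdGapMs`), the signal names, and the thresholds are all assumptions, and the sample sessions are constructed.

```javascript
// Added illustration, not Outseer's implementation. Thresholds are assumptions.
// An event is { t: <ms timestamp>, type: 'key' | 'paste' } captured on the OTP field.

const mean = xs => xs.reduce((a, b) => a + b, 0) / xs.length;
const stdev = xs => { const m = mean(xs); return Math.sqrt(mean(xs.map(x => (x - m) ** 2))); };

// Gaps in ms between consecutive keystrokes.
function keyGaps(events) {
  const ts = events.filter(e => e.type === 'key').map(e => e.t);
  return ts.slice(1).map((t, i) => t - ts[i]);
}

// profile: { meanGapMs, sdGapMs } built from the cardholder's prior sessions (hypothetical shape).
function otpEntrySignals(events, profile) {
  const signals = [];
  if (events.some(e => e.type === 'paste')) signals.push('pasted');
  const gaps = keyGaps(events);
  if (gaps.length >= 3) {
    const m = mean(gaps);
    // Near-constant gaps suggest scripted rather than human input.
    if (stdev(gaps) <= 0.05 * m) signals.push('uniform_timing');
    // Rhythm far from the stored profile: a different person, or dictated digits.
    const z = Math.abs(m - profile.meanGapMs) / Math.max(profile.sdGapMs, 1);
    if (z > 3) signals.push('profile_mismatch');
  }
  return signals; // input to risk scoring, not a verdict on its own
}

// Constructed sample sessions (timestamps in ms).
const keys = ts => ts.map(t => ({ t, type: 'key' }));
const profile = { meanGapMs: 180, sdGapMs: 40 };
const sessions = {
  usual:    keys([0, 170, 360, 520, 710, 900]),
  scripted: keys([0, 50, 100, 150, 200, 250]),
  dictated: keys([0, 900, 2100, 2900, 4200, 5000]),
  pasted:   [{ t: 0, type: 'paste' }],
};
for (const [name, ev] of Object.entries(sessions)) {
  console.log(name, otpEntrySignals(ev, profile));
}
```

A correct OTP entered with the `dictated` rhythm still raises `profile_mismatch`, which is the case a pass-fail check on the code alone cannot see.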

Top 5 components of a future-proof 3DS ACS

3DS environments need to do far more than execute authentication. They need to support stronger assurance around the transaction. This is vital for a 3DS ACS that is fit for today’s threat environment.

1. Go much deeper with fraud intelligence and risk-based decisioning

  • Use embedded, real-time risk decisioning to assess transactions as they happen.
  • Apply advanced machine learning to identify new fraud patterns as they emerge.
  • Move beyond rigid rules and static thresholds that are slow to adapt.
  • Improve detection accuracy over time as attack methods evolve.

TOP TIP: Work with a 3DS ACS with extensive fraud expertise, leveraging 2000+ attributes for real-time risk scoring.

2. Focus on the authentication moment

  • Treat the challenge step as a key source of fraud insight, not just a pass-fail event.
  • Look for greater visibility into the conditions around authentication.
  • Help distinguish ordinary customer behavior from signs of manipulation or coaching.
  • Reduce reliance on challenge completion alone as a signal of trust.

TOP TIP: Embed native behavioral biometrics on the 3DS challenge page to detect signs of social engineering.

3. Obsess over approval performance

  • Identify low-risk transactions with greater confidence.
  • Apply challenge where it is justified by risk.
  • Reduce fraud exposure without adding unnecessary friction for legitimate customers.
  • Support both fraud prevention and conversion performance.

TOP TIP: Work with experts who are constantly monitoring and refining challenge rates and fraud detection rates and can show measurable improvements.

4. Future-proof with phishing-resistant authenticators

  • Introduce stronger authentication methods, including FIDO passkeys.
  • Adapt authentication dynamically based on transaction risk.
  • Strengthen resilience without forcing the same experience across every transaction.
  • Balance security, usability, and trust as authentication evolves.

TOP TIP: Embrace banking-grade FIDO to overcome the limitations of standard passkeys by embedding risk-based decisioning.

5. Demand agility and control in 3DS configuration

  • Enable self-service policy control so teams can respond faster.
  • Support flexible configuration aligned to risk appetite and business goals.
  • Allow rapid updates as fraud patterns change.
  • Embed continuous tuning in your process; don’t rely on set-and-forget deployment.

TOP TIP: Choose a 3DS ACS provider that gives you real configurability and control.

The 3DS opportunity: overcoming scams, social engineering, and authenticated fraud

In conclusion, issuers need deep fraud insight in two pivotal moments of the 3DS journey:

  • Before the challenge: risk-based decisioning should assess the transaction and determine the right authentication path. That includes whether to challenge, how much friction to apply, and which method best suits the risk level.
  • During the challenge: issuers need additional assurance at the authentication moment itself. This is where live fraud signals such as behavioral biometrics (BB) help detect manipulation, coaching, or anomalous behavior.

In many environments, risk scoring before the challenge is already part of the 3DS flow. The big opportunity is to strengthen assurance during the challenge itself, when the issuer can assess not just the transaction, but what is happening around the authentication event in real time.

That applies to OTP, where adding behavioral biometrics is vital to help identify signs of social engineering or coached behavior.

It also applies to FIDO-based authentication. While FIDO offers stronger, phishing-resistant authentication, issuers need additional fraud assurance due to the risks of fraudulent enrolment, shared devices, and synced passkeys.

The goal is not just to check whether a 3DS challenge is successfully completed. It is to bring deeper fraud insight to the points in the journey where it can strengthen assurance most.

Next steps

Talk to an Outseer 3DS expert to see how we help issuers and payment processors detect scams, reduce authenticated fraud, and strengthen challenge precision.