3-D Secure and authenticated fraud
ONE BIG THING: 3DS authentication needs to evolve to better protect against authenticated fraud—especially the risks associated with OTPs. Issuers and payment processors can immediately address this, without adding friction, by integrating behavioral biometrics into existing challenge pages.
SITUATIONAL AWARENESS: Despite known vulnerabilities, OTP authentication is here to stay—for now.
The future lies in phishing-resistant methods like FIDO passkeys, but today SMS and email OTPs continue to serve customers who depend on them for accessibility and ease of use.
Issuers and payment processors need to retain OTP in some form and focus on improving its assurance.
OTP risk and the changing fraud landscape
THE BIG PICTURE: The fraud attack surface has fundamentally transformed.
Fraudsters are no longer just attacking technical controls. They are targeting people, tricking customers into bypassing security measures themselves, for example by sharing their OTP.
This is why addressing OTP risk is now urgent.
Why it matters:
- OTP authentication is functioning as designed, but fraud is still getting through.
- The rise of authenticated fraud is leading to more customer disputes over liability.
- Failing to address this risk can result in loss of front-of-wallet position and put interchange revenue at risk.
Addressing OTP risk with behavioral biometrics
CALL TO ACTION: Issuers and payment processors can address this challenge by adding Outseer’s native behavioral biometrics to the challenge page.
This straightforward enhancement enables assessment of how users interact with the page while entering an OTP. It detects authenticated fraud, where the person completing the authentication is not the genuine customer, even when the OTP itself is correct.
HOW IT WORKS: The way an OTP is entered can differ significantly between a genuine cardholder and a fraudster. Behavioral intelligence uncovers this without adding friction.
Outseer collects web and mobile behavioral telemetry through embedded JavaScript on the authentication page or via the mobile SDK to:
- Analyze inputs on the authentication page, such as typing patterns and mouse movements
- Compare behavior against a cardholder’s existing behavioral profile from prior interactions
- Identify nefarious patterns, including distinguishing between human and non-human input
Behavioral biometrics can operate on the OTP field alone. Accuracy improves when an additional field is included, such as an email address or passphrase, because typing something the cardholder knows from memory, rather than a code just read from another screen, gives the model a longer-term memory signal to assess.
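The collection-and-comparison flow described above, as an added illustrative example (not Outseer's SDK or JavaScript): keystroke timing is captured on the OTP input, reduced client-side to a handful of summary features, compared against a stored per-cardholder profile, and separately checked for input no hand produced. The event shape, the profile shape, the thresholds, and the sample sessions are all constructed assumptions.

```javascript
// Added example, not Outseer code: keystroke-rhythm features for an OTP field.
// Everything here (event shape, profile shape, thresholds, sample sessions) is
// an assumption made for illustration.

// Browser side: record only timing, never the digit pressed, so the OTP itself
// never ends up in telemetry. Not called in this file; this is the wiring you
// would run on the challenge page.
function attachCollector(input) {
  const events = [];
  const now = () => performance.now();
  input.addEventListener('keydown', () => events.push({ type: 'down', t: now() }));
  input.addEventListener('keyup', () => events.push({ type: 'up', t: now() }));
  input.addEventListener('paste', () => events.push({ type: 'paste', t: now() }));
  document.addEventListener('pointermove', () => events.push({ type: 'pointer', t: now() }), { passive: true });
  return events;
}

function stats(values) {
  if (values.length === 0) return { mean: 0, std: 0 };
  const mean = values.reduce((a, b) => a + b, 0) / values.length;
  const variance = values.reduce((a, b) => a + (b - mean) ** 2, 0) / values.length;
  return { mean, std: Math.sqrt(variance) };
}

// Reduce a raw event list to a few numbers. Only these summary values need to
// leave the device; the raw events stay on the client.
function extractFeatures(events) {
  const dwell = [];   // key held: up - down
  const flight = [];  // gap between presses: next down - previous up
  let pendingDown = null, lastUp = null, keys = 0, pasted = false, pointer = 0;
  for (const e of events) {
    if (e.type === 'paste') pasted = true;
    else if (e.type === 'pointer') pointer += 1;
    else if (e.type === 'down') {
      keys += 1;
      if (lastUp !== null) flight.push(e.t - lastUp);
      pendingDown = e.t;
    } else if (e.type === 'up' && pendingDown !== null) {
      dwell.push(e.t - pendingDown);
      lastUp = e.t;
      pendingDown = null;
    }
  }
  const d = stats(dwell), f = stats(flight);
  return { keys, pasted, pointer, dwellMean: d.mean, dwellStd: d.std, flightMean: f.mean, flightStd: f.std };
}

// profile: per-cardholder mean (mu) and spread (sigma) of each feature over prior sessions.
function assess(events, profile, { zLimit = 3 } = {}) {
  const f = extractFeatures(events);
  const reasons = [];
  if (f.pasted) reasons.push('paste');
  // Gaps under 20 ms with almost no variation: scripted or injected input.
  if (f.keys >= 2 && f.flightMean < 20 && f.flightStd < 3) reasons.push('machine_rhythm');
  if (reasons.length > 0) return { verdict: 'non_human', reasons, features: f };
  // No keystrokes and no paste, e.g. platform OTP autofill from the SMS: that is
  // legitimate, so report "no signal" rather than a mismatch.
  if (f.keys === 0) return { verdict: 'no_signal', reasons, features: f };
  const z = (x, p) => Math.abs(x - p.mu) / p.sigma;
  if (z(f.dwellMean, profile.dwellMean) > zLimit) reasons.push('dwell_outlier');
  if (z(f.flightMean, profile.flightMean) > zLimit) reasons.push('flight_outlier');
  return { verdict: reasons.length ? 'mismatch' : 'match', reasons, features: f };
}

// Constructed sample sessions (assumed timings, in ms).
function typedSession(downTimes, hold) {
  const ev = [];
  for (const t of downTimes) ev.push({ type: 'down', t }, { type: 'up', t: t + hold });
  return ev;
}
const PROFILE = { dwellMean: { mu: 90, sigma: 15 }, flightMean: { mu: 180, sigma: 40 } };
const GENUINE = typedSession([0, 270, 540, 820, 1090, 1350], 90);          // rhythm near the profile
const OTHER_TYPIST = typedSession([0, 1000, 2000, 3000, 4000, 5000], 110); // correct OTP, different hand
const SCRIPTED = typedSession([0, 5, 10, 15, 20, 25], 2);                 // injected keystrokes
const PASTED = [{ type: 'paste', t: 120 }];
const AUTOFILL = [{ type: 'pointer', t: 50 }];

for (const [name, s] of [['genuine', GENUINE], ['other_typist', OTHER_TYPIST],
                         ['scripted', SCRIPTED], ['pasted', PASTED], ['autofill', AUTOFILL]]) {
  const r = assess(s, PROFILE);
  console.log(name.padEnd(13), r.verdict.padEnd(10), r.reasons.join(','));
}
```

A `non_human` or `mismatch` verdict is one input to risk-based challenge orchestration (step-up, review, or decline), not a standalone decline; on a mobile SDK the keyboard events would be replaced by touch timing, and pointer movement is recorded but not used as a sole signal because it is legitimately absent on touch devices.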
Impact across fraud, user experience, and revenue
Outseer helps you quickly strengthen your 3DS environment with advanced capabilities like integrated behavioral biometrics. Backed by deep expertise across both fraud prevention and authentication, we work with you to achieve the accuracy needed to balance evolving fraud risks, optimize customer experience, and deliver strong commercial outcomes.
- Lower fraud losses: Identify fraudulent transactions, even when authentication challenges are successfully passed.
- Intervention precision: Apply risk-based challenge orchestration to maintain low friction while meeting regulatory requirements.
- Operational efficiency: Continuous performance tuning and rapid configuration changes to reduce operational burden and costs.
TOP TIP: Your dedicated Outseer Fraud Advisor supports ongoing optimization of your environment and ensures rules stay effective as fraud patterns evolve.
More on how fraudsters exploit OTP
DIVE DEEPER: Here is more on how attackers exploit OTP weaknesses to subvert 3DS authentication, which highlights the need for behavioral biometrics. Each attack type produces a different behavioral deviation from the customer's normal activity.
1. Exploitation of the technical attack surface
SIM swapping
Attackers take control of the victim's phone number so that SMS messages are redirected to a device they hold. This can involve social engineering of the carrier or collusion with insiders at telecom providers. OTPs are then delivered directly to the attacker.
Remote access trojans (RATs)
Attackers gain access to the victim's device using malware. They can then read or redirect SMS messages, including OTPs, without the user's knowledge.
2. Modern attacks target the human layer
Real-time social engineering
Fraudsters use leaked personal data to contact customers while impersonating a trusted entity, such as their bank. They often engage the victim during a live transaction and persuade them to share their OTP, allowing the attacker to complete 3DS authentication.
Authorized card scams
Fraudsters guide the customer through the entire scam purchase. This includes entering card details and completing 3DS authentication, making the transaction appear legitimate.
Next-generation 3DS authentication
Outseer is the only 3DS Access Control Server (ACS) with natively integrated behavioral biometrics to address the known risks of SMS OTP. It delivers higher signal accuracy, dramatically lower costs, and faster time-to-value compared to overlaying a separate behavioral biometrics solution on top of your 3DS platform.
Outseer has developed a next-generation behavioral biometrics architecture that processes data at the edge using client-side computation. This delivers major benefits over first-generation behavioral biometrics solutions:
Accuracy
- Cleaner signals due to on-device signal-to-noise filtering, with only high-value indicators transmitted to the platform.
- Client-side behavioral models natively adapt to each device’s sensors and characteristics without bespoke tuning or retraining.
Efficiency
Dramatically smaller payloads, resulting in lower latency and reduced compute costs.
Privacy-forward design
Less raw behavioral data is transmitted.
Next steps
By adding behavioral biometrics to your 3DS challenge pages, you can dramatically reduce the risks associated with OTPs. This can be deployed immediately, with no operational overhead, and zero impact on the user experience.
Reach out to your account manager today to get started, or request a consultation.