Support for Standard ISO 8583 Protocol Enables Real-Time Authentication of Card Transactions
PhoneFactor, a provider of phone-based multi-factor authentication technology, this week announced support for ISO 8583, the standard communication protocol that financial institutions use to process credit and debit card transactions.
MasterCard and Visa authorizations utilize the ISO 8583 standard, as do most Automated Teller Machines. By supporting the widely used ISO standard, PhoneFactor can authenticate card transactions in any channel, including point-of-sale, ATM, and online transactions, through a single technology implementation.
Multi-Factor Authentication also referred to as “Out of Band Authentication,” is growing anti-fraud measure financial institutions are implementing in their online banking services to help protect customers. With the technology, at the time a customer attempts a transaction, a text message or phone call is sent to the mobile phone number the bank has on file. The customer is given through the phone a “TAN” or one-time password that must be provided on the website in order to complete the transaction.
By adding PhoneFactor to the transaction path using the ISO 8583 protocol, card issuers can authenticate transactions with a phone call or text message. When a protected transaction is initiated, PhoneFactor instantly places an automated phone call or sends a text message to the cardholder asking them to verify the transaction details. The user answers the call and presses # (or a PIN) or replies to the text message to approve the transaction.
Credit and debit card fraud is rampant worldwide, and while countermeasures like EMV chip cards have been introduced in some European countries, they have yet to gain even limited adoption worldwide. In addition, chip technology fails to easily address the online and mobile channels, leaving a growing segment of transactions unprotected.
PhoneFactor uses the cardholder’s existing phone — a device the cardholder already has and carries with him. So, enabling the service for large numbers of geographically diverse customers is easy and cost-effective. It works regardless of which merchant is processing the transaction or from which channel the transaction is initiated.
According to Idan Aharoni, Manager of the FraudAction Intelligence team at RSA and a SecurityWeek Columnist, out of band authentication isn’t perfect but is quite effective. “Even though it’s not bulletproof, out of band authentication is an effective tool to stop fraudsters at bay. But just like any idea, implementation has a very big part of whether it succeeds or fails. For out of band authentication to become even more effective, a more secure enrollment processes must be put into effect in order to ensure that the person opting-in to the service is the legitimate customer and not a fraudster,” Aharoni writes.” “Eventually, when the routes used to bypass security measures are themselves secured, most fraudsters will have no choice but to circumvent the problem in a different way – by targeting someone else.”