NCCoE Project to Help Retailers and Consumers Reduce Fraud

NCCoE project description on Multifactor Authentication for e-Commerce finalized

We know the importance of safeguarding our credit cards—we don’t leave them lying around in plain sight and we don’t share our PINs. We are discriminating about where we save our credit card information online, and most of us try to use good passwords. However, we also know that there are malicious actors who want this information and are increasingly adept at retrieving it despite our best efforts.

The introduction of chip technology on credit cards has reduced counterfeit card fraud, but does not currently improve the security of online transactions. Credit card chips now make it harder for malicious actors to create counterfeit cards, so they are turning their efforts elsewhere. Stealing user account names and passwords to access stored credit card information online has prompted a 50 percent increase in fraudulent online transactions.

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) is working on a project to reduce fraudulent online transactions by helping retailers ensure that the credit card information being provided in online transactions does in fact belong to the authorized user. The project is outlined in the recently released Multifactor Authentication for e-Commerce project description.

Multifactor authentication means that more than one way is used to prove your identity online. Typically, these factors are:

  • something you know (a password)
  • something you have (a code texted to you by the retailer)
  • something you are (personal information)

The “something you have” factor, when designed properly, will be inaccessible to someone that has stolen credit card or account information.


What Consumers Can Do

There are practices that each and every one of us as consumers can follow to reduce the likelihood that our credit card or our online account information gets into the hands of those who wish to commit e-fraud. Check out Protect Your Online Information and Online Shopping Safety Tips for guidance. The effects of e-commerce fraud reach banks, card issuers, retailers, payment processors, and consumers, though retailers incur the most damage from fraudulent transactions. Beyond monetary losses, a breach of customer information and fraudulent purchases can ruin the trust that we have placed in a company and result in a loss of revenue for that business. To avoid this repercussion, reducing e-commerce fraud quickly becomes an area of business focus.


What Retailers Can Do

Many of your favorite shopping sites already offer the ability to authenticate your identity in a more secure manner. They offer digital authentication that requires more than one authentication factor to make a purchase. The “something you have” factor is typically a code emailed or texted to the address or phone number you provided when you initially set up your account. Without that information, someone seeking to use your account or credit card will not be able to authenticate to complete a fraudulent transaction. Additionally, many retailers have implemented systems that monitor their networks and aggregate threat information to reduce fraud.

Retailers can implement a solution that will require you to provide the “something you have” factor during online checkout when they have reason to doubt the purchaser is really you. The Multifactor Authentication for e-Commerce project description provides insight on how retailers who offer online e-commerce can implement this approach to better protect us against fraud, while not interfering with our desired shopping experience (i.e. fast)!


Addressing Business Concerns While Providing Security

Retailers fear that if the checkout process is too time consuming, we will empty our carts and purchase from their competitors, leading to a lost sale for that business. To keep the fast-paced shopping experience many online consumers expect, businesses can implement a tiered approach to multifactor authentication—only employing it if the transaction seems suspicious.

For example, if a retailer notices that a repeat customer is suddenly logged in from a new IP address in another country and is trying to purchase an expensive item and ship it to a new shipping address, the odds are high that this is actually a malicious actor. Through multifactor authentication, the online retailer can prompt the malicious actor to provide additional information not available in the repeat customer’s account to prove their identity. When the malicious actor is unable to answer correctly, the transaction is terminated and the account is locked.
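The tiered approach described above, as an added illustration that is not part of the NCCoE project description or any retailer's code: a checkout first scores how far a purchase departs from what the retailer already knows about the customer (the three signals named in the example: a new country, an unusually large order, a new shipping address), and only demands the "something you have" code when the score crosses a threshold. The signal weights, the threshold, the factor of two used for "unusually large", and the three-attempt lockout (the post locks the account on a single wrong answer) are all assumptions chosen for this example. The customer profile and transactions are constructed sample data.

```python
"""Risk-based (tiered) step-up authentication for an online checkout.

Added example; weights, threshold and retry limit are assumptions.
"""
from dataclasses import dataclass
import hmac
import secrets
from typing import List, Optional, Set, Tuple

WEIGHT_NEW_COUNTRY = 50            # assumed weights for the three signals
WEIGHT_NEW_SHIPPING_ADDRESS = 30
WEIGHT_UNUSUALLY_LARGE_ORDER = 30
STEP_UP_THRESHOLD = 60             # at or above this score, demand the second factor
MAX_FAILED_CHALLENGES = 3          # lock the account after this many wrong codes


@dataclass
class CustomerProfile:
    """What the retailer already knows about a repeat customer."""
    customer_id: str
    known_countries: Set[str]
    known_shipping_addresses: Set[str]
    largest_prior_order: float     # in the store's currency
    failed_challenges: int = 0
    locked: bool = False


@dataclass
class Transaction:
    """Signals observed at checkout time."""
    ip_country: str
    amount: float
    shipping_address: str


def risk_score(profile: CustomerProfile, txn: Transaction) -> Tuple[int, List[str]]:
    """Score how far this purchase departs from the customer's routine."""
    score, reasons = 0, []
    if txn.ip_country not in profile.known_countries:
        score += WEIGHT_NEW_COUNTRY
        reasons.append(f"login from new country {txn.ip_country}")
    if txn.shipping_address not in profile.known_shipping_addresses:
        score += WEIGHT_NEW_SHIPPING_ADDRESS
        reasons.append("shipping to a new address")
    if txn.amount > 2 * profile.largest_prior_order:   # "expensive item" heuristic (assumed)
        score += WEIGHT_UNUSUALLY_LARGE_ORDER
        reasons.append(f"order of {txn.amount:.2f} far exceeds prior maximum")
    return score, reasons


def requires_step_up(profile: CustomerProfile, txn: Transaction) -> bool:
    return risk_score(profile, txn)[0] >= STEP_UP_THRESHOLD


def issue_challenge() -> str:
    """Generate a one-time code. The retailer would send it to the phone
    number or e-mail address on file: the 'something you have' factor."""
    return f"{secrets.randbelow(10**6):06d}"


def verify_challenge(profile: CustomerProfile, expected: str, supplied: str) -> bool:
    """Constant-time comparison; count failures and lock after the limit."""
    if profile.locked:
        return False
    if hmac.compare_digest(expected.encode(), supplied.encode()):
        profile.failed_challenges = 0
        return True
    profile.failed_challenges += 1
    if profile.failed_challenges >= MAX_FAILED_CHALLENGES:
        profile.locked = True
    return False


def checkout(profile: CustomerProfile, txn: Transaction,
             issued_code: Optional[str] = None,
             supplied_code: Optional[str] = None) -> str:
    """Tiered decision: 'approved', 'challenge', 'declined' or 'locked'."""
    if profile.locked:
        return "locked"
    if not requires_step_up(profile, txn):
        return "approved"                  # routine purchase: no added friction
    if issued_code is None or supplied_code is None:
        return "challenge"                 # suspicious: ask for the second factor first
    if verify_challenge(profile, issued_code, supplied_code):
        # The real customer proved it was them; remember the new context
        # so the next purchase from here is treated as routine.
        profile.known_countries.add(txn.ip_country)
        profile.known_shipping_addresses.add(txn.shipping_address)
        return "approved"
    return "locked" if profile.locked else "declined"


if __name__ == "__main__":
    # Constructed sample data for a repeat customer who usually buys from the US.
    customer = CustomerProfile("c-1", {"US"}, {"12 Main St"}, largest_prior_order=120.0)
    routine = Transaction("US", 80.0, "12 Main St")
    odd = Transaction("FR", 900.0, "99 Rue Inconnue")
    print("routine:", checkout(customer, routine))             # approved
    print("odd:", checkout(customer, odd), risk_score(customer, odd)[1])  # challenge
    code = issue_challenge()
    print("odd with wrong code:", checkout(customer, odd, code, "000000"[:5] + "x"))
    print("odd with right code:", checkout(customer, odd, code, code))
```

The routine purchase never sees a prompt, which is the business concern the text raises; only the transaction that trips several signals at once is held for the one-time code, and a wrong code declines the transaction and counts toward a lockout.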


NCCoE’s Multifactor Authentication for e-Commerce Project

The NCCoE hopes the end result of this project will provide:

  • An increased level of protection for both retailers and consumers
  • Security alerts to a consumer if a purchase attempt is made that doesn’t fit his or her typical shopping routine
  • A significant reduction in fraudulent online purchases

Read the project description to learn more about Multifactor Authentication for e-Commerce. Check the project page often for updates on the progress of this project. The NCCoE relies on collaboration with industry, government, and academia. If you would like to be involved in this project, please email and ask to join our retail Community of Interest.