Case Study: 3D Secure system outage for a financial institution
In this case study, we will be looking at what happens when a financial institution's 3D Secure system has failed. The 3D Secure system was designed to make online transactions safer by requiring another layer of user authentication for payments, with different institutions offering their own branded version of the system.
A bank’s 3D Secure System has failed. It impacts online card payments (where the card holder is not present in person at the counter/POS). As a continuity measure, the bank decides to bypass the authentication system for the period that the 3D Secure system is being fixed. It is understood that this raises the risk for the bank.
What is the risk?
a) Daman uses his own card for a transaction. Authentication is not completed, but the transaction is successful. He cannot spend more than his credit card limit (the 3D Secure system does not perform this check). Daman could use all of his limit and then claim that he did not make those payments in order to seek a refund. Forensic investigation can still trace the system that originated the transactions, and the delivery address may also be traced to Daman’s house. Daman could have the items delivered to another address, but it could perhaps still be traced back to him.
b) The above seems less realistic / lower risk. A bigger risk is if Daman had lost his card (or his card was stolen). In this case, a third person can now use the card to its full limit. Daman may already have reported the theft/loss and blocked the card, so the risk to Daman and the bank is reduced. If Daman did not realise the loss/theft, the person could use the card up to its limit. Forensic investigation can still track the offender.
I understand that, even in the worst-case scenario (bank does not get any money back), the bank’s risk is highly limited; out of millions of card holders, how many would have lost their cards during this period? Not all lost cards are necessarily used immediately. How many could have been stolen? These could be used to their limits and that is the only risk for the bank. For context, the bank is in the US/Europe/UK and it’s the Christmas period, so the bank does not want to stop all e-commerce activity even for the couple of hours that the 3D Secure system may be down for.
Are my assumptions correct? These were my initial views. I raised them in the experts’ group and some responses are listed below:
1. In the case of scenario B, the risk is limited as the misuse has to be between the time the card is lost and reported to the bank. The longer the gap, the higher the risk is, and it may impact Daman too as the bank owns it only for a specific limit. Apart from this, my understanding is that for the use of the card, authentication can still happen through their payment gateway aggregating partners, like VISA, RUPAY, MAESTRO, etc., and usage data can be later pushed to the bank’s system, after their 3D system is fixed. PCI DSS assessment looks into such alternatives to minimise losses, which, in my view, is a mandatory need now for all banks issuing cards. So the risk is limited again as opportunity for misuse is limited.
2. If 3D has failed for a bank, then it has failed for all alternatives like Visa/ MasterCard, etc., I suppose. Do banks have alternate vendors for 3D authentication for different card providers? I’m guessing not, as it is too costly. Even if a bank has different routes for different card providers, can MasterCard transactions be routed through the Visa route and vice-versa?
3. I remember that the PCI DSS assessment validates such arrangements as these vendors, like Visa, MasterCard, etc., play a crucial role for banks and may have such arrangements.
4. I have seen banks use risk mitigation products to check the client spending pattern and if any anomalies are noted, a call is initiated to check if the transaction was done by the client.
In this case, the bank is willing to take the risk. So, please focus on the rest of the points. Is there a risk? Is it significant? Can the routes be used as discussed above?
It is also understood that any change from one vendor to another, or from one route to another, consumes time, effort, and cost. Therefore, the parties involved may not wish to pick that option at the moment when the failure has already occurred.
I have had long discussions with one of the industry experts in the field, Manish Walia, on this topic and we have decided to write the following analysis jointly.
The financial transactions work on the IAAA principles:
• Identification of the person
• Authentication of the person
• Authorisation of the transaction
• Accounting (limits etc.)
Of the above, only the first (Identification) is controlled through a one-time password during online transactions.
The real risk of fraud is not from the legitimate customers, it is from the criminals. For this, the customers would not need to lose possession of their cards (due to loss or theft). We must admit that all of us have our card (and other details) readily available on the darknet. However, the criminals are not able to use these as the 3D Secure system is in place. So, the moment that the 3D Secure system is down, the banks are fully vulnerable. And, whether the bank publishes this openly or not, the fact that the bank’s 3D Secure system is not working while the transactions are still happening will go through social media like wildfire and the criminals will start their work. It is estimated that they would not need hours to cause the bank millions of dollars in losses. The bank, at the most, would put in a complete stop after reaching its risk appetite.
The challenge is that many banks have not established/documented their overall risk appetite, or a risk appetite for such a case. Establishing it through an IMT/CMT meeting after the incident may take hours, by which time the criminals could have caused a great financial toll for the bank.
Also, good practice is ‘not to bypass the control’ (as in the given case). Rather, a better recommendation is to ‘change the control’ or ‘introduce new controls’ for the time being, e.g. ask security questions (already recorded with the bank) – some of these are:
• Spouse’s DOB
• Number of siblings spouse has
• Mother’s maiden name
• First email ID created
• Year of graduation
• City of birth
• First school
• Number of siblings mother has
• Pet name
• The year you finished your schooling
This may add a little frustration for the customers (but the bank could communicate its apologies for the inconvenience which would limit it to some extent), but greater frustration will be for the criminals who will still not be able to make the fraudulent transactions.
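To make the ‘change the control, don’t bypass it’ recommendation concrete, here is an added, hypothetical policy sketch in Python (not from the authors or any issuer): while 3D Secure is down, card-not-present transactions are routed to a security-question challenge instead of being approved unchallenged, and the value approved under that weaker control is counted against a risk appetite defined before the incident, after which the bank fails closed. The `OutagePolicy` class, its field names and the sample amounts are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    APPROVE = "approve"
    CHALLENGE_3DS = "challenge_3ds"   # normal path: 3D Secure OTP challenge
    CHALLENGE_KBA = "challenge_kba"   # substitute control: security questions on file
    DECLINE = "decline"


@dataclass
class OutagePolicy:
    """Hypothetical card-not-present authorisation policy for a 3D Secure outage.

    Instead of bypassing the challenge, it substitutes a knowledge-based (KBA)
    challenge and caps the total value approved under that weaker control at a
    risk appetite the bank agreed in advance, so the 'complete stop' is automatic.
    """
    three_ds_up: bool
    risk_appetite: float      # max value the bank accepts under the fallback control
    exposure: float = 0.0     # running total approved while 3DS was down

    def headroom(self) -> float:
        """Value that can still be approved before the risk appetite is reached."""
        return max(self.risk_appetite - self.exposure, 0.0)

    def decide(self, amount: float, kba_passed: Optional[bool] = None) -> Decision:
        if self.three_ds_up:
            return Decision.CHALLENGE_3DS          # 3DS works: use the real control
        if amount > self.headroom():
            return Decision.DECLINE                # appetite exhausted: fail closed
        if kba_passed is None:
            return Decision.CHALLENGE_KBA          # ask the customer's recorded questions
        if not kba_passed:
            return Decision.DECLINE                # wrong answers: no bypass
        self.exposure += amount                    # count this value against the appetite
        return Decision.APPROVE


def run_outage(policy: OutagePolicy, attempts: List[Tuple[float, bool]]) -> List[Decision]:
    """Replay constructed (amount, kba_passed) attempts against the policy."""
    return [policy.decide(amount, passed) for amount, passed in attempts]


if __name__ == "__main__":
    # Constructed sample: appetite 1000, three attempts during the outage.
    p = OutagePolicy(three_ds_up=False, risk_appetite=1000.0)
    print(run_outage(p, [(200.0, True), (300.0, False), (900.0, True)]))
```

In the sample run the first attempt is approved, the second fails the questions, and the third exceeds the remaining headroom and is declined even though its answers were correct.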
It is also understood that the number of transactions would be in the millions and no country would have the resources to trace the transactions through forensic investigations in a reasonable time period.
Communication, of course, will play a crucial role and will need to involve the following:
• Bank’s call centre
• General public
• International institutions
• Third parties
It must be appreciated that in the UK, the Bank of England, through its Operational Resilience mandate is asking financial institutions to focus on Third Parties (as well as fourth and fifth parties!).
Internally, the banks should evaluate whether their call centres are capable of managing the increased volume of queries/complaints.
With this case, it’s a good time for all banks to look at their Crisis Communication Plans and whether they have ‘holding statements’ for all relevant interested parties for such incidents.
A recommendation is to have relevant/applicable insurance as well. Insurance does not replace basic Risk Management/Business Continuity Management; rather, those are the starting point. Insurance may also not be available in the absence of the basics (or may be very costly). Also, good practice is to be aware of the terms and conditions/limitations of the insurance purchased.
During discussions, two points came out:
a) Perhaps the organization will be able to take the risk of monetary loss (up to its risk appetite) – the challenge is that the risk appetite is not known, or is not very well defined or is too old a value.
b) This monetary loss may be recovered (to an extent) from customers who might have withdrawn access.
The consideration is that it will be difficult to have any recovery from the fraudsters and Good Risk Management says, ‘control the loss, rather than looking at recovery’.
One last point, specifically for banks, the moment there is a failure of any type, the fraudsters will become super active to break other barriers and any defence (arguably) is only a matter of time. So, while managing one crisis, we should also look at the possibilities of other emerging crises – ‘what else could go wrong now?!’
Manish Walia, Senior Organizational Resilience and Cyber Defense Professional
Daman Dev Sood, FBCI, International Resilience