Digital Transactions Authoritative, insightful and timely information for payments professionals
With the United States playing catch-up with Canada and much of Europe in deploying chip card technology, security firms are starting to respond to online operators’ fears that the arrival of chips at the point of sale will drive fraud to the Internet. One of the latest of these is OneID Inc., a Redwood City, Calif.-based software startup whose technology seeks to replace user names and passwords on e-commerce and banking sites with a single tap or click secured with cryptographic keys.
Formed late in 2011, OneID has sold its solution to about 10 e-commerce sites as well as a number of online platforms, which in turn serve other e-commerce sellers. On Thursday, the company launched its first consumer product: an extension for Google Inc.’s Chrome browser that automatically fills in online forms for guest checkouts with information the user stores with OneID, such as an address and phone number.
But “the next focus is banking and payment services,” Alex Doll, OneID’s chief executive, tells Digital Transactions News. In October, the company signed an agreement with the Credit Union National Association, a Madison, Wis.-based trade group serving more than 7,000 credit unions, to market its one-click security solution to the association’s members. Once CUNA members have integrated the OneID system, customers who have enrolled with OneID will be able to authenticate themselves for online services and account access by clicking a button on the institution’s Web site.
OneID’s annual subscription for the service is payable by the institution but was negotiated with CUNA, Doll says, and incorporates a number of tiers tied to a credit union’s asset size. He will not say how many consumers have enrolled so far with OneID.
Doll sees potential sales in addressing merchants’ and card issuers’ fears about fraud migrating online in the wake of EMV, the Europay-MasterCard-Visa chip card standard, which makes counterfeit card fraud harder to commit at the point of sale. Online fraud has spiked in other markets following widespread implementation of EMV. The first deadline for U.S. deployment is April 1, by which date processors must be capable of handling EMV transactions. “There’s a looming card-not-present shift [of fraud],” says Doll. “The user base is clearly trying to figure out what to do.”
While the form-fill extension can be used at any Web site, the full implementation of OneID works only at sites that have integrated the solution. In these cases, consumers who have stored information about themselves in a OneID account can check out or gain account access by clicking a button on the page. The click triggers the generation of a cryptographic key derived from data about the consumer, about his device, and about his browser. If the site recognizes the key, the consumer is authenticated and the transaction proceeds. Transactions on public computers require a so-called out-of-band authentication, in which OneID sends a one-time code to the user via his mobile phone.
The critical factor, says Doll, is ease of use. By requiring only a single click, the system not only replaces inherently insecure user names and passwords but also makes consumer adoption much more likely, he says, calling the process “friction removal.” Still, while OneID identities may be secure, the company concedes it cannot verify the identity of persons registering for OneID accounts.
Also, some security experts question whether consumers will change their behavior online, especially given that in credit card transactions they have become accustomed to so-called zero liability for fraudulent transactions. “It’s really hard to change consumer behavior,” says Julie Conroy, a research director at the Boston-based Aite Group who follows security issues. “Consumers have been well-trained to sign on to a Web site. [OneID] may be on to something, but it’s a little bit of an uphill battle.”
She points out that online merchants, which bear the brunt of fraud, can escape that burden by adopting security technologies such as the 3-D Secure authentication systems from Visa Inc. and MasterCard Inc. While merchants have long shunned these systems because they interrupt the checkout flow, the card networks have recently introduced improvements that trigger the systems only in cases of elevated fraud risk.
Still, she concedes that online fraud has risen in virtually every market where EMV has rolled out. “We will see a spike in online fraud [after full EMV deployment],” she says. “The United States will be no exception.”
