Orange Money: How We Added Risk-based Authentication to our Mobile Experience
We regularly participate in industry events and presentations on topics such as fraud prevention, authentication, and mobile app security best practices. If you missed the presentation from Orange Money Romania and OneSpan at The Hack Summit 2020, entitled “Intelligent Adaptive Authentication as a solution to provide PSD2 compliance, improve user experience, and enhance security for Orange Money customers”, here is the 10-minute summary.
Orange Group is a world leader in telecommunications services. Among its subsidiaries are Orange Money and Orange Bank, which provide mobile banking services to the Group’s telecom customer base.
In Romania, Orange Money was launched in November 2016 as an Electronic Money Institution (EMI) authorized by the National Bank of Romania. Owned by the largest telecom operator in Romania, Orange Money can provide retail banking IBAN accounts, issue loans, offer payment services, and more. Essentially, they provide almost all of the services a traditional bank provides; however, an eMoney institution does not hold a banking license from the European Central Bank.
Within the Orange Money app, customers can transfer funds, pay bills, buy foreign currencies, and make purchases on their mobile devices through a virtual Orange Money or virtual VISA debit card. They can make contactless mobile payments at point-of-sale by linking their bank account to Google Pay or Apple Pay. Physical debit cards can also be issued for cash withdrawal from ATMs.
By Q3 2020, Orange Money Romania had 245,000 clients. As a mobile-only bank, maintaining digital trust without compromising the user experience is key to growth. That makes strong customer authentication (SCA) and fraud prevention top priorities.
“Being a mobile-only bank, if the access channel to the customer’s account is compromised, there are no other channels. And as a relatively young company, if you make one mistake in security, it is very complicated to convince the customer that they should trust you another time,” says Mircea Spinei, Head of Payments and Transactions at Orange Money Romania.
The Orange Money app is rated 4.4 in the Google Play Store and 4.7 in the Apple Store. For Orange Money, it’s crucial to innovate and maintain a high level of customer satisfaction, while strengthening anti-fraud defenses and PSD2 compliance.
The Challenge: PSD2-compliant Fraud Protection with Minimal Friction
Orange Money Romania needed to replace the already PSD2 compliant security technology they had developed in-house and embedded in their mobile money app. However, the new solution could not add unnecessary friction to the user experience.
To upgrade to state-of-the-art security, the solution had to continue to be PSD2-compliant and therefore had to:
- Provide two-factor authentication (2FA)
- Generate a unique authorization code for each financial transaction
- Do real-time transaction monitoring
“PSD2 brings a lot of security requirements, which, if not implemented properly, can add friction to the customer experience. This is something we didn’t want to do in the mobile banking environment.”
Should Orange Money Build or Buy?
To upgrade the security of their mobile app, the team in Romania considered three options:
- Update the existing solution
- Internally develop a new solution that would be more secure and modern
- Integrate a purpose-built, third-party solution
They looked at the pros and cons of each to determine the best path forward in terms of cost, quality, and delivery time.
“If we wanted to update the existing solution, we would have been able to keep the same customer experience. The cost would be low and the implementation fast. The problem is we would not have been able to benefit from any new technology because we would be doing an entire overhaul of the solution. And while we have specialized fraud analysts, we do not have the same subject matter expertise as a company that only does banking security,” says Mircea Spinei.
“For option two, if we wanted to internally develop a new solution, we would probably have been able to keep the same customer experience. The cost would still have been relatively low, since we would be using our own resources. And we would have been using new technologies, which was an improvement. The problem again was that we would not have benefitted from a banking security provider’s expertise. And the implementation time would have been significantly longer.”
“The third option was to integrate a third-party solution. This had several benefits. The overall experience the provider brings, along with a relatively fast implementation because it would be hosted in the cloud. Plus, using the provider’s SDK meant we wouldn’t have to develop from zero. Of course, we had to balance this against the higher cost and potential changes to the customer experience.”
The Solution: Risk-based Authentication in the Cloud
Orange Money selected OneSpan’s Intelligent Adaptive Authentication (IAA) solution. Intelligent Adaptive Authentication is an API-based, PSD2 SCA-compliant solution powered by OneSpan’s Trusted Identity Platform, which enables real-time fraud prevention through a combination of orchestrated MFA and machine learning-based risk analytics. In the presentation, OneSpan expert Michal Wawrzynski explains the solution in detail. In summary, it is comprised of:
- OneSpan Risk Analytics: This is the risk engine, which is the backbone of the IAA solution. For transaction risk management, it evaluates all the contextual data associated with a transaction to determine a real-time fraud score. This score drives the authentication workflow.
- OneSpan Cloud Authentication: This enables strong authentication functionality such as biometrics and software tokens for one-time passcodes (OTP) to be harnessed by the Orange Money app. It ensures multi-factor authentication (MFA).
- OneSpan Mobile Security Suite: This is a menu of mobile security SDKs. The capabilities that Orange Money is using include mobile device data collectors that gather and feed mobile data to the risk engine. This gives organizations like Orange Money access to contextual data and visibility they could not achieve elsewhere. OneSpan Mobile Security Suite also enables authentication orchestration on the client’s phone.
All of these combined provide advanced risk-based authentication – the ability to collect a tremendous amount of data from the user’s mobile, then analyze it in real time and dynamically adapt the authentication based on the risk score.
“Whenever the user performs a transaction, there is an interaction with our core banking and payment system, which calls to OneSpan for Intelligent Adaptive Authentication. In essence, it says to OneSpan: ‘This is the context. This is the transaction. This is the user. How should we authenticate them?’
The customer is then asked for their PIN or fingerprint authentication, depending on the level of risk associated with the transaction. With IAA, if the risk of the transaction is low, the customer may not need to authenticate at all – providing seamless authentication when users transact from their trusted device, usual location, and normal behavior pattern.
“At the moment, we have not yet implemented PSD2 SCA exemptions. We are using 2FA all the time, because we want to train the artificial intelligence and machine learning part of the OneSpan Intelligent Adaptive Authentication solution. We also want to get comfortable with the new way of authenticating and authorizing transactions. But we plan to implement PSD2 exemptions in the future,” says Mircea Spinei.
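As an added illustration of the call described above (not OneSpan’s API or Orange Money’s code), here is a rule-based risk scorer that turns the device, location, behaviour and payee context into a score and then into an authentication step; the weights, thresholds, field names and the `exemptions_enabled` switch are all assumptions.

```python
from dataclasses import dataclass

# Constructed illustration: the backend hands the engine the transaction
# context and gets back how (or whether) to authenticate. Weights, thresholds
# and names are assumptions, not OneSpan's API or Orange Money's real rules.

@dataclass
class TxContext:
    amount_eur: float
    device_trusted: bool     # device previously enrolled by this user
    usual_location: bool     # geolocation matches the user's normal pattern
    usual_behaviour: bool    # time of day, cadence and payee look familiar
    new_payee: bool          # first transfer to this beneficiary

# Assumed rule weights; a learned model would replace these over time.
WEIGHTS = {
    "untrusted_device": 45,
    "unusual_location": 25,
    "unusual_behaviour": 20,
    "new_payee": 15,
}

def risk_score(ctx: TxContext) -> int:
    """Additive rule score in 0..100; higher means more suspicious."""
    score = 0
    if not ctx.device_trusted:
        score += WEIGHTS["untrusted_device"]
    if not ctx.usual_location:
        score += WEIGHTS["unusual_location"]
    if not ctx.usual_behaviour:
        score += WEIGHTS["unusual_behaviour"]
    if ctx.new_payee:
        score += WEIGHTS["new_payee"]
    return min(score, 100)

def required_auth(ctx: TxContext, exemptions_enabled: bool = False) -> str:
    """Map risk to an authentication step: 'none', 'biometric' or 'pin'.

    exemptions_enabled=False mirrors the current state described above:
    a second factor is required on every transaction, so 'none' never occurs.
    """
    score = risk_score(ctx)
    if exemptions_enabled and score < 20 and ctx.amount_eur <= 30:
        return "none"        # assumed low-risk, low-value exemption
    if score < 50:
        return "biometric"   # fingerprint on the trusted device
    return "pin"             # explicit PIN entry for a riskier context
```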
Integration and Go-live
To launch the project, OneSpan sent a team to Romania to provide training to Orange Money’s IT, anti-fraud, and business teams. OneSpan provided the SDKs for Android and iOS, and the teams worked together to implement the solution in Orange Money’s technical infrastructure as well as in their anti-fraud processes.
“For go-live, we first did the user acceptance testing (UAT) phase. Then we launched a beta to our beta tester customers. We have since implemented some of their feedback, which was very helpful. Then we put the application in the store and let customers upgrade at their own pace. After one month of going live, 99% of our active mobile application users had updated to the new security solution.
“For those in banking, you’ve probably noticed the shift in the way users authenticate to their bank. Some put a soft token in their mobile app, and with the majority of banks, the migration from password-only authentication and SMS authentication to software authentication can be painful. And a number of users will contact the call center. While we prepared for this, our implementation with OneSpan helped our customers self-serve. We did not have a huge surge in the call center.”
Key Takeaways from Orange Money Romania
The presentation by Orange Money covers many additional details not included in this blog, so we encourage financial services providers to watch the full presentation. In summary, there are 3 important takeaways from Orange Money’s experience:
1. The value of cloud: At OneSpan, we are seeing a strong surge in cloud deployments, such as the one from Orange Money. This complements the research findings in Aite Group’s new report, Neobanks: The Bumpy Road to Profitability. According to Aite, “Several factors are driving the preference toward hosted/cloud-based technology solutions for neobanks:
- Faster deployment/speed to market
- Lower total cost of ownership
- Less of a staffing burden
- More time to focus on banking activities and customer acquisition, with the technology priority focusing on differentiating the customer experience rather than on infrastructure
- Lower regulatory burden when utilizing traditional technology vendors that are already compliant with the financial services industry
- Higher levels of business continuity through vendor-run backup data centers”
2. The value of progressively moving to more sophisticated authentication: As financial institutions re-evaluate their authentication strategies to balance fraud prevention, regulatory compliance and the customer experience, they are migrating from simple authentication (using individual authentication modalities like passwords or SMS) to more sophisticated approaches where the authentication is orchestrated through anti-fraud rules and eventually machine learning. This is the best practice that Orange Money Romania is following – first getting comfortable using fraud rules to drive adaptive authentication based on the level of risk, and giving themselves and their clients time to get used to the new experience. Then, training the machine learning model as a next step. That will usher in a new and elevated authentication approach, driven by machine learning-based fraud detection.
3. The value of a specialized security vendor’s expertise: Fraud threats such as account takeover (ATO), mobile malware and identity theft are becoming more prevalent and sophisticated. Many financial institutions still rely on older anti-fraud technology and need to re-assess their systems. At the same time, they are balancing regulatory compliance with user experience, and have to tie all three of these priorities together into a seamless flow for the customer. Understanding how best to implement new authentication and fraud prevention technologies in a way that deters fraud and reduces false positives is crucial, especially in the context of your client base and your regulatory context (whether that’s PSD2 in the European financial markets, Open Banking in the United Kingdom, or the regulatory environment in the United States). This is all part of OneSpan’s core expertise. The knowledge transfer that occurs between OneSpan and our customers’ fraud teams throughout the partnership is something that both traditional banks and neobanks applaud as having strengthened their organizations.