Online fraud is relentless. Merchants adopt new security layers, and fraudsters just find new cracks to slip through. 3DS fraud prevention was supposed to be the answer, but does it still hold up today? Let’s dig into how 3D Secure 2.0 works, how it’s being exploited, and what merchants need to know next.
What Is 3DS Fraud Prevention?
3DS (Three-Domain Secure) is a security protocol designed to reduce card-not-present fraud. It involves three domains: the merchant, the card network (Visa, Mastercard, etc.), and the issuing bank. During checkout, 3DS adds an authentication layer where the cardholder verifies their identity, often through a one-time passcode, biometric prompt, or app notification.
This step is meant to confirm the customer is who they say they are. If the verification passes, liability for fraud shifts from the merchant to the issuer. That’s the theory.
But in practice? It’s messier.
How 3DS2 Tries to Improve Security
The first version of 3DS caused friction, lots of it. Customers abandoned carts when asked to remember passwords or wait for text codes. So, 3DS2 was introduced to improve the experience. It uses:
- Frictionless flow: Merchants can send up to 150 data points (like IP address, purchase history, and device ID) to the issuer to determine if a challenge is even necessary. If the data looks clean, the user skips authentication.
- Biometric options: Face ID, fingerprint, or voice authentication add a smoother layer of verification.
- Better mobile compatibility: 3DS2 was designed to work with in-app and mobile browser checkouts.
From a customer experience perspective, it’s a big upgrade. But from a security perspective, it still has problems.
How Fraudsters Are Bypassing 3D Secure
Fraud prevention tools only work if you can trust the signals. And that’s where 3DS fraud prevention struggles. Here’s how attackers get around it:
1. Social engineering and account takeovers
If a fraudster gains access to a customer’s banking app or device, they can pass biometric authentication easily. In these cases, 3DS doesn’t prevent fraud; it authenticates the fraudster.
2. Frictionless flow abuse
When merchants pass behavioral and transaction data to trigger frictionless authentication, bad actors can spoof clean signals. Tools like device emulators and residential proxies help disguise fraud as normal customer behavior.
3. Fake merchant setups
Some fraudsters create fake merchant accounts that only process verified 3DS cards (like stolen cards with low-risk profiles). Once the card clears a 3DS check, they drain the balance with rapid-fire transactions.
4. Synthetic identity fraud
Because 3DS relies on device and behavioral patterns, synthetic identities that mimic legitimate users can sometimes pass authentication. These aren’t real people, but they can act like them.
Why Liability Shift Isn’t a Safety Net
Merchants often assume 3DS fraud prevention protects them by shifting liability to the issuer. That’s only true if:
- The transaction was 3DS authenticated
- The issuer accepted the risk
- The fraud type qualifies for a liability shift
However, some chargebacks fall outside this scope. For example:
- Disputes labeled as “product not received” or “not as described” still fall on the merchant.
- If 3DS fails or isn’t supported in a region, liability stays with the merchant.
- Some issuers challenge the liability shift during arbitration.
And even if you’re not liable financially, you still face operational costs, dispute management headaches, and risk monitoring penalties.
Behavioral Biometrics: The Next Layer?
To plug the gaps in 3DS fraud prevention, some merchants are adopting behavioral biometrics. These tools track how a user types, moves their mouse, or scrolls. Unlike static data points (like device ID), behavioral patterns are hard to spoof.
Behavioral biometrics is usually layered on top of 3DS rather than used in place of it. Think of it as context. If someone suddenly types like a different person on the same device, it can trigger a manual review or deny the transaction.
Still, like any tool, it isn’t perfect. Behavioral biometrics works best when layered with strong fraud detection systems, manual reviews, and adaptive thresholds.
So, Does 3DS Fraud Prevention Still Hold Up?
In short, it holds up better than nothing, but not enough to rely on alone.
3DS2 was a major leap in UX, but fraudsters adapted fast. Authenticating a session isn’t the same as verifying that the person behind it is the legitimate cardholder. Fraud prevention needs to go deeper than 3DS checks. It needs context, velocity tracking, and behavior analysis.
The takeaway: use 3DS fraud prevention as a foundation, but not a wall.
FAQ: 3DS Fraud Prevention
What is the difference between 3DS1 and 3DS2?
3DS1 relied on static passwords, which caused friction in the checkout process. 3DS2 supports biometrics, offers frictionless authentication based on data, and works better on mobile devices. It’s a UX-focused upgrade, but it doesn’t eliminate fraud risk.
Can a merchant still get chargebacks even if 3DS authentication was successful?
Yes. Even if liability shifts to the issuer, merchants can still get hit with chargebacks for non-fraud reasons like “item not received” or “services not rendered.” Also, some fraud types can slip past authentication if an account was compromised.
Does using 3DS prevent refund fraud or policy abuse?
No. 3DS focuses on verifying cardholder identity. It doesn’t detect customers who misuse refund policies or file false claims after receiving the product. That requires separate fraud monitoring systems.
What is frictionless flow in 3DS2?
Frictionless flow allows a transaction to bypass step-up authentication if the merchant provides enough risk data and the issuer deems it low risk. It speeds up checkout but creates opportunities for spoofed behavior to slip through.
Should I disable 3DS if it creates too much friction?
Disabling 3DS removes the liability shift protection and may increase fraud risk. Instead, optimize the flow by sharing quality data with issuers and using additional fraud detection layers like velocity rules and behavioral analytics.
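One way to build the velocity layer this article keeps coming back to (the rapid-fire draining of a card that already cleared 3DS, velocity tracking, velocity rules on top of authentication) is sketched below. This is an added example, not Chargeblast’s or any 3DS vendor’s code; the card tokens, timestamps, amounts and thresholds are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorisations: (card_token, ISO timestamp, amount, passed 3DS?).
# card_A passes 3DS every time but is drained by rapid-fire charges; card_C skipped 3DS.
SAMPLE_TXNS = [
    ("card_A", "2024-05-01T10:00:00", 20.00, True),
    ("card_A", "2024-05-01T10:00:40", 35.00, True),
    ("card_A", "2024-05-01T10:01:10", 50.00, True),
    ("card_B", "2024-05-01T10:00:00", 40.00, True),
    ("card_B", "2024-05-01T14:30:00", 45.00, True),
    ("card_C", "2024-05-01T11:00:00", 90.00, False),
]
# Thresholds are hypothetical defaults; a merchant tunes them from its own risk data.
def velocity_flags(txns, window=timedelta(minutes=5), max_count=2, max_amount=150.0):
    """Return {card_token: reason} for cards exceeding a sliding-window count or amount."""
    by_card = defaultdict(list)
    for card, ts, amount, _authed in txns:  # 3DS result ignored on purpose: it does not stop draining
        by_card[card].append((datetime.fromisoformat(ts), amount))
    flags = {}
    for card, events in by_card.items():
        events.sort()
        start, running = 0, 0.0
        for i, (ts, amount) in enumerate(events):
            running += amount
            while ts - events[start][0] > window:  # drop events that have left the window
                running -= events[start][1]
                start += 1
            count = i - start + 1
            if count > max_count:
                flags[card] = f"{count} transactions in {window}"
                break
            if running > max_amount:
                flags[card] = f"{running:.2f} total in {window}"
                break
    return flags

def screen(txns):
    """Combine the 3DS outcome with velocity; a clean 3DS result never overrides a velocity hit."""
    flags = velocity_flags(txns)
    decisions = {}
    for card, _ts, _amount, authed in txns:
        if card in flags:
            decisions[card] = "review: " + flags[card]
        elif not authed:
            decisions[card] = "review: no 3DS authentication, no liability shift"
        else:
            decisions.setdefault(card, "accept")
    return decisions
```

Running `screen(SAMPLE_TXNS)` sends card_A to review despite three successful 3DS checks, accepts card_B, and routes card_C to review because without authentication there is no liability shift.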
Chargeblast Helps You Catch What 3DS Misses
3DS stops some fraud, but it won’t catch policy abuse, refund scams, or disputes filed after delivery. Chargeblast is built to help you prevent chargebacks before they’re filed, even when 3DS says a transaction was clean.
From real-time alerting to automated dispute evidence and analytics, we give you tools to stay ahead of fraud even when it hides behind authentication. Not every fraudster gets flagged, but every dollar matters.