Background. 3-D Secure 2.0 (3DS 2.0) is an identity federation protocol authenticating the payment initiator for credit card transactions on the Web.

Aim. We aim to quantify the impact of factors used by 3DS 2.0 in its fraud-detection decision making process.

Method. We ran credit card transactions with two Web sites systematically manipulating the nominal IVs machine_data, value, region, and website.

We measured whether the user was challenged with an authentication, whether the transaction was declined, and whether the card was blocked as nominal DVs.

Results. While website and card largely did not show a significant impact on any outcome, machine_data, value and region did.

A change in machine_data, region or value made it 5-7 times as likely to be challenged with password authentication. However, even in a foreign region with another factor being changed, the overall likelihood of being challenged only reached 60%.

When in the card's home region, a transaction will be rarely declined (< 5% in control, 40% with one factor changed). However, in a region foreign to the card the system will more likely decline transactions anyway (about 60%) and any change in machine_data or value will lead to a near-certain declined transaction.

The region was the only significant predictor for a card being blocked (OR=3).

Conclusions. We found that the decisions to challenge the user with a password authentication, to decline a transaction and to block a card are governed by different weightings. 3DS 2.0 is most likely to decline transactions, especially in a foreign region. It is less likely to challenge users with password authentication, even if machine_data or value are changed.

Acknowledgement. This work was supported by the ERC Starting Grant Confidentiality-Preserving Security Assurance (CASCAde, GA no 716980).