Going Beyond Customer Authentication to Fight Bank Fraud
How Strong Customer Authentication and Risk Management Systems Work Together to Prevent Fraudulent Transactions
Customer authentication gets a lot of attention when it comes to fighting fraud, and for good reason. In the 2021 Data Breach Investigations Report, investigation of data from nearly 80,000 incidents from 88 countries around the world suggests that stolen credentials were used in 61 percent of all attacks in 2021.
Phishing remains a key weapon for fraudsters. Customers at one Singaporean bank lost nearly $8.5 million last December after being tricked into surrendering their account details via SMS through a smishing campaign. Meanwhile, the Scamwatch team of the Australian Competition and Consumer Commission (ACCC) reported a 106 percent increase in SMS scams since the start of the year — after tallying over 67,000 scams and $10 million lost in 2021.
Strong Customer Authentication (SCA) based on secure mobile push notifications protected by biometrics could have prevented many of these fraudulent transactions from happening. Banks that are serious about mitigating risks from phishing and identity theft can go one step further and prevent attacks before they occur. Banks with a defense-in-depth (DID) strategy view authentication as part of a comprehensive risk management ecosystem that takes advantage of artificial intelligence (AI) and behavioral biometrics to identify threats and minimize exposure to constantly and proactively defend their customer assets which include safeguarding their online identity.
In this post, we’ll explore how this full risk management ecosystem works to protect financial transactions.
Who’s Behind That Transaction Request?
Fraud prevention starts with user-friendly yet secure authentication: if only licit users can access their accounts, imposters can’t cause any damage. Strong Customer Authentication (SCA) regulatory requirements — which demand that customers confirm their identities through multi-factor authentication (MFA) using something they have or know, have prompted financial institutions to fortify their authentication solutions.
Yet many financial institutions still rely on insecure authentication methods. The leading authentication method used by the institutions we surveyed in 2021 was an SMS sent to customers’ phones — in spite of the security risks that SMS authentication entails. More traditional authentication methods like secret questions and answers and email password resets are also still widely in use.
A more secure and user-friendly way to protect log-ins and financial transactions is push authentication, one of the delivery channels that enables the use of a mobile phone to perform MFA. “Push” uses cryptographic techniques to link a specific device to its owner’s identity, making it impossible for attackers to impersonate someone without physical access to the device. The push user experience is seamless and straightforward. When notifications appear on the users’ phones, they must simply swipe to validate the request by making a binary choice — “approve” or “decline” — rather than referencing and retyping an OTP received via SMS.
In fact, the most flexible push authentication solutions enable banks to go completely passwordless by enabling device biometric capabilities — and eliminate the threat of compromised credentials.
Linking Actions With Identities
Strong Customer Authentication (SCA) is only one tool to prevent fraud. Data from customer device threat detection, customer behavioral biometrics and customer payment transactions can be collected and incorporated as adjacent data with the usual user behavioral patterns. Common or usual behavioral patterns include things such as how users type, swipe and interact with their devices. The benefit lies in leveraging those patterns to flag anomalous log-ins and transaction attempts that simple authentication solutions might otherwise miss. The key principle here is to supplement our point-in-time data (credentials based on what we know, what we have and who we are) with collected data over time to help mitigate bank fraud.
To provide risk-based decision and fraud prevention, the HID Risk Management Solution (RMS) utilizes a modern approach to continuously evaluate the entire consumer journey in real time. The RMS solution leverages pieces of information that seem insignificant on their own but when combined, paint a portrait to prevent fraud across the entire journey. Here are some examples:
- The type of operating system being used
- Whether the user is connecting through a VPN — or on a device that’s been compromised by malware
- The IP address and geolocation of each log-in attempt
- A unique device fingerprint, from the languages and fonts that are installed to how many contacts are stored in the directory
- Flagging payment transactions that can be fraudulent
Once users log into their accounts, RMS continues by evaluating the transaction context. Is a user checking their account balance or transferring a large sum of money? To what extent does this action deviate from their typical behavior?
The Benefits of Being Proactive
Together, consumer authentication methods and RMS power a proactive approach to prevent fraud, identifying threats earlier in the banking journey and making it easier for organizations to take effective proactive actions. It’s an especially powerful combination for fighting common types of bank fraud such as, but not limited to:
- Phishing attacks — Phishing is one of the most prevalent social engineering scams in the internet era. Phishing is a cybercrime in which a target or targets are contacted by email, phone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, online banking information and passwords.
- Zero-Day attacks — New risks are emerging all the time, and the days when organizations could count on security patches to stop them are long gone
- Account takeover — A cybercriminal takes ownership of online accounts by using stolen passwords and/or usernames, most commonly obtained through mass lists available on the dark web for purchase
- Social engineering & scam — Social engineering is accomplished through human interactions. Basically, it involves manipulating the user to give away sensitive information or making a security mistake to take advantage and steal their assets or identity.
- SIM swapping — A SIM swap starts when hackers obtain personal information, then reroute all incoming texts and calls to their own devices. SIM swaps are unusually effective at circumventing MFA protections; last year, swappers stole more than $100 million in the US alone.
Cybercriminals will always be part of the digital banking landscape, but the damage they cause doesn’t have to be. Effective fraud prevention technologies that optimize user experience enable organizations to be proactive about risk — not just to protect their customers but to preserve the financial and reputational integrity of their business.
To learn more about how to keep your consumers protected:
- Download the eBook The Ultimate Guide to Risk Management Systems >>
- What is your organization’s exposure to phishing attacks? Get a free analysis >>
Edwardcher is a highly skilled solution architect and a digital security expert with an instinctive passion for pragmatic problem solving. He has over two decades worth of experience working in the trenches developing software and delivering solutions & services to the military, telecoms, banks, enterprise and the government with synergies in NFC, TSM and mobile financial services applied with PKI, risk management and strong authentication.