Cyber thieves are a persistent bunch.
Even as banks and other financial firms have invested heavily in technology designed to protect customers’ data, fraudsters have become more and more aggressive in trying to steal consumers’ identities to open accounts, take out loans or intercept payments.
According to ThreatMetrix, a global cybersecurity network used by banks and e-commerce firms to help determine the authenticity of digital transactions, 210 million attempted attacks were made on its network during the first quarter of 2018, a 62% increase over the same period last year.
Attempts to open fake accounts via mobile device have increased 211% since the start of 2017, illustrating the challenges banks, credit unions, fintechs and other financial organizations face in staying on top of cyber crime as consumers continue to migrate to digital channels for every day transactions, said Vanita Pandey, vice president of strategy and product marketing at ThreatMetrix.
“The problem is really pervasive, and as a lot of folks become more comfortable with conducting financial business in digital channels, you have to be extra vigilant to find the fraudsters,” and distinguish them from the real customers, she said.
Building mobile defenses is particularly crucial. ThreatMetrix analyzed 9.3 billion transactions during the first quarter and, of those, 51% originated from a mobile device — nearly three times as many as in the first quarter of 2015. Moreover, the number of transactions conducted via mobile device increased by 118% in the first quarter when compared with a year earlier and the number of accounts opened using a mobile device climbed 140%.
Pandey suggested that firms rely on a multipronged approach to mitigate digital fraud while still ensuring a smooth user experience.
Accurate recognition of a user’s digital identity should be based on device, location, identity and threat intelligence and combined with behavioral analytics. This ensures that banks are able to better identify returning users and spur manual reviews only on transactions that are genuinely high risk, Pandey said.
The use of behavioral biometrics is an integral part of digital identity intelligence, because the way a trusted user interacts with their device tends to be remarkably consistent, with only small fluctuations. For example, an activity such as a user going directly to an account-transfer function after logging in, when typically that person visits another page first, could indicate an account takeover, Pandey said.
Conversely, banks should also use data and analytics to know their customers, so they can avoid flagging legitimate transactions as possible fraud and creating friction in the relationship. “So if you see someone that has logged in from four different continents in one week, it might seem like a fraudster, but she could be someone who is a frequent business traveler and this is common for them,” Pandey said.
When it comes to detecting fraud in new account openings, where there is no prior history to look at, banks can still use a measure of behavioral biometrics, said Mary Ann Miller, senior director, fraud executive adviser and industry relations for the technology and consulting firm NICE Actimize.
“So, for example, if a bank sees a lot of cash coming in and out of an account [after it was just opened] or a lot of deposit activity, those could be signs,” she said.
While many financial firms are in a rush to roll out as many new digital offerings as possible to sate customers, they should instead take a more measured approach, said Perry Menezes a managing director in the cyber practice for KPMG and banking cyber lead for the firm.
“It comes down to what is a bank’s risk tolerance?” he said. “As long as you have that in mind as the background, then by all means move ahead. It also comes down to maturity. Some banks are prepared to go full-out with digital. Others should start in segments; taking one product line, see how they can digitize that, and then from the outcomes and make tweaks where needed.”
Banks obviously build cyber defenses into any new digital product they roll out, but Menezes said that that is not always good enough.
“It’s a cat-and-mouse game. As banks fight fraud, criminals adapt and you have to respond,” he said.
NICE Actimize’s Miller said that application fraud and identity theft will continue to increase as more digital-only players enter financial services and established entities roll out newer digital services.
In this landscape, Miller recommends that banks and other financial firms encourage customers to actively participate in the fraud-prevention process, such as by encouraging them to sign up for biometric authentication.
Firms themselves, meanwhile, should be tracking passive information from the customer, such as keeping tabs on locations from which they conduct transactions and identifying payment patterns or how they normally key in information. Any deviations from normal patterns could be a sign of potential fraud.
“It’s not just identifying one event, but connecting events to each other,” Miller said.
Managing all this information can be challenge because banks often silo data storage, but Miller said some are moving in the right direction.
“There’s still a long way to go when it comes to coordinating and correlating, but you’re starting to see a focus on building the right kinds of framework to support managing digital identity as a long-term vision,” she said.