Fighting back against the threat of account takeover
It’s the top type of fraud in digital channels. Account takeover fraud reached a record high $5.1 billion in 2017, according to Javelin Strategy & Research. Almost 90% of financial institutions (FIs) say that fraud losses on account takeover far outpace application fraud or mobile remote deposit fraud.
Once an account holder’s username and password are compromised, fraudsters can use those same credentials to gain access to additional accounts, launching consumers into a financial nightmare that can take months or years to resolve. Javelin Strategy & Research estimates that consumers spent 62.22 million hours in 2017 attempting to resolve the issues.
What Makes Account Takeover Fraud So Difficult to Detect?
In account takeover fraud, a fraudster impersonates a consumer and takes over their financial accounts. Fraudsters can change account details, buy goods, withdraw money, make unauthorized transactions, and even open new accounts.
Banks and credit unions have tried to thwart criminals in a number of ways, including multi-factor authentication and knowledge-based authentication (KBA) questions but fraudsters are constantly testing the limits of authentication protocols. The faceless nature of digital makes authentication difficult and a single approach leaves FIs vulnerable.
For example, fraudsters can spoof a mobile device, pretending to be the customer. The FI sends an SMS text message with a One-Time Passcode (OTP) to the device on file—but the SMS text message is redirected to the fraudster’s device instead. Malware installed on the mobile device allows fraudsters to steal the customer’s banking credentials without the customer’s knowledge.
The Multi-layer Approach to Fraud
With so many threats, it is becoming increasingly difficult to authenticate a customer in the digital space. No one type of authentication can deliver 100% confidence that the customer you are interacting with is who they say they are.
FIs can ask customers to jump through hoops to verify their identity, perhaps entering fingerprint recognition on their smartphone, confirming an OTP or answering a series of intrusive KBAs. Fraud will likely be reduced, but customer friction rises. As a result, customers abandon transactions or may even switch to an FI that delivers a less painful transaction experience.
And why should a long-time customer who is using their mobile app to pay their monthly utility bill be subjected to the same scrutiny as a brand new customer initiating a large dollar transfer? For most consumers, authentication should be relatively frictionless—and it needs to be tailored toward the individual and the type of transaction. For the fraudsters, authentication methods should include difficult challenges with enough friction to keep them at bay.
Combining Passive and Active Authentication Methods to Reduce Fraud
Passive authentication that occurs in the background allows FIs to balance their desire to reduce risk without negatively impacting the customer experience. One example of passive authentication utilizes intelligence from the Mobile Network Operators (MNOs) to validate devices using carrier information. While fraudsters use various ways to impersonate a customer’s mobile device, such as SIM card swapping, forwarding, or porting numbers, they cannot impersonate the MNO data to validate the device.
Passive authentication can be used by itself, or it can support more active authentication methods such as an OTP via SMS, email, or voice. Once the FI sends the SMS message, MNO data can validate the device. In this instance, passive authentication serves as a return receipt, assuring the FI that the intended recipient received the SMS text.
If a customer purchases a new phone and the customer then accesses their mobile banking app, MNO intelligence informs the FI about the new device so they can decide whether or not to step up authentication and add additional friction. Although this may impact the customer experience, the FI can have peace of mind this is their true customer authenticating their new device, and not a fraudster.
Passive authentication using MNO data can also identify the device type. Since sending an SMS text to a mobile device associated to a customer for two years is less risky than a pre-paid phone, the FI has a better handle on whether or not to ask for additional authentication.
Coupled with the information the FI knows about their customer such as transaction history, banks and credit unions can use passive authentication to make a more informed decision whether to approve the transaction or step-up authentication.
A multi-layer approach to fraud prevention and detection should incorporate both active and passive authenticators. It should also be customized and updated depending on emerging threats based on the FIs’ risk tolerance. Combined, these are critical strategies to authenticate customers in today’s faceless digital environment. Ultimately, the key is to mitigate risk in a way that adds the least amount of friction to the customer experience, while keeping fraudsters out.
To learn more, click here to download Aite Group’s eBook, titled Fraud Risk Management in Real-time Payments.