How to mitigate account fraud on mobile devices
In an increasingly digital world, consumers expect that their financial institution (FI) will provide mobile banking access. And mobile banking is good for FIs since it’s a low-cost delivery channel. However, fraudsters love it as well for its anonymity, which makes it easier to commit cybercrime.
Banks and credit unions have traditionally used multifactor authentication—for instance sending a One-Time Passcode (OTP) via SMS text message to a mobile device—but fraudsters can impersonate consumers by porting numbers, switching SIM cards, or installing mobile malware. Knowledge-based authentication (KBA) is also widely used by FIs, but fraudsters have become adept at using social engineering to obtain the answers and defeat these identity checks.
American Banker spoke with Hal Granoff, Senior Director of Authentication for Early Warning Services, about fraud trends, what makes account fraud on mobile devices so insidious, and what banks and credit unions can do to keep their customers—and their institutions—safe.
What are some of the biggest fraud threats?
Hal Granoff: Fraud is a moving target. It’s constantly evolving as fraudsters look to exploit the weakest link. For example, as the industry rolled out the global chip standard EMV to thwart card-present fraud, fraudsters transitioned their business model away from replicating credit cards used at a physical store to perpetrating online card-not-present fraud. In fact, according to Javelin Strategy & Research, online fraud is now 81% more likely than point-of-sale fraud.
Today, contact centers are among the most vulnerable access points and fraudsters are increasingly exploiting the contact center to gather the information they need to commit fraud on digital channels.
What makes the contact center ripe for fraud?
Granoff: Data breaches have made personally identifiable information (PII) readily available. Fraudsters have become more sophisticated at combining this information from multiple sources with social engineering, manipulating call center agents into allowing fraudsters to access customer accounts and change passwords.
The fraudsters then have full access to an account, including the passwords for mobile banking apps.
Is mobile banking particularly at risk?
Granoff: As more consumers use mobile banking, yes, the risk of fraud naturally goes up. And fraudsters can use SIM card swapping, porting, and forwarding to impersonate legitimate customers. But the good news is that the mobile device provides a lot of different signals that FIs can use to authenticate customers in various digital channels.
Mobile device binding allows us to tie the mobile device to the customer during the first interaction. If anything changes—let’s say the customer upgrades their mobile device—we can then check with the Mobile Network Operator (MNO) in real time to make sure that the customer really did purchase a new phone. If the MNO doesn’t confirm the purchase, we send a red flag to the FI that the transaction could be fraudulent.
Or, if the MNO tells us the phone is prepaid and the account is new, that also sends up a red flag. If there has been a risky event associated with a phone, such as a porting event, that’s another red flag.
Based on this intelligence, the FI makes the decision whether or not to approve the transaction or to step up their authentication.
How do you balance risk with customer friction?
Granoff: The vast majority of transactions are legitimate, so why inconvenience most of your customers with long passwords and intrusive KBA? The goal is to let good customers through with as little friction as possible and only add a layer of security to those who warrant it.
FIs ingest the data provided and combine it with what they know about their customers, to make an informed decision. They may, for instance, ask a brand new customer or a customer with red flags to go through another layer of security.
I use the analogy of TSA Pre-Check. Once you’ve gone through an authentication process, you no longer have to take off your shoes or remove your laptop. Sure, there is some screening, but the process has much less friction.
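The device-binding flow Granoff describes (bind on first interaction, consult the MNO only when the device changes, raise red flags for an unconfirmed device change, a new prepaid line or a recent port, and otherwise let known customers through without friction) can be written down as a small policy. The following is an added example, not Early Warning Services' code or any carrier's API; the `MnoRecord` fields, the `MNO_TABLE` carrier data, the thresholds and the customer and phone identifiers are all constructed for the demo.

```python
"""Risk-based device binding for a mobile banking login (added example).

The MNO lookup is a constructed in-memory table standing in for a real-time
carrier query; thresholds are assumptions, not values from the interview.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Decision(Enum):
    ALLOW = "allow"      # known or confirmed device: no extra friction
    STEP_UP = "step_up"  # red flags present: add another authentication layer
    BIND = "bind"        # first interaction: bind the device; FI treats customer as new


@dataclass
class MnoRecord:
    """Constructed stand-in for what a Mobile Network Operator would report."""
    device_change_confirmed: bool      # carrier confirms the customer bought a new phone
    prepaid: bool                      # line is prepaid
    account_age_days: int              # age of the carrier account
    ported_within_days: Optional[int]  # days since the number was ported, None if never


@dataclass
class LoginAttempt:
    customer_id: str
    device_id: str      # stable device fingerprint presented by the banking app
    phone_number: str


@dataclass
class RiskResult:
    decision: Decision
    signals: list = field(default_factory=list)   # red flags or informational notes


class DeviceBindingPolicy:
    NEW_MNO_ACCOUNT_DAYS = 30   # assumed threshold for "the account is new"
    RECENT_PORT_DAYS = 14       # assumed window for "a porting event"

    def __init__(self, mno_lookup: Callable[[str], MnoRecord]):
        self._bindings: dict = {}        # customer_id -> bound device_id
        self._mno_lookup = mno_lookup

    def evaluate(self, attempt: LoginAttempt) -> RiskResult:
        bound = self._bindings.get(attempt.customer_id)
        if bound is None:
            # First interaction: tie this device to the customer. A brand-new
            # relationship still warrants another layer, so report BIND.
            self._bindings[attempt.customer_id] = attempt.device_id
            return RiskResult(Decision.BIND, ["first_interaction"])

        if bound == attempt.device_id:
            # Known device: the low-friction path, no carrier query needed.
            return RiskResult(Decision.ALLOW)

        # Device changed: consult the carrier and collect red flags.
        flags = []
        mno = self._mno_lookup(attempt.phone_number)
        if not mno.device_change_confirmed:
            flags.append("device_change_unconfirmed")
        if mno.prepaid and mno.account_age_days < self.NEW_MNO_ACCOUNT_DAYS:
            flags.append("prepaid_new_account")
        if mno.ported_within_days is not None and mno.ported_within_days <= self.RECENT_PORT_DAYS:
            flags.append("recent_port")

        if flags:
            return RiskResult(Decision.STEP_UP, flags)
        # Carrier confirmed a legitimate upgrade: rebind to the new device.
        self._bindings[attempt.customer_id] = attempt.device_id
        return RiskResult(Decision.ALLOW, ["device_rebound"])


# Constructed carrier data for the demo (not real numbers or customers).
MNO_TABLE = {
    "+15550100": MnoRecord(True, False, 900, None),   # confirmed upgrade, long-standing line
    "+15550101": MnoRecord(False, True, 5, 2),        # unconfirmed, prepaid, ported 2 days ago
}


def mno_lookup(phone: str) -> MnoRecord:
    return MNO_TABLE.get(phone, MnoRecord(False, False, 0, None))


def run_scenarios() -> dict:
    policy = DeviceBindingPolicy(mno_lookup)
    out = {}
    # Legitimate customer: first login, same device again, then a confirmed upgrade.
    out["bind"] = policy.evaluate(LoginAttempt("cust-A", "dev-1", "+15550100")).decision.value
    out["same_device"] = policy.evaluate(LoginAttempt("cust-A", "dev-1", "+15550100")).decision.value
    out["confirmed_upgrade"] = policy.evaluate(LoginAttempt("cust-A", "dev-2", "+15550100")).decision.value
    # Bound customer whose line now shows a fresh port and an unconfirmed device change.
    policy.evaluate(LoginAttempt("cust-B", "dev-9", "+15550101"))
    suspicious = policy.evaluate(LoginAttempt("cust-B", "dev-10", "+15550101"))
    out["suspicious"] = suspicious.decision.value
    out["suspicious_flags"] = suspicious.signals
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The known-device path never touches the carrier, which is the "TSA Pre-Check" property: most customers pay no friction. Only a device change triggers the real-time MNO query, and the policy rebinds to the new device only when the carrier confirms the purchase, so an unconfirmed swap keeps the old binding and forces step-up.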
Any final advice for FIs?
Granoff: Managing fraud and authentication is always a balancing act. On the one hand, banks and credit unions can choose not to have a mobile app to reduce threats. Of course, that’s not an optimal strategy since our ever-increasing mobile world demands mobile access, thus leading customers to potentially switch institutions. The best strategy is to use a multi-layered approach that protects against and detects threats without adding friction to the customer experience.