Stop fraudsters in their tracks: An inside look at mitigating account takeover fraud
Prevent fraud in the digital channels and enhance the customer experience with layered authentication
Here’s one idea to take a bite out of account takeover fraud: Require that every transaction—whether viewing an account balance, transferring money, or changing an account’s mailing address—first go through a robust authentication process. Ask a few knowledge-based authentication questions such as “What was your first car?” and “What month is your best friend’s birthday?” Then send a one-time passcode (OTP) to a mobile device. Follow up with fingerprint recognition. Require a blood test….
The scenario above is obviously tongue-in-cheek, but it raises a valid challenge for financial institutions: How do you differentiate between low-risk transactions with real customers and high-risk transactions with fraudsters using the same authentication tools?
You don’t. Apply such a heavy-handed approach to authenticate all transactions and you’ll likely make a dent in reducing account takeover (ATO) fraud, but you’ll also frustrate and annoy your good customers. They may even jump ship and move to a financial institution that doesn’t make them jump through hoops to check their account balance.
The key is determining when to use active authentication that requires an action, such as entering an OTP, or passive authentication that does the authentication in the background, such as using trusted mobile network operator (MNO) data to verify the legitimacy of the device.
Hidden High-Risk Transactions
When financial institutions think about security risks, they tend to focus on digital transactions such as transfers that involve money movement. But pre-money movement activities designed to facilitate a successful ATO attack—such as changing a mobile phone number so that the OTP sent via SMS text message is sent to a fraudster—can be much more insidious.
ATO is a foundational first step that enables fraudsters to make high-payout transactions, and it’s on the rise. Javelin Strategy & Research notes that mobile phone account takeovers nearly doubled to 680,000 victims in 2018 from 380,000 in 2017. Fraudsters, with ready access to the personally identifiable information (PII) associated with the more than 11 billion records breached since 2005, are adept at bypassing identity proofing controls implemented at call centers.
Financial institutions are beginning to focus on these pre-money movement activities, but many institutions still rely on fraud detection methods that don’t target the low-risk transactions that can lead to ATO fraud. Yet most ATO is the result of fraudsters gaining access to username and password credentials available on the dark web, or of consumers inadvertently giving fraudsters access to their online credentials through phishing attacks.
So when do you authenticate the customer? Do you ask every customer to verify their identity with OTPs or knowledge-based authentication questions even if they are only viewing an account balance? Or, do you wait until the customer tries to perform a high-risk transaction, such as attempting a large dollar wire transfer?
The answer is: it depends. Financial institutions should evaluate each transaction based on its risk and authenticate low-risk transactions passively, avoiding customer friction. For transactions that are higher risk or that seem suspicious, deploy more invasive authentication methods to step up security.
Financial institutions need to balance the need to confidently authenticate the customer with the need to provide top-notch customer experiences. But in a digital, faceless environment, it’s difficult to verify that the customer is who they say they are. Financial institutions traditionally relied on data from MNOs to verify an identity by associating a phone number or device with customers, but fraudsters can spoof numbers or swap SIM cards on devices, so it’s important to have authentication solutions that can detect these types of fraud threats as well.
The goal isn’t to totally eliminate friction, but to apply intelligent friction to only those moments in the customer’s digital experience that pose a significant risk. It’s about applying the right techniques to validate suspicious transactions at the right time.
Achieving Intelligent Friction Requires a Layered Approach to Authentication
No single authentication method can deliver 100% confidence that a transaction is being done by a legitimate customer. There are just too many ways that fraudsters can hijack accounts. Instead of hoping that a single tool will detect most fraud, use a layered approach that includes a variety of tools that confirm not only the customer, but the device that the customer is using.
Build a layered approach to fraud prevention with device authentication and risk detection solutions that work together, cascading to additional checks during high-risk moments or when red flags are present. Trusted third-party data, MNO intelligence, and device intelligence can work behind the scenes to link the customer with the device. If everything checks out, the customer can complete the transaction with significantly less, or perhaps even no, friction.
Apply predictive analytics using device authentication to measure the risk that the customer is actually a fraudster. Apply stepped-up authentication such as OTP via SMS message only if the customer poses a higher than acceptable risk. Perhaps allow a customer to log in using only passive authentication but use active authentication if the customer attempts to transfer money using real-time P2P transactions.
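The risk-based policy described in the two passages above (passive checks for low-risk activity, stepping up only when device or MNO signals or the transaction type warrant it) can be expressed as a small decision function. This is an added illustration, not Early Warning’s product logic; the transaction kinds, signal names, weights and thresholds are hypothetical, and the one deliberate refinement is that an SMS OTP is not offered when the signals say the phone number may no longer belong to the customer.

```python
from dataclasses import dataclass
from enum import Enum

class AuthLevel(Enum):
    PASSIVE = "passive"          # device and MNO checks in the background, no customer action
    STEP_UP_OTP = "otp_sms"      # one-time passcode to the enrolled mobile number
    STEP_UP_OOB = "out_of_band"  # SMS cannot be trusted: in-app push, biometric or call-back
    REVIEW = "hold_for_review"   # too risky to complete online; route to the fraud team
@dataclass
class Transaction:
    kind: str            # e.g. "view_balance", "p2p_transfer", "wire", "change_phone"
    amount: float = 0.0  # only meaningful for money movement
@dataclass
class DeviceSignals:
    device_known: bool            # device intelligence links this device to the customer
    sim_swapped_recently: bool    # MNO data: SIM changed inside the lookback window
    phone_changed_recently: bool  # customer profile phone number edited recently

# Hypothetical weights and thresholds; an institution tunes these to its risk tolerance.
PRE_MONEY_MOVEMENT = {"change_phone", "change_email", "change_address"}
MONEY_MOVEMENT = {"p2p_transfer", "wire"}
HIGH_VALUE_WIRE = 10_000
STEP_UP_AT, REVIEW_AT = 40, 120

def risk_score(tx: Transaction, sig: DeviceSignals) -> int:
    # Additive score: device/MNO signals weigh as much as the transaction type itself.
    score = 0
    if not sig.device_known:
        score += 30
    if sig.sim_swapped_recently:
        score += 50
    if sig.phone_changed_recently:
        score += 30
    if tx.kind in PRE_MONEY_MOVEMENT:  # ATO setup steps are high risk though they move no money
        score += 40
    if tx.kind in MONEY_MOVEMENT:
        score += 40
    if tx.kind == "wire" and tx.amount >= HIGH_VALUE_WIRE:
        score += 30
    return score

def required_auth(tx: Transaction, sig: DeviceSignals) -> AuthLevel:
    # Pick the least intrusive authentication the risk score allows.
    score = risk_score(tx, sig)
    if score >= REVIEW_AT:
        return AuthLevel.REVIEW
    if score < STEP_UP_AT:
        return AuthLevel.PASSIVE
    # An SMS OTP proves possession of the number only if it still belongs to the customer.
    sms_ok = not (sig.sim_swapped_recently or sig.phone_changed_recently)
    return AuthLevel.STEP_UP_OTP if sms_ok else AuthLevel.STEP_UP_OOB
```

With these weights a balance check on a known device stays passive, a P2P transfer on a known device gets an SMS OTP, the same transfer from an unknown device after a recent phone-number change is pushed to an out-of-band channel, and a large wire following a SIM swap is held for review.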
Whatever tools you use, ensure that the tools are easily updatable to protect against evolving threats and can be customized based on your financial institution’s risk tolerance.
A layered approach to fraud prevention makes it easy for your good customers to do business with you and incredibly difficult for a fraudster to commit ATO and gain access to a customer’s account – a win-win for your bank and your customers. To learn more about how Early Warning secures high-risk transactions, click here.
About Early Warning Services, LLC
Early Warning Services, LLC, is a fintech company owned by seven of the country’s largest banks. For almost three decades, our identity, authentication and payment solutions have been empowering financial institutions to make confident decisions, enable payments and mitigate fraud. Today, Early Warning is best known as the owner and operator of the Zelle Network®, a financial services network focused on transforming payment experiences. The combination of Early Warning’s risk and payment solutions enables the financial services industry to move money fast, safely and easily, so people can live their best financial lives.
To learn more about Early Warning, visit www.earlywarning.com