Securing the digital customer journey
Digital ID Verification
Making Digital Account Opening Simple Secure and Seamless
Check out this infographic and learn about the risk of fraud for financial institutions and how to secure a digital account opening process.
To see the complete infographic,
Digital Account Opening: How to Transform and Protect the Account Opening Journey
The process a customer goes through when opening a bank account can directly impact long-term customer loyalty, profitability, and retention.
Today’s customer expects a fully digital account opening experience – available online and on mobile. Banks, credit unions, and other financial institutions (FIs) need to offer customer-centric, mobile-first account opening and customer agreement experiences to convert customers and drive growth. Yet, remote identity verification remains one of the most challenging processes to digitize.
This white paper highlights key trends, best practices, and technologies to overcome this challenge.
Webinar: Breaking barriers in digital account opening
A poor customer experience and insufficient security in the account opening process have been shown to directly and negatively impact long-term customer loyalty, retention and profitability. Financial institutions need to transform the new account opening process into a seamless and secure digital CX for applicants.
Check out our on-demand webinar. In this webinar, we share the findings from a new survey of 100+ financial institutions on the current state of digital account opening transformation. You’ll hear from a panel of digital CX leaders about the strategies being used by their institutions.
Ranya Tzortzatos, Senior Manager, Customer Strategy, TD Bank
Jorge Oliveira, Director, IT Solutions Delivery
Tim Bedard, Director Product Marketing, OneSpan
Mary Ellen Power, VP Marketing, OneSpan
Mike Sisk, Contributing Editor, National Mortgage News
Delaware bank's tech overhaul shifts into higher gear
By Ken McCarthy
WSFS Financial in Wilmington, Del., has a greater sense of urgency for upgrading its digital platform.
The $12.3 billion-asset company was one of the first banks to vow to funnel cost savings from a large acquisition into technology upgrades when it announced an agreement to buy Beneficial Bancorp in August 2018. That deal closed last March.
While it was a novel concept at the time, other merging banks have followed with similar plans. For instance, tech upgrades were a big rationale for the megamerger of BB&T and SunTrust Banks that created Truist Financial.
WSFS, as a result, has expedited the timeline for its overhaul from five years to three years. And it plans to spend nearly half of the $32.5 million it earmarked for digital upgrades this year.
“The pace of technology is moving very quickly and we want to be in a position where we can continue to respond and innovate and provide what our customers are looking for,” Chief Technology Officer Lisa Brubaker said during the company’s recent earnings call.
WSFS spent much of 2019 laying the groundwork for its tech strategy.
The company closed or sold 25 of the 30 branches it planned to shutter, freeing up funds. It hired its first chief digital officer and worked with PricewaterhouseCoopers to assess the tech landscape and how the bank might fit in.
“People want their experience with their bank to be like when they're shopping on Amazon or using Uber," Rodger Levenson, the company’s chairman, president and CEO, said in a recent interview. “We had a great digital product offering, but things are changing rapidly."
The assessment found several areas where WSFS needed to improve, including its platform for letting new clients open accounts online. An upgrade is planned, keeping in mind that customers want a sign-up process to take five steps or less.
“It takes a lot more than five taps for our online account opening," Levenson said.
WSFS has also found more supporters since announcing its approach to tech.
The company’s initiative will accelerate its investments in technology and infrastructure, targeting the customer experience with peer-to-peer payments and personal financial management, said Russell Gunther, an analyst at D.A. Davidson.
“In today’s environment, banks need to try, and yes fail, at implementing many technologies to learn what their customers want and what will drive future growth,” said Jeff Marsico, an executive vice president at the bank advisory firm Kafafian Group.
Such endeavors require open-minded leadership and a long-term vision. Marsico noted that many banks make strategic investments only if they can recoup the costs quickly.
WSFS looked outside the company for leadership, hiring Corynn Ciber in August as its chief digital officer. Ciber, who is working with Brubaker, was the lead infrastructure project manager for Barclaycard US.
Community banks must avoid the temptation of taking on too many projects or being too aggressive in their efforts to keep up with fintechs and bigger banks, said Jim Adkins, managing partner at Artisan Advisors. Smaller banks must be selective and remember that branches still provide a marketing advantage, he said.
While accelerating its upfront investment, WSFS is content to sit back and let fintechs spend more money on research, Levenson said.
"We're not trying to replicate everything they're doing," he said.
Having strong ties to local markets should help WSFS hold its own against national banks as it works on its online and mobile offerings, industry observers said.
“Banks will figure out how to keep up” with tech, Marsico said. ”The advantage is knowing that most WSFS deposits will be deployed in Wilmington and Philadelphia and the surrounding area.”
The idea to revamp the tech platform originated in 2016 when Mark Turner, Levenson’s predecessor, returned from a three-month tour of visiting financial institutions, fintech firms, traditional retailers and medical device companies.
Along the way, WSFS determined that it needed to make some changes.
WSFS, for instance, realized that WSFS Everyday Pay, its own payment app, had lost favor among people who preferred Venmo or Zelle. The company signed on with Zelle last fall.
The company plans to incorporate integrated architecture into its data and workflow platforms, focusing on areas such as enterprise document imaging and back office automation. Cyber security, fraud oversight and integrated internal control monitoring also need a closer look.
Other new programs include myWSFS, a highly personalized messaging app that securely connects customers to personal bankers, and WSFS iQ, an interactive mobile platform focused on financial education.
WSFS also plans to improve its online and mobile account opening processes later this year.
“We've got customers to serve and others to attract, and we're ready to execute,” Brubaker said during the quarterly call.
Digital Account Opening
Research shows 57% of millennials prefer to open an account online. Banks that make new customers take unnecessary manual steps to open an account make it more likely an applicant will abandon the process altogether.
Watch this video and learn how secure agreement automation, digital identity verification, e-signatures, and intelligent fraud detection can be used to make mobile account openings faster and easier while reducing application fraud.
Case Studies: Moving to Software Authentication
These three North American banks migrated from hardware to software authentication. Learn their strategies, challenges, and successes in this mini case study document and learn how your institution can provide a safe, modern experience for your clients.
Adaptive Authentication: Superior User Experience and Growth through Intelligent Security
Fraud continues to grow while consumer patience for additional authentication layers dwindles. Intelligent Adaptive Authentication allows financial institutions a way to solve both issues.
In this white paper, you will learn:
- How to equip your bank to better combat fraud through real-time risk analytics
- Top solution requirements to look for, including open architecture, AI/machine learning, and advanced rule sets
- The importance of authentication orchestration, risk analytics and mobile app security in achieving a fully optimized digital banking experience
How to Drive Growth with Intelligent Adaptive Authentication
In this video, industry expert David Vergara discusses how financial institutions can use intelligent adaptive authentication to
- Improve fraud detection and prevention
- Meet strict compliance requirements
- Drive growth goals by creating a better digital experience for customers.
PayThink: Security will pull AI laggards off the fence
By Mark Crichton
The past year has brought dramatic changes to the financial services industry. From the introduction of new regulations like PSD2 in Europe, to disruptive new technologies transforming the way consumers conduct banking and payments, the landscape is constantly changing. Facing the accelerating pace of technological change, financial institutions are left wondering what 2020 will bring.
I believe that one of the most significant technology trends that will impact the financial services industry in 2020 will be the growing adoption of artificial intelligence (AI). However, even as financial institutions, issuers and payment companies increasingly embrace AI, I anticipate they will need help learning how to use it to its full potential.
Surveys of financial institutions show that the majority (75%) of banks with more than $100 billion in assets are currently implementing AI strategies. Yet, even with growing adoption, most financial institutions are still holding back from providing enough data to use AI in its most complete form.
Often, this is due to the complexity of their own infrastructure and legacy systems. Most banks today have siloed data pools scattered across their operations, making it difficult to pull, aggregate and analyze the data at scale. But by moving to more agile processes and bringing their back-end infrastructure into the digital era, financial institutions will be able to start taking full advantage of AI and the benefits it can bring.
One of the best applications of AI in financial services lies in the area of cybersecurity, particularly in risk assessment, fraud prevention and dynamic authentication. The fight against fraud relies heavily on analyzing vast amounts of real-time data. New, risk-based technologies powered by AI and machine learning (ML) enable financial institutions to analyze transaction, device, geographical and behavioral data to make real-time security decisions, detecting and preventing fraud as it happens.
For example, we’re beginning to see financial institutions leverage AI to create intelligent adaptive authentication processes, which analyze the risk of a situation based on real-time data and then intelligently adapt the security and required authentication accordingly, whether that be biometrics, device analysis, geolocation, a PIN, or a combination of a number of methods. Intelligent adaptive authentication helps financial institutions better safeguard their data and stem the tide of cyber attacks without compromising user experience or needing to manage and maintain an infinite number of static policies.
Over the next year, as more financial institutions and payment companies update their back-end legacy infrastructures, I believe it will become rare to see banks not using AI in an efficient way. When complex fraud detection models are able to be read and understood by people, and when security measures are made intelligent and adaptive so as not to inconvenience legitimate users, then I believe we will see the power of AI shine through across the financial services industry.
Mark Crichton, Senior Director of Product Management, OneSpan
Banks grow wary of Zoom meetings
By Penny Crosman
By pushing business meetings out of conference rooms and into the virtual world, the coronavirus pandemic has given bank security teams one more thing to worry about: the threat of so-called Zoombombings and other types of online intrusions.
The videoconferencing service Zoom has surged in popularity amid the public health crisis. The company said Thursday that it has 300 million users, up from 10 million in December. And the rate of Zoom installations on Windows devices in financial services grew 92.94% over the past four weeks, according to Forescout Research Labs.
Yet Standard Chartered Bank has reportedly banned employees from using Zoom videoconferencing because of security concerns, and survey data suggests other banks are starting to scale back or stop using the service.
“When in-person meetings are virtually impossible, video calls are the only channel for meetings, interviews and companywide announcements within organizations,” said Kyum Kim, co-founder of Blind, an online community of 3.5 million technology and financial services professionals. “Security vulnerabilities in conference calls raise concerns because often, if not always, confidential and private information about the company, employees and candidates are shared through these meetings.”
In a recent poll conducted by Blind, 28% of financial employees said they were worried their information may have been compromised through a videoconferencing tool. About 12% said they have stopped using the popular Zoom tool, and 10% said they have decreased use of it over hacking concerns.
Card company employees seem to be especially worried: 56.6% of Visa employees said they have completely stopped using Zoom, as did 55.6% of American Express staff.
More than a third of Goldman Sachs employees who took the survey said they fear data compromise with the use of Zoom, as did 27.8% of JPMorgan Chase staff and 20.7% of Capital One workers.
Several banks have experienced Zoombombings in which hackers have broken into a meeting and shown porn or flashed themselves.
“That has happened quite a few times, and we're collecting lots of stories on that,” said Steve Hunt, senior analyst at Aite Group.
There is no profit motive — they do it “to get their jollies,” he said.
These kinds of Zoombombings are not necessarily targeting banks. Sometimes people just type a random string of numbers into a zoom.us URL and get into an active meeting, Hunt said.
A Google search for URLs that include "Zoom.us" can turn up the unprotected links of meetings that anyone can jump into.
“It's hit or miss, but if you stumble into a meeting, you might not have any idea of whose the meeting is, but you can still have a little fun,” Hunt said.
Another way hackers could break into meetings is by buying Zoom account credentials on the dark web. Security researchers have found about 500,000 sets of Zoom usernames and passwords. Some belong to users in financial services and are for sale, with some of those priced at less than 1 cent each.
What are the risks?
Cybercriminals who find their way into an executive or board meeting could obtain sensitive information, which could be a serious threat to banks.
“I can imagine some bad guys targeting that,” Hunt said. “But it takes some luck and skill to pull that off.”
The cybercriminals would have to obtain some knowledge of scheduled meetings, perhaps by breaking through with a spearphishing campaign first.
In late March, security researchers reported vulnerabilities in Zoom that hackers could use to take over a Mac user’s camera and microphone. However, Zoom quickly issued patches for this problem, and Macs are not commonly used in financial services.
Zoom also routes traffic through Chinese servers to maintain resilience, according to Forescout, a practice antithetical to banks' risk management policies. According to a Zoom spokesperson, mainland China datacenters no longer function as secondary backup bridges for users outside of China.
Another issue with videoconferencing tools is they tend to use weak encryption, according to David Gurle, founder of Symphony, a provider of videoconferencing software that according to the company has stronger encryption and is used by 123 banks, mostly on Wall Street. Symphony’s main technology, instant messaging, is used by more than 300 banks.
Zoom did not respond to a request for an interview. In a press release on Wednesday, the company said it is upgrading to a stronger, 256-bit encryption standard to protect meeting data in transit and provide resistance against tampering. This will be enabled on May 30.
A spokesperson said the company is issuing product updates, providing resources to educate users on how to secure their meetings and conducting a review with third-party experts and users. Zoom says it is also shifting all engineering resources to focus on trust, safety and privacy as well as launching a council of chief information security officers to discuss best practices.
“Major financial institutions around the globe are continuing to use Zoom to keep their trading operations running and to continue their important work with their clients and colleagues on a daily basis,” the spokesperson said.
Are the fears overblown?
Hunt says the concerns around videoconferencing security have been overblown.
“Companies are blacklisting Zoom, but not for the right reasons,” Hunt said. “I think it's paranoia.”
Zoom meeting security can easily be improved by using the software’s basic security settings, for instance by setting passwords for meetings and blocking people who have been kicked out of a meeting from coming back in, Hunt said.
One way to keep uninvited guests from joining Zoom (or Cisco Webex or BlueJeans) meetings is to authenticate users.
“Putting strong authentication on an online meeting is not rocket science,” Hunt said. “I imagine Zoom will soon offer an app for two-factor authentication.”
The company may have made a few missteps in the early days of the pandemic, but this is understandable, he said.
“Zoom was a niche application just a few months ago,” Hunt said. “It was something kind of cute and nice that we use to make our lives a little better. It was never designed for 200 million concurrent users. And to see a company go through a huge spike in popularity is generally a good thing. The fact that while doing so, it has a little trouble catching up from a security and privacy point of view is completely normal."
Account Takeover Fraud Challenges and Solutions
Account takeover is one of the top concerns for financial institutions, FinTechs and e-commerce merchants. Julie Conroy, research director at Aite Group, discusses the rise in account takeover fraud and how financial institutions can detect and prevent attacks.
4 Essential Things to Look for in a Fraud Detection Solution
Finding the best fraud detection and prevention solution for your organization can be challenging. Requirements from internal stakeholders and vendor fact sheets can give an overwhelming impression that your solution needs to have it all and then some. In reality, your choice should simply tick all the boxes on your must-have list and cover your business use cases. It should contain most of the necessary features out-of-the-box, to minimize the need for time- and resource-consuming customizations.
What should a fraud monitoring tool include to be able to meet your needs? To start, an ideal solution should be able to identify and respond to a wide array of fraud scenarios, both industry-known and specific to your organization. However, it’s also essential for the tool to be able to react to unknown and perhaps surprising fraud occurrences. It should provide a versatile mix of features to collect and analyze the data, draw correct conclusions, take actions based on results, and finally produce comprehensive reports. It should be able to integrate into your existing ecosystem and, at some point, this tool should become something your fraud team cannot imagine living without.
Clearly, that’s a tall order for fraud detection software. Not every fraud detection solution on the market lives up to this standard, so it is crucial that organizations do their research and find a tool that can provide comprehensive fraud monitoring.
To help you evaluate the key requirements, our Buyer’s Guide to Evaluating Fraud Detection Tools explains the top nine capabilities that a fraud monitoring tool must provide in order to meet the needs of modern financial institutions. Here’s a preview with four of the top nine capabilities we recommend evaluating.
Key Functions of a Fraud Detection Tool
1. Detect a wider range of fraud by combining machine learning with an advanced rule engine.
An advanced rule engine with a proper set of rules will filter out the fraudulent events meeting specific criteria. For example, the rule engine will catch transactions whose time, place or amount values deviate from a normal scenario. It can also help with detecting more sophisticated cases, like phishing attacks or transactions to mule accounts. Think about it as a system of filters that blocks transfers, allows them down the pipeline or alerts the system to step-up authentication.
But your solution should not rely solely on rules. A rule-based system can no longer keep up with fraud attacks that evolve in complexity, speed and automation. Rule libraries keep on expanding, which puts pressure on the system, slows operations and increases the false positive rate. To combat a wide array of fraud attempts without affecting processing speed, combine rules with machine learning algorithms.
Machine learning lives up to the hype. With the capability to analyze an incredible amount and variety of data, it is an indispensable element of your fraud detection mix. It can easily extract value from data with little human input.
Choose a machine learning solution that implements different algorithms and, with support from your vendor’s experts, pick the best algorithm for your situation. Look for a machine learning implementation that will provide insights into the analysis process as well as evidence about why a transaction was declined or accepted.
2. Prevent fraud out-of-the-box.
You should expect your anti-fraud tool to be able to detect fraud right from the start. Make sure it supports your business continuity requirements and, as such, ensures a smooth transition from the existing fraud processes. You cannot afford any freeze in your anti-fraud and risk analytics efforts, so it’s important to find a solution that will provide a sufficient level of protection out-of-the-box, from day one. A turnkey package should be available for you to analyze transactions through a combination of a rule engine and machine learning. Both should work on deployment even without reference data.
Of course, while out-of-the-box is a good start, the solution should be flexible enough to customize it to your own needs and data.
3. Apply a dynamic approach to your authentication flows.
The fraud monitoring framework should be able to integrate with existing and future multi-factor authentication options. It should constantly evaluate the risk of a particular event and, based on this evaluation, orchestrate the authentication flow. It should dynamically trigger the most suitable authentication method for a given situation, according to its risk level. For example, if a certain transaction is evaluated as suspicious, due to unusual timing, location of the user, or significantly larger amount than before, your solution should be able to step up the authentication criteria instead of simply rejecting the transaction or putting it on hold for manual review.
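The combination described in capabilities 1 and 3, a weighted rule engine plus a model-derived anomaly score feeding a risk-based step-up decision, as an added example written for this page (it is not OneSpan's product code). The rule weights, thresholds, authentication method names and the z-score stand-in for the machine learning model are all assumptions; the profile and transactions are constructed sample data.

```python
"""Rule engine + anomaly score feeding step-up authentication orchestration.

Constructed example: weights, thresholds and method names are assumptions.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Transaction:
    user: str
    amount: float
    country: str
    hour: int          # local hour of day, 0-23
    beneficiary: str


@dataclass
class Profile:
    """What the institution knows about a customer's normal behaviour."""
    home_country: str
    active_hours: range
    known_beneficiaries: set
    amount_history: list = field(default_factory=list)


# Rule engine: each rule is (name, weight, predicate). A hit adds its weight.
# Time, place, amount and counterparty deviations are the cases the text names.
RULES = [
    ("foreign_country", 35, lambda tx, p: tx.country != p.home_country),
    ("unusual_hour",    20, lambda tx, p: tx.hour not in p.active_hours),
    ("new_beneficiary", 25, lambda tx, p: tx.beneficiary not in p.known_beneficiaries),
    ("large_amount",    30, lambda tx, p: len(p.amount_history) > 0
                                       and tx.amount > 3 * max(p.amount_history)),
]


def anomaly_score(tx, p):
    """Stand-in for the ML component (assumption): z-score of the amount against
    the user's history, mapped into 0..40. A deployment would use a trained model."""
    if len(p.amount_history) < 5:          # too little reference data: contribute nothing
        return 0
    mu, sigma = mean(p.amount_history), pstdev(p.amount_history) or 1.0
    z = (tx.amount - mu) / sigma
    return int(max(0, min(40, z * 10)))


def assess(tx, p):
    """Return (total risk 0..100, names of rules that fired)."""
    hits = [name for name, _, pred in RULES if pred(tx, p)]
    rule_points = sum(w for name, w, _ in RULES if name in hits)
    return min(100, rule_points + anomaly_score(tx, p)), hits


def orchestrate(total):
    """Map risk to an action. Mid-range risk steps up authentication instead of
    rejecting outright or sending the transaction to manual review."""
    if total < 30:
        return "ALLOW", None
    if total < 60:
        return "STEP_UP", "push_otp"      # assumed method names
    if total < 85:
        return "STEP_UP", "biometric"
    return "BLOCK", None


def evaluate(tx, p):
    total, hits = assess(tx, p)
    action, method = orchestrate(total)
    return {"score": total, "rules": hits, "action": action, "method": method}


# Constructed sample data.
PROFILE = Profile(home_country="US", active_hours=range(7, 23),
                  known_beneficiaries={"landlord", "utility"},
                  amount_history=[40, 55, 60, 45, 50, 52, 48, 58])
ROUTINE_TX = Transaction("alice", 50, "US", 12, "utility")
NEW_PAYEE_TX = Transaction("alice", 70, "US", 12, "new-shop")
SUSPICIOUS_TX = Transaction("alice", 400, "RO", 3, "new-shop")

if __name__ == "__main__":
    for tx in (ROUTINE_TX, NEW_PAYEE_TX, SUSPICIOUS_TX):
        print(tx.amount, tx.country, evaluate(tx, PROFILE))
```

The routine payment is allowed silently, the first payment to a new payee triggers a push OTP, and the night-time foreign transfer for eight times the usual amount is blocked, so friction is added only where the risk warrants it.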
4. Be prepared for the challenges specific to the mobile channel and explore the full potential of data.
The mobile channel brings additional challenges that distinguish it from the standard internet banking experience. Your fraud monitoring solution should recognize these distinctions.
Monitoring of the mobile channel needs to take into account, among other things, the diversity of devices and operating systems and the fact that the institution has no control over what else is installed on those devices. Without recognizing the specifics of the mobile channel, the tool may not collect all the data points and may therefore draw incorrect conclusions. Because mobile phones in general provide much richer context and enable more advanced analysis, leveraging the broader context of the mobile channel is essential for fighting mobile fraud.
Your fraud monitoring framework must provide analysis based on a wide array of data collected from your users’ devices. This data can include, for example, device health: whether the device has been jailbroken, or whether there has been any suspicious activity on it. Insight can also be provided for authentication and biometrics, for example a face recognition score or PIN strength. General device information is another example of mobile-specific intelligence, and can include the version of the operating system, the device model, and so on.
But these data points are only valuable if they are valid. This means that you should make sure that both the data collection and the transfer between the mobile device and the server are safe. A secure communication channel independent from other existing communication protocols will ensure that the device security status can be trusted upon arriving to your fraud monitoring system.
Additional Key Requirements for Your Evaluation
The ultimate goal of an anti-fraud framework is to stop criminal activities while streamlining the legitimate ones. Simple tools are no longer enough. Fraud keeps evolving simply because it has a huge profit potential for criminals, therefore your anti-fraud weapons must evolve as well.
Download the Buyer’s Guide to Evaluating Fraud Detection Tools to get the top nine requirements for a modern, effective fraud solution – from machine learning to the ability to orchestrate the authentication flows.
Online lenders confront deepfake threat
By Penny Crosman
Online lenders are inviting prey for crooks who hope to score quick money by disguising themselves from afar as legitimate loan applicants.
Some online lenders — including Elevate Funding and Credibly — are saying not so fast. They are taking a number of innovative security measures, including the deployment of technology that can spot fabricated photos, so-called deepfake videos and legitimate images that have been falsely tied to an incorrect date, time or location.
It is an important step because fraudsters try to trick lenders into thinking they have property, licenses, assets, equipment and more that they do not possess.
Traditionally, online lenders have used site-inspection companies to verify the existence of a business customer or its assets. These companies charge a fee to send a person in their network to take pictures on-site at a business.
This process takes time, which is antithetical to the high-speed world of online lending, where credit is typically more expensive but quicker and easier to obtain than traditional bank loans.
“Depending on how remote the merchant's location is, it can be a long wait” for the site-inspection company to do its work, said Ryan Rosett, founder and co-CEO of Credibly, which makes data-driven loans to small businesses.
It made more than $350 million in loans in 2019. Its average loan size is around $55,000. Loan volume has been growing 30% year over year, the company says.
“For somebody in Alaska, it might take 48 hours," Rosett said. “In the rural areas we're working in, time kills deals. These merchants need the money right away.”
It can also be intrusive to have a stranger walk into a business establishment and start taking pictures. Employees may start wondering if the business is in trouble and if they need to look for new jobs.
“A lot of businesses don't want their employees to know that they’re taking out a cash advance,” said Ken Peng, director of marketing at Elevate Funding, which provides working capital to small-business owners with a history of financial hardship or poor credit. It lends about $1.5 million a month and funded 1,400 merchant advances in 2019.
The one- to two-day turnaround time of human site inspectors can also anger sales referrers who might miss out on a commission, Peng said.
“It was just a huge thorn in our side,” he said.
These lenders and others now use software to verify the authenticity of photos submitted with online loan applications.
When Elevate receives an application for a merchant advance, its underwriting team assesses the risk based on the merchant's background and cash flow. Elevate might project that a company will do $14,000 in sales over the next three months and offer to advance $10,000 of that. Once the borrower accepts an offer, there is a post-underwriting process that includes a series of verifications.
Any loan over $10,000 requires a site survey, which includes taking photos of the business and its license to prove that it is legitimate, open and operating. Elevate uses technology from Truepic to do these site surveys.
Elevate sends a text to potential borrowers with a link to the Truepic interface, which instructs them to take pictures of specific things like their credit card terminal, signage, inventory, business license, transportation license and physical surroundings.
The photos get routed to Truepic, which runs 22 fraud detection tests. These include an analysis of the phone used, to see if it has been jailbroken or rooted, processes that could allow a phone to be manipulated.
A compromised phone “doesn't necessarily mean you're a bad actor, but it certainly means that you have access to different tools on your device that could let you do bad things,” said Craig Stack, founder and co-CEO of Truepic.
Truepic forces users into a controlled-capture environment, so they cannot upload an existing photograph or video — they have to take a new one. Truepic captures the genuine location of the user’s device and the actual time.
“The millisecond they push that shutter button, we're grabbing that image and our server records the universal time and date and pings local cell towers and Wi-Fi networks for the location,” Stack said. “So if you're trying to spoof that metadata, we immediately flag it as a mismatch.”
It produces a report on which photographs or videos passed its tests, which failed and why, and sends it to Elevate within 10 minutes.
The fast turnaround “has helped our referral partners be really excited about being able to fund a deal potentially the same day, versus having to wait an extra day,” Peng said.
In Elevate applications, Truepic has flagged several photos that were taken of other photos that already existed online, such as Google images. It has found some that were not at the borrower’s stated location, but at a business down the street.
In such cases, Elevate will go back to the merchant and ask questions.
“We don't just outright say, ‘Hey, you are committing fraud,’ but a lot of times we'll approach them and ask for an explanation, and then they'll just not respond or they'll give us some excuse,” Peng said. “Then we'll let them know that, due to risk factors, we will not be moving forward with the file.”
Like Elevate, Credibly used to rely on human site inspections to verify physical locations and assets and recently began using Truepic. It typically gets a response within 10 minutes.
Physical site inspections used to cost $75 each, but Credibly pays $50 for each Truepic check.
The occasional borrower who does not know how to use smartphones struggles with Truepic, Rosett acknowledged.
“But for anyone who can navigate a phone, it's super intuitive,” he said.
A fintech for fintechs
Stack started Truepic five and a half years ago with the idea that seeing is no longer believing when it comes to the internet.
“This was a bad problem then,” he said. “It's gotten much worse over the past five years, and it's trending to get even worse as time goes on. Deepfake technology is a runaway train.”
Thousands of apps help people seamlessly manipulate an image, he said.
It's "not just Photoshop editing," but "changing the metadata of an image,” Stack said. “Think time, date, location. This is not a big deal if it’s an image of your kids playing around on Instagram. It’s a really big deal if you're a business looking at a photograph and spending dollars associated with that photograph.”
The company has nine patents and another eight pending on its technology, Stack said.
“We think the current third-party site-inspection process is broken,” he said. “It's slow, it's expensive to the enterprise, it's not customer-centric. In a world where we're all addicted to Amazon Prime, Uber and Postmates, nobody wants to hear, 'Be home next Thursday as we send a stranger with muddy boots to your home,' or 'drive your car with the cracked windshield 20 miles to our preferred auto body shop.' "
Truepic began by working with the insurance industry. Several carriers use the technology to make sure applicants are in possession of an item, and that it is in the condition they say it is in, before the company issues a policy.
“There's a certain threshold where a lot of insurance carriers will roll the dice and hope that the insured is telling the truth about a scenario,” Stack said. “Now they're able to push our technology out via text message and know for sure.”
From insurance, Truepic expanded to working with warranty companies and automotive original equipment manufacturers.
A year ago, the company began working with alternative lenders, and that has become its fastest-growing segment. It is onboarding two or three per week, according to Stack.
Adapted from an article that originally appeared on American Banker.
Biometric Authentication: Five Myths Busted
Biometrics are increasingly being used in mobile banking apps to secure the digital banking process while providing a convenient user experience. The technology is especially useful in the current COVID-19 era, as there has been a tremendous shift to mobile and online banking due to shelter-in-place orders. Recent surveys show that consumers are increasingly comfortable using biometric authentication to secure their digital banking transactions, with 65 percent of Americans saying they are willing to provide biometric information to their bank. Although consumers are embracing biometrics for digital banking, there are still some misconceptions about the technology, which can easily be dispelled.
Here are five common myths related to biometrics, and the truth that financial institutions and consumers alike should know:
Myth: Facial and fingerprint recognition are easily fooled by a static fingerprint or photo
Reality: Today’s sophisticated biometric authentication systems include liveness detection capabilities to fight presentation attacks, or “spoofs” which could include 3D-printed models, masks, images, or video. Liveness detection can be active – requiring a user to blink or turn their head; or passive – running behind the scenes using algorithms to analyze biometric samples for signs that it is not from a live person, such as detecting paper, digital screens or cutouts in a 3-D printed mask.
Active liveness detection methods are more visible and easier for an attacker to study and circumvent, whereas passive liveness detection is faster, less intrusive and includes more advanced techniques for determining live presence. For sensitive use cases such as mobile banking, a third-party solution that combines multiple anti-spoof and liveness detection methods is an ideal fit.
Myth: Biometric authentication provides a lower level of trust than login credentials
Reality: Biometric authentication can provide a higher level of trust than credential-based methods because biometrics cannot easily be shared. In contrast, traditional authenticators such as passwords, PINs and consumers’ personally identifiable information (PII) are sharable and have also been leaked or stolen in high profile data breaches and made available for sale on the dark web. Moreover, biometric authentication with active and passive liveness detection and anti-spoofing technology offers additional trust because the fingerprint, face, or other biometric is presented live and connected to the in-the-flesh individual.
Myth: Biometric authentication is an invasion of privacy
Reality: Facial comparison and recognition technologies used in mobile applications are opt-in use cases, where a consumer willingly enrolls in the system to allow easy account login or add an additional layer of security. This is different from facial recognition technologies often reported in the news, where the technology has been used in public spaces, and people have not given consent to being monitored.
More importantly, one-to-one facial recognition does not store raw photos for purposes of identification but rather creates a mathematical representation of the face. That representation, which is kept on file for comparison when the user logs in, is typically encrypted and essentially useless to an attacker.
Biometric authentication does not rely on the secrecy of biometric traits but instead on the difficulty of impersonating the living person. What’s most important is effective spoof detection, which can be lacking in many device-native biometric systems.
Myth: Biometrics aren’t practical over the long run because technologies like facial recognition or fingerprint scans won’t work as a person ages and their features change
Reality: Biometric markers like a person’s iris remain fairly stable over time, while a person’s face or voice may change slightly. The timespan over which significant changes to a person’s biometric markers occur makes this a non-issue for most user authentication applications: most consumers authenticate regularly, so small changes in their features are noted and the stored template is updated over time.
Some biometric authentication solutions are dynamic and regularly update the consumer’s stored fingerprint template so that they are mapping any changes as they happen. Often, users can also register a second fingerprint in case the first fails. A layered approach to security with multiple authentication factors is always the best approach.
Myth: Biometrics are only applicable if the user is already known
Reality: Behavioral biometrics, which analyze the way a person interacts with the mobile device, can be used to strengthen security and fight fraud even when the user is not yet known to the organization. In the case of an unknown user, such as someone applying for a new bank account, behavioral biometrics can compare the consumer’s behavior to what is typical for a wider population. In this way, behavioral biometrics can be used to evaluate the probability that a new applicant is performing the actions of a legitimate user. The greater the similarity score, the less the organization has to worry about the user’s identity or intent. Conversely, the less a consumer’s behavior resembles that of comparable populations, the more justified additional layers of risk and fraud detection become.
Biometrics are a cornerstone technology enabling the future of digital banking, but they can be daunting to those unfamiliar with them. By dispelling the myths and misconceptions of biometrics, organizations such as financial institutions can help their customers feel more comfortable utilizing this technology to securely and conveniently conduct important transactions in digital channels in the COVID-19 era and beyond.
Mobile security—delivering the mobile experience customers want with the security they need
Banks and financial institutions have reached a Catch-22 when it comes to delivering great user experiences on their mobile platforms. Consumers are demanding the ability to perform more types of transactions on their mobile devices. At the same time, though, growth in mobile banking applications has unleashed an increase in both the volume and sophistication of mobile cyberattacks.
In this podcast, OneSpan’s mobile security expert, Sam Bakken, explains new tools that can help you deliver the mobile experience customers want with the security they need.
Selecting the best authentication method for a mobile transaction
The big challenge for financial institutions is that they want to provide a wonderful user experience while still demonstrating to customers that their experience is secure.
‘Screen scraping is not evil’: Bankers, fintechs, aggregators face off
By Penny Crosman
The Consumer Financial Protection Bureau held a gathering this week of bankers, fintech executives, consumer advocates and others to tackle a key data-sharing issue facing the bureau, and the event provided the parties an opportunity to have it out over a longtime bone of contention: screen scraping.
Part of the CFPB’s objective behind the event in Washington was to get input on what it should do about a clause in the Dodd-Frank Act (Section 1033) that gives consumers the right to access a portion of their bank account and transaction data in a usable electronic format. There was a broad consensus in the room that consumers should be in control of their data. But what that means, how it should be executed, who is liable if something goes awry and many other related questions lead to heated debate.
The bankers at the event, unsurprisingly, had harsh words for screen scraping, the method in which a lot of customer data is collected today. Consumers share their online or mobile banking usernames and passwords with a third-party fintech, that fintech or a data aggregator logs in as them and copies the latest data on their accou
“Screen scraping has reached its peak of benefit,” said Natalie Talpas, senior vice president and product group manager for digital at PNC Financial Services Group. “The consent is not clear. Screen scraping enables financial applications to collect all the data a customer would access. And we have a lot of security concerns about that. A more secure, efficient way would be through [application programming interfaces], which is what many of us are working towards.”
Lila Fakhraie, senior vice president of digital banking APIs at Wells Fargo, compared screen scraping to “giving your house key to a house painter and saying, 'Just go in my bedroom and paint that one wall, that's all I want.' And then the house painter has your key forever and they come and go as they please and they look at things and take things if they want.”
Wells Fargo has signed agreements with several data aggregators and offers Control Tower, a dashboard where consumers can turn data access off and on for third-party apps.
Nick Thomas, co-founder and chief technology officer at the data aggregator Finicity, defended screen scraping.
“I think we all agree that that credential access to financial data is not the best approach, but it has served us really well for 20 years,” he said. “There have been issues, and we have as an industry worked through some of those issues through the years. But generally speaking, consumers have spoken, they want access to their data, and screen scraping has been the only way that that data has been made available.”
He described screen scraping as taking an HTML page and deconstructing the tables in HTML to get access to the data.
“We need to make sure that we as an industry and as regulators and lawmakers understand that screen scraping is not evil,” he said. “We want to move to tokenized access, but there is a long tail of financial institutions, and it's going to take time for these API standards to proliferate.”
Christina Tetreault, senior policy counsel at Consumer Reports, said that while screen scraping may not be evil, “it is dangerous for consumers.”
Screen scraping also leads to data inaccuracy sometimes, she said.
“The web page changes, they pull the wrong data, and it’s inaccurate,” Tetreault said. “We've seen instances where screen scraping has caused changes to an account and mistakes to happen to accounts because there's not a lot of controls over it.”
Becky Heironimus, managing vice president of customer platforms, data ethics and privacy at Capital One Financial, elaborated on others' concerns that screen scraping gives data aggregators unlimited access to customer data in all accounts.
“The problem today with credentialed screen scraping is that they have access to all elements in the account,” she said. “The consumer really doesn't have control.”
She broke account data into three buckets. One is the basic account transaction data, which can be shared. The second is sensitive data like personally identifiable information, including account numbers, which could be used by fraudsters to harm the consumer. The third is proprietary data — a bank’s specific product terms, features and functions — “that today we don't see a need in the industry to be shared.”
John Pitts, policy lead at the data aggregator Plaid, immediately countered that when banks talk about proprietary data, they are talking about their rates and fees.
“It's in fact in the CFPB principles that those are the types of things to which the consumer has the right to access,” Pitts said. “And yet we hear sometimes that that fee, because it was derived from a proprietary method, is itself proprietary and the consumer doesn't have the right to share it. I'm troubled by that as a definitional line. If you can see it when you log in to your web interface or if it's essential to the functioning of the account, that is what you should have the right to access and share with a third party of your choice.”
Heironimus responded that there is a difference between sharing data one-on-one with a customer and providing it en masse to a data aggregator.
“There's a distinction between the right for the consumer to directly have it and the right for the consumer to hand that to a party that's collecting it on a scale of millions and millions of elements of data across the U.S. or the world,” she said.
Steve Boms, executive director of FDATA N.A., a trade group for fintechs and aggregators, said that data aggregators' attempts to pull bank account data fail 40% to 48% of the time.
This is because of technical challenges, the use of multifactor authentication, and in some cases financial institutions restricting access to data aggregators, Boms said.
James Reuter, president and CEO of First Bank Holding Co. in Colorado, noted that smaller banks are dependent on their core providers to help them create data-sharing APIs.
“But screen scraping is not the way we want to do business," and multifactor authentication is strongly encouraged by the regulators, he said.
“We use it frequently when we see activity that's suspicious,” Reuter said. “One of the things we face today are credential-stuffing attacks, and they look a lot like screen scrapers coming in, because they're machine-generated logins. We need to get to the API standards, and it's going to take a while with the core providers. But we're on the journey. We'll get there.”
Pitts pointed out that consumers have already decided they want to work with fintech apps that need to consume their bank account data.
“We are not talking about a future state where consumers might do this,” Pitts said. “Consumers have already voted with their thumbs that this is something they want and these third-party services are important to their life. Our shared objective is to make sure that having made that decision, the consumer is safe and can be confident in that decision.”
He said that banks, fintechs and aggregators are working on this through the Financial Data Exchange, where they are developing a common API standard.
But he also said it is important to make sure that as banks, aggregators and fintechs move from screen scraping to the use of APIs, consumers’ choices should not be restricted.
“One of the risks is that if every player is independently deciding which app is OK for their customers to use, they may override a decision that a consumer has already made,” Pitts said. “The consumer may have already said this is something that I want to use. It helps me in my life. It benefits me. And the consumer shouldn't have a different set of apps and services that they can use based on where they bank.”
Talpas argued that there are issues today around the way consumers give consent to use their bank account data.
“Consents are not consistent, they're not transparent, and they're not clear, unfortunately,” she said. “The Clearing House conducted some research in the fall that demonstrated that consumers don't understand what they're agreeing to. They don't know that there might be an intermediary or a data aggregator that's also collecting the information. We need to improve that consent experience as quickly as possible.”
Pitts said Plaid has rolled out a consent screen it provides for every customer who wants to use one of its customers’ apps. It introduces Plaid to the consumer and identifies Plaid's role in data sharing.
“I think there are still improvements that we need to make,” Pitts said. “We all want to make sure consent is the right for the consumer.”
Whitepaper: Behavioral Biometrics–Frictionless Security in the Fight Against Fraud
Behavioral biometrics is an excellent tool supporting the fight against application fraud and account takeover fraud.
Fill out the form to download this whitepaper to learn how continuous, frictionless user analysis using behavioral biometrics can prevent fraud while improving the mobile authentication experience. You'll also learn why confirming the user’s identity in a continuous, transparent way is more effective than one-time authentication at the beginning of the banking session.
Behavioral Biometrics–Securing Digital Banking without Compromising on User Experience
By Samuel Bakken
Digital banking has grown rapidly in recent years. Juniper Research forecasts that by 2021, one out of every two adults in the world will use a smartphone, tablet, PC or smartwatch to access financial services. Unfortunately, fraudsters always follow the money, so as consumers conduct more of their financial transactions through mobile banking apps and smart devices, cybercriminals are increasingly targeting the mobile channel. Mobile malware nearly doubled in 2018 and mobile account takeovers increased 79 percent. As a result, financial losses are on the rise. Global fraud losses are estimated to have cost banks more than $31 billion at the end of last year.
Facing these growing cybersecurity threats and fraud losses, financial institutions are seeking to strengthen their user authentication methods in digital channels. The rise in application fraud and account takeover fraud means it is no longer sufficient to authenticate users only at the start of their digital banking session – financial institutions need continuous multi-factor authentication. At the same time, today’s consumer has high expectations for a frictionless and convenient digital banking experience, and mobile users do not want to be burdened by additional, cumbersome authentication steps. Financial institutions need strong security to ensure they’re dealing with a legitimate applicant or customer, but without negatively impacting the user experience. To solve this challenge, they are increasingly turning to the emerging technology of behavioral biometrics.
What Are Behavioral Biometrics?
As explained on BiometricUpdate.com, traditional biometric authentication techniques, such as fingerprints and facial recognition technology, have been commonplace in digital banking for several years now, but behavioral biometrics are the next frontier and are poised to transform FinTech. Whereas traditional biometrics authenticate customers using static biometric markers (e.g. a fingerprint or retina pattern), behavioral biometrics analyze the way a user interacts with their mobile device. It compares the information to a previously developed user profile, or “behavior fingerprint”, to continuously authenticate the user throughout the entire digital banking session.
Behavioral biometrics can measure and analyze a variety of user behaviors, from the way they hold their mobile device, to finger pressure, swipe patterns, keystroke dynamics and more. It can look at the user’s navigation behavior both within the application and on the device, examining their typical speed of browsing and accuracy of movement. Behavioral biometric data can also be combined with server-side analytics, enabling the financial institution to draw insights from data collected from different sources, including groups of other users, events and third-party partners.
Behavioral analytics — a different concept — uses data from multiple sources to understand when and how a user normally interacts with their bank account – such as the time of day they normally log in, the typical transaction amounts and more. Any deviations from the user’s typical behavior are detected in real-time by comparing that behavior to historical data. By combining behavioral biometrics and behavioral analytics, the financial institution is able to create a multi-layered, context-aware approach to authentication and risk assessment. This, in turn, helps the organization’s risk analytics engine decide whether the user should be allowed, challenged (by requesting additional authentication measures), or blocked, when deviations from the user’s typical behavior are detected.
Because behavioral biometrics is continuously working behind the scenes and is invisible to the user, it is often described as passive. As opposed to active methods of authentication, behavioral biometrics do not require any additional actions from the user, which improves the customer’s digital banking experience. At the same time, there are no privacy concerns because a user’s behavioral data is converted to a mathematical representation within their profile, which is meaningless to criminals.
Behavioral biometrics is one of the most disruptive new technologies in identity management. Any organization that needs strong identity verification and multi-factor authentication without hindering the digital customer experience should look to add behavioral biometrics as part of a multi-layered approach. It offers financial institutions an excellent opportunity to enrich their risk analysis with user-specific data. By performing continuous, real-time analysis in the background, behavioral biometrics ensure a positive digital experience for legitimate users while detecting and stopping fraudsters.
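The allow/challenge/block decision described above, and the population comparison for unknown applicants from the "Biometrics are only applicable if the user is already known" myth earlier on this page, as one added example; this is not OneSpan's code, and every signal name, weight, threshold, profile and session event in it is constructed for illustration.

```python
"""Added example, not OneSpan's code: a minimal behavioral-analytics risk engine.
A known user's session is scored against that user's own historical profile; an
unknown applicant is scored against a constructed population baseline.  Every
profile, weight, threshold and event below is constructed for illustration."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Optional

# Per-signal weights (constructed): behavioral-biometric signals such as keystroke
# timing and form-fill pace weigh more than context signals like hour and amount.
SIGNAL_WEIGHTS: Dict[str, float] = {
    "hour": 0.25,          # hour of day the session started (0-23)
    "amount": 0.35,        # transaction amount
    "typing_ms": 0.40,     # mean interval between keystrokes, in milliseconds
    "fill_seconds": 0.40,  # seconds taken to complete the application form
}
MAX_DEVIATION = 5.0        # cap so one wild signal cannot dominate the average
ALLOW_BELOW = 1.0          # score below this: allow
BLOCK_AT = 2.5             # score at or above this: block; in between: challenge


@dataclass
class Profile:
    """Historical samples per signal, for one user or for a whole population."""
    samples: Dict[str, List[float]] = field(default_factory=dict)


def circular_hour_distance(a: float, b: float) -> float:
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def signal_deviation(name: str, value: float, history: List[float]) -> float:
    """How far `value` sits from the history, in standard deviations (0 = typical)."""
    if len(history) < 2:
        return 0.0  # not enough history to judge; let other signals decide
    if name == "hour":
        # hours are circular: distance to the nearest hour seen before,
        # treating three hours away as one "standard deviation"
        nearest = min(circular_hour_distance(value, h) for h in history)
        return min(nearest / 3.0, MAX_DEVIATION)
    sd = pstdev(history)
    if sd == 0.0:
        return 0.0 if value == history[0] else MAX_DEVIATION
    return min(abs(value - mean(history)) / sd, MAX_DEVIATION)


def risk_score(event: Dict[str, float], baseline: Profile) -> float:
    """Weighted average deviation over the signals present in both event and baseline."""
    total, weight_sum = 0.0, 0.0
    for name, value in event.items():
        if name in baseline.samples and name in SIGNAL_WEIGHTS:
            w = SIGNAL_WEIGHTS[name]
            total += w * signal_deviation(name, value, baseline.samples[name])
            weight_sum += w
    return total / weight_sum if weight_sum else 0.0


def decide(score: float) -> str:
    """Map a risk score to the three outcomes the text names."""
    if score < ALLOW_BELOW:
        return "allow"
    if score < BLOCK_AT:
        return "challenge"
    return "block"


def assess(event: Dict[str, float], user: Optional[str],
           user_profiles: Dict[str, Profile], population: Profile) -> str:
    """Known users are judged against their own history, unknown ones against the population."""
    baseline = user_profiles.get(user) if user else None
    return decide(risk_score(event, baseline or population))


# Constructed history for one known customer and for the applicant population.
USER_PROFILES = {
    "alice": Profile({"hour": [9, 10, 9, 11, 10],
                      "amount": [50, 60, 45, 55, 40],
                      "typing_ms": [180, 190, 175, 185, 170]}),
}
POPULATION = Profile({"hour": list(range(7, 23)),
                      "typing_ms": [150, 180, 200, 220, 250],
                      "fill_seconds": [90, 120, 150, 180, 210]})

if __name__ == "__main__":
    sessions = [
        ("alice", {"hour": 10, "amount": 52, "typing_ms": 182}),      # typical session
        ("alice", {"hour": 9, "amount": 2000, "typing_ms": 180}),     # only the amount is odd
        ("alice", {"hour": 3, "amount": 2000, "typing_ms": 60}),      # everything is off
        (None, {"hour": 14, "typing_ms": 195, "fill_seconds": 140}),  # plausible applicant
        (None, {"hour": 14, "typing_ms": 8, "fill_seconds": 4}),      # script-like applicant
    ]
    for user, ev in sessions:
        print(user or "<unknown>", ev, "->", assess(ev, user, USER_PROFILES, POPULATION))
```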
How SBA-approved lenders can use e-signatures to accelerate loans
In this demo, Patrick Albert, Sr. Business Architect at OneSpan, explains how your bank can get started using electronic signatures to accelerate the process of setting up documents and signatures.
OneSpan Sign SBA E-Signature Checklist
SBA-approved lenders: use e-signatures to accelerate loans to small businesses. The Coronavirus Aid, Relief, and Economic Security (CARES) Act allocated $349B in aid to small businesses as part of the Paycheck Protection Program. To become an SBA-approved lender, financial institutions that support electronic signatures must comply with the standards outlined in the SBA SOP 50 10(k).
We’ve analyzed the e-signature requirements for you and produced this valuable 10-page checklist with everything you need to get started.
Download the OneSpan Sign SBA E-Signature Checklist for a concise summary of the requirements including authentication, capturing intent, and records retention and distribution.
Serving Customers in Times of Crisis: 5 financial processes to digitize (Part 1 of a 2 part series)
In these unprecedented times, digital banking and other financial services have become crucial for millions sheltering at home. Around the world, people now rely more than ever on online banking portals, mobile banking apps, and other remote banking channels – even for interactions that would traditionally involve a visit to the branch or a face-to-face meeting with an advisor.
In an ideal state, this increased volume of digital interactions, applications, agreements, and transactions would flow straight through digitally. The challenge many banks and financial institutions (FIs) now face is that while some core processes have been digitized, many others are not yet automated end-to-end. From account opening to small business loans, much of what starts out through an online portal or mobile app still involves manual, paper-based processing.
These gaps in the digital chain hamper the “right here, right now” service needed in times of crisis. In response, banks and FIs are rapidly adjusting their digitization efforts to meet customers in their moment of need. To help prioritize these efforts as the world settles into a new normal, we are publishing a two-part blog series that explores the top banking processes to focus on.
1. Commercial and Small Business Lending
Governments around the world are issuing economic stimulus and relief packages for businesses affected by the outbreak. From the EU, where the European Investment Fund will guarantee loans to help “provide liquidity to at least 100,000 European SMEs and small mid-cap companies” – to Japan, where SMBs are being offered interest-free loans and large corporations have access to crisis lending programs. Many businesses need these funds as quickly as possible. FIs can support their business clients now, when they need it the most, with an expedited digital process.
At the same time, government agencies must also find ways to digitize their processes and deliver the necessary resources to businesses through their designated intermediary lenders. In the U.S., for example, the Office of Management and Budget released a memo instructing government agencies to “leverage digital forms and electronic signatures to the fullest extent practicable.”
One federal bank, the Business Development Bank of Canada, integrated e-signatures with their mobile app to enable entrepreneurs to complete a loan or financing application in 15 minutes. “E-Signatures transformed the customer experience, because now we can get the client the help they need, in the time they need,” says Jorge Oliviera, Director of IT Solutions Delivery at BDC.
Security tip: Banks are experiencing increased fraud attacks in lending and need to be on heightened alert. Fraudsters are actively trying to exploit the current situation in various ways, including via application fraud (loan origination fraud). This is where a criminal applies for a loan as a net-new customer by submitting a new application based on fraudulent identity details such as stolen or synthetic identities. To help prevent this type of fraud in your digital channels, the first line of defense is digital identity verification security – notably, ID document verification with facial comparison.
2. Consumer Lending
Large-scale lockdowns and business closures are affecting household finances significantly. As a result, some banks are offering immediate relief for loan payments. The Wall Street Journal reported on examples such as Goldman Sachs “allowing borrowers who have personal loans from its consumer bank, Marcus, to sign up to delay their payments for a month.”
Despite short-term relief and government programs, financial pressures on workers, solopreneurs, and small business owners are expected to lead to increased demand for emergency personal loans, bridge loans, and debt consolidation loans. According to American Banker, “Many banks are also working to identify emergency borrowing needs – and using digital platforms to provide advice and process loan applications.”
One area that banks, alternative lenders, and student loan providers are re-prioritizing is the mobile channel. With so many customers transacting through their personal devices from home, the speed and efficiency of mobile-first lending is gaining momentum. As developers pivot to build out and enhance lending workflows in mobile banking apps, two technologies will be important to consider: mobile e-signatures with digital audit trails to quickly capture signatures while maintaining compliance and mobile app shielding to protect the banking application from cyberattack.
Security tip: With more customers transacting through a mobile banking app, banks also need to strengthen their mobile app’s resistance to intrusion, tampering, reverse-engineering, and malware. Mobile app shielding technologies can fortify banking apps against mobile threats without hindering the customer experience.
3. Remote Bank Account Opening
In times of crisis, banks and FIs are focused on supporting their existing customers. More so right now with loan applications than deposit accounts, due to the current economic shutdown.
However, new customer acquisition remains a growth priority for many banks. Even in the current environment, prospective customers are trying to open new bank accounts, especially as well-served customers refer family and friends to FIs offering better digital services. This new growth is at risk among institutions that still rely on manual identity verification and/or signature in the branch.
According to a Litico survey from mid-March 2020, 82% of consumers are hesitant to visit bank branches during the outbreak. However, the same survey reveals that 63% are more inclined to try an app.
This is good news for banks and FIs that already offer a mobile account opening experience or that are in the process of building or enhancing it. In a recent ISMG banking industry survey, 68% of FIs surveyed had already identified digital account opening as a priority initiative for their institution this year. Nearly all (99%) confirmed level or increased budgets to invest in digital ID document verification, machine learning, and electronic signatures. These projects are being fast-tracked now, as technologies that securely service new and existing customers via remote channels are needed more than ever.
Security tip: Ensuring an applicant is who they say they are is critical in this time of low-touch/no-touch interaction. When a bank can’t have a physical meeting with the customer, this increases opportunities for fraud. Used together, facial biometrics and digital ID document verification can help the bank ensure an applicant or user is in fact the person they claim to be. Combining these with strong mobile application protection gives banks an advantage over criminal hackers.
4. Account Maintenance
Banking customers tend to go to the branch to manage changes to existing accounts. Many such changes require a signature. Some, like adding a new spouse to an existing account, also require that the bank verify the new joint account owner’s identity. But with branches limiting hours and customers unable to visit due to restrictions or health concerns, FIs need to adapt these processes quickly with e-forms, e-signatures, and digital identity verification, so they can be securely and easily executed online.
Security tip: Fraud prevention is a top consideration when automating any financial process. Industry analysts at Aite Group have reiterated that financial institutions need to be particularly aware of online fraud during this time. "Bad actors thrive in times of chaos and uncertainty, and they have been quick to capitalize on the fear that surrounds the global outbreak of COVID-19". One of the top security challenges facing banks is account takeover attacks. Account takeover attacks happen when criminals infiltrate a user’s digital account. Once this has occurred, the attackers can attempt to steal funds in multiple ways – including adding new account payees or changing the account owner’s contact information or address to facilitate the theft. Fraud detection platforms can continuously monitor account activity to block – among other things – fraudulent attempts to change the account holder’s name, address, and contact information.
5. Employee-facing Processes
For all essential services providers and businesses operating in the current environment, the top priority is maintaining operations in a way that is safe for employees. Some of the rapid actions that banks and FIs have taken to protect their front-line teams include virtual meetings and web chats for customer interactions.
Similarly, FIs are protecting back-office and work-from-home employees by removing the need to handle paper manually. A number of back-office processes across all lines of business, including fraud and disputes, legal, compliance, and risk, still require paper. Like cash, paper documents carry bacteria and viruses. Considering all of the forms and documents printed solely for signature, banks are acting decisively to digitize the paperwork their employees process by introducing e-signatures.
For organizations that need to move quickly, there is no need to wait for e-signatures to be integrated with internal systems or an employee portal. Employees can be up-and-running in minutes with an e-signature service that enables users to prepare and send documents for e-signature. Pre-built integrations or e-signature connectors to popular third-party back-office applications like Salesforce, nCino, and Pega also significantly reduce go-live time.
Security tip: Historically, banks have resisted implementing work-from-home policies because of data security risks. That has changed virtually overnight. We recommend FIs do the following:
- Educate employees on how to spot and respond to phishing and social engineering attempts (then implement random internal testing to track employee performance and identify needs for additional training)
- Develop a backup security access plan for all staff and be prepared to provide secondary forms of authentication
- Replace SMS authentication with out-of-band technologies like push notifications, Cronto, or a mobile authenticator app to help prevent phishing
- Ensure that workers who handle sensitive data or hold customer-facing discussions have disabled any Internet of Things devices in their home office space
For more information, visit OneSpan: https://www.onespan.com/blog/financial-processes-to-digitize-part-1
Coronavirus scams to watch out for
Fraudsters of all stripes are taking advantage of the coronavirus scare, and some of their scams are a direct threat to banks and their customers.
Granted, New York hardware stores charging $79.99 for a bottle of hand sanitizer get the spotlight. But there are also hackers in the shadows sending emails and creating websites designed to trick people into clicking on malicious links disguised as helpful resources. Consumers can end up with malware on their computers that steals online banking credentials or credit card numbers.
“Cybercriminals will often take advantage of trending topics in the news, such as the coronavirus, to try and prey on consumers using fear and urgency tactics,” said Gary McAlum, senior vice president and chief security officer for USAA.
In the case of the COVID-19 pandemic, such activity is especially insidious in that it mimics communications from expert sources such as the World Health Organization, the Centers for Disease Control and Prevention and Johns Hopkins University.
“I think false information is becoming more of a problem, especially in times of crisis, because ... everyone's looking for the best information, and they have no way of judging if it's real or not,” said Avivah Litan, vice president at Gartner. And even for consumers who consider themselves savvy enough to spot fakes, "they're not clearheaded, and they're usually very anxious to get the information, so they’re not going to analyze the URL or details of a map, images or instructions.”
These are some of the scams banks should look out for and warn employees and customers about.
The fake map
Litan’s point about analyzing URLs carefully before clicking on them applies to a fake-map scam.
Johns Hopkins' popular COVID-19 dashboard has been a go-to source for people who want to stay up to date on the virus.
But researchers at Malwarebytes discovered a malicious program, Corona-Virus-Map.com, that claims to provide an up-to-date coronavirus map just like the one at Johns Hopkins. It produces a map that looks exactly like the university’s graphic. But the software carries embedded malware called corona.exe, a variant of AZORult, spyware that steals usernames, passwords, credit card numbers and other data stored in the user’s browser.
According to PCRisk.com, the Corona-Virus-Map.com Trojan is distributed through infected email attachments, malicious online ads, social engineering and software vulnerabilities.
As usual, fraudsters are finding the simplest way to break into computers is through phishing email attacks.
“Phishing scams are ever-present and pervasive,” said Steven Silberstein, CEO of the Financial Services Information Sharing and Analysis Center. “Phishers are always looking for topical subjects that will capture a victim's attention. Nontargeted phishing campaigns using COVID-19 as a lure in the subject line have been observed since January. These cover the range of pre-existing threats out there, including information-stealing malware.”
Aviram Jenik, CEO of Beyond Security, pointed out that the coronavirus outbreak creates an ideal environment for phishing attacks to succeed.
“Phishing attacks are successful when one of two things happen,” he said. “No. 1, if you're flooded with information about something, it's really easy for the phishing to kind of blend in. No. 2 is, if you're uncertain, if you're getting emails about stuff and there's no concrete information, things are not really clear, you'll try to find out more.”
These phishing emails typically use the virus as a lure in the subject line, and the body claims to carry news about the infections or the virus itself. Some emails claim to be from the CDC or the World Health Organization. Some offer a link to a coronavirus map of the recipient’s neighborhood, or an update on how many people have been infected.
The trouble they cause runs the gamut.
“Phishing is an entry point for a variety of exploits, including stealing identities or money and delivering malware onto a victim's computer,” Silberstein said. “We have observed information stealers, banking Trojans, ransomware and remote access Trojans.”
Telling the difference between real and phishing emails is not easy.
“It's a cat-and-mouse game,” Jenik said. “It's getting harder and harder.”
One rule of thumb is that if an email asks the recipient to click on a link or go somewhere, they should always try to find another way to validate it, he said.
“If you're getting an email from your company, reach out to them on Hangouts, on Slack, or call somebody and say, is this true, is this happening?” he said. “Just try to find another channel. Don't reply to the email, because you might be replying to your attacker.”
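Litan's point earlier about analyzing the URL, and the rule of thumb above about validating links, can be automated in a mail-filtering pipeline. The following is an added example, not code from the article or from any organization quoted in it: it parses the links out of an HTML e-mail body and flags three things a fraud or security team would want to see, a visible link text that names a different domain than the real target, a pandemic lure keyword in a domain outside an allowlist of trusted sources, and a link that points straight at an executable. The allowlist (who.int, cdc.gov, jhu.edu) and the sample message are constructed for the example; Corona-Virus-Map.com is the domain the article reports.

```python
"""Inspect the links in a suspicious e-mail body before anyone clicks them.

Added illustration, not code from the article or any vendor it names. The
allowlist and the sample message are constructed; Corona-Virus-Map.com is
the lure domain reported in the article.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"who.int", "cdc.gov", "jhu.edu"}  # assumption: the bank's allowlist of expert sources
LURE_KEYWORDS = ("corona", "covid")                   # topical words scammers put in throwaway domains
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".js", ".zip")
# Visible link text that itself looks like a URL or host name.
DOMAIN_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-zA-Z]{2,}(?:/\S*)?")

# Constructed sample: one lure link and one genuine link to the Johns Hopkins dashboard.
SAMPLE_EMAIL = """
<p>Latest infection map for your area (official WHO data):</p>
<a href="http://corona-virus-map.com/map.exe">https://www.who.int/covid-map</a>
<p>Track the outbreak at Johns Hopkins:</p>
<a href="https://coronavirus.jhu.edu/map.html">coronavirus.jhu.edu</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(url):
    """Registrable domain approximated as the last two host labels.
    Assumption: adequate for the .com/.int/.gov/.edu names used here."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_links(html):
    """Return one finding per link that trips at least one rule."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = domain_of(href)
        reasons = []
        # 1. The text the reader sees names a different site than the real target.
        if DOMAIN_LIKE.fullmatch(text) and domain_of(text) != target:
            reasons.append("display_domain_mismatch")
        # 2. A topical lure word in a domain that is not a trusted source.
        if target not in TRUSTED_DOMAINS and any(k in target for k in LURE_KEYWORDS):
            reasons.append("lure_keyword_untrusted_domain")
        # 3. The link hands the reader an executable rather than a page.
        if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("executable_download")
        if reasons:
            findings.append({"href": href, "text": text, "target_domain": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in inspect_links(SAMPLE_EMAIL):
        print(f)
```

On the sample message the first link trips all three rules and the Johns Hopkins link trips none. The domain approximation is deliberately crude; a production filter would use a public-suffix list and would also resolve redirects, since lure pages often sit behind a shortener.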
What to do
Silberstein recommended that banks continue to do anti-phishing training and use email filtering services and multifactor authentication.
“The public should not click on the unknown, especially not password reset requests,” he said. “They should use MFA for all personal email and banking accounts.”
McAlum of USAA also suggested using the strongest authentication options available, as well as account monitoring. Customers should be encouraged to set up alerts and notify their bank if they see any suspicious activity.
“They should be wary of charity scams out there,” McAlum said. “If they want to contribute, they should give to established organizations that have a known track record.”
Litan advised putting out alerts to customers warning them to be very careful about visiting websites.
“Be more paranoid than ever,” she said.