The pandemic forced radical shifts in human behavior, driving many activities to occur virtually. This drastically accelerated remote payment volume, with authentication practices struggling to keep pace, resulting in significant fraud losses. This session examines the dynamic remote authentication fraud landscape and how we must band together to demonstrate similar agility in our response.
1. Better understanding of the prevalence of remote authentication fraud and why its imperative to continually strengthen authentication practices
2. Risk and weakness of current authentication methods
3. Key considerations for implementing effective authentication comprised of multiple layers and factors
Transcript:
Scott Grizzle (00:07):
Well, thank you for joining us. This is the session on future trajectory of remote authentication fraud. If you are here for the do's and don'ts of classified military records, that's down the street at another property. Joking. Hopefully it was. Okay, so I'm Scott Grizzle, I'm with Omega Fin Primes or Mission Omega. I run retail delivery. We're a small boutique advisory company and with me this morning I have the privilege of introducing both Bobbi Weber lady here and on the end. Oscar Gonzales. Bobbi is with, she's the Director of Fraud Prevention, not title and company. Apparently at New York Community Bank. Quite busy right now, but their signature bank acquisition as well. So they're, they've got quite, I need to get a little closer to the mic. Nice. Okay, I'll sit down. So she's with Flagstar, New York Community Bank and Oscar is the Product Manager, Vice President, Product Manager at Citizens Digital Channels. We will be spending the next half an hour talking about remote authentication, the challenges, what's currently out there and where we think banks should start investing and thinking about authentication of course is really been on the forefront and really propelled by, obviously post, but by covid conditions where many of us couldn't send our customers and applicants into a branch for pictured id. And so the new digital characteristics of phone and mobile and text and multifactor and biometrics are all just amazing and how they come together and how you orchestrate that, not only in customer acquisition but also in servicing and maintenance will just be really nice. So let me start by thanking you all for coming here. I know we're a long walk from the cookie table, but I think one of the fellas I saw out there brought cookies for everybody. So let us get started. Bobbi, thank you for coming and I would love to just hear from you what your organization's currently doing and then we'll talk about some of the challenges and then the future state. But why don't you share a little bit of what you're seeing in the industry today that's commonplace, hopefully just kind of warm folks up around. And as you're thinking about this, what is your organization doing and what the break points or challenges are?
Bobbi Weber (03:08):
Yeah, absolutely. So as Scott mentioned, we're in the middle of a merger, so that's the top priority. And as we bring NYCB and Flagstar together, really understanding whose platform we're going to be on, what protections we're going to have and how we partner with the legacy vendors from both places or what we're looking at. I think one good thing that has come out of the recent craziness with fraud is five years ago in a conference like this, you may have heard fraud once or twice in those main sessions. And over the course of yesterday and today, it's been in every conversation. So really at the senior leader level, the product leader level, there's such a focus now that didn't sit there before is a great thing. So understanding what's next is what we're doing primarily in the consumer space. So commercial and consumer had conversations are very different beasts, but in the consumer space, five years ago, KBA was what you did. It was the best option, it was the best solution, it was the best protection, and then we needed to understand what's next. And it was one time passcode. So today you're sending a text, you're sending an email, you're getting your one-time passcode, whether it's at login, whether it's at moving money or some profile change in your digital app. And now we need to think of what's next. So really the biometrics that you mentioned, the biometrics that we heard about and some of the demos is what we're looking at. What's next. That's not one time passcode, unfortunately, it's just not as secure. At my prior place of employment, we would send a text message that said, do not in all capital letters share this code. We will not in all capital letters, call you for it. And every day we had customers providing that code to bad actors over the phone who were spoofing our phone number. And so it's that ability to stop the social engineering that we're really focused on.
Scott Grizzle (05:01):
Got it. Oscar, what are you seeing in the commercial space and what are your customers like and don't like?
Oscar Gonzalez (05:08):
Yes. In the commercial space, I mean it's a different animal commercial space, we deal with larger amounts. So we apply always layered security. We have different friction points depending on the service and the product that the user is using for. So for example, in commercial banking, we have single sign on. So we are rationalizing the security, we are leveling up the security for the different products that our clients use. So they have the same authentication mechanism, the same security. We have behavioral based risk engine, like for example, threat metrics, right? That detects anomalies or abnormal behavior of the user. If you connect from a different location from a different device, it detects that and it prompts you with OTP, right? We are using OTP as well. Okay. We try to avoid OTP over email. It is less secure. So we encourage customers to have a phone to get text. It's not also ideal, but it's better than nothing and obviously better than email OTP, right? We do it over voice as well. But what happens is that once the user access online banking or cash management applications, if they want to move money, we apply software tokens or hardware tokens. So we don't want to add that friction for everybody that comes in. But when you do critical functions like release money or move money out, then we apply that extra layer of security. Things like payment limits are important and well as well, mandatory payment limits and mandatory security alerts that send notification to customers is if someone is be moving out. So applying all those layers of security is a way to go and as what we was saying, I mean the next thing to come is more registered devices instead of using OTPs over text or voice or email, have a registered device and in app notifications better than OTPs, right? So that's the next thing to implement.
Scott Grizzle (07:31):
Got it. Well, thank you both for sharing kind of current state and even with all of that and consumer awareness and training. If you take a look at the 2022 FBI report, it's the IC three internet, what is it? Cyber Crimes complaint report. It was just released a few months ago. It talks about over 800,000 complaints just last year tracked by the organization. This is the FBI's complaint tracking for internet based crimes. So 800,000 complaints. And that was, I mean, just pull the audience here. Do you think it was higher and lower? Higher or lower than 2021? Just by a show of hands. Higher. Okay. Yeah, unfortunately, thank you for being and raising your hand. Unfortunately, it's 5% lower, which is odd. I would've thought exactly what you did. Who raised your hands? I thought it would be higher as well. What was higher? So it was only 5% lower. I think people just got busy covid post covid, time to go to the beach, time to go to conferences. But what was in interesting about the 800,000 that was reported was the total dollars year over year that changed. So it went from 3.5 with a B and at dollars at risk to 6.6 billion. So al not quite doubled, but almost doubled. So even though the complaints weren't there, the people who really lost money probably raised their hand. So as as the backdrop, since we've just talked about current state and the dollars that fraudsters are still teasing us with, maybe we can talk a little bit. Bob, you kind of touched on it a little bit with the current challenges with customer scams, are you seeing any current challenges with customer scams? BECs, can you share a little bit about what your customers are?
Oscar Gonzalez (09:35):
Definitely BEC, I mean, Business Email Compromise is huge, right? It's a huge risk. So that's why, I mean, again, we apply layers of security also, we move away from email verification or email authentication. So always text voice and better in app notifications like using authenticators applications is, it's much better than email. One time passcodes.
Scott Grizzle (10:09):
Yeah. Anything Bobbi you'd like to add on customer scams?
Bobbi Weber (10:13):
Yeah, I think just there's a saturation point at which we're going to stop reading all of the emails that come into our inboxes. There are banks that send things monthly. There are banks that send things quarterly. There are some that only send anything in October for cybersecurity awareness month. But we've got to figure out a better way than a blast email to get that education in front of our customers or to look at things that will help us protect them from themselves. So new vendor opportunities to stop spoofed calls. We could say that the telcos should just do that for us, but now we can pay them to do that for us. So making sure that you are protecting yourselves with all of that newer technology or opportunity that's now out there. And communicating to customers in different ways, on banners, on social media, on different platforms outside of those blast emails, I think will help. And another good thing we talked about, one that came from some of the regulatory requirements in the CFPB that we've seen recently is that customer awareness. So we're getting some help in the industry from the post office and even Amazon now is sending out notifications of how you can avoid scams. So I think it's just the more that we can say scam or fraud, the more opportunity we have to get to customers. Nobody thinks they'll fall for it, and so don't necessarily spend time reading about it, but just making sure that we find new opportunities to alert customers to what's happening. And now we need new opportunities for the way we've done business. Before you're making a debit card transaction, you get a text message that says, click here. If this is legitimate, it's the greatest thing because then customers aren't interrupted at the point of sale. But now the communication is don't touch a text message. It could be fraud. So making sure we're balancing how we're doing that communication across the bank is also going to be critical.
Scott Grizzle (12:07):
Yeah, wonderful. Oscar and I spoke a little bit yesterday and it was really about what he called or what the industry is calling embedded apps.
Oscar Gonzalez (12:18):
Embedded banking.
Scott Grizzle (12:19):
Embedded banking within other processors. So really Oscar, if you don't mind, share a little bit about what you're seeing. How secure is that?
Oscar Gonzalez (12:29):
Yeah, I'm very excited about this. What I feel it is the next evolution in commercial banking, at least. We started with branches. We moved to call centers, online banking, mobile banking, all those channels use the bank, the bank channels, the evolution, at least in business banking and commercial banking, I'm pretty sure it's going to be embedded banking. That means we provide the services where the client is. Clients won't need to come to the bank or log into the bank. With the adoption of online, of open banking, you've heard about open banking and APIs. The banks are starting to expose our services to third parties and to clients. So that allow us to enable our clients to bank with us from their own system, from their own UI. So businesses and companies, every day, they use their own ERP, the Oracle, NetSuite, sage, Microsoft Dynamics, SAP, all those softwares, that's what they use daily. But until now, those systems were didn't have the banking functions. So clients needed to do their accounting, their vendor management, they needed to capture their invoice in that software, and they needed to come to us to online banking to make the payments. With embedded banking, our clients are downloading the bank into those systems so they can bank with us directly from their UI. So they can make payments, they can check their balance, their transaction, they can do their account reconciliation, forgetting about downloading, uploading, extracting, formatting files, nothing like that. You select your invoices, you pay them those payments, those payment instructions through APIs, they come to us and we execute. But what does it have to do with authentication? Well, as you can see, the authentication is going to shift from the bank to those applications partially, right? Because the user is not logging anymore to us, to the bank. So the credentials that they are using is their ERP credential, the SAP credential, the Oracle credential, and the segregation of duties, the dual approval process, the permissioning happens on the system, not anymore. With us, we obviously secure the APIs and we wide list the IP of the system. We secure that connection, but now it's the client's responsibility to permission their own users in their own system. So it's fascinating how the security is going to shift a little bit, right? In retail banking, I mean the concept of embedded banking, I'm pretty sure that you are familiar with the new savings account by Apple, right? They launched a very nice with a good return of investment, but that at the other side, you have Goldman Sachs, the account is in Goldman Sachs. Apple doesn't have the account, but Apple gives you the UI and you are functioning with that account through Apple. You don't log in Goldman Sachs, you don't have a user in Goldman Sachs, you are using Apple, right? That's embedded banking. You are doing banking with Goldman Sachs through Apple, but Apple controls the security. We are doing the same in commercial banking. We are shifting the security from us. Partially, not everything obviously, but partially some of the security now is on the client system on those third parties. So they must be trusted third parties like Oracle, call Microsoft, et cetera, right? But we will see that in the future. It's fascinating.
(16:44)
Fascinating as well. I can't help to think that in a way, it brings tremendous convenience for your commercial and treasury management customers that at the same time, the bank, the FIS, are going to lose some characteristics about the device. They're not coming to us. The customers aren't coming to us anymore. Exactly. So interesting. Let's just pivot a moment and talk about investments where we should be looking for solutions as we think about replacing OTP, as Bobbi said, it was KBA, now OTP. What's next and what are those investments and vendors you guys are, and many of the vendors are here, if you want some cookies later, there are a number of vendors who will help bridge where the OTP is sent. If you're still on OTP in app, secure messages and secure registered devices, what else are you all thinking about or looking at?
Bobbi Weber (17:50):
Yeah, I would say you can't lose that base layer in the protection first. So making sure that you have all of the device information, making sure that you have a strong front door and that you have those analytics. If we lose the ability to see that, we lose the ability to manage it. So from a consumer side, ensuring that you have a product and application, a vendor that helps protect the front door, that can see the velocity, that can see the geolocation, that can see the bound device, and making sure that that's your first level of security is so important, and finding the right vendor to partner with you on that. And there's a lot of them, right? There's a lot of vendors out there. So talking to people in the demo hall, I did that yesterday, talking to people and just knowing who their competitors are to make sure you pick the right option for your business. And then with that success at the front door, you don't have to apply blunt force to all of the other things within the app. You don't have to necessarily do a one-time passcode or a face scan for a profile change. If you have all of the right data at the front door, you can do that selectively so that you are minimizing the friction that you know need in place to be able to do that. So I think the investment still has to be at that base layer. Basic protections of understanding who's logging in, what's the device, where does it sit, is even just the behavioral biometrics of knowing, do they keystroke like this? And then looking at what is the step up. So I think the investment is in options for step up outside of one time passcode, and then understanding how customers will adopt. If I want to send a Zelle transaction or a wire in my mobile app, will I scan my face or will I look for another bank to service that? And that, that's kind of what we ran through with onetime passcode is how will customers feel about it? How long is that friction step going to take? And so I think that's where we're looking at investing next is understanding what the customer is willing to shoulder and when in the journey in the digital app, they're willing to do that.
Scott Grizzle (19:58):
Wonderful. Oscar, anything you want to add as we wrap up?
Oscar Gonzalez (20:02):
Well, I would say password less authentication is a good trend right now. It has a good balance between customer experience and security. Password less authentication is where you don't even need to know your password. You enter your user ID, and then you will need to authenticate in a different device. So if you're using your desktop, for example, you're going to a web, you will receive an app notification asking you, is it really you, right? So it uses your biometrics with your face ID or fingerprint. Then you're authenticating that registered device and then it opens the desktop session. So there are cool vendors out there that can provide these type of solutions, and we can also embed that solution in our application, in our banking application. So you don't need an external application like the Okta or the RSA or hyper application. There are several authenticators like Google Authenticator or Microsoft. We could embed that authenticator within our own mobile application, but maybe we will see more adoption on those kind of solutions.
Scott Grizzle (21:24):
I certainly hope so. I think when you push that additional layer of security to that same device and the user just clicks on that link or on that authenticator, we know that all of that happens on the same device, that they're not sharing that OTP or that code or that passcode to the fraudster on in another web session that they think is hosted by the fraudster, a counterfeit site or over the phone. The fraudsters are calling our customers as well and saying, Hey, I'm calling from the fraud department of your bank. I'm going to send you an one time passcode just to validate that I'm talking to Oscar or Bobbi here.
Oscar Gonzalez (22:05):
We all know that. I mean, there is no a hundred percent right secure solution, but I mean, we need to make it hard to fluster, right?
Scott Grizzle (22:13):
Yeah Absolutely. So anyway, thank you both very much. Do we have time for questions or is it Oh, we are at, okay. We can do one question. Yes.
Audience Member 1 (22:29):
Hi. I'm curious to know coming next month, what are some of the things that should be thinking about, because it'll be probably for many banks the first time, how do they expect from to change? With Fed now coming out and any learnings from what all the banks who went through the TCH, RTP journey, what are some of the learnings from that?
Scott Grizzle (22:59):
Yeah, I can start. I don't know how you guys are thinking about it, but I don't know that all the banks are ready for that. I just read something yesterday from a colleague who's attending the ACFE conference up in Seattle, and many of these mid-size and credit unions that are out there just aren't ready for, they're already struggling with the investments for authentication and with Fed Now, I think it's going to really be a challenge for them.
Bobbi Weber (23:34):
I don't disagree with that at all. I think that would be the same response. It's really gearing up whether you're doing baby steps or whether you're really going to, do you keep your flow and find the best solution within your flow, or do you sort of completely change that hosting process, I suppose? I'm not sure we're ready for it.
Scott Grizzle (23:54):
Sorry. That's probably not a great answer. It's the best one I have at the moment, but a great question. I just think that this may be one of the situations where the carts before the horse type in terms of readiness, but I mean, in all fairness, they've been planning for it for years. So not necessarily a surprise on us. Well, thank you very much on being told we need to go enjoy some cookies. Thank you for coming.
Fraud track: The Future trajectory of remote authentification fraud
June 28, 2023 3:17 PM
24:32