Account Takeover, Application Fraud and the Mobile Majority
By Shirley Inscoe, Sr. Analyst at Aite Group
In this age of unending data breaches, it is not surprising that identity crimes are the biggest fraud challenges facing financial institutions (FIs). In early April alone, Saks, Lord & Taylor and Panera Bread announced that they had data breaches that went on for months and leaked millions of records from their point-of-sale systems or websites. The faceless nature of the online and mobile channels makes authentication hard, but the massive amounts of data that have been breached in recent years combined with fraudsters’ use of phishing, social engineering, and malware make authentication much more difficult. FIs must use new techniques to ensure they know who they are dealing with in the online and mobile channels.
For 74% of FIs recently surveyed, digital channel fraud losses have increased over the past two years. Account takeover fraud and application fraud—both identity crimes—are the top two leading causes of those fraud losses, prompting many FIs to re-evaluate their authentication strategies. The challenge then becomes finding better and more customer-friendly means of determining who they are dealing with in an increasingly faceless environment. In doing so, many FIs have a goal of orchestrating multilayer authentication (i.e., tying the level of authentication required to the risk associated with the transaction the customer is attempting to complete).
For instance, a customer with a recurring monthly bill pay transaction shouldn’t be subjected to the same level of authentication as a customer initiating an unusually large-dollar wire transfer for the first time. FIs with a one-size-fits-all authentication strategy should consider new active and passive methods that enhance security without introducing unnecessary friction for their customers. Authentication platforms and hubs have arisen in the market as well. Some of these platforms enable an FI to leverage multiple authentication capabilities through a single implementation; this can save a great deal of time when introducing a new solution in the future as well as streamline vendor management.
As FIs re-examine their current authentication strategies and processes, some methods are falling out of favor while others are gaining traction. Methods that rely upon third-party data (such as knowledge-based authentication questions) are less attractive because they are time-intensive, intrusive, and easily defeated due to data breaches and fraudsters’ use of social engineering techniques in contact centers. Contact centers are often the weak link that leads to account takeover fraud due to the human element, particularly because agents are encouraged to provide excellent customer service. Techniques that are gaining momentum include the use of one-time passwords (OTPs) sent to the customer’s known device and the use of biometric features housed on mobile devices. Several leading FIs state they are carefully monitoring the handset manufacturers so they can take advantage of new biometrics on handsets quickly in the future.
As consumers shift to a mobile-first mentality, many fraud executives believe the mobile channel should take precedence in technology investments when compared to the online channel. It is clear consumers have an affinity for their mobile devices and want to use them in a variety of ways, including how they manage their finances. This strategy could pay off handsomely for FIs recognizing this shift in consumer behavior. Adding to the appeal of the mobile device is its ability to be used for authentication purposes regardless of the channel the customer is using. For example, if the consumer calls into the contact center, a one-time password sent to the customer’s known device can be given to the agent, and the customer is then authenticated. This can reduce operating cost by dramatically reducing the average length of the call, which also improves the customer experience.
Many FIs are also sending OTPs via SMS, email, or voice. Although SMS has its own challenges with fraudsters porting numbers, forwarding numbers, switching out SIM cards, and doing other nefarious acts, it can be fortified by leveraging mobile network operator (MNO) data to validate the device the SMS is being sent to. Using MNO data can help offset these SMS risks, and many FIs are planning to use MNO data to help combat fraud—yet another benefit of using the mobile device as a customer authenticator.
The mobile channel is definitely consumers’ first choice for digital banking, and FIs are rapidly responding to that reality. Mobile offers many factors to help with fraud prevention, so this preference should result in a win-win scenario for consumers and FIs.
Interested in learning more?
You can to watch an on-demand webinar entitled “Protecting Against Digital Channel Risk,” during which I go into greater detail around application fraud and account takeover. I’m joined by Early Warning's senior director of authentication solutions, Hal Granoff, and Early Warning’s vice president of product management for identity solutions, Robin Love, who present how Early Warning is helping FIs combat these types of fraud.