In our first blog on Money20/20 USA, I reviewed the key messages and challenges presented in Las Vegas and explained the key risks to digital identity. Those risks, which must be solved to enable the future of money, are the security challenges surrounding digital transformation and the rise of the synthetic identity problem. My question for today is: what can service providers, vendors and financial institutions do about it? Three key themes were consistent across several sessions I attended.
1. It’s all about collaboration – between and within financial institutions, but can we make it happen?
Much has been said about the need to improve collaboration in the financial industry, be it participating in peer discussions to cultivate ideas and improve our overall security posture as an industry, sharing data through identity consortium networks to improve fraud detection, or coming together as a unified community to fight fraud.
At the FedPayments Improvement event during Money20/20, one of the points made was that there is not enough reporting of fraud incidents, and even where there is, there is not enough unified reporting of the various types of fraud. For example, a form of social engineering scam known in the UK as Authorized Push Payments, considered the leading fraud attack today, is not considered a big threat in the United States. Yet.
The reality is we just don’t know the full scope of fraud because financial institutions do not all use the same framework to identify and report fraud cases. Classifying fraud properly will let us know what the primary threats are, and what problems and solutions we as an industry need to focus on. The FedPayments organization is attempting this with the Fraud Definitions Work Group.
2. Motivation: Customer experience is the #1 priority, fraud prevention is second.
We all understand the benefits of collaboration, but are they compelling enough to make it happen? Let’s consider collaboration among internal teams within a financial institution. Different teams have different goals and often work in silos, competing for budget. Customer acquisition is focused on customer delight and reduced friction, whereas fraud teams are focused on reducing fraud and introducing additional security controls. All teams need to work together — security, marketing, digital experience, and fraud management — to create an approach that reconciles these contradicting considerations and achieves the ultimate goal of a secure and frictionless online experience.
During one of the panels at Money20/20, Rivka Gewirtz Little, Research Director for IDC, talked about an interview she had with the head of payments at a financial institution about payment transformation and their plans for faster payments. The goal was to unify payment types in order to extract better data from payments and to apply analytics for various purposes, mostly around introducing new products and improving customer experience. After further questioning, Little realized that the fraud systems didn't have visibility into that data. In other words, the team with the budget (for customer acquisition) was not covering all aspects that were important to the organization. They were focused on customer experience and growth, but not fraud management.
In another session presented by one of the largest banks in Spain, the speaker, a digital business manager, said it loud and clear: “It’s important that the solution you choose will not impact customer experience, and if it can improve it, even better. We will not implement new authentication mechanisms if there are no benefits to user experience.”
As vendors, consultants, and trusted advisors, when we think about ways to secure the customer experience and solve the fraud problem, we must understand all priorities and help organizations break internal silos to facilitate collaboration within and across organizations.
3. Protections need to be implemented each step of the way in a continuous, agile manner.
To create the appropriate level of identity protection and fraud detection, controls need to be applied across the customer lifecycle. This includes:
- Account application
- Customer onboarding
- Account login and management
- All other online activities
Different types of attacks need to be considered, from account takeover with stolen credentials to automated trojans, various types of malware, remote access tool (RAT) attacks, and, finally, social engineering scams. Social engineering requires almost no technology and can circumvent almost all security controls because it is a genuine user, with their own device and all of their authentication methods, who is transferring the money.
Due to the complexity of attacks and use cases, continuous monitoring of the account and user activity is key. In many cases, only a fraction of the online session will indicate that something is wrong, as in the case of remote access tool (RAT) attacks, so visibility across the whole session matters.
BioCatch takes an approach that singles out any deviation from the legitimate user’s behavior by applying behavioral biometric analysis to all activities. With BioCatch, you can identify when it’s not the user performing an activity, such as a login, payment or account opening, to detect attacks like bot activity, Trojans, and other adversaries. The BioCatch platform is able to detect indicators of abnormal activity for any user, leveraging innovative technology that is powered by machine learning and takes into account user behavior traits and cognitive thinking insights. The BioCatch platform selects a set of unique features out of 2,000+ behavioral profiling metrics to create a user profile, which is based on physical factors, including left/right handedness, press-size, hand tremors, and pressure, as well as cognitive factors, such as eye-hand coordination, usage preferences, familiarity with data and device interaction patterns.
The technology analyzes user behaviors in context, and session data is compared to the genuine user’s profile. Finally, leveraging BioCatch’s Policy Manager, analysts can create rules to trigger the desired action in real time based on the BioCatch risk score, which can be used as a standalone factor or in conjunction with other indicators. This approach can detect both known and unknown attacks and can provide more comprehensive protection than point solutions that are designed to target a single type of problem. In addition, using BioCatch technology, digital teams also benefit from the ability to reduce false positives (declining a genuine user's legitimate activity) for both account opening and other activities, by taking BioCatch scores that indicate low risk as input to the decision-making process.
The focus on identity protection at Money20/20 this year shows that it’s a topic that won’t be going away, but will grow in importance in the year ahead. Find out more about how BioCatch is addressing risks to digital identity.