How to Reduce Friction in Fraud Prevention
For many banks and financial services providers operating in the 21st century, fraud prevention in the age of multiple digital channels and mobile banking applications has become a neverending struggle. Solving this challenge requires a smarter approach, using multiple threat detection models to improve fraud prevention that work behind the scenes to deliver a smoother and safer experience for online and mobile banking customers than is possible with previous approaches.
State-sponsored IP theft is on the rise. Read how Strider used open-source intelligence to identify the PRC’s plans to leapfrog competitors and advance its quantum technologies.
A Changing Landscape
Just as one threat seems to be eliminated, more fraud crops up to take its place. Threats come from all directions, including inside the bank with the growing success of phishing and other schemes that trick users into providing usernames and passwords. Attacks also come from outside the bank, in today’s increasingly complex ecosystem of networks, devices and channels that customers use to access their accounts. Even organizations that pride themselves on a thorough and cutting-edge risk management approach are not immune.
Fraud Readiness Now Is No Guarantee of Fraud Readiness in the Future
Fraud continues to grow. The only guarantees are that future risk profiles are likely to be elevated or differentiated compared to historical data. According to the U.S. Federal Trade Commission (FTC) Consumer Sentinel Data Book for 2021, fraud reports reached an all-time high in 2021, up from a previous all-time high in 2020. In 2021, people reported losing more than $5.8 billion to fraud—an increase of $2.4 billion over 2020.
Reactive security postures don’t guarantee threat tolerance in the future, no matter how well they are established. Being proactive means incorporating solutions that include zero-day fraud detection and prevention capabilities combined with a defense-in-depth (layered security) approach that encompasses physical, technical, and administrative controls. When banks also add machine learning-driven risk management, they can isolate anomalies and flag new threats as they emerge—not after they have already done their financial and reputational damage.
No Organization is an Island
When threat actors don’t target your organization, it may seem like you’ve been spared. But banks don’t exist in a vacuum, and any large-scale breaches cause ripple effects.
Take the massive SolarWinds hack as an example. Discovered at the close of 2020, the consequences of the SolarWinds hack were still reverberating well into 2021. The data breach incident is a case study on the interconnectedness of our online environment today, with a laundry list of affected organizations. Microsoft was one of the higher profile organizations initially cited to be breached as a result of the attack, including many of their cloud environments and Azure Active Directory. On 16 March 2021, the cybersecurity firm Mimecast announced that its source code had been breached as well. On 17 March, the United States Cybersecurity and Infrastructure Security Agency (CISA) released a table of techniques, tactics, and procedures used by the threat actor to help firms defend against future similar attacks, which is information every cybersecurity team should be aware of.
Too Often, The Source of Fraud Is Close to Home
Enhanced security that adversely affects the customer experience is not viable, but unintuitive user journeys can become more costly. Internally, organizations bolster security by educating employees. Externally, customers are a diverse group with various good and bad security habits, including sharing their answers to common security questions through social media quizzes (which are actually data-harvesting schemes), put out for their entire network to see.
Reactive security postures don’t work in this environment. Instead, organizations should establish a layered security strategy as their baseline and use an adaptive and machine learning-driven/risk-based authentication approach that preserves the low friction experience that customers demand.
Reading a Combination of Factors is Key
The most comprehensive risk management and fraud prevention solutions combine behavioral profiling supported by behavioral biometrics and payment transaction data that can detect threats in real time which can help detect zero-day malware.
The user behavioral factors include location, time of day, device type, operating system, and browser details. This enables continuous identification of a pattern the builds over time.
Looking at anomalies in payments harnesses the power of pattern recognition, using machine-learning algorithms to help the system understand when a transaction is not normal. This data analytics engine scrutinizes everything from payment behaviors and anomalies to suspicious and trusted accounts and known fraud schemes.
The derived threat intelligence can combat known and unknown cyber threats, applying zero-day detection capabilities to catch malware, bots, and phishing attacks sooner. It also incorporates application and device protection capabilities.
Working together, these three AI-driven capabilities have been proven to deliver better detection performance than traditional approaches with fewer false positives while reducing authentication costs. Most importantly, they are highly relevant for top management who, according to a Deloitte financial cyber survey, now prioritize cybersecurity on their agenda. More than 40 percent of the respondents said they now discuss cybersecurity monthly, or more frequently.
Today’s solutions address their concerns by helping to prevent identity theft and enhance security without impacting ease of use. Not only do they offer the opportunity for a better defense against ongoing threats—from both insiders and outsiders—but also help prevent fraud, which can have significant impact on trust.
Edwardcher Monreal, pricinpal solutions architect at HID Global, is a highly skilled solution architect and a digital security expert with an instinctive passion for pragmatic problem solving. He has more than two decades’ worth of experience working in the trenches developing software and delivering solutions and services to the military, telecoms, banks, enterprise and the government with synergies in NFC, TSM, and mobile financial services applied with PKI, risk management, and strong authentication.