A new mobile technology designed to halt sophisticated digital identity fraud could eradicate cumbersome verification processes on online banking and mobile apps, and halt the ongoing issue of social engineering in its tracks. Aspect Software, which has already saved a major British bank £10m per year in fraud losses with its Aspect Verify™ trust platform, says ongoing developments with the technology are looking to finally seal the weakest link in cyber security – the human dimension.
According to the Crime Survey bulletin from the Office of National Statistics released in December 2016, two-thirds (66%) of ‘cyber related’ fraud was categorised as ‘bank and credit account’ fraud. Cifas, the fraud prevention organisation, claims that nine in ten identity frauds of all types take place online today. A recent report from Agari also claims that three in ten businesses were victims of social engineering fraud in 2016.
Keiron Dalton, Global Program Senior Director, Aspect Verify, commented: “Before any account takeover can take place, some form of social engineering needs to happen in order to obtain the right information to complete a false transaction. This could be any way of tricking or manipulating victims into providing personal information, including passwords, dates of birth and so on. While the most effective method of securing any account or technology system is to use multi-factor authentication, the human interaction element of fraud is still the weakest link in the chain.”
Passwords continue to be the most popular method of securing the first layer of authentication for online and mobile banking. Aspect’s 2017 consumer study into online banking fraud, The banks’ balancing act: Fraud risk vs the customer experience, found that 88 per cent of customers (who experienced at least one fraudulent incident on their bank or credit card account in the last year) recall needing to use a password, PIN, or some combination of characters and symbols in order to log in. For complex transactions, this number reduces to 75 per cent.
Keiron believes that passwords are a moot point. He said: “Any kind of password is practically a comfort blanket. We’re so used to them, but in between social engineering and sophisticated fraudsters, they’re near enough useless at protecting our money.
“Working with some of the big banks, we’ve been seeing a rise in sophisticated mobile fraud designed to target personal bank accounts, such as SIM Swap. Since some banks use one-off SMS codes to verify the identity of the victim, criminals have taken advantage of a weak spot by impersonating and convincing mobile network operators in the contact centre to ‘swap’ the SIM of the victim with a new one. After this happens, the fraudster can access these one-time codes via SMS and when combined with information they already have, such as PINs, passwords and personal details, can clean someone’s account out in minutes online.
“You could theoretically add more layers of security – say, to a mobile banking app – but all you’re doing is placing restrictions on users, forcing them to jump through hoops just to do something that a mobile app should let them do quickly and easily. They’ll get frustrated pretty quickly and you’re more likely to lose them as a customer down the line,” he said.
Keiron says that developments between the mobile network operators, banks and technology providers have meant that they are well on their way to striking that elusive balance between ease of use/convenience and appropriate levels of security that will stop social engineering at the start of a compromise. The technology leverages publicly available data to help banks to step up authentication by determining variables such as geo-location of the user, call divert and SIM Swap detection. This reduces customer friction and provides both enhanced security and extra flexibility for the modern digital citizen.
Keiron added: “Currently, an automated voice call is all that’s needed to authenticate a transaction for us to know whether it’s genuine or not. Eventually, the verification will be imperceptible and won’t interrupt a genuine user experience. A fraudster could be making an ‘omni-channel’ attack where they have already taken over someone’s mobile device, and is being talked through a process to transfer money on a separate channel while the automated call is taking place. It has been very successful in practice.”
Aspect Verify is a trust platform and a cloud-based service for fraud prevention and detection that maintains a great customer experience. It is a collection of automated engagement solutions for proactive monitoring, identification, prevention, and notification of fraudulent transactions, including SIM Swap, and diverted calls and SMS. Notification options target both the organisation and the customer, and include system-level alerts as well as phone calls (landline or mobile), SMS, and email. Aspect Verify enables the bank to manage the on-going communication with the customer.