By John Watkins, Industry Consultant: Fraud Strategy and Intelligence Division at SAS
Customer identity is a precious asset and a highly prized commodity. As the financial services industry has become more digitised down the years, customers’ digital identity decides what they can do and what online services they have access to.
This has been revolutionary for the customer experience. So long as the service provider is happy that customers are who they claim to be, they can access their account, make a transaction or take out a loan anywhere and at any time they want. Indeed, the speed and ease of this process has become a point of competition, with organisations vying to provide the most seamless and frictionless online experience possible.
However, in the rush for greater convenience, the industry can’t afford to forget about proper identity verification. The threats from identity theft and cyberfraud are growing more sophisticated and pernicious. Organisations must guard against this, but in a way that doesn’t penalise the innocent customer.
A global identity crisis
Digital identity is a convenient means of authentication, but the lines are starting to blur. The industry has woken up to the fact that online identities are malleable and spoofable. Impersonating customers online to commit fraud and gain access to their financial assets has become big business for cybercriminals. In 2017, identity fraud peaked in the UK with 174,523 cases reported by Cifas, with eight out of 10 fraudulent applications made online.
What’s more, these hackers are constantly innovating and adopting new technologies to stay ahead of security measures. Even popular, tried and tested measures like two-factor authentication have been compromised.
Cybercrime is fundamentally adversarial. A lone wolf or criminal outfit will probe every weakness in your verification system and will stop at nothing to breach your defences. You need to cover all your bases and ensure they have no place to hide.
At the same time, however, you mustn’t go too far in the other direction. You have a duty to protect your customers, but also to provide them with the best experiences – something an endless loop of authentication methods can never deliver.
The 5 senses of security
When you meet someone for the first time, you make use of all your senses to get a first impression of them. The same principle should be applied to online interactions with customers. Why wouldn’t you use all the information channels available to you to find out if the user is being honest?
The problem is that credit, fraud and risk managers and their staff too often make the call based on incomplete insight. This is because they only collect and analyse some of the data that’s on offer.
If you don’t consider every possibility, you’re only leaving blind spots to be exploited. For example, an authentication system may approve a request from cybercriminals simply based on the device they’re using. Yet if the system had checked the device’s location and the customer’s behaviour, the hacker would likely have been exposed.
The main data points to consider are:
Experiential information: The organisation’s previous interactions with and knowledge of the user based on an existing profile. Has this user been denied access before, and why?
Channel information: The channel or device the entity is using. Has the user accessed your services with a certain device before?
User behaviour: The behaviour of users while they’re interfacing with your services. Are they hesitating too long when asked to make decisions? Does their cursor move robotically?
Public record: Publicly available information on the customer. Are they accessing their services from their registered address? Does their given age match what’s on their driver’s license?
Group and risk analysis: Wider data from analysis of the market and threat landscape. Is the email address the entity is using part of a known fraud cluster?
Organisations don’t have to implement every data type into their verification process. Yet every new segment they do adopt vastly increases their chances of detecting and stopping fraud in progress.
Time waits for no one
However, data alone won’t protect you or your customers. Once you have the data and a process in place for discovery, you have to do something with it. While models do an outstanding job predicting fraud, rules stop it. At the same time, you need to act quickly. Customers won’t wait around if you spend more than 10 seconds weighing up their credentials. The process has to be seamless and instantaneous.
Yet the industry’s approach to authentication has sadly become segmented. There are thousands of point solutions that cover only one part of the verification process. They are rarely joined up and only waste customers’ time and patience. It’s critical that the process begins and ends with the customer experience in mind.
Turning insight into authentication
To turn insight into an authentication decision, organisations should consider an end-to-end solution. When a customer tries to sign-in or access a service, an orchestration platform should be set up to collect all the desired data points before sending them to a decision engine. The solution can then analyse the data and evaluate if entities are the customers they claim to be.
When the process for verification is unified and data-driven, passive authentication becomes a reality. The customer enjoys a real-time, seamless experience – no password required – while the decision engine rapidly confirms identity in the background. This is security and customer satisfaction all in one.
There is no silver bullet that will protect your organisation from cyberfraud in every event. However, when you have access to the right data and the capability to interpret and act on it in real time, you achieve the best of both worlds.