Catch Me If You Can: Fraud Digital Identity Challenges
December 21st, 2020
This blog series acts as a companion to the sessions at ENGAGE LIVE. Catch up on the other entries here:
- Looking Back at ENGAGE 2020
- Immediate Action Required: Detecting Authorised Fraud
- Stay Ahead of First-Party Fraud & Mule Activity
- Future-Proofing Fraud with Advanced Technologies
- Fraud: AI in Action
- The Journey to Autonomous Fraud Management
This blog draws on an ENGAGE LIVE session featuring a global panel. In it I’ll share an overview of the digital identity challenges discussed, cover how the evolution of payments affects fraud, and look at what can be done to make it a safer, more prosperous ecosystem.
Challenges to fraud detection
In our new digital world, the need to do everything digitally and fast is quickly becoming the norm.
This could be opening an account, registering for online banking or a mobile app, making a payment to a new beneficiary via an app, initiating a banking transaction through a third party, or even requesting a bank balance through Alexa.
Whilst similar, these all pose different risks, and a genuine customer will expect, or at least tolerate, a different level of friction for each.
At onboarding, we want to be sure that the person exists and lives at the address stated, and also that the person on the other end of the mobile app is that person. On top of this, is the applicant a genuine person, or a known bad actor?
At registration, say for mobile banking, I want to know that it’s the person that opened the account. At the point of subsequent logins and payments, I want to know it’s the person that registered.
Now this should all be the same person, but I’m checking different data each time as what I’m trying to do is slightly different.
So, what I need to do is undertake three separate checks:
- Identify a real person
- Verify that that person lives at an address, owns a device, phone number, etc.
- Confirm that the person attempting to transact is that same person
Challenges arise because there is no definitive physical or digital list of real people, so we have to use proxies for this, e.g. credit bureau records. Unfortunately these are not foolproof, as synthetic IDs show: a fraudster can build a bureau footprint for a person who never existed.
Perhaps the biggest challenge is the friction during these steps – getting the balance right between fraud, security and customer experience is essential. Getting the balance wrong either means higher losses or higher attrition. Either way leads to lower profits.
Let’s look at the challenges faced at account opening. What has tended to happen here is that existing physical identity processes have been digitized, rather than re-engineered for a digital world.
Many countries, such as the U.S. and UK, don’t have national identity systems in the physical world, let alone the digital world, so they already must cater to multiple ways of proving identity. In today’s digital world, it’s even worse, as we essentially have an identity for each online account. This is not only inefficient, but makes it hard for genuine consumers to keep things safe and secure. In the Nordics, BankID is used across financial services, which streamlines the process of identifying customers digitally. However, it is still susceptible to social engineering frauds, leading to account takeovers.
So, if it’s hard to identify someone when they open an account, it’s also hard to do so when the customer returns. To avoid repeating the account opening steps every time, we set up security credentials at the point of account opening. A username and password is the most common form of this.
But usernames and passwords were not built for this sort of situation, where we all have many different accounts. Their usage is clearly broken and plays on our human frailties: the difficulty of memorizing complex, secure passwords, and our susceptibility to being socially engineered into giving them up.
This is where multi-factor authentication comes in, yet even here there are more challenges. Hardware tokens are secure, but unpopular with many customers, who must keep them on hand and not misplace them. SMS works for most people most of the time, but it needs mobile reception and is no longer considered best practice because of its security flaws, SIM swap and interception among them. Smartphones and their apps offer a good solution, but they are not yet ubiquitous.
Banks can increase security by using multi-modal biometrics with step-up: a fingerprint to log in, but an iris scan to make a large payment to a new beneficiary. With all of these, it’s the registration or re-registration process (binding a new device or biometric to the account) that has the largest weaknesses.
And even where we have strong systems, we have the linked challenges of data compromise, identity theft and social engineering to bypass these controls. This leads us to how frauds have evolved.
Evolution of fraud scams
As the security of remote banking has increased, with high levels of encryption and FIs’ investments in fraud detection and authentication, fraud has evolved. This has coincided with real-time payments taking off, so we’ve seen a rise in authorized fraud and scams. Fraudsters have changed how they attack: instead of attacking the bank’s systems directly, they target the customer, who is the weak point, via phishing, vishing and smishing.
Social engineering is made possible by the scale of data compromise and the lack of mutual authentication between customers and FIs, government and business. The difficulty is in offering mutual authentication, where the customer can tell that it really is their FI, and not a fraudster, on the phone or in an email. Without it, the result is identity theft, then identity fraud and account takeovers.
We also see credential stuffing attacks against FIs, where stolen credentials, of which there are many, leaked from breaches elsewhere, are replayed against customers’ accounts on the assumption that passwords are reused. The sheer volume of attempts causes additional friction and costs for banks and consumers alike.
This means that authentication alone cannot prevent these frauds; it needs to be coupled with good profiling capability. The ability to utilize ML models based on both supervised and unsupervised learning is key.
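To make the credential stuffing point concrete, here is a small detection routine run over constructed authentication log lines. This is an added example, not code from the original post or from any FICO product; the log format and the thresholds (five distinct usernames from one IP within ten minutes) are assumptions chosen for illustration, not an attacker signature from the page. It also picks out the accounts where a stuffing source obtained a successful login, which is exactly the case where the password check passed and only profiling can hold the session for step-up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real traffic). Line format is assumed:
# <ISO timestamp> ip=<source> user=<username> result=OK|FAIL
SAMPLE_LOG = """\
2020-12-21T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2020-12-21T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2020-12-21T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2020-12-21T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2020-12-21T10:00:03Z ip=203.0.113.5 user=erin result=OK
2020-12-21T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2020-12-21T10:05:00Z ip=198.51.100.7 user=grace result=FAIL
2020-12-21T10:05:30Z ip=198.51.100.7 user=grace result=FAIL
2020-12-21T10:06:00Z ip=198.51.100.7 user=grace result=OK
2020-12-21T11:30:00Z ip=192.0.2.9 user=heidi result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Flag source IPs that tried >= min_distinct_users distinct usernames inside any
    sliding time window. Successes count as attempts too: stuffing is defined by the
    spread of usernames from one source, not by failures alone. Returns {ip: set(users)}.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged


def accounts_to_step_up(events, flagged):
    """Accounts where a flagged IP logged in successfully: the password was valid, so
    authentication passed. These sessions should be held for step-up, not let through.
    """
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    print("stuffing sources:", {ip: sorted(u) for ip, u in hits.items()})
    print("step-up these accounts:", accounts_to_step_up(evs, hits))
```

Note that grace’s two failures followed by a success from one IP is an ordinary mistyped-password pattern and is not flagged; the distinct-username spread is what separates stuffing from a customer who forgot their password.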
So what can we do about it?
Using more data to corroborate the identity, check against bad lists, check for changes and look for anomalies is a simple and extremely effective approach. In practice, this means taking multiple data elements to establish an identity, more than just name, address, date of birth and Social Security Number, then verifying that information against multiple independent sources.
An FI needs a system that covers the whole customer lifecycle, can easily ingest data from multiple sources to independently verify the information provided, and feeds this into models that highlight high-risk applications, registrations, logins and payments for review.
Data sources should be covering areas such as:
- PII & KYC Verification
- Mobile Network Verification
- Email Verification
- Mailing Address Verification
- Document Verification
- User Mobile / Browser Behavior Verification
- ID – Combination Verification (SSN/Credit)
- Funding Account Verification
- KYC Checks
In addition, tools such as device profiling and behavioural biometrics can stop known fraudsters and their devices from continuing to attack you, and can be used to block at the earliest stage to avoid high volumes of alerts.
Whilst this requires more and more data, it can be done without adding too much friction. It also means that you can reduce friction throughout the customer lifecycle once the customer gets through the onboarding stage.
By linking this all together, we can minimise many of the challenges by adding the right amount of friction at the right time. For example, simply validating the mobile phone number at onboarding can reduce a common form of fraud.
Is it a real number? Is it on a contract? Is it owned by the same person? Is it registered at the same address? Do they have access to it now? Has it been ported or SIM swapped recently?
If all of these checks pass, I can be much more confident in using this number going forward, and in the application itself. They are useful at account opening, and for building trust in the user and their devices/proxies on an ongoing basis.
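The questions above are an ordered procedure, and the order matters: a possession check (an OTP to the number) proves nothing if the SIM was swapped three days ago. The routine below runs them in that order over constructed lookup records. It is an added example, not code from the original post or any vendor’s API; the record field names (valid, active, line_type, last_sim_change, last_ported, otp_verified and so on), the 30-day recency window and the name-matching rule are all assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed applicant and mobile-number lookup records (not real data). The field
# names imitate the shape a number-intelligence response might take; they are assumed.
APPLICANT = {"name": "Jane A. Smith", "postcode": "SW1A 1AA"}
TODAY = date(2020, 12, 21)

LOOKUPS = {
    "clean": {"valid": True, "active": True, "line_type": "contract",
              "subscriber_name": "Jane Smith", "subscriber_postcode": "sw1a1aa",
              "last_ported": None, "last_sim_change": date(2019, 6, 1),
              "otp_verified": True},
    "swapped": {"valid": True, "active": True, "line_type": "contract",
                "subscriber_name": "Jane Smith", "subscriber_postcode": "SW1A 1AA",
                "last_ported": None, "last_sim_change": date(2020, 12, 18),
                "otp_verified": True},
    "prepaid_mismatch": {"valid": True, "active": True, "line_type": "prepaid",
                         "subscriber_name": "John Doe", "subscriber_postcode": "SW1A 1AA",
                         "last_ported": None, "last_sim_change": None,
                         "otp_verified": True},
    "dead": {"valid": True, "active": False, "line_type": "contract",
             "subscriber_name": "Jane Smith", "subscriber_postcode": "SW1A 1AA",
             "last_ported": None, "last_sim_change": None, "otp_verified": False},
}


def names_match(a, b):
    """Loose match: same surname and same first initial, ignoring case and middle names."""
    ta, tb = a.casefold().split(), b.casefold().split()
    return bool(ta and tb) and ta[-1] == tb[-1] and ta[0][0] == tb[0][0]


def norm_postcode(p):
    return p.replace(" ", "").upper()


def assess_mobile_number(record, applicant, today, swap_window_days=30):
    """Run the onboarding checks on a phone number, in order:
    1. is it a real, active line?
    2. has it been ported or SIM-swapped recently? If so, stop: an OTP to this number
       may reach a fraudster, so the possession check is skipped rather than trusted.
    3. is it on a contract (prepaid/VoIP lines are cheaper to obtain anonymously)?
    4. do the subscriber name and address match the applicant?
    5. did the applicant prove possession of the number now (OTP)?
    Returns (decision, reasons) with decision in {"trust", "review", "reject"}.
    """
    reasons = []
    if not (record["valid"] and record["active"]):
        return "reject", ["not a real, active subscriber line"]

    cutoff = today - timedelta(days=swap_window_days)
    for field, label in (("last_sim_change", "SIM swapped"), ("last_ported", "ported")):
        when = record.get(field)
        if when is not None and when >= cutoff:
            reasons.append(f"{label} on {when.isoformat()} (within {swap_window_days} days)")
    if reasons:
        reasons.append("possession check skipped: SMS channel not trusted")
        return "review", reasons

    if record["line_type"] != "contract":
        reasons.append(f"line type is {record['line_type']}, not contract")
    if not names_match(record["subscriber_name"], applicant["name"]):
        reasons.append("subscriber name does not match applicant")
    if norm_postcode(record["subscriber_postcode"]) != norm_postcode(applicant["postcode"]):
        reasons.append("subscriber address does not match applicant")
    if not record["otp_verified"]:
        reasons.append("applicant did not prove possession of the number")

    return ("review", reasons) if reasons else ("trust", [])


if __name__ == "__main__":
    for name, rec in LOOKUPS.items():
        print(name, "->", assess_mobile_number(rec, APPLICANT, TODAY))
```

Only the "clean" record earns a trusted number that can be used for future step-up; everything else goes to review with the specific reason attached, which is what an analyst needs in order to apply the right amount of friction rather than blanket friction.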
Whilst I’ve concentrated here on retail customers, the same clearly goes for SMEs and corporate customers. This is particularly the case at account opening and has been thrown into the spotlight by the SBA loan fraud issues.
The evolution of digitalization has welcomed new and innovative forms of payments and technology; yet at the same time, fraudsters are using these same technologies to change their attack methods. COVID-19 has accelerated this trend. As fraud prevention professionals, it’s our responsibility to continue to protect our consumers, while meeting increasing customer experience expectations – even in a rapidly shifting threat landscape.