Account takeover and step up authentication

True customer satisfaction means optimising experiences and relationships from start to finish

In the digital age, businesses face the constant challenge of determining legitimate customers from fraudsters. Fraudsters target a variety of points along the transaction process, but some of the most common are new account creation, transactions, and account recovery. Enterprises must walk a fine line to ensure that appropriate measures are taken to prevent fraud while also providing a low-friction user experience. While the sophistication and frequency with which fraudsters attack has increased dramatically, so have the tools businesses can use to combat them.

One of the most prevalent forms of fraud is synthetic identity fraud, which results in direct losses of around USD 118 billion each year. This is a hard cost for many industries such as insurance, healthcare, and banking who typically rely upon flawed legacy authentication methods such as increasingly complex passwords, OTPs via text and email, and knowledge-based authentication (KBA).

However, as enterprises increase the complexity of the authentication process, legitimate users are confounded by that complexity leading to false positives and by users circumventing the intent of the systems (eg reusing passwords).

These legacy methods have been further compromised by the numerous high-profile breaches of retailers, healthcare providers, government records, credit bureaus, and hospitality chains, resulting in over 10 billion data records reported as being exposed since 2013 (Gartner Market Guide for Online Fraud Detection Published 31 January 2018 - ID G00318445), and those are just the ones that we know about!

With so much personal information readily available, fraudsters have become proficient at using the same data to commit multiple fraud attempts. Through the use of bots, fraudsters can submit tens of thousands of applications in a single day, typically from a remote country, and only need a handful to pass through in order to profit.

While the direct cost of USD 118 billion seems a staggering number, it is not the total cost. I had the opportunity to work directly with the fraud and risk team of a large US S&P 500 Bank who illustrated the extent of unseen opportunity costs. Thousands of potential customer applications were being rejected due to authentication concerns. While these applicants may have been fraudulent, they may also have been qualified customers. Moreover, the opportunity cost losses were not limited to new customers.

A growing number of existing customers were locking themselves out of their accounts because they could not answer their KBA questions or they could not receive the OTP as they had changed their cell phone number. The standard protocol for the bank was to close these accounts.

These challenges are rampant on digital platforms. On average, for each account that is erroneously closed and each genuine applicant declined, there is an opportunity cost of USD 61 per incident. To make matters worse, there is an additional unquantified loss of goodwill. Just like the direct cost of fraud, these opportunity costs impact the companies’ bottom line.

Because of their potential for security, as well as usability, a growing number of enterprises are implementing biometrics ranging from fingerprints to voice, to facial recognition. In addition to better technology for collecting biometrics (eg improving smartphone cameras), customers are becoming increasingly accustomed to using them. While biometrics’ usability may resolve many authentication barriers, not all of them provide the technology needed to reduce the direct and opportunity costs of fraud.

Biometric solutions that can resist replay attacks and prove liveness partially resolve the issue of bot-initiated interactions. If a live biometric is required for applications, transaction approval, or account recovery, and that biometric is compared not just to the instant transaction but all prior biometrics from all transactions, then a fraudster needs a different live human for every transaction.

For many biometric solutions, a biometric sample is compared to a source of assumed truth such as a national ID document or passport, and if there is an apparent match, identity is established. The problem is that fraudsters create sophisticated fake IDs, sometimes using the same machines as legitimate issuing authorities, or they obtain “real” IDs for stolen identities. While this is not as scalable as blanked bot applications, it allows for repeated fraud attempts and has a far higher probability of success.

By using only biometric solutions that test liveness, while securely and compliantly storing biometric data, enterprises can compare the current biometric sample to all previous biometrics and spot instances where two or more users share the same biometrics. This deduplication process eliminates the possibility of the same person making multiple applications under different identities.

About Andrew Gowasack

Andrew is Cofounder and Managing Director of Trust Stamp. As a co-leader in Emergent’s global identity initiatives, Andrew is engaged with the delivery of identity-related services across all of Emergent’s verticals, but his primary focus is building strategic partnerships around the World.

About TrustStamp

A multi-factor biometric platform with inbuilt de-duplication that can be augmented with social media and other data mining and identity warranties. Among the platform’s unique factor is a shareable non-PII hash that tokenizes identity and can embed both encrypted data and pivot points to external data.