FIs are expanding digital services to meet customer requirements, increasing the risk of attacks. Open Banking regulations require financial institutions (FIs) to provide access to customer data to third parties, further exposing their assets. Meanwhile, several new players, mainly fintechs and cryptocurrency companies, are entering the market and introducing new services and alternative currencies that are only loosely regulated.
'Establishing trust involves processing a mixture of signals throughout the user’s journey. These signals may come from fraud and risk services, or info about the user, device, and action being performed.'
Fraudsters and attackers are taking advantage of these changes. Many of them have access to large and well-funded criminal organisations, and they are becoming increasingly sophisticated. BOTs and emulators proliferate, and social engineering remains a major threat.
Because fraudsters are always evolving their methods, organisations must constantly review and reassess their security posture. New and smarter counter-fraud measures can help, but only if they don’t introduce excess friction. Despite wanting to feel like their accounts and data are secure, no customer wants to feel like they are being treated like a criminal. Because of this, FIs must find the right balance between securing transactions and delivering a smooth user experience.
Existing MFA solutions that support SMS and email OTP are not adequate, as they can be easily bypassed by sophisticated malware or attackers. However, modern MFA solutions that support strong cryptography make ATO attacks very difficult to complete because attackers cannot bypass strong authentication even if they are using stolen credentials. When logging in becomes too difficult or inconvenient, attackers will move on to easier targets. Some solutions also support passwordless authentication, completely removing the need for a password, meaning credentials cannot be stolen.
Identity verification and proofing tools can help address identity theft, allowing organisations to ensure a customer’s digital identity is tied to their real-life identity. Document-centric identity verification models are effective, as they require a live-image selfie and a photo of government ID to verify that a customer is a live person whose identity matches a valid form of identification.
To combat APP, fraud teams need to identify individuals’ propensity to fall victim to scams and take action based on that information, for example by designing user journeys that direct users down different pathways based on the perceived risk of the activity they are performing.
In general, establishing trust involves processing a mixture of signals throughout the user’s journey. These signals may come from fraud and risk services, or information about the user, device, and action being performed. The user may be directed to different user experiences depending on the trust level.
FIs use dozens of different best-of-breed point solutions and need to find ways to bring these disparate data sources together. Eliminating products is not the answer. Instead, organisations can make these products work better together by using a tool to ingest signals from across the business and incorporate them into a unified decision.
At different points in a user journey, these tools can determine whether to permit, deny or challenge (step-up) an action. A variety of contextual data is used to make these decisions; this may include fraud and risk engines, but also information about the user and the transaction being performed. Orchestration hubs are mechanisms to articulate policies that determine how these signals will be combined and used to make decisions. Ultimately, the correct tools should allow organisations to design user journeys that adapt based on perceived risk and inject minimal friction to low-risk sessions.
Increase real-time visibility and adopt modern technology that uses intelligent algorithms to identify anomalies. By observing, learning, and understanding the exact behaviour of legitimate users, these solutions can identify deviations from that behaviour and flag anomalies. Next, deploy orchestration solutions that allow the aggregation of multiple risk signals, and can respond to those signals with security controls. Finally, continue to educate end customers on good security practices. Even the more sophisticated and recent malwares often rely on users providing some level of approvals, and well-informed users are harder to scam.
This editorial was first published in our Financial Crime and Fraud Report 2022, which showcases the innovation and development of the best practices and instruments used by financial institutions in their fraud prevention activities, to improve the digital onboarding process of their customers while fighting against financial crime.
About Adam Rusbridge
Adam Rusbridge is a Senior Product Manager focused on Ping’s Authorisation products, responsible for developing cutting-edge solutions that keep organisations and their resources safe and secure.
About Federico Carbone
Federico has more than 10 years’ experience in the IT space, mainly in Identity & Access Management. He joined Ping Identity as a Solutions Architect in EMEA in 2013, where he is responsible for pre-sales activities for large enterprises.
About Ping Identity
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now