Key capabilities required to protect the online banking journey

The fraud ‘industry’ is becoming increasingly far-reaching and sophisticated. Advances in technology have led to a rise in more complex forms of account takeover. The emergence of ‘deepfake’ and voice-cloning technologies means that bad actors can now look and sound exactly like genuine banking customers. When used alongside a customer’s stolen credentials, this makes it nearly impossible for banks and other financial institutions to distinguish between a genuine user or a bad actor in disguise.

The threat of these advanced techniques is compounded by the fact that traditional fraud prevention methods simply can’t keep up. For example, the use of One Time Passcodes (OTPs), whilst seemingly an extra layer of protection for online banking customers, can actually provide a ‘back door’ for fraudsters to exploit – as shown by the rise in SIM swap fraud and OTP scams.

1) Know your user

The most effective way for financial institutions to detect and prevent fraud is to fight fire with fire, by utilising innovative fraud prevention techniques powered by the most advanced technologies available.

One such technique focuses on a Know Your User (KYU) approach. In addition to traditional Know Your Customer (KYC), which seeks to verify the identity, suitability, and risks of establishing a business relationship, KYU extends that level of trust with advanced behavioural and biometric data analysed by AI to truly know each user inside and out - post onboarding. Customer data collected at each interaction can then be used to create a BionicID – a unique digital profile – for each user and bad actors alike. Then each customer’s online interactions can be compared with their own previous behaviours to precisely identify legitimate users, protecting them from manipulation or impersonation attacks. This approach provides a granular and accurate method to determine whether a user is who they say they are and thanks to deep learning capabilities becomes even more accurate with each user interaction.

2) Protection at every stage of the online journey

The pandemic has accelerated a switch to digital banking. To improve customers’ experiences, banks have focused on simplifying the account opening process to make it as easy and convenient as possible.

Unfortunately, this has also made it easier for bad actors to take advantage and carry out fraudulent attacks. Threats at the earlier stages of onboarding and login are driven by the theft of customer credentials, opening the door to further account fraud. To stop account takeover attacks, financial institutions need to prevent the theft of user credentials. This is where a proactive defence approach is most valuable. Detecting and stopping malware and phishing attacks before credentials can be compromised is a critical first step in stopping account takeovers.

Moreover, banks need to stop bad actors at every stage of the customer journey. The best way to do this is to implement a solution that focuses on continuous authentication – verifying each user at every interaction. This can be achieved by analysing each user’s BionicID at every stage of their online journey – and acting when any anomalous behaviour is detected. Fraud analysts can implement automated responses for each risk-level detected to streamline this process.

If an intelligent bad actor still managed to slip through and reach a point of transaction, this final stage can be protected by combining BionicID data with transaction intelligence, in order to fully understand whether the person carrying out the transaction is who they say they are. In order to identify even the smallest of anomalies, fraud teams should combine each user’s online activity data with historical payments intelligence onto one platform – thereby creating a risk engine that ‘knows’ each user at a truly granular, individual level.

Combined with AI and behavioural biometric analysis, this process also helps reduce the number of false positives and negatives – thereby reducing fraud analysts’ workload – and ensures a smooth customer experience, since all data analysis and collection happens in the background, without the need for user interaction.

3) A proactive approach

Finally, complete protection requires an always-on fraud response that is proactive, rather than merely reactive – preventing fraud before it has the chance to occur. Following the lead of the enterprise cybersecurity industry, an active defence approach needs to utilise hybrid-AI systems combined with the latest bad actor intelligence to automatically detect threats across the online journey and trigger automated responses blocking threats in real-time.

Active defence capabilities can, for example, prevent a legitimate user from taking an action manipulated by a bad actor that would lead to further fraud. These capabilities can also identify fraudulent behaviour linked to bad actors and prevent them from committing additional fraud. Thus, fraud can be mitigated before it occurs, preventing associated losses and allowing banks to finally get a step ahead of bad actors and beat them at their own game.

About Ken Jochims

Ken Jochims is Director of Product Marketing at Revelock, a Feedzai company. Ken has over 25 years of enterprise software product marketing experience delivering fraud prevention, identity, and access management, and IT infrastructure solutions to financial institutions and Fortune 1000 companies. Prior to Revelock, Ken worked for Arxan Technology, Neustar, ThreatMetrix, Guardian Analytics, CA Technologies, and Apple.

About Revelock

Revelock enables financial services and fintech companies to reveal and respond to online identity impersonation & manipulation attacks without hindering the customer experience. Protecting more than 50 million banking customers worldwide, the Revelock Fraud Detection & Response (FDR) Platform combines behavioural biometrics, network and device assessment with hybrid AI and Deep Learning to create a BionicID™ and continuously Know Your User (KYU), spot bad actors and mitigate risk regardless of the type of attack.