Authentication is a Speed Bump for Fraudsters (and for Legitimate Customers)
Somebody logs on to your online banking site to change their mailing address. No big deal, right? People move all the time, so an address change performed online seems perfectly reasonable. Now, a couple of days later, that same person asks you to box up $10,000 and mail it to the new address. Hmm. Would you do it?
Okay, that scenario is fiction, but it is not much of an exaggeration. The non-fiction version: the person is not your customer but an account takeover specialist who has compromised a victim's account, and instead of asking for a box of cash, the fraudster asks for a replacement credit card with a $10,000 limit to be sent to the new address. This scheme plays out all the time.
But with strong authentication, how can that happen? The access controls commonly found on online banking sites today do put up barriers, but face it: those barriers are breached all the time, so often that there are publications dedicated solely to the topic of data breaches. The most basic authentication procedure, a user name and password, does not stop even intermediate-level criminals. More rigorous procedures that require the customer to answer out-of-wallet quiz questions or enter a one-time verification code sent over SMS do not stop the more sophisticated attackers either: the answers can be researched, and the codes can be phished from the victim in real time.
Yet some financial institutions report using their existing authentication mechanisms as the primary, and only, fraud control on address changes. In other words, whether a customer calls the call center or logs into online banking, they go through the standard authentication process and then proceed with the address change with no further checks.
Authentication is not Enough
In addition to being commonly bypassed, relying solely on authentication has the following limitations:
- It doesn't act uniformly across channels. The authentication controls in one channel will almost certainly differ from the next: an online session may require multi-factor authentication while a call into the phone channel relies on knowledge-based questions (e.g., the last four digits of the SSN). Because fraudsters seek out the path with the fewest controls, it is only a matter of time before they find the weakest channel and route their address changes through it.
- It acts uniformly across risk levels. By its nature, authentication does not measure risk; it simply puts the same barrier between every customer and the protected system. The most effective fraud prevention strategies use pattern recognition, anomaly detection and other analytic methods to measure risk first, then apply a level of authentication rigor commensurate with that risk.
- It puts the burden on the customer. Placing the burden of proof solely on the customer creates friction and a negative experience. Knowledge-based authentication asks the customer to recall data that is often publicly available to fraudsters yet easily forgotten by legitimate customers, so it produces both false positives (legitimate customers rejected) and false negatives (fraudsters passed).
While strengthening and expanding authentication controls is worthwhile in the overall effort to prevent fraud (and is required by FFIEC guidance), authentication alone should not be thought of as a complete solution. A complete solution should be effective across all channels, measure relative risk, work in combination with authentication controls to thwart fraud, and remain seamless and frictionless for the customer. Said another way, financial institutions are best served by a multi-layered approach to verifying address changes and other risky non-monetary events.
What is needed
What should be layered on top of authentication? Our view is that rather than accepting the marginal gain of layering authentication on more authentication, an entirely new dimension is needed: context-aware analytics. Much as credit scoring predicts events like delinquency and charge-offs, data and analytics about the address change itself can be used to predict and detect account takeover fraud. Pattern analytics automatically flags suspicious cases. A simple question illustrates the point: why would John Smith suddenly move from an owned suburban home in Colorado to a check cashing store in Miami where ten other address changes have landed this week? Regardless of whether John Smith could recall his first boss's grandmother's high school mascot's maiden name, most fraud investigators would conclude that this case is suspicious and should be checked out before the address change is accepted.
By focusing on the data, the pattern and the attributes of the move, financial institutions can act immediately, before the fraud occurs. This new layer, placed on top of authentication controls, prevents account takeover fraud, reduces the cost of the address change process and streamlines address change operations. Even if an online account is compromised, the fraudster will have a hard time completing the takeover and cashing out.
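To make the analytic layer concrete, here is an added illustrative example (not code from the original post or from any vendor product) that scores a constructed set of address-change events on the attributes the post names: the distance of the move, the type of destination address, and how many other accounts have moved to the same address in the past week. The rule weights, thresholds, coordinates and street addresses are all assumptions made up for the example. The point it shows is that the score comes from the event's context, not from whether the channel's own authentication passed, and that the score then selects the authentication rigor (accept, step up, or hold for review).

```python
"""Risk-score address changes from their own attributes and the pattern
around them, then choose the authentication rigor to match.
Illustrative example: weights, thresholds and sample data are assumptions,
not any institution's actual model."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class AddressChange:
    account_id: str
    when: datetime
    channel: str                      # "online", "phone" or "branch"
    authenticated: bool               # the channel's own authentication passed
    old_coords: tuple[float, float]   # (lat, lon) of the previous address
    new_coords: tuple[float, float]   # (lat, lon) of the requested address
    new_address: str                  # normalized: upper case, single spaces
    new_address_type: str             # "residential", "commercial" or "mail_drop"


def distance_km(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle distance (haversine) between two (lat, lon) points."""
    (lat1, lon1), (lat2, lon2) = a, b
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_change(change: AddressChange, history: list[AddressChange],
                 window: timedelta = timedelta(days=7)) -> tuple[int, list[str]]:
    """Return (risk score, reasons). `history` is every earlier change the
    institution has seen, from all channels, so the check is channel-agnostic.
    Note that `change.authenticated` is deliberately not a factor: passing
    authentication says nothing about the risk of the change itself."""
    score, reasons = 0, []
    # 1. Distance of the move: long jumps are unusual for a genuine customer.
    km = distance_km(change.old_coords, change.new_coords)
    if km > 1500:                                   # assumed threshold
        score += 25
        reasons.append(f"moved {km:.0f} km")
    # 2. Destination type: commercial addresses and mail drops attract fraud.
    if change.new_address_type != "residential":
        score += 20
        reasons.append(f"new address is {change.new_address_type}")
    # 3. Destination velocity: other accounts converging on the same address.
    others = {h.account_id for h in history
              if h.new_address == change.new_address
              and h.account_id != change.account_id
              and change.when - window <= h.when <= change.when}
    if len(others) >= 3:                            # assumed threshold
        score += 40
        reasons.append(f"{len(others)} other accounts moved here this week")
    # 4. Account velocity: a second change on the same account within 30 days.
    if any(h.account_id == change.account_id
           and change.when - timedelta(days=30) <= h.when < change.when
           for h in history):
        score += 15
        reasons.append("account changed address within the last 30 days")
    return score, reasons


def decide(score: int) -> str:
    """Map the score to the authentication rigor applied before the change takes effect."""
    if score >= 60:
        return "hold_for_review"   # investigator confirms with the customer out of band
    if score >= 30:
        return "step_up"           # e.g. callback to the phone number already on file
    return "accept"


# Constructed sample data (not real accounts or addresses).
WEEK = datetime(2013, 3, 4)
MIAMI = (25.7617, -80.1918)
CHECK_CASHER = "100 EXAMPLE AVE MIAMI FL 33101"          # constructed
HISTORY = [  # four unrelated accounts already moved to the same storefront
    AddressChange(f"acct-{i}", WEEK + timedelta(days=i), "online", True,
                  (41.8781, -87.6298), MIAMI, CHECK_CASHER, "commercial")
    for i in range(4)
]
SMITH = AddressChange("acct-smith", WEEK + timedelta(days=5), "online", True,
                      (39.5807, -104.8772), MIAMI, CHECK_CASHER, "commercial")
NEIGHBOR = AddressChange("acct-doe", WEEK + timedelta(days=5), "phone", True,
                         (39.5807, -104.8772), (39.7047, -105.0814),
                         "200 EXAMPLE ST LAKEWOOD CO 80226", "residential")

if __name__ == "__main__":
    for ev in (SMITH, NEIGHBOR):
        s, why = score_change(ev, HISTORY)
        print(ev.account_id, ev.channel, s, decide(s), why)
```

Both constructed events pass their channel's authentication, yet the Colorado-to-Miami change onto a storefront that four other accounts moved to this week scores high enough to be held, while the short suburban move with no pattern around it is accepted with no added friction. In production the history lookup would be a query over the institution's address-change log rather than an in-memory list, and the weights would be fitted to labelled fraud cases rather than hand-picked.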
(In my previous post, I describe the pitfalls of notification letters and signature cards for screening address changes.)
Written by Matt Schraan
Vice President, Product Development and Client Solutions
Matt has dedicated his professional life to building products that reduce fraud risk, meet compliance requirements, and maximize value from fraud detection techniques. He has presented at numerous industry conferences on counter-fraud topics such as account takeover, application fraud, identity verification, and compliance strategies.