How can financial services organisations enable valid users to complete transactions easily, and still stop fraudsters from criminal activity? That question has been taxing the minds of the brightest security specialists for the last 30 years, and with identity theft, data breaches and fraud at an all-time high, the question has never been more relevant to financial institutions.
It has never been more difficult to answer either. Consumers interact with their banks anywhere in the world through many different and fragmented channels, ranging from the bank website, an ATM, and an in-store chip and PIN transaction, to online shopping, the phone, or – just occasionally – a bank branch. Fraudsters are waiting for any opportunity to misuse user credentials at any of these touch points, whether through malware, phishing, card skimming, or other evolving threats.
Financial institutions typically struggle to collate risk across the various customer touchpoints. For example, if a fraudster steals a credit card, withdraws cash from an ATM, then tries to buy a television through a store’s POS system, and follows that up with an attempted online money transfer, many banks would treat each of these as a separate event because different systems and personnel service each channel. This severely undermines their ability to detect misuse.
Convenience trumps security
The fact is that today’s consumers want the least possible degree of friction when it comes to online transactions. Time is of the essence and only a certain degree of inconvenience will be accepted – especially for lower risk activities. People understand and tolerate proportionate responses rather than a fixed amount of security under all circumstances.
For example, when banking online, customers will tolerate the process of using their hardware/software PKI token to make a payment to a new payee but will be less tolerant when making a repeat payment to the same payee or simply checking their bank balance.
Similarly, is it not more reasonable to be asked to verify your identity when buying an expensive piece of jewellery than it would be if simply buying groceries at the supermarket? Ideally, the process for low-risk transactions should be as instant and painless as paying in cash. And for the higher risk transactions, the bank should use proportionate security that is related to the risk. Customers understand this and actually enjoy the benefits of the protection.
To keep the valid users in and the fraudsters locked out, financial institutions need to strike a balance between convenience, cost, and security – simultaneously keeping customers satisfied and their money safe. That puts them in a dilemma: on the one hand they need to enable financial transaction services with the least degree of friction; on the other hand they must verify that it is the right person before allowing any access – typically authenticating the user via a password and another credential.
Layered fraud detection and risk-based authentication
To effectively separate the ‘goodies’ from the ‘baddies’, financial institutions need a layered fraud detection strategy that combines risk-based authentication with a number of different methods of authentication to ensure that the security is proportionate to the risk of what the user is doing. This sophisticated risk analysis can include many items such as the user location, the device they are using online, the value of the transaction, or the type of goods they are purchasing. Typically, only a small number of transactions are considered risky and the ideal solution would identify these activities and then increase the security level required, in the most convenient manner possible. Such a solution would help prevent fraud in real-time on consumer online services without inconveniencing legitimate users in the vast majority of their activities.
An advanced authentication solution creates an adaptive risk analysis process to assess the fraud potential of every online login and transaction. The technology provides a variety of two-factor and risk-based authentication methods – all geared to frictionless, multichannel authentication. For example, financial institutions can examine a wide range of data collected automatically about each login or transaction. A risk score can be calculated to help determine what action to take on a given transaction. Tolerance thresholds can be set to adjust the impact on legitimate users. And there is the flexibility to determine the response to that score based on policies and risk tolerance. This approach transforms authentication and fraud prevention – while optimising convenience.
Imagine, for example, a customer visiting London for the Olympics. At the hotel, they use their credit card with a chip-and-PIN machine so that their card is authorised for purchases during their stay. In their hotel room, they make an online banking payment using their laptop. During the evening, another purchase is made via an iPad. Using multichannel advanced authentication, the customer’s bank has verified the chip-and-PIN card transaction, has acknowledged that the customer is in the UK, and monitors subsequent transactions through other channels while taking that first authorised transaction at the hotel into account.
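The risk-scoring and cross-channel correlation described above, and the ATM/POS/online-transfer sequence from the opening section, as an added worked example. This is illustrative code written for this article, not a product implementation; the signal weights, thresholds, channel names, and the two customer scenarios are constructed assumptions, and a real deployment would tune them against its own fraud and friction data.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed weights and thresholds; tune against real loss and friction data.
STEP_UP_THRESHOLD = 30      # at or above: ask for a second factor
BLOCK_THRESHOLD = 70        # at or above: decline and refer to fraud operations
HIGH_VALUE = 2000.0         # single amount or windowed spend treated as high value
HIGH_RISK_CATEGORIES = {"jewellery", "electronics", "money_transfer"}
VELOCITY_WINDOW = timedelta(hours=2)


@dataclass
class Event:
    user: str
    channel: str             # e.g. "chip_and_pin", "atm", "pos", "web", "mobile"
    country: str             # country where the event originated
    device_id: str | None    # None for card-present channels with no device fingerprint
    amount: float
    category: str
    at: datetime
    verified: bool = False   # True once a strong factor (PIN, token) succeeded


@dataclass
class Profile:
    home_country: str
    known_devices: set[str] = field(default_factory=set)
    history: list[Event] = field(default_factory=list)   # events from every channel


def score_event(profile: Profile, ev: Event) -> tuple[int, list[str]]:
    """Combine this event's signals with the customer's recent cross-channel history."""
    score, reasons = 0, []
    recent = [h for h in profile.history if timedelta(0) <= ev.at - h.at <= VELOCITY_WINDOW]
    # A recent strongly verified event in the same country (the hotel chip-and-PIN
    # payment) vouches for the customer's location on other channels.
    vouched = ev.verified or any(h.verified and h.country == ev.country for h in recent)
    if ev.country != profile.home_country and not vouched:
        score += 40; reasons.append("outside home country with no verified presence there")
    if ev.device_id is not None and ev.device_id not in profile.known_devices:
        score += 30; reasons.append("unrecognised device")
    if ev.amount >= HIGH_VALUE:
        score += 20; reasons.append("high value")
    if ev.category in HIGH_RISK_CATEGORIES:
        score += 15; reasons.append("high-risk category")
    # Cross-channel burst: three or more channels in the window with high combined
    # spend. Each event on its own may look ordinary to a siloed channel system.
    channels = {h.channel for h in recent} | {ev.channel}
    total = sum(h.amount for h in recent) + ev.amount
    if len(channels) >= 3 and total >= HIGH_VALUE:
        score += 30; reasons.append("burst across channels")
    return score, reasons


def decide(score: int) -> str:
    if score >= BLOCK_THRESHOLD:
        return "block"
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"


def process(profile: Profile, ev: Event) -> tuple[str, int, list[str]]:
    """Score, decide, and record the event so later channels can see it."""
    score, reasons = score_event(profile, ev)
    profile.history.append(ev)
    return decide(score), score, reasons


def confirm_step_up(profile: Profile, ev: Event) -> None:
    """Customer passed the second factor: mark the event verified and trust the device."""
    ev.verified = True
    if ev.device_id is not None:
        profile.known_devices.add(ev.device_id)


def olympics_scenario() -> list[str]:
    """Travelling customer from the text: hotel chip-and-PIN, laptop payment, then iPad."""
    t0 = datetime(2012, 7, 27, 18, 0)
    alice = Profile(home_country="ZA", known_devices={"laptop-1"})
    actions = [process(alice, Event("alice", "chip_and_pin", "GB", None, 300.0, "hotel", t0, verified=True))[0]]
    actions.append(process(alice, Event("alice", "web", "GB", "laptop-1", 150.0, "bill_payment", t0 + timedelta(minutes=60)))[0])
    ipad = Event("alice", "mobile", "GB", "ipad-1", 80.0, "retail", t0 + timedelta(minutes=90))
    action, _, _ = process(alice, ipad)
    actions.append(action)
    if action == "step_up":
        confirm_step_up(alice, ipad)   # one-time challenge answered; iPad now trusted
    actions.append(process(alice, Event("alice", "mobile", "GB", "ipad-1", 60.0, "retail", t0 + timedelta(minutes=105)))[0])
    return actions   # ["allow", "allow", "step_up", "allow"]


def stolen_card_scenario() -> tuple[int, int]:
    """ATM cash, POS television, then online transfer: siloed score versus correlated score."""
    t0 = datetime(2012, 7, 27, 10, 0)
    bob = Profile(home_country="ZA", known_devices={"phone-bob"})
    process(bob, Event("bob", "atm", "ZA", None, 500.0, "cash", t0, verified=True))
    process(bob, Event("bob", "pos", "ZA", None, 1500.0, "electronics", t0 + timedelta(minutes=30)))
    transfer = Event("bob", "web", "ZA", "unknown-pc", 3000.0, "money_transfer", t0 + timedelta(minutes=60))
    siloed = score_event(Profile(home_country="ZA", known_devices={"phone-bob"}), transfer)[0]
    correlated = score_event(bob, transfer)[0]
    return siloed, correlated   # (65, 95): step-up if siloed, block once channels are correlated


if __name__ == "__main__":
    print(olympics_scenario(), stolen_card_scenario())
```

The two scenarios make the article's point concrete: the verified hotel transaction vouches for the traveller's location, so the laptop and iPad activity stays low-friction (one step-up for the new device, then none), while the stolen-card sequence scores only 65 (step-up) when the online transfer is judged alone but 95 (block) once the ATM and POS events from the other channels are considered together.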
For more information contact CA Southern Africa, +27 (0)11 417 8645, [email protected], www.caafrica.co.za
© Technews Publishing (Pty) Ltd. | All Rights Reserved.