Edwardcher is a highly skilled digital security expert and avid technologist with an instinctive passion for finding pragmatic technologies to solve practical problems. He has over two decades' worth of experience in the trenches developing software and delivering solutions and services to the military, telecoms, banks, enterprises and government, with a focus on NFC, TSM and mobile financial services built on PKI, risk management and strong authentication.
With the recent rise in banking fraud cases globally, consumer access control has gained a lot of attention. The Reserve Bank of India's 2020-21 report recorded a marked increase in frauds at private sector banks (PVBs), both in the number of cases and in the amounts involved. Many of these incidents could have been stopped at the first step with Strong Customer Authentication (SCA) and fraud prevention controls, and a growing number of banks are now putting preventive measures in place to limit phishing, identity theft and similar frauds.
Banks with a defence-in-depth (DID) strategy treat authentication as one layer of a broader risk management ecosystem, in which artificial intelligence (AI) and behavioural biometrics identify threats and limit exposure. This lets a bank safeguard its customers' assets, including their online identities, before a loss occurs. Let's look at some practices banks can draw from this ecosystem to secure financial transactions.
Who has requested this transaction?
Security measures begin with simple and intuitive yet safe authentication.
SCA regulations, which require customers to prove who they are with two independent factors drawn from something they know, something they have and something they are, have driven financial institutions to upgrade their authentication. Even so, some institutions still rely on weak methods to log in or sign transactions. According to a 2021 survey, the leading mechanism among such organisations was a one-time code sent by SMS, despite its known weaknesses: the code can be phished, and the phone number itself can be hijacked by SIM swapping. Older methods, such as secret questions and email-based password resets, also remain in use.
Push authentication, in which the customer's phone acts as the second factor for multi-factor authentication (MFA), is a more secure and more usable way to protect logins and financial transactions. Enrolment binds a cryptographic key to the specific device, so an approval can only come from that device, and impersonation requires physical control of it (or malware running on it). The user experience is simple: instead of reading an OTP from an SMS and retyping it, the customer receives a notification and taps one of two options, "accept" or "reject". Two details decide whether this is actually strong. The prompt must display the transaction it approves (payee and amount), and the signature must cover those details, so that an approval cannot be redirected to a different transfer. And because attackers can flood a victim with prompts until one is accepted by mistake, the bank should rate-limit prompts and treat a run of rejections as a fraud signal rather than a nuisance.
SCA, however, is only one piece of the fraud-prevention puzzle.
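As an added illustration (not code from the original article or its author) of what binding a key to a specific device and signing the displayed transaction look like, the Go program below models an enrolled device that signs exactly the payee and amount it shows, and a bank server that verifies the approval only against the challenge it issued itself. The customer name, payee names, amounts and the two-minute expiry are assumptions made for the example; a real deployment keeps the private key in the phone's secure element or OS keystore rather than in process memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Challenge is what the bank pushes to the enrolled device. It binds the
// approval to one transaction (payee, amount) and to a single-use nonce.
type Challenge struct {
	TxID   string
	Payee  string
	Amount int64 // paise, the smallest unit, to avoid float rounding
	Nonce  [16]byte
	Expiry time.Time
}

// Bytes is the canonical encoding the device signs and the server verifies.
// Production code would use a length-prefixed encoding, not a '|' separator.
func (c Challenge) Bytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%x|%d",
		c.TxID, c.Payee, c.Amount, c.Nonce[:], c.Expiry.Unix()))
}

// Device models the customer's phone; the private key never leaves it.
type Device struct{ Key ed25519.PrivateKey }

// Approve shows the transaction to the user and, only on "accept", signs
// exactly the challenge that was shown. A reject produces no signature.
func (d Device) Approve(c Challenge, accept bool) ([]byte, bool) {
	if !accept {
		return nil, false
	}
	return ed25519.Sign(d.Key, c.Bytes()), true
}

// Server keeps the enrolled device keys and the challenges it has issued.
type Server struct {
	pubs    map[string]ed25519.PublicKey // customer -> enrolled device key
	pending map[string]Challenge         // transaction ID -> issued challenge
}

func NewServer() *Server {
	return &Server{pubs: map[string]ed25519.PublicKey{}, pending: map[string]Challenge{}}
}

// Enrol records the device's public key; done once when the app is set up.
func (s *Server) Enrol(customer string, pub ed25519.PublicKey) { s.pubs[customer] = pub }

// Issue creates and stores the challenge for a pending transaction.
func (s *Server) Issue(txID, payee string, amount int64, now time.Time) (Challenge, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return Challenge{}, err
	}
	c := Challenge{TxID: txID, Payee: payee, Amount: amount, Nonce: n, Expiry: now.Add(2 * time.Minute)}
	s.pending[txID] = c
	return c, nil
}

// Verify accepts an approval only if it verifies under the enrolled key over
// the challenge the server itself issued (never a copy supplied by the
// client) and that challenge is still inside its validity window. A verified
// challenge is removed, so the same approval cannot be replayed.
func (s *Server) Verify(customer, txID string, sig []byte, now time.Time) error {
	pub, ok := s.pubs[customer]
	if !ok {
		return errors.New("no enrolled device for customer")
	}
	c, ok := s.pending[txID]
	if !ok {
		return errors.New("unknown or already completed transaction")
	}
	if now.After(c.Expiry) {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(pub, c.Bytes(), sig) {
		return errors.New("signature does not match the issued challenge")
	}
	delete(s.pending, txID)
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv, dev, now := NewServer(), Device{Key: priv}, time.Now()
	srv.Enrol("alice", pub) // constructed customer for the example
	c, _ := srv.Issue("tx-1", "ACME Ltd", 500000, now) // INR 5,000.00
	sig, _ := dev.Approve(c, true)
	fmt.Println("genuine approval:", srv.Verify("alice", "tx-1", sig, now))
	fmt.Println("replayed approval:", srv.Verify("alice", "tx-1", sig, now))
	srv.Issue("tx-2", "Mule Account", 500000, now) // fraudster's own transfer
	fmt.Println("approval moved to tx-2:", srv.Verify("alice", "tx-2", sig, now))
}
```

The point of the design is that the server never trusts a challenge presented by the client: it looks up what it issued for that transaction ID, so an approval captured from one transfer cannot be reused for another, and a device that was shown a tampered copy of the challenge produces a signature the server rejects.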
Connecting the dots between actions and identities
Behavioural biometrics and payment-transaction data can be combined into a behavioural profile of each user. Patterns such as how the user types, swipes and handles the device help detect unusual login and transaction attempts that credential-based authentication alone would miss. The idea is to complement the point-in-time check (what we know, what we have and who we are) with this continuous signal to prevent bank fraud.
To support quick decisions, banks can run risk management and fraud prevention systems on their internet and mobile channels that assess each session continuously, in real time. These systems collect data points that are trivial on their own but, aggregated, give a picture of risk across the whole user journey.
Here are a few examples:
- The operating system and version the device is running
- Whether the device is connected through a VPN or shows signs of malware infection
- The IP address and geolocation of each login attempt
- A device fingerprint built from many attributes, from language settings and installed fonts to the number of contacts in the address book, so that the profile is distinct to one device
- Payment transactions whose characteristics suggest fraud
The transactional context also matters once a user is logged in: checking a balance and sending money do not carry the same risk. The system can measure how far each action deviates from the user's usual behaviour and respond in proportion.
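The Go program below is an added example, not code from the original article or from any vendor's product, showing how the data points listed above can be combined into one risk score and a decision that depends on the action being attempted. The customer profile, the events, the signal weights and the thresholds are all constructed for the illustration; a production system would learn them from the bank's own fraud data.

```go
package main

import (
	"fmt"
	"math"
)

// Profile is what the bank has learned about one customer over past sessions.
type Profile struct {
	KnownDevices   map[string]bool // device fingerprints seen before
	KnownCountries map[string]bool // countries of earlier logins
	KnownPayees    map[string]bool // payees paid before
	MeanAmount     float64         // mean of past transfer amounts
	StdDevAmount   float64         // their standard deviation
	TypingCPM      float64         // usual typing speed, characters per minute
}

// Event is one login plus the action attempted, built from the data points
// listed above: fingerprint, geolocation, VPN, malware, behaviour, transaction.
type Event struct {
	DeviceFingerprint string
	Country           string
	ViaVPN            bool
	MalwareDetected   bool
	TypingCPM         float64
	Action            string // "balance" or "transfer"
	Payee             string
	Amount            float64
}

type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step-up" // require a push approval before proceeding
	Deny   Decision = "deny"
)

// Score sums weighted signals. Each is weak on its own; together they separate
// the customer's usual pattern from an anomaly. Weights are illustrative only.
func Score(p Profile, e Event) (int, []string) {
	score, reasons := 0, []string{}
	add := func(pts int, why string) { score += pts; reasons = append(reasons, why) }
	if e.MalwareDetected {
		add(100, "malware detected on device")
	}
	if !p.KnownDevices[e.DeviceFingerprint] {
		add(30, "unknown device fingerprint")
	}
	if !p.KnownCountries[e.Country] {
		add(25, "login from a country not seen before")
	}
	if e.ViaVPN {
		add(10, "connected through a VPN")
	}
	if p.TypingCPM > 0 && math.Abs(e.TypingCPM-p.TypingCPM)/p.TypingCPM > 0.5 {
		add(20, "typing rhythm differs from the customer's usual")
	}
	if e.Action == "transfer" {
		if !p.KnownPayees[e.Payee] {
			add(15, "first payment to this payee")
		}
		if p.StdDevAmount > 0 {
			if z := (e.Amount - p.MeanAmount) / p.StdDevAmount; z > 3 {
				add(30, fmt.Sprintf("amount is %.1f standard deviations above usual", z))
			}
		}
	}
	return score, reasons
}

// Decide applies thresholds that depend on the action: a balance enquiry is
// low impact and tolerates more deviation; a transfer steps up sooner.
func Decide(score int, action string) Decision {
	stepUp, deny := 40, 80
	if action == "transfer" {
		stepUp, deny = 25, 60
	}
	switch {
	case score >= deny:
		return Deny
	case score >= stepUp:
		return StepUp
	default:
		return Allow
	}
}

// Assess is the single call the channel makes for each login or action.
func Assess(p Profile, e Event) (Decision, []string) {
	s, why := Score(p, e)
	return Decide(s, e.Action), why
}

func main() { // constructed profile and events for the example
	alice := Profile{KnownDevices: map[string]bool{"fp-alice-phone": true},
		KnownCountries: map[string]bool{"IN": true}, KnownPayees: map[string]bool{"Landlord": true},
		MeanAmount: 8000, StdDevAmount: 2000, TypingCPM: 240}
	e := Event{DeviceFingerprint: "fp-unknown", Country: "IN", TypingCPM: 230, Action: "balance"}
	fmt.Println(Assess(alice, e)) // allow: unknown device, but only reading a balance
	e.Action, e.Payee, e.Amount = "transfer", "Landlord", 9000
	fmt.Println(Assess(alice, e)) // step-up: same device, but now moving money
}
```

The reasons returned alongside the decision are what an analyst or the customer-facing message needs: a step-up can say which signal triggered it, and a denied takeover attempt (new device, new country, VPN, different typing rhythm, unknown payee, unusually large amount) carries every contributing signal for later investigation.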
Advantages of being proactive
When banks combine SCA with risk management and fraud prevention systems that flag suspicious transactions early, they and other financial services providers can stay one or more steps ahead of the fraudsters. Here are some of the most common techniques used to commit bank fraud:
- Phishing attacks: the attacker poses as a legitimate institution by email, phone or text message to trick individuals into handing over sensitive data such as personally identifiable information, online banking details and passwords.
- Account takeover: a criminal logs in with stolen usernames and passwords, mostly bought in bulk credential lists on the dark web, and takes control of the victim's online accounts.
- Social engineering and scams: social engineering works through human interaction, manipulating the victim into disclosing sensitive information or making a security mistake so that the attacker can steal their money or identity.
- SIM swapping: attackers gather personal information about the victim, persuade the mobile operator to move the victim's number to a SIM they control, and thereby receive all of the victim's incoming calls and text messages. Because SMS one-time codes then arrive on the attacker's handset, SIM swaps are particularly effective at bypassing SMS-based MFA; swappers stole more than $100 million in the United States alone last year.
Fraudsters and cybercriminals will always be part of digital banking. Banks and financial institutions need to understand and implement the right technology proactively, not only to maximise user experience but also to protect their reputation and keep risk low. With a full end-to-end consumer authentication journey, we can play a crucial role in detecting and preventing fraud and, above all, in securing customers' hard-earned money.