We live in unprecedented times. Criminals know more about the identity of a bank’s customers than the bank.
Due to vast amounts of data available to criminals and their clever ability to masquerade as and manipulate their victims, banks find it increasingly difficult to trust that their clients truly are who they say they are. At the same time, there is tremendous competitive pressure among banks, pushing them to introduce new banking services that increase risk.
The ramifications are far-reaching and impact the services that banks offer; how they secure new services and protect account holders; and how they control operating costs.
The combination of decreasing trust and increasing competitive pressure is forcing banks to realize that new security strategies are required.
Trust suffers through access to personal data
Nearly a billion identities have been exposed since the beginning of 2013. Around the world, 1,355 records are stolen every minute, according to SafeNet. And criminals are using their detailed knowledge of account holder and bank employee identities to commit fraud.
We all see the news about new strains of malware, data breaches, credential compromises, email mining, and new fraud tactics one at a time. But they are additive.
When taken together, including what people willingly share on social networks, criminals have an unprecedented amount of data about account holders and employees. Data is further expanded and identities patiently fleshed out over time by data-stealing malware and clever social engineering techniques applied against banks’ clients as well as call center agents. While the media focuses primarily on credit card data, criminals compile detailed dossiers on their victims.
To monetize the data, criminals choose from two paths. First, they may use it to commit banking fraud themselves, having all of the necessary credentials and answers to authenticate and initiate payments. Alternatively, they sell the data in the criminal underground.
Trust is further eroded by victims being tricked or manipulated into doing something that benefits the perpetrator. Recent examples include criminals using compromised business email accounts to submit fake vendor invoices that fool accounts payable staff into paying them, and compromising a CFO’s email account and using it to direct the controller to send a wire to the fraudster’s account.
Competitive pressures raise risks
There is tremendous pressure on banks to expand services to stay competitive, improve the customer experience, reduce friction, and avoid customer churn. Banking customers are demanding speed, simplicity, convenience, and security.
Said differently, they want to manage their money and payments now, they want it easy, they want it everywhere, and they want it safe.
Banks are pushed to adopt innovations in online banking, mobile banking, and payments, including RDC, P2P, bill pay, mobile payments, straight-through wires, higher limits, faster ACH processing, and global payments. New services plus convenience and the overall customer experience are paramount to competitiveness, growth, and client retention.
Expanding services, however, creates new opportunities for fraud in an environment in which risk is already at a historically high level.
Impact of loss of trust on new services
Many financial institutions weaken their competitive position by holding back on capabilities due to concerns over trust and security. They may scale back the speed and depth of products and services they offer; constrain the size of the audience allowed to use new capabilities; or limit planned service level improvements.
Or, to increase competitiveness, institutions push forward with new capabilities. Mitigating the risk associated with new services has historically meant expanding internal operations, placing yet another burden on account holders, or a combination of the two.
Many banks simply throw bodies at the problem and end up taking on significant operational costs. Hiring staff to actively monitor transactions and accounts and place confirmation calls racks up costs in personnel and overtime.
Alternatively, banks force new security measures onto account holders. The gates that banks put in place—such as endpoint protection, positive pay, multi-factor authentication/knowledge-based authentication, out-of-band authentication, tokens, call backs, dual controls, and so on—create friction, impact overall convenience, and ultimately take an emotional toll on account holders. Every transaction now carries the weight of time, inconvenience, and effort.
Banks face an overall loss of control consisting of pressure to offer new products, declining trust regarding who is accessing accounts, and escalating operating costs, all while the customer experience deteriorates. Locking down systems to mitigate risk will lower customer satisfaction levels at a time when improved competitiveness is key.
Institutions’ unique advantage over criminals: behavior
This isn’t an authentication problem, or a device problem, or a manual review problem. These measures have been defeated, and simply doing more of the same will neither prevent fraud nor reverse declining trust. The threat landscape and the competitive marketplace place new requirements on security strategies. Banks need a different approach to validating that users are who they say they are and that their actions are not being driven by criminal manipulation.
While banks can’t rely on identity information, they do have an asset the criminals don’t have—a rich account holder history of interactions with the institution. Account holder behavior is an institution’s greatest asset in its fight to prevent fraud.
Each individual customer has his or her own unique banking behavior, consisting of a detailed, multi-faceted combination of timing, sequence, channels and the financial and non-financial activities performed via those channels. In any fraud attack, the criminal will do something unusual or suspicious relative to typical or expected client behavior.
Behavioral analytics solutions are designed to understand normal behavior of each individual account holder, calculate the risk of each new activity, and then choose intervention methods commensurate with the risk.
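The three steps just described (learn each account holder's normal behavior, score each new activity, pick an intervention commensurate with the risk) can be sketched as follows. This is an added illustration, not code from the author or from any vendor's product; the features used (timing, channel, activity type, amount), the equal weighting, the thresholds, and the sample history are all assumptions constructed for the example.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed history for one account holder: (hour_of_day, channel, activity, amount)
HISTORY = [
    (9, "online", "bill_pay", 120.0), (10, "online", "bill_pay", 95.0),
    (9, "mobile", "balance_check", 0.0), (11, "online", "ach", 400.0),
    (10, "online", "bill_pay", 110.0), (9, "mobile", "balance_check", 0.0),
    (14, "online", "ach", 380.0), (10, "online", "bill_pay", 130.0),
]

def build_profile(history):
    """Step 1: summarise this account's normal timing, channels, activities and amounts."""
    amounts = [amt for *_, amt in history if amt > 0]
    return {
        "n": len(history),
        "hour": Counter(h for h, *_ in history),
        "channel": Counter(c for _, c, *_ in history),
        "activity": Counter(a for _, _, a, _ in history),
        "amt_mean": mean(amounts),
        "amt_sd": pstdev(amounts) or 1.0,  # avoid division by zero on flat history
    }

def rarity(counter, value, n):
    """1.0 for a value never seen on this account, near 0 for its most habitual one."""
    return 1.0 - counter[value] / n

def risk_score(profile, event):
    """Step 2: score a new activity in [0, 1] relative to this account's own baseline."""
    hour, channel, activity, amount = event
    n = profile["n"]
    # Timing: treat the hour before and after a habitual hour as familiar too.
    seen = sum(profile["hour"][h % 24] for h in (hour - 1, hour, hour + 1))
    timing = 1.0 - min(seen / n, 1.0)
    # Amount: only unusually large values add risk; saturate at 4 standard deviations.
    z = max(0.0, (amount - profile["amt_mean"]) / profile["amt_sd"])
    parts = [timing, rarity(profile["channel"], channel, n),
             rarity(profile["activity"], activity, n), min(z / 4.0, 1.0)]
    return sum(parts) / len(parts)  # equal weights are an assumption

def intervention(score):
    """Step 3: intervention commensurate with risk (thresholds are illustrative)."""
    if score < 0.35:
        return "allow"
    if score < 0.65:
        return "step_up_auth"
    return "hold_for_review"

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for ev in [(10, "online", "bill_pay", 115.0), (10, "mobile", "ach", 450.0),
               (3, "online", "wire", 9500.0)]:
        s = risk_score(profile, ev)
        print(ev, round(s, 3), intervention(s))
```

Because the baseline is per account, a 3 a.m. wire is scored against this customer's own history rather than a bank-wide rule, and habitual activity passes with no added friction.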
By using behavioral analytics to detect suspicious activity, banks will once again know when a user is legitimate (and engaged in legitimate activity) and not an imposter. Banks will regain control over trust because while fraudsters can worm their way past any identity-based authentication control, they can’t fully mimic the behavior of their victims.
Unprecedented times call for unprecedented action. Banks using behavioral analytics can prevent banking fraud and mitigate the risks associated with expanded services, turning this data-induced identity crisis into improved competitiveness and customer loyalty.
About the author
Craig Priess is vice-president of Guardian Analytics, which he founded in 2005, introducing the industry's first individual behavior-based fraud prevention solution. He leads the company's fraud prevention product and service innovations. He also directs the company's Fraud Intelligence and Analyst teams, producing unique insights into fraud trends and fraud prevention best practices. Priess is a member of the NACHA Internet Council, the Association of Financial Technology, and FS-ISAC.