When Identity Authentication Isn’t Enough
Identity authentication, traditionally based on a customer’s self-identified personal information (name, address, phone, e-mail, Social Security Number, and more), no longer provides an ample defense against online and mobile fraud.
Consumer use of digital channels (mobile and online) is increasing rapidly. While one-third of digital consumption in the U.S. is currently mobile, industry analysts predict that by 2015, the number of digital banking transactions will outnumber branch transactions 300-to-1. Gartner further predicts that mobile payment transaction volumes will grow 42% annually through 2016, reaching $617 billion with 448 million users.
This tremendous growth in online transactions is driving a corresponding increase in online fraud, from account takeover and chargebacks to money laundering, insufficient funds and credit card fraud. On the credit card front, the U.S. move to the Europay, MasterCard and Visa (EMV) global standard for integrated circuit cards (“chip cards”)—which protect against fraud by sending a dynamic value with every transaction—is expected to shift fraudsters’ focus from counterfeit cards to areas like card-not-present transactions. Social media, coupled with online communities such as dating sites, also lets bad actors piece together stolen identities in short order.
Mobile Presents New Headaches
There are a host of new fraud prevention challenges tied to the rise of mobile. Dynamic IP addresses make collection of the reported IP address an ineffective means of identifying a tablet or smartphone. Fraudsters also intentionally spoof IP addresses, often changing them for each transaction. Mobile devices mean frequent changes in geolocation, often not matching an address of record. Velocity has increased, too, with sophisticated fraudsters working together from points around the globe to perpetrate rapid attacks.
Don’t Sacrifice the Customer Experience
Increased fraud losses, coupled with regulatory requirements such as the FFIEC guidance and discussion on layering complex device identification into a defense-in-depth strategy, force financial institutions to send more and more transactions for review by the fraud team. Beware: every transaction or application that you queue for manual review and then end up approving (a false positive) has a negative and measurable impact on your customer experience. So how can you control fraud AND protect the customer experience?
Device Identification vs. Device Reputation
Savvy fraud analysts have begun to incorporate device identification into their fraud prevention arsenal at key points of customer interaction. In the world of financial services, examples might include protection of credit card applications, account registrations, online banking transactions, account logins, or account maintenance like a password change request.
But is device identification enough? Device ID—based on tracking cookies or tokens, or collecting IP addresses—can tell you limited information about the customer’s device, such as geolocation, the IP address they choose to report, and details of the browser in use. While this is a great addition to other techniques that verify personal information provided by online customers, it is not safe to assume you’ve “got it covered.” A broader view, the device reputation, is needed to bring the picture into focus.
So what is device reputation, and how is it different? Device reputation is a much more comprehensive risk assessment of the Internet-enabled device being used in a given transaction.
Device reputation incorporates four key components:
- Unique Device Identification: Based on hardware, software, and network components, precisely which tablet, mobile phone, laptop or other device is in use? As part of device reputation, unique device identification and fingerprinting take a deeper dive than traditional device identification, uniquely recognizing (or re-recognizing) a device to know whether it is one you have seen before. It also reveals the true location of the device, including physical geolocation and the real IP address (not just the stated one) as determined by proxy piercing.
- History of Fraud: Has evidence of fraud been placed against this device in the past? Within financial services, iovation subscribers typically see a 4x increase in Deny recommendations when they consider shared data. Fraud evidence placed in industries such as retail, insurance, gambling and social communities is important too, since bad devices are nearly twice as likely to be seen by other online sites.
- Associations: Beyond direct evidence of fraud, device reputation technology can also use the device layer to connect events that might otherwise seem unrelated, even detecting fraud rings. This web of associated devices can prevent huge fraud losses down the road from accounts that individually appear to be good.
- Anomalies: Once you have access to extensive device intelligence, it is important to examine it through the lens of your own company’s policies, experience and tolerance for risk. Setting up automated, customized business rules allows you to do this very efficiently, flagging transactions that are out-of-bounds. For example, is there a mismatch in device details like geolocation and time zone? Does activity associated with the device exceed predefined velocity thresholds, such as opening more than three accounts in a week? Is the geolocation of the device on a country watch list?
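The three anomaly checks named in the last bullet, written as automated rules over constructed events. This is an added example, not iovation's code; the event field names, the UTC-offset table and the `ZZ` watch-list entry are assumptions, and only the three-accounts-per-week threshold comes from the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_ACCOUNTS_PER_WEEK = 3      # the article's example threshold
COUNTRY_WATCHLIST = {"ZZ"}     # placeholder country code, not a real policy
# Constructed table: UTC offsets (hours) plausible for each country.
COUNTRY_UTC_OFFSETS = {"US": set(range(-10, -3)), "DE": {1, 2}, "ZZ": {0}}

def evaluate(event, prior):
    """Return the rules that fire; prior = earlier events from the same device."""
    flags = []
    expected = COUNTRY_UTC_OFFSETS.get(event["geo_country"])
    # Mismatch: the device clock disagrees with where the device geolocates.
    if expected is not None and event["tz_offset"] not in expected:
        flags.append("geo_timezone_mismatch")
    # Velocity: account openings from this device in the trailing 7 days.
    if event["action"] == "account_open":
        start = event["ts"] - timedelta(days=7)
        opened = 1 + sum(1 for p in prior
                         if p["action"] == "account_open" and p["ts"] > start)
        if opened > MAX_ACCOUNTS_PER_WEEK:
            flags.append("velocity_exceeded")
    if event["geo_country"] in COUNTRY_WATCHLIST:
        flags.append("country_watchlist")
    return flags

def review_queue(events):
    """Map event id -> fired rules; unflagged events skip manual review."""
    by_device, flagged = defaultdict(list), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        flags = evaluate(ev, by_device[ev["device_id"]])
        if flags:
            flagged[ev["id"]] = flags
        by_device[ev["device_id"]].append(ev)
    return flagged

def _ev(i, dev, day, action, country, tz):
    return {"id": i, "device_id": dev, "ts": datetime(2024, 1, day),
            "action": action, "geo_country": country, "tz_offset": tz}

# Constructed sample events (all January 2024).
SAMPLE = [
    _ev(1, "dev-A", 1, "account_open", "US", -5),
    _ev(2, "dev-A", 2, "account_open", "US", -5),
    _ev(3, "dev-A", 3, "account_open", "US", -5),
    _ev(4, "dev-A", 5, "account_open", "US", -5),   # fourth opening in a week
    _ev(5, "dev-B", 4, "login", "DE", -8),          # clock set to a US offset
    _ev(6, "dev-C", 4, "login", "ZZ", 0),           # watch-listed location
    _ev(7, "dev-D", 6, "login", "US", -8),          # nothing out of bounds
    _ev(8, "dev-A", 20, "account_open", "US", -5),  # outside the 7-day window
]
```

`review_queue(SAMPLE)` flags events 4, 5 and 6 and lets the other five through without manual review.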
Take a Multi-tier Approach
Include device reputation analysis in your automated process to create a multi-tier fraud prevention strategy. This reduces the number of false positives sent to your fraud team for manual review, decreases review queues and associated operational costs, improves the customer experience, and reduces overall fraud losses.
At iovation, our ReputationManager 360 service provides an industry-leading combination of advanced device recognition, shared device reputation and real-time risk evaluation, stopping more than 150,000 fraud attempts around the world every day.