Taking on Fraud: Part Two
In the first part of our series, we uncovered a multitude of statistics regarding the very real fraud threats that financial institutions, consumers, and merchants face on a daily basis. For part two, we spoke with several fraud experts to gain their perspectives on the most significant threats, gaps in protection, and strategies to navigate the multitude of ways fraudsters are taking advantage of our financial system.
Jason Malo, senior executive advisor for CEB, shared that changes in the fraud landscape over the past several years signal we must place a renewed focus on security. “Don’t alarm the customer” was the mantra as little as five years ago, but now consumers are very aware of the problem because breaches are so highly publicized, and they’re looking to their financial institutions to better protect them. The good news is that mobile devices have now solved a distribution challenge and provided a cost-effective channel for getting enhanced security into consumers’ hands, while advancements in analytics allow banks to assess fraud transactionally.
Malo believes the idea of a “frictionless” customer experience is now an outdated and overreaching goal in effective fraud protection. He said it is not only okay but advisable to engage customers, because they want two things from their bank: access to their money and protection of that money. But he advises that the pendulum shouldn’t swing all the way back either. Security experiences should be tailored to the transactional risk at hand, and they should be relevant and easy to deal with.
Further, different fraud management and customer engagement strategies should be aware of one another and take a cross-channel perspective. For example, voice biometrics is helping with call center fraud but it isn’t necessarily integrated with other channels. Fraudsters will simply move to another channel if they aren’t successful in one. The most effective strategies will be those where information about known fraudsters is shared.
“At one time the focus on fraud was almost entirely online; we have a broader awareness now. There are a lot of entry points for consumers, but there are an equal number for criminals. We have to be able to identify criminals in the same way we authenticate customers and share that knowledge across the enterprise,” said Malo.
The pace of cybercrime and the lack of deterrents to those behind the crime are two of the biggest fraud threats facing the financial industry today, according to Julie Conroy, research director for Aite’s Retail Banking practice.
Banks today are walking a line between customer experience and security. Multi-factor authentication is common globally; consumers in Europe and Australia are well-trained to expect one-time password prompts at the time of login or high-risk transactions. Not so much here in the U.S., where banks have a strong preference for keeping security mechanisms behind the scenes. The reason? They worry about the customer experience being too clunky.
An interesting example of the extremes of friction-avoidance: Many merchants don’t even want to ask consumers to input their CVV2 codes because they perceive it as too much friction. Some issuers won’t decline a transaction due to a CVV2 mismatch, because they believe it isn’t predictive, since consumers so frequently enter it incorrectly.
“We have trained our consumers to expect zero friction and criminals are taking advantage of that,” says Conroy. “It’s a double-edged sword. The customer gets a great experience but criminals are sitting on breached data longer and longer. This includes PII as well as stolen card data. While consumers don’t have a lot of skin in the game when it comes to card security, we’re seeing a rising tide of application fraud using stolen identities that is very painful from the perspective of the victim.”
Conroy says a layered security approach is realistically the model we need, and some forward-thinking banks are already doing this. Robust security measures that take into account both consumer behavior and device recognition are highly effective. Depending on the transaction, and the likelihood it is fraud, banks could add a one-time access code for increased security.
“The U.S. is the largest, most fragmented, most competitive financial market in the world. When FI executives are asked what is driving their investments, customer experience is at the top of the list. There is a lot of tension between making it easier for customers and increasing security,” adds Conroy.
iovation, a provider of device intelligence for authentication and fraud prevention, says dated, password-based security is falling short, leaving financial services organizations to cope with growing account takeover, new account fraud, and Card Not Present (CNP) fraud.
This is supported by the rising frequency of data breaches across the board and a Javelin report that predicts a rise in losses from data breaches to $8 billion by 2018, with much of that loss driven by a 60% jump in account takeover and new account fraud.
“There are several key touch points of attack along the customer journey where fraud can happen, including login, account creation, account management and online purchases. Unfortunately, passwords and other forms of user-submitted data can be easily compromised following a data breach, and, as a result, are often grossly ineffective in combating fraud at these points,” said Max Anhoury, VP of Global Partnerships for iovation.
When data breaches are the driver of attacks, device intelligence plays an even more important role, especially if its insights are independent of the user-submitted data. “Understanding the risk associated with a device both across your organization as well as other online businesses can help you identify fraud history and other significant risk elements,” said Anhoury.
Banking and cybersecurity expert Ben Lawsky concurs. In a recent interview with CNBC, he warned of the potential for a really bad cyberattack, encouraging banks to move away from a username and password model and toward multifactor authentication.
“If you sign onto your bank account and your bank doesn’t ask you for a second identifier beyond your password that’s randomly generated at that time and sent to your phone, you should be worried. And you should be worried about waking up tomorrow and looking at your bank account and maybe your money’s gone,” says Lawsky.
The fight against fraud needs to get fierce. This means higher engagement with consumers as partners with their financial institutions to keep their money and identities safe. A little bit of friction to save a lot of headache doesn’t seem like a bad trade-off.