How financial services companies are using technology to fight the fraudsters [Q&A]
Account takeover attacks and online fraud of all types have skyrocketed during the pandemic as consumers have shifted almost all of their most important transactions to digital channels.
We spoke to David Vergara, senior director of security product marketing at anti-fraud and digital identity solutions company OneSpan, to discover more about the emerging technologies that banks are beginning to use in the fight against fraud, including artificial intelligence, real-time risk analytics and behavioral biometrics.
BN: What sort of factors feed in to being able to spot a potential fraud?
DV: It's about context because if you look at today's world a wave of consumers have really pivoted almost exclusively to online and mobile channels. The fraudsters and cybercriminals, they follow the path of least resistance, they look for weakness in those channels to be able to exploit. So of course fraud has gone up exponentially in these channels, account takeover attacks have increased 72 percent, phishing is up 600 percent since the start of the pandemic.
The reality is that, just from a historical perspective, the banks really have had to rely on a number of legacy technologies to try to manage fraud, which clearly is not working today because those technologies were essentially geared towards leveraging rules. Rules are very powerful and banks have used them for a long time and continue to use them and expand them, but they're exceptionally good at spotting known fraud. If we fast forward to today where the velocity, the innovation around the attacks that are happening is occurring almost instantly, you're seeing new types of attacks come up daily. The rules are not designed to be able to attack those emerging fraud techniques.
Our solution actually employs a set of pre-configured rules that the banks leverage, but it's also marrying that with a sophisticated analytics engine. That includes machine learning, and the reason that that's important is that now you're able to still get the benefits of using those raw rules to detect fraud, but now you're actually leveraging machine learning to look for anomalous patterns that are indicative of fraud and use real-time scoring. This means they can manage and stop fraud in real time before they actually take a hit.
BN: How does the use of AI play a part?
DV: We use both unsupervised and supervised sets of models, which not every vendor does. The unsupervised model is looking to detect patterns in the data and trying to analyze them to try to spot anomalies, but those anomalies may or may not be fraud. By combining supervised machine learning we're able to increase the accuracy of those models. That's important because when banks are starting out they're not going to have a lot of access to, or may not have a lot of data, on fraud events, but they still need to understand what looks a bit odd or anomalous.
What's also important is that a number of technologies and platforms out there operate in near real time, or even in batch mode, but are not truly operating in real time. It's absolutely critical to be able to consume vast amounts of disparate data across those digital channels, whether it's online, whether it's mobile, and to be able to do that in true real time, because those scores will ultimately dictate the type of security that is utilized and applied in a specific case.
BN: How does this affect the user experience for the customer?
DV: If you're operating within your normal parameters of behavior you're not having any additional security measures taking place, it's seamless, so you have a great user experience as a bank customer. You can operate normally without any additional friction or security measures. But if something unique happens, based on what that risk score is, this could be any characteristics such as location, the funds amount, or if the device has been jailbroken or rooted -- there are literally thousands of data points that we consume across the user's behavior -- that's where we will start to ratchet up the level of security so if you authenticated originally with facial recognition, maybe in a higher risk transaction that's going to require a PIN or fingerprint or something else too.
We're using very basic examples here but they get to be much more sophisticated, so for example, some data elements that are consumed within our platform include behavioral biometrics. You're talking about literally dozens of data points that include the angle I'm holding my phone, the pressure with which I touched my screen, the swipe patterns that are unique to me and so on.
BN: How much of a pandemic effect has there been in terms of the level of threats?
DV: There's really been two waves, one of which was the immediate knee-jerk reaction to the pandemic and this shift to remote work. So, how can we support our employees and be able to get them securely working remotely? Obviously, that's more of an enterprise security consideration.
The second wave, which has been overlapping in parallel, has been how do we support this fully digital kind of experience for our customers? Obviously some of that pain has been different based on whether you have been operating as a challenger bank or a fully digital bank, or have you been operating some larger legacy security platform-oriented banking institution. But I would say that there's a common thread that businesses in this position are looking for ways to optimize and figure out how to offer better incorporate security technologies for their customers.
BN: Will security become a selling point for banks and financial organizations, so they'll need to show that they're taking these sorts of measures in order to be able to retain customers?
DV: It's an interesting point about evangelizing and promoting the security measures they're taking. I guess the lowest common denominator in this equation is in the end that they're looking at business growth. And business growth is really about user experience, so wherever you can remove friction from it you naturally are going to increase your business. A lot of the research that I've seen indicates that banks have had an unwillingness to sacrifice user experience in order to mitigate or manage fraud.
We offer technology that provides for secure transactions called Cronto. Essentially, it's a color QR-like code and that code actually operates to encrypt details of a transaction. That includes the date and all this other stuff where, as the bank customer, you look to validate yes, this is the amount and this is the transfer that has been made, and you authorize that just by scanning that code on your screen. What we're seeing and what we're hearing from our customers is that unique colored QR code is an indicator that the bank is taking an additional step for securing the transaction.