How Can Banks Mitigate the Risks of Consumers’ Poor Cyber Hygiene Practices?
80% of UK residents now regularly use online banking, a figure that has risen considerably over the last 12 months as consumers have adjusted to pandemic-related branch closures and social distancing measures. Unfortunately, fraudsters too have adapted. UK Finance reports that the frequency of impersonation scams rose by 84% in the first half of 2020, compared to the same period in 2019.
For instance, an astonishing 15% of the UK population use their pet’s name as a password and 6% of people are still using the word “password” as all or part of theirs. Plus, the majority of UK residents still have the same password for most, or even all, of their online accounts.
With digital identity hygiene practices still woefully behind the pace of digital change, fraudsters are gaining access to more highly sensitive information about their customers. This allows criminals to build extremely detailed personal profiles for sophisticated social engineering attacks. With banking and financial digital platforms at the fingertips of the majority of the UK population today, it’s all too easy to unwittingly transfer funds or hand over account access.
Therefore, every bank and financial institution needs to deploy every tool at their disposal to protect customers who are relying on their digital platforms. Aside from educating consumers, what can they do to accurately verify a customer’s identity and offer them a secure banking experience?
Digital identity verification
With the explosion of remote banking, and data breaches exposing increasing amounts of personal information online, relying on manual identity verification methods, such as coming into a branch with ID or sending a scanned copy, is less and less feasible for banks.
Not only is manual identity verification risky from a security perspective, but it also harms the customer experience in a way that many find unacceptable. From online shopping to gaining academic qualifications virtually, younger consumers are already used to living digitally and have little appetite for navigating the legacy systems of many banks and financial institutions.
Digital identity document verification solutions – using one’s smartphone camera to take a live image of an identity document – present an alternative to manual verification methods. For added security, this can be combined with biometric identity verification. Driven by artificial intelligence (AI) and machine learning, biometric verification compares a live selfie to an image presented in an identity document. Liveness detection techniques, such as asking the taker to smile, help to pick up spoofing attacks like videos, face masks, or images of photos.
For the consumer, digital identity document verification makes the experience of verifying their identity quick and simple – and for banks, it reduces abandonment rates. Moreover, the technology speeds up account opening, lending and financing, while protecting against fraud.
Authenticate, adapt, overcome
Relying on knowledge-based questions when authenticating transactions is quickly becoming a thing of the past. Due to countless major data breaches, many consumers’ card details and previous addresses are readily available for sale on the Dark Web.
Owing to this rapidly shifting threat landscape, banks and financial institutions worldwide are making the leap to adaptive authentication. This is the process of applying the precise amount of security – at the right time – to each unique customer transaction based on the level of risk.
When a bank implements adaptive authentication, they build a picture of each customer. Where do they usually withdraw cash? Do they regularly travel to another city to visit family? Through this method, adaptive authentication can be used to cross-reference transactions against usual behaviour and flag if a risk is involved – like if a homebody suddenly purchased a set of first-class flights to Las Vegas! Once flagged, a customer would be asked to authenticate themselves via methods which could include a software or hardware token, biometrics or a one-time password.
AI-powered risk analytics
To successfully implement adaptive authentication, banks and financial institutions must implement robust risk analytics – a sphere in which AI is playing an increasingly large role. This is no surprise, given that the threats to banks are becoming more sophisticated, with the emergence of attacks-as-a-service, automated attack tools, and close collaboration amongst bad actors enabling fraud at an unprecedented scale.
An AI-powered decision engine and machine learning model can continuously analyse a broad range of data, events and context. Rather than simply detecting login and transaction data, they look at a whole variety of indicators of compromise and learn from them. These include malicious headers, referrers from a phishing site, malicious cookies, a malicious device or IP, inhuman speed, keyboard overlay, a debugger running and many more. Based on the risk level of each user action, a smart risk analytics solution can generate a score and provide a recommended next step in real time – enabling banks to remain proactive, rather than reactive.
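The scoring and step-up flow described here and in the adaptive authentication section above can be sketched as follows. This is an added example, not OneSpan's or any bank's implementation. The signal weights, thresholds, profile fields and sample events are all assumptions chosen for illustration; a production engine would learn them from data rather than hard-code them.

```python
from dataclasses import dataclass, field

# Assumed weights for indicators the article names; a real engine learns these.
SIGNAL_WEIGHTS = {"phishing_referrer": 40, "malicious_ip": 35, "debugger_running": 30,
                  "keyboard_overlay": 30, "inhuman_speed": 25}
STEP_UP_AT, DENY_AT = 30, 70  # assumed thresholds on a 0-100 scale

@dataclass
class Profile:
    """Picture of the customer's usual behaviour (hypothetical fields)."""
    known_devices: set = field(default_factory=set)
    usual_cities: set = field(default_factory=set)
    typical_max_amount: float = 0.0

def score_event(profile, event):
    """Return (score, reasons) for one login or transaction event."""
    # Session-level indicators of compromise reported by the client or network layer
    hits = [(s, SIGNAL_WEIGHTS[s]) for s in event.get("signals", []) if s in SIGNAL_WEIGHTS]
    # Behavioural checks against the customer's own history
    if event["device_id"] not in profile.known_devices:
        hits.append(("new_device", 20))
    if event["city"] not in profile.usual_cities:
        hits.append(("unusual_location", 15))
    if profile.typical_max_amount and event.get("amount", 0.0) > 3 * profile.typical_max_amount:
        hits.append(("amount_outlier", 35))
    score = min(sum(weight for _, weight in hits), 100)
    return score, [name for name, _ in hits]

def next_step(score):
    """Map the score to a recommended action, applying friction only when risk warrants it."""
    if score >= DENY_AT:
        return "deny_and_review"
    if score >= STEP_UP_AT:
        return "step_up"  # e.g. software/hardware token, biometrics or one-time password
    return "allow"

def decide(profile, event):
    score, reasons = score_event(profile, event)
    return {"score": score, "action": next_step(score), "reasons": reasons}

# Constructed sample data: a "homebody" customer and three events
HOMEBODY = Profile({"dev-1"}, {"Leeds"}, 200.0)
ROUTINE = {"device_id": "dev-1", "city": "Leeds", "amount": 45.0}
FLIGHTS = {"device_id": "dev-1", "city": "Leeds", "amount": 4800.0}
PHISHED = {"device_id": "dev-9", "city": "Leeds", "amount": 150.0,
           "signals": ["phishing_referrer", "inhuman_speed"]}
```

Returning the reasons alongside the score lets fraud analysts audit why a customer was challenged or blocked, and lets the weights be tuned against false positives.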
So, with the complexity of attacks growing and fraudsters’ sophistication evolving on an almost daily basis, it’s clear that users cannot and should not be expected to keep up. Just as the responsibility of fixing a boiler rests firmly with a plumber, user security should be the responsibility of a consumer’s bank or financial institution. Banks should focus on remaining nimble by increasing responsiveness, prioritising innovation and decreasing rollout times for new security solutions.
This article, written by Michael Magrath, Director of Global Regulations and Standards at OneSpan, was first published in Information Age on 24 May, 2021.