There may be no silver bullet but we can still block fraud from occurring: our key takeaways from the Revelock User Conference.
Foot traffic at physical bank branches was on its way down even before the pandemic enforced lockdowns across the globe. When branches did shut down, however, those customers who had still been carrying out their banking in person were forced to transition online.
Now, as the effects of the crisis are beginning to subside, the work financial institutions have done to accommodate their online customers has proven to users across diverse age groups and demographics how easy it is to access services via a website or a mobile app. However, it has also created further avenues for bad actors to commit fraud, with new users often serving as easy targets for manipulation attacks that exploit their limited digital know-how.
So, what’s the current state of online bank fraud, and what changes do fraud fighters want to see? Revelock customers, partners, and cybersecurity and fraud experts on Revelock’s Advisory Board came together at the Revelock User Conference to discuss. These are our five key takeaways.
Poor hygiene & Persistent threats - ‘perfect storm’ of online fraud
In a post-breach world, the accelerated influx of online users has created a kind of "perfect storm" for financial institutions.
Poor cyber hygiene and unsafe habits such as reusing passwords – particularly among users who are less experienced with banking online – coupled with the millions of stolen user credentials and IDs circulating on the dark web as a result of data breaches, mean that it is becoming harder and harder to spot and prevent fraud attempts.
For example, synthetic identities – where bad actors combine legitimate user data with fake information in order to fraudulently open bank accounts – are becoming a growing problem for financial institutions.
What’s more, cybercriminals are organized, well funded, and persistent. Their use of synthetic identities is an example of how fraud techniques are incessantly evolving. Just as fraud teams begin to work out ways to isolate synthetic identities from legitimate users through more rigorous checks, bad actors are already at work creating synthetic ‘supply chains’, spoofing credit lines and creating other fake data to back up synthetic identities.
Customers expect Banks to Know Your User
Revelock’s customers explained that it is widely recognized that the onus is very much on banks to protect their users and not the other way around. Users expect that once their money is inside a bank, it is effectively under protection. Regulation too puts the responsibility on financial institutions.
This means that even though financial institutions might prefer their customers to create 15-character online banking passwords that they change every few months, they cannot control users’ behavior and therefore cannot depend upon factors such as passwords – or in fact, any personal information that can be spoofed or obtained from a data breach – as a method of defense.
Banking customers want financial institutions to innovate and improve their verification processes, and the technology is already there to make this work. With the proliferation of behavioral biometric and AI technology, financial institutions can move away from authentication methods that rely on passwords and personal information like birthdays and addresses, and find alternative methods of checking that you are really you.
Technology now allows financial institutions to find things that are unique to each user, which means the key to fighting fraud is no longer what you know, but who you know.
Fraud Fighting Collective - Fraud Fusion Centers
The route to detecting fraud and staying up to date on constantly evolving techniques is often hampered by information silos within financial institutions.
It’s usual for departments and channels – such as web, app, card payments – to be isolated from one another, even going so far as to use separate databases, and many organizations still struggle to implement more collaborative practices despite the obvious need.
When information is shared between the different parts of a company, bad actors identified by one department can be blocked from perpetrating fraud across the entire institution.
For this very reason, more and more organizations are beginning to establish fraud fusion centers, where representatives from cyber, fraud, and across channels are collocated or organized as virtual teams for real-time information sharing.
Larger financial institutions have already begun adopting fraud fusion centers as a best practice – especially during the pandemic as collaboration within financial institutions looked set to suffer – as a way to cut down internal barriers and enhance security across the board.
Overwhelmed with Alerts, Automation is key
The panel easily agreed on the one crucial point to remember when coming up against current fraud conditions: that preventing and responding to fraud with automation is just as important as detecting it in the first place.
The issue is, there’s just too much white noise to fight through in order to know how to prioritize and which threats to respond to first. Fraud analysts are inundated with alerts and often spend hours each day sorting between legitimate causes for concern and false positives.
Then, once they’ve isolated those cases with the highest risk of fraud, fraud teams have to make a decision on how to react – whether that’s simply stepping up security or locking an account altogether.
One member of the Advisory Board, Janet Rathod, gained extensive experience catching bad actors while working for the FBI. She emphasized that time is of the essence when fighting fraud online, and therefore effective prevention is all about finding ways to minimize the window of opportunity for bad actors to perpetrate their crimes.
For this reason, the biggest game-changer in fighting online fraud at the moment is the ability to automate fraud responses. If financial institutions can react to fraud signals in real-time, they are effectively closing that window. This can make a huge, real-world difference to getting in front of attempted attacks and comprehensively stopping them.
Clear ‘risk calculation’ - Frictionless First
Financial institutions have to make a risk calculation when it comes to balancing security with ease of use.
In fact, there was a consensus among the panel that if it really came down to it, reducing the friction involved in a user’s journey is the priority for financial institutions. These organizations, therefore, need to find a way to get customers to their funds as quickly and easily as possible while simultaneously guaranteeing their safety.
There is a certain level of acceptable friction, however. If security is stepped up every once in a while, customers are less likely to feel annoyed while also feeling adequately protected. It builds long-term trust to know their bank is looking out for them and monitoring for fraud behind the scenes.
Knowing when to impose extra checks and doing it in real-time with the highest possible accuracy seems to be the trick to getting the balance right.
No silver bullet – but there are best practices
Ultimately, participants at the conference agreed that there is no silver bullet for preventing online fraud. Only one thing is certain: fraud techniques will continue to evolve. And although financial institutions can, and should, continue to educate customers about online safety – including not reusing passwords or clicking on suspicious or unsolicited links – they cannot control their behavior.
As fraud continues to evolve, the focus needs to be on mitigating its effects and acting as quickly as possible, closing the gap between detection and response. In other words, if there is just one thing financial institutions should do today to end the cat-and-mouse game of fraud, it should be to prioritize response capabilities.
For these reasons, the panel’s conclusion is that a fraud solution worth its salt right now has to be able to fight fraud in multiple ways on many different fronts, from new account fraud to uncovering intricate networks of synthetic identities and mule accounts already in systems – without impacting the user experience.
Fraud prevention geared towards reacting to fraud in real-time can knock the wind out of bad actors’ sails and help financial institutions evolve alongside ever-changing online fraud techniques.