Preventing fraud is a major concern for every financial institution. Banks, in particular, must ensure that only the rightful account owner accesses their account and that no incorrect payments are made. This involves tackling issues such as identity theft, accidentally misdirected payments, and Authorised Push Payment (APP) fraud. While a few years ago, this was limited to implementing more complex authentication methods, today banks use a multitude of techniques to protect their customers. This is especially important as banks try to avoid that increased security impacts user experience and leads to more customer questions and complaints to the bank’s customer support. More and more, fraud protection is being considered a competitive differentiator, rather than a necessary cost.
Let us explore in detail the different techniques deployed by modern banks.
Ensuring the Right Person Accesses the Account
This is the first step in avoiding fraud. Unfortunately, it is easier said than done, especially as customers are typically not very security aware. They create security risks by using the same password everywhere, not sufficiently protecting their email accounts used for password resets, not securing their phones, clicking on malicious links, sharing secret credentials, and oversharing personal details on social media, which enables advanced social engineering. At the same time, customers often complain about restrictions on usability due to security measures and may leave the bank because of them.
Therefore, banks must be very inventive with authentication, trying to minimize the impact on usability while still ensuring sufficient security. Additionally, they need to educate their customers about certain security risks.
Multi-Factor Authentication: One of the primary methods of securing user accounts is through multi-factor authentication (MFA). This approach requires users to provide multiple forms of verification before gaining access to their accounts. MFA can include:
PIN codes and passwords
One-time codes sent via email, SMS or authenticator apps
Biometric authentication, such as fingerprint and facial recognition
…
Risk-Based Authentication: Risk-based authentication (RBA) takes security a step further by monitoring user behaviour to detect potential anomalies. Based on this, authentication can be reduced (e.g. for some actions only a PIN code could suffice), while for others, additional authentication methods can be enforced. This method leverages artificial intelligence (AI) to analyse patterns that are not easily captured by traditional rule sets.
RBA analyses several factors to effectively identify suspicious behaviour and prevent unauthorized access. These factors can include:
Geo-location
Type and sequence of previous actions executed
Next action requested (e.g. a consultation does not need the same level of security as initiating a high-value payment)
Mouse movements, keystroke patterns and even how the customer holds his mobile device
Browser model and version
IP address and operating system
Hardware device
…
For more information, see my previous blog: "Multi-Factor Authentication and Identity Fraud Detection in the Financial Services Industry" (https://bankloch.blogspot.com/2020/02/multi-factor-authentication-and.html).
Preventing Incorrect Payments
Preventing unauthorized access to bank accounts is not sufficient to protect against fraud. Numerous fraud cases also involve victims being manipulated into making payments to fraudsters, typically through social engineering attacks involving impersonation.
Examples are
CEO fraud, where criminals pose as the CEO (or another high ranking executive) of a company and urgently ask an employee to transfer money.
Invoice fraud, where real invoices are replaced with fraudulent ones containing different bank account numbers or false QR codes, resulting in payments to another account.
This type of fraud remains common, as many banks do not protect their customers well against these attacks. Increasingly, regulators and governments (e.g. the EU with the Instant Payments Directive and PSD3 mandate) are pushing for better solutions.
Typical measures include:
Extra Controls and Warnings: Banks can implement additional controls and warnings when users make payments to new recipients or transfer large amounts.
Verification of Payee (VoP): This service verifies the recipient of a payment to ensure the funds are going to the correct person, preventing both APP fraud and accidentally misdirected payments. Companies like SurePay, OB Connect, Worldline, Tell Money, iPid, and Banfico offer this service.
While the above practices are becoming common in the financial services industry and are often mandated by regulators, innovative banks are taking extra steps to protect their customers. Recently, several new features have been announced by neobanks.
Some examples:
Check If You Are Being Called in App: Earlier this year, both ING in the Netherlands and Monzo in the UK introduced a new feature allowing users to see immediately if the bank is calling them. This avoids phone fraud, where fraudsters impersonate the bank to obtain secret credential information.
Known Locations or "Leave Your Money at Home": Monzo introduced this feature, allowing users to specify trusted locations, such as their home or workplace, where transactions can be safely conducted. Transactions attempted outside these pre-approved locations are automatically blocked, providing a geographical safety net against unauthorized transactions.
Trusted Contacts: Trusted Contacts introduces a social validation step into the transaction process. Customers can invite a trusted friend or family member to verify transactions that exceed a certain limit. This additional layer of scrutiny helps prevent fraudulent transactions by involving someone the customer trusts. This feature was also recently introduced by Monzo.
Secret QR Codes: Also introduced by Monzo, this feature allows customers to generate unique QR codes, which can be scanned in the app to authorize significant transfers. This code can be stored on a separate device or printed, ensuring that even if a phone is stolen, unauthorized transactions cannot proceed without the QR code. This dual-device requirement adds a robust layer of security.
Selfie Verification: Revolut has introduced Wealth Protection, which requires a selfie verification for withdrawals from investments. This verifies the identity of a customer against the selfie ID checks completed during the initial sign-up, significantly hampering fraudsters' attempts to transfer money out of savings accounts, even if phone security has been compromised.
These new technologies and innovative features are interesting to test out. However, the user adoption of these features remains to be seen, as they are currently opt-in. The ease of enabling these features and ensuring they are used correctly by customers will be critical. For example, secret QR codes are only effective if stored securely on another device.
In any case, in the fight against fraud, financial institutions must continuously innovate and test new security mechanisms to stay ahead of fraudsters and ensure the safety and trust of their customers.
Comments
Post a Comment