Digital Transactions Authoritative, insightful and timely information for payments professionals
There are no perfect solutions for account-takeover fraud, but tactics such as consumer education and prevention at log-in can make a big difference, says Rich Huffman.
According to Javelin Strategy & Research’s report entitled, “2018 Identity Fraud: Fraud Enters a New Era of Complexity,” account takeovers (ATOs) tripled in 2017, resulting in $5.1 billion in associated losses. And the losses are more than just monetary. The same report estimates this crime takes, on average, 15 dedicated hours and $290 in out-of-pocket expenses for a victim to resolve. This doesn’t even factor in the costs of churn by estimating the average lifetime value of lost customers.
ATO is a criminal’s gold mine in more ways than one. This type of fraud offers a lot of information for criminals to use because of the associated account credentials accessed with tactics such as man-in-the-middle (MITM) attacks. An MITM attack occurs when a fraudster either taps into a call between a user and service provider, or impersonates a service provider, to obtain personal information.
Whether it’s through MITM or hacking, once criminals have their entry points, they can do more damage through password testing on popular Web sites by trying to find relevant matches. Automation, specifically the use of bots, makes this process even easier.
But with the uptick in ATO comes more options for addressing this challenge. To face the rising incidents of ATOs in today’s digital environment, businesses, including retail bankers and processors, must address the issue with knowledge and newer, relevant technologies.
An Enterprise Issue
Gone are the days when fraud was finite. According to the National Institute for Technology Standards (NIST), using SMS or email for out-of-band or multifactor authentication is no longer secure. Reliance on passwords and “what-you-know” authentication methods actually increases fraud due to tactics such as MITM attacks.
Criminals are using automated attacks through online and mobile channels to exponentially expand the account-takeover fraud damage. Both financial and secondary accounts, such as email accounts, are targeted because they provide criminals with validity and help them conceal the crime, as email accounts are often the destination for password-change alerts.
Moreover, there’s a false sense of security as Touch ID and other native phone biometrics don’t eliminate password vulnerability. They simply make it easier for consumers to unlock their phones.
Consumers’ expectations of convenience, combined with a general lack of knowledge about security, compound the issue. Consumers expect ease of use in their payments and retail and bank accounts, but at the same time, they blame the merchant or bank when an account takeover happens.
In today’s consumer-driven environment, convenience is considered table stakes for a good customer experience. Nearly 40% of consumers would change their banks for a better mobile app. This new lack of stickiness underscores the importance of driving convenience at every stage of the customer’s journey.
While companies are hesitant to disrupt consumer convenience, ATO can severely damage brand reputation among customers. When debating between the two, consider the lifetime value of a lost customer.
The key to thwarting ATO attacks is detection at login. And while many merchants worry about increasing consumer friction through added security, there are many fraud-prevention tools designed to be transparent and consumer-friendly.
Everyone’s Business
Only about half of consumers are familiar with online/mobile authentication, and this number is likely lower for certain segments of the population, like Baby Boomers.
Because Millennials are more likely to be acceptors and early adopters of security measures, it is important to focus on giving them the education and tools to continue fostering their openness towards fraud prevention and security.
But while a lot of businesses are focusing on Millennial engagement, it’s also imperative to focus on educating the generations that are not as accepting of this new technology. Take a good look at the ways you educate your entire customer base about security solutions, especially older generations who lack awareness or understanding of identity theft and other security threats.
It’s important to communicate the damage account takeovers can do. By doing this, you can educate your entire customer base on the more secure encryption offerings available to prevent identity theft.
Consumers know that passwords, by themselves, are not the best security method. Yet, there are many misconceptions about which security solutions work. Customer knowledge and participation is key to driving stronger, practical security options at account opening and beyond.
No Silver Bullet
When it comes to eliminating digital fraud, there’s no one-size-fits-all approach. However, accuracy and response times are critical in reducing it.
Financial institutions need to explore the online-account and fraud-detection solutions that work best for them, including ones that offer more insights into consumers’ identities and provide the ability to stop fraud at the login process. This is a key way to prevent enterprisewide and multichannel ATO.
There are also many protection services that combat ATO at login. Monitoring geographic IP change, device change, password-entry behavior, time-of-day differences, and browsing time before logins can be impactful in thwarting ATO, without harming the consumer experience.
Account takeover numbers are increasing exponentially, with some reports indicating year-over-year growth as high as 160%. This high number, combined with the higher number of solutions to tackle this issue, can be overwhelming to merchants and financial institutions.
While there is not one solution that reduces this number to zero, the goal is to see numbers trending down. Financial institutions and card issuers can take certain steps to improve security in their digital channels without adding friction to the customer experience.
With the proper technology and monitoring solutions, you can help significantly reduce ATO at login and protect your customers’ most important data, without causing them to completely disengage from your brand.
—Rich Huffman is senior director, product management, at Equifax Inc., Atlanta.
