Preventing Real-Time Fraud – Combining Device Information and Risk-Based Authentication
Recently, after purchasing a new iPad, I decided to configure it to access my mobile banking account. After loading the mobile banking application and logging in using my standard credentials, I realized no further authentication was required.
So why didn’t I get challenged when I used the new device? I am set up to receive mobile alerts from my bank, and I had previously set up institutional questions and gone through “out of wallet” questions during registration. Did the bank decide against the use of strong multi-factor authentication as part of their security strategy or were they making a deterministic decision based on certain transaction characteristics? The answer is most likely the latter.
Organizations continuously have to balance usability with security in order to enhance the user experience and avoid alienating their customer base. The approach commonly used involves in-depth verifications and analysis behind the scenes without actively engaging the consumer as part of the transaction. This “frictionless” approach to authentication only invokes stronger forms of authentication (beyond username/password) during high-risk scenarios and typically only affects 5-10% of the total transaction volume depending on the established risk thresholds. So, in my case the risk score computed for my login fell within the pre-established tolerance thresholds, and I was spared the additional challenge step.
All online or mobile consumer applications generally face the same type of challenge, and there’s no one answer to fit every use case. The Marketing, Security, and Compliance Teams have to collaborate on what security practices best fit their user base and the level of risk they are willing to accept. This may change for each transaction type – for example whether it’s a new registration or a repeated login. The best way to handle different transactions and different users is through a flexible, layered security model – using progressive, risk-based authentication.
Mobile banking best practices call for device identification and verification (each phone or tablet has a unique identifying code) and for establishing IP address and geo-location profiles as part of the risk strategy. This helps determine whether the user is legitimate or has a fraudulent purpose, and also establishes the “risk profile” of the device and how it’s normally used. Information about where a device really is, and whether it’s associated with other devices used in known fraudulent circumstances, helps passively identify known and potential fraudulent activity before allowing access to your systems and private data.
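To make the layered model concrete, here is a small risk-based authentication scorer. It is an added illustration for this post, not Equifax's product logic or any bank's actual rules: the signals (new device, unfamiliar network, foreign country, sensitive transaction, device linked to past fraud), the weights, and the two thresholds are assumptions chosen so that the outcomes match the scenarios described above. The sample profile and login events are constructed. A login either passes frictionlessly, is stepped up to a challenge (mobile OTP, institutional or out-of-wallet questions), or is blocked outright; once a challenge is passed, the device is enrolled so the next login from it is frictionless.

```python
"""Risk-based (step-up) authentication scorer.

Added example for illustration only; not Equifax code. All weights,
thresholds and sample data below are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"          # frictionless: username/password was enough
    CHALLENGE = "challenge"  # step-up: OTP, institutional / out-of-wallet questions
    BLOCK = "block"          # deny and raise a fraud alert


@dataclass
class UserProfile:
    """What the bank has learned about how this customer normally logs in."""
    known_devices: set[str]
    home_country: str
    usual_networks: set[ipaddress.IPv4Network] = field(default_factory=set)


@dataclass
class LoginEvent:
    device_id: str      # unique identifier reported by the phone or tablet
    ip: str
    country: str        # geo-location derived from the IP address
    transaction: str    # e.g. "login", "registration", "payee_add"


# Devices seen in previously confirmed fraud (constructed sample data).
FRAUD_LINKED_DEVICES = {"dev-9f1c-stolen"}

# Assumed weights; a real deployment tunes these against fraud and friction rates.
WEIGHTS = {
    "new_device": 40,
    "unfamiliar_network": 20,
    "foreign_country": 30,
    "sensitive_transaction": 25,
    "fraud_linked_device": 100,
}
SENSITIVE_TRANSACTIONS = {"registration", "payee_add", "wire_transfer"}
CHALLENGE_THRESHOLD = 50   # at or above: step-up authentication
BLOCK_THRESHOLD = 100      # at or above: refuse the transaction


def score_login(profile: UserProfile, event: LoginEvent) -> tuple[int, list[str]]:
    """Return (risk score, triggered reasons) for one login; higher is riskier."""
    score, reasons = 0, []
    if event.device_id in FRAUD_LINKED_DEVICES:
        score += WEIGHTS["fraud_linked_device"]
        reasons.append("fraud_linked_device")
    if event.device_id not in profile.known_devices:
        score += WEIGHTS["new_device"]
        reasons.append("new_device")
    addr = ipaddress.ip_address(event.ip)
    if not any(addr in net for net in profile.usual_networks):
        score += WEIGHTS["unfamiliar_network"]
        reasons.append("unfamiliar_network")
    if event.country != profile.home_country:
        score += WEIGHTS["foreign_country"]
        reasons.append("foreign_country")
    if event.transaction in SENSITIVE_TRANSACTIONS:
        score += WEIGHTS["sensitive_transaction"]
        reasons.append("sensitive_transaction")
    return score, reasons


def decide(score: int) -> Decision:
    """Map a risk score onto the tolerance thresholds."""
    if score >= BLOCK_THRESHOLD:
        return Decision.BLOCK
    if score >= CHALLENGE_THRESHOLD:
        return Decision.CHALLENGE
    return Decision.ALLOW


def enroll_device(profile: UserProfile, event: LoginEvent) -> None:
    """After a passed challenge, remember the device so future logins are frictionless."""
    profile.known_devices.add(event.device_id)


def fraction_challenged(profile: UserProfile, events: list[LoginEvent]) -> float:
    """Share of a batch that would be stepped up; tune WEIGHTS/thresholds against this."""
    stepped_up = sum(decide(score_login(profile, e)[0]) == Decision.CHALLENGE for e in events)
    return stepped_up / len(events) if events else 0.0


if __name__ == "__main__":
    # Constructed sample: a customer with one enrolled phone and a home /24.
    me = UserProfile({"dev-iphone-1"}, "US", {ipaddress.ip_network("203.0.113.0/24")})
    new_ipad_at_home = LoginEvent("dev-ipad-new", "203.0.113.7", "US", "login")
    s, why = score_login(me, new_ipad_at_home)
    print(s, why, decide(s))   # new device alone stays under the challenge threshold
```

With these weights the author's scenario scores 40 (new device, but home network, home country, plain login) and is allowed without a challenge; the same new device logging in from an unfamiliar network abroad scores 90 and is challenged; a device tied to past fraud scores at least 100 and is blocked. The `fraction_challenged` helper is the knob to watch when tuning: if far more than the 5-10% of volume mentioned above ends up stepped up, the weights or thresholds are too aggressive for the accepted risk level.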
Having the option and flexibility to dial in the right type of security level is important. Each organization has to weigh their applicable risks and determine how they want to interact with the consumer to ascertain the authenticity of the identity. Layering each of these risk assessments with the most appropriate challenge is important based on the level of risk you are willing to accept. Contact us to discuss available options for fraud protection, using identity screening, verification and authentication tools from Equifax.