The bad guys are winning. This is the sentiment of many financial institution (FI) and merchant fraud mitigation executives, who are finding it increasingly difficult to keep pace with the rapidly changing fraud landscape.
With nearly 6 billion data records compromised since 2013, the organised crime rings behind the majority of financial fraud have a treasure trove of data at their disposal.
According to a report on mobile fraud by Aite, personally identifiable information (PII) and login credentials are no longer reliable means of identifying customers, since FIs and merchants alike have to assume that the criminals already have this data in their possession.
At the same time that the threat environment is escalating, fraud executives face strong internal pressure to ensure that their risk controls do not adversely impact the customer experience. The new bar for customer experience has been set by Amazon 1-Click and Apple and, along with it, the customer expectation for elegant interactions with minimal friction.
Fortunately, a vision is emerging that balances effective fraud prevention with a delightful customer experience. Customer identification and authentication are no longer just about the customer’s PII and static authenticators—in this environment, it is equally important to have a good understanding of the end user’s digital identity and incorporate dynamic means of authentication.
The mobile device sits at the centre of this vision. Properly secured, the mobile device can not only facilitate safer transactions within its own channel but can also be used to better secure other channels with minimal customer friction.
Against the daunting backdrop of increasing account takeovers and CNP fraud, fraud executives are finding that the increasing ubiquity of the mobile device presents new opportunities in fraud mitigation.
72% of US consumers, 68% of UK consumers, and 67% of Canadians now own a smartphone. They are using these devices more and more for day-to-day activities. 51% of transactions in retail e-commerce originate from the mobile device, and 42% of financial services’ digital transactions are mobile.
The high levels of smartphone penetration and use represent a great opportunity to bring more security to transactions with minimal impact on the customer experience. The ubiquity and computing power of the smartphone enable it to serve as a form of security token—one that consumers willingly carry wherever they go and are likely to have in close proximity at all times. The building blocks of this vision include the following technologies:
- Geolocation: Geolocation technology uses GPS to identify the position of the mobile device. It can be used in a number of ways, from geofencing (the customer identifies a range of trusted locations, such as “home” or “office”, within which less authentication is required) to using the proximity of the mobile device to a payment transaction as an additional factor in authorisation risk assessment.
- Device authentication: Device authentication uses mobile carrier data to perform the same hardware-based network authentication of the device (e.g., via the SIM card) that mobile operators perform, in order to secure a company’s services. It provides positive verification that the device belongs to the person authorised on the mobile account, indicates whether the phone is prepaid or post-paid, and provides notification if the device is lost or stolen.
- Device identification and risk assessment: Once the device is authenticated, the business must continually verify the device and assess the risk of the device itself. Device fingerprinting technology is particularly effective on the mobile device, since the device offers such a wealth of data that can be ingested and analysed. This results in a long-lasting and highly reliable device identification capability.
- Risk-based authentication: Based on the risk analysis performed in all of the preceding steps, businesses may choose to perform some form of authentication, commensurate with the risk of the transaction. This can be accomplished using a one-time password that is pushed from the mobile application, a fingerprint biometric, or facial recognition, among other forms of stepped-up authentication.
Large banks are the leaders in executing against this vision; a few have already embedded many elements of this into their mobile app. With enough knowledge about the mobile device and its users, businesses can enable higher-risk transactions or actually begin performing stepped-down authentication (i.e., reducing the amount of friction for customers). The following provide some real-world applications of this concept:
- Contact centre: When a consumer calls into the contact centre using his or her secured and identified mobile device, the business can skip the usual round of challenge questions and just address the customer’s need.
- Payment card authorisation: Payment card authorisation can be enhanced in a couple of ways using the mobile device. FIs can use mobile geolocation to determine whether the mobile device is in close proximity to a payment card transaction and reduce false positive declines. Some FIs are also using two-way text or mobile app push to engage the customer and verify anomalous payment card transactions.
- Online verification: The mobile device can be used to better secure online experiences in a variety of ways. Using geolocation, the proximity of the mobile device to the online session can be used as a factor of authentication and can remove the need for stepped-up authentication for lower-risk transactions. For higher-risk transactions, such as funds transfers, various forms of stepped-up authentication can be invoked via the mobile device, such as a one-time password pushed from the mobile app or a biometric. The latter authentication scenario is particularly secure, since it validates not only something users have but also something they are.
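As an added example that is not part of the original post, the following Python puts the four building blocks listed above (geolocation, device authentication, device fingerprinting, risk-based authentication) and the step-down/step-up decisions from the application list together in one small risk engine. The trusted places, signal weights and score thresholds are constructed assumptions for illustration, not any FI's actual policy.

```python
import math
from dataclasses import dataclass
# Constructed sample geofence the customer has marked as trusted: (lat, lon, radius_km).
TRUSTED_PLACES = {"home": (51.5074, -0.1278, 2.0), "office": (51.5155, -0.0922, 1.0)}

@dataclass
class DeviceSignals:
    carrier_verified: bool    # device authentication: carrier links device to account holder
    reported_lost: bool       # carrier lost/stolen notification
    fingerprint_match: float  # device-fingerprint confidence, 0.0 to 1.0
    lat: float
    lon: float

@dataclass
class Transaction:
    kind: str       # "card_auth", "login" or "funds_transfer"
    amount: float
    lat: float      # where the card transaction or online session originates
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (geolocation building block)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def assess(dev, txn, trusted=TRUSTED_PLACES, proximity_km=5.0):
    """Return (score, action); a higher score warrants more friction. Weights are assumed."""
    if dev.reported_lost:
        return 100, "deny"                # a lost or stolen device is never trusted
    score = 0 if dev.carrier_verified else 40
    score += round((1.0 - dev.fingerprint_match) * 30)
    near = haversine_km(dev.lat, dev.lon, txn.lat, txn.lon) <= proximity_km
    in_trusted = any(haversine_km(dev.lat, dev.lon, la, lo) <= r for la, lo, r in trusted.values())
    if not near:
        score += 35                       # device and transaction disagree on location
    elif in_trusted:
        score -= 15                       # familiar place, device nearby: step down
    if txn.kind == "funds_transfer":
        score += 40                       # higher-risk transaction type
    if txn.amount >= 1000:
        score += 30
    if score < 0:
        return score, "step_down"         # e.g. skip contact-centre challenge questions
    if score <= 30:
        return score, "standard"
    if score <= 50:
        return score, "push_verify"       # OTP or approve/decline pushed to the mobile app
    return score, "biometric"             # something they have plus something they are
```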
Customer education is important, too. While it is less necessary in the contact centre scenario, where nothing new is being asked of the customer, FIs need to be prepared to provide clear messaging to the customer when biometrics or other forms of stepped-up authentication are invoked, so that customers know what they need to do, how, and why.
The smartphone is a powerful tool in the arsenal of fraud executives as they strive to strike that difficult balance between fraud mitigation and the user experience. Over the coming months and years, expect to see this device play an increasingly pivotal role in financial institutions’ fraud mitigation strategies.
The post Mobile: The centre of the fraud prevention universe appeared first on Payments Cards & Mobile.