Anonymous Interactions: The Threat And Power of Consumer Devices in the Digital Marketplace
Originally published on Forbes.com
The last decade has seen a massive increase in fraud in online channels. Since the introduction of EMV chips on credit cards, fraudsters have transitioned their focus to digital channels, using compromised information — often obtained through data breaches — to exploit businesses. Considering the well-documented surge in data breaches in recent years and especially during the pandemic, it is safe to assume that almost everyone's information has been passed around on the dark web.
Recently, reports emerged of fraudsters using mobile device emulators to steal millions of dollars from online bank accounts. They hack victims' devices to access the device identifiers, spoof the GPS locations that the device is known to use and, ultimately, give the appearance that they are legitimate customers accessing accounts from known customer devices.
This means that many traditional and progressive mechanisms for confirming identities and fighting fraud are no longer effective. No matter the safeguards, the digital channel remains a space of largely anonymous interactions.
So what is the path forward for organizations seeking more secure customer transactions?
Ask the right question.
The first question organizations tend to ask is, "How can we fight increasingly sophisticated fraud?" However, this neglects a few critical considerations. First, this question tends to lead organizations down a path of "guilty until proven innocent," leaving little room for distinction between the good customers and the bad. If customers are forced to jump through too many hoops to prove they are who they say, the increased friction may drive them away.
This fraud-focused mentality, with little consideration for customer experience, tends to neglect the foundational need for customer authentication. A company can't have strong fraud mitigation without implementing strong authentication at the onset of any interaction. The vast majority of consumers engaging with businesses are not fraudsters, but if we treat all customers as such, it not only increases friction but also spreads fraud-fighting resources dangerously thin.
Finally, starting with a question focused solely on fraud prevention overlooks the more basic desire at the heart of all connections — trust. The more critical building block in fraud prevention focuses not just on how to stop bad actors but rather on determining whether you can trust that the person on the other end of the line is who they claim to be. Instilling trust and certainty within the interaction by analyzing the "who" within the equation streamlines the fraud vetting process for good customers and allows the fraud team to direct all of its resources toward verifying high-risk interactions.
Remove anonymity, instill trust.
Both consumers and businesses benefit when businesses are able to spot fraud quickly while processing legitimate customer transactions more efficiently. To provide a smooth online customer experience while simultaneously reducing their risk of fraud, businesses need authoritative identity signals that enable them to accurately evaluate the degree of trust in digital interactions. Solutions that bridge the gap between person-centric offline information and device-centric digital identity can be best positioned to help organizations determine who is on the other end of every interaction.
Device behavior analysis using device reputation tracking (or device fingerprinting) is currently the most common method for mitigating fraud in online channels, relying on historical behavioral data to determine whether a device has been linked to fraud in the past. However, the scope of this method is limited, as it doesn't take into account the fact that there is a first time for fraud on any device and that fraudsters are already well accustomed to ways of avoiding such tools — once a fraudster uses a device to commit fraud, they will trash it and move on to a new one.
For a more complete picture of trust in digital interactions, device-based identity resolution takes it a step further, determining not only whether a device has been linked to unsafe behaviors in the past — using device behavior analysis — but also whether the device is likely in the hands of the individual who owns it. This approach is the latest in a path toward smarter, more effective fraud-fighting — a vision of reduced fraud risk for businesses without putting additional strain on fraud teams or impeding streamlined customer experiences.
Market-leading device-based identity resolution solutions are available and can be seamlessly implemented as a component of an existing multifactor authentication and verification process. In the same way that an IVR system intercepts a call to route a service call, an intelligent device-based identity resolution solution intercepts incoming device information and delivers a risk assessment directly to a company's consumer account files — "low risk" for a low-friction customer experience or "high risk" for additional verification.
Very little transition is required when building from a legacy authentication system to a more robust device-based identity resolution solution. Once implemented, companies have the flexibility to hone their fraud mitigation approach — putting additional verification steps in place only for high-risk, potentially fraudulent transactions and paring down or doing away with less reliable, higher-friction steps (such as knowledge-based authentication) — to improve the customer experience.
Bridging the gap to stop fraud.
Many fraud mitigation solutions would be no match for the mobile device emulator attacks noted at the beginning. However, by examining the data inherent to the device itself — for example, whether it was a burner phone, had a recent SIM swap or call forwarding enabled, had sufficient activity corresponding to the location where the person claimed to be and whether it was from a reputable carrier — a device-based identity resolution approach could have quickly recognized customer and device identity inconsistencies and flagged the interaction to the fraud team for further review.