What You Don’t Know About Device Reputation Tracking—and Other Security Fails
Originally published on Finovate.com
In an economy that is taking place increasingly online, the recent boost in fraud has left many banks, fintechs, and retailers underprepared in the fight against bad actors.
In a recent conversation, I spoke with Neustar Senior VP Robert McKay, who offered his perspective on the increase in fraud, the use of device reputation tracking, and steps firms can take to minimize their shortcomings.
Catch us up on the current security landscape in fintech and banking.
Robert McKay: The pandemic has forced almost all customer interactions with institutions to digital channels. While it offers a new level of convenience for customers, it has exacerbated an existing problem in these types of interactions – increasing ambiguity for seeking secure, trusted connections across anonymous interactions. Institutions and fintechs that deal with highly sensitive customer information have long struggled to properly authenticate the identities of consumers across these digital channels, and fraudsters have developed savvy methods to skirt some of the most prominent forms of identity authentication.
Trust is at the center of successful fraud mitigation. If you can trust, with a high enough level of confidence, that the person on the other end of the device is who they claim to be, then financial institutions and fintechs can reduce friction and improve the experience for legitimate customers while limiting additional verification and fraud-fighting resources to suspicious interactions.
2020 disrupted every subsector of fintech. Talk to us about how it changed the online security realm.
McKay: McKinsey cited that the pre-COVID consumer adoption rates for performing balance inquiries and transactions in the digital channels in the U.S. were at 50% while adoption for more complex activities like new account openings or credit card applications was around 36%. Many institutions and fintechs had to quickly address this as consumer activity shifts boomed across digital channels in a ‘survive-or-die’ approach. The combination of branch closures and an under-preparedness for these digital shifts resulted in spikes in call volumes and wait times, for example.
This disruption also shone a light on the robustness of institutions’ authentication processes. Throughout 2020, a commonly used method for mitigating fraud was device behavior analysis using device reputation tracking, which determines whether a device has been linked to fraud in the past. Today, fraudsters can easily bypass this method by constantly rotating out devices they use to commit fraud.
Fintechs and their business customers need to take a more comprehensive approach to consumer authentication, exploring who is behind the device rather than focusing exclusively on the device itself.
Discuss what device reputation tracking is and why it is no longer an acceptable form of fraud prevention.
McKay: Device reputation tracking is a method of fraud mitigation that gathers device fingerprints – a series of device characteristics – and assembles a view of that device’s previous association with fraudulent activity. It’s a simple, yet effective, method to catch basic forms of fraud. However, sophisticated fraudsters know this approach relies on backward-looking data, and avoid it by using multiple ‘burner’ devices to commit fraud. Once they complete their interaction, they’ll abandon that device and use a new device to continue their scam. New devices present a big question mark to device reputation solutions since, without past user data, they cannot indicate whether the new device can be trusted.
Additionally, knowing a device is connected to normal or safe behaviors is also not a failsafe solution. It only takes one time for a device to fall into the wrong hands to open the door to fraud.
What is the easiest way for a firm currently using device reputation tracking or fingerprinting to adapt to a more secure fraud prevention technique?
McKay: To adapt, firms should consider a device-based identity resolution technique that connects the device to what is known about a consumer with persistence, and then observe how this online/offline identity graph is honed through continued observations of digital interactions. These online/offline identity graphs should also draw upon historical behavioral data and device fingerprints as just one source element of a multilayered fraud-prevention approach.
Device-based identity resolution determines not only whether a device has been linked to unsafe behaviors in the past, but also whether the device is likely in the hands of the individual who owns it. Hundreds of signals in an array of combinations provide a clear direction to either proceed with the transaction or seek additional verification from the fraud team.
A robust, layered approach like this incorporates data that cannot be hacked and stops fraud in its tracks.
The digital identity conversation is hotter than ever. What are some new developments in this space that we should be paying attention to?
McKay: Consumers, especially digital natives, have developed high expectations for a frictionless customer experience. When considering fraud-mitigation tools, it is critical to remember that most consumers are not fraudsters. If businesses treat all customers as such, it will increase friction and drive good customers away. To provide a smooth customer experience while simultaneously reducing the risk of fraud, businesses need authoritative identity signals that enable them to accurately evaluate the degree of trust in digital interactions.
As fintechs look to accommodate an increasingly remote customer interaction model, it is even more essential to ensure the person on the other end of the interaction is who they claim to be.
What is the number one way you see financial firms fail in terms of security?
McKay: Firms often scrutinize and treat every interaction as possible fraud. This not only impedes the customer experience, but also spreads already thin fraud resources even thinner, leaving the business scrambling and that much more vulnerable to fraud.
Further impeding sound security and efficient fraud mitigation, many firms fail to make the connections across various customer touchpoints (e.g., digital, call center, in-person) and across different business units (e.g., credit card, retail, insurance) to gain the full view of a customer’s identity.
What is the best way for firms to fix this flaw?
McKay: Firms should seek out an identity resolution organization that can help form an identity graph with a singular view of a consumer against every touchpoint, and implement strong and silent authentication measures to automatically authenticate the great majority of interactions that are legitimate. This will allow firms to focus fraud-fighting resources and warranted consumer friction on the minority of interactions that truly represent potential fraud, instead of applying fraud-fighting resources against every call center and digital interaction.