Customer A is a creature of habit. He values order and tends to do things in the same way, from the same place, and normally around the same time. There is a stability to this kind of consistency, and he finds comfort in routine. Customer B, on the other hand, is always on the go. Her job takes her on the road to different countries in different time zones, and she spends a good deal of time in hotel rooms, board rooms, and in the skies.
End users can have wildly different transaction behavior profiles when banking online, and financial institutions need to spend time calculating and anticipating changes to many behavioral variables – not only to keep customers safe, but to ensure they are not inadvertently locked out of their digital accounts.
It is equally important for financial institutions to have greater visibility into, and control over, the devices connecting to their web banking platforms, both to protect themselves and to protect their account holders. The digital health of a customer’s laptop or desktop computer is out of a bank’s control. However, a view into which connecting machines carry malware or are otherwise deemed risky lets an institution decide whether such machines should be allowed to connect to its platform at all.
Striking a balance is tricky: banks must walk a fine line between keeping accounts highly secure and ensuring that customers can easily access their money at all times and from any location.
Too Many Banks Are Failing at Security
To the chagrin of financial institutions, many bank accounts remain inadequately protected. A recent study on account takeovers (often referred to as ATOs), in which thieves use stolen login credentials to access a customer’s funds online, found that ATOs accounted for $5.1 billion USD in losses in the US in 2017, three times the amount lost to this kind of cybercrime the previous year.
The study also found that the ease with which cybercriminals can make quick money from ATOs is why compromised credentials to online bank accounts are now considered more valuable than stolen credit card numbers on the black market.
If banks do not do a better job at giving genuine end users easy access while keeping cybercriminals out, this trend is likely to continue.
The answer, however, is not to put in place anti-fraud strategies so rigid that customers struggle to use them. Without a flexible, user-centric security platform, banks risk alienating their customers. An unsatisfied or frustrated customer is one that is motivated to find another bank that won’t put too many security obstacles in their way, even if those obstacles exist for their own protection.
So, what is the solution? In a word: visibility. Many deficiencies in fraud protection are borne out of the fact that financial institutions have blind spots in their security. Many legacy solutions tend to function as a black box and do not give the institution a view into how it detects and deals with malware and other risks, or what else is going on in the fraud ecosystem in which they operate.
A bird’s-eye view is only half of the equation. Banks also need greater control; they should be able to decide who gets to connect to their digital banking platforms and who doesn’t. An end user who is operating from a machine infected with dangerous malware, unknowingly or otherwise, is likely to become the victim of a cyberattack. Though the customer may not like or understand why they have been denied access this one time, they would surely be far unhappier if a fraudster was able to get into their account and drain it of all its funds.
With this in mind, there are features and functionalities that financial institutions should be looking to incorporate into their fraud security systems:
- End-user behavior history analysis – Deploying technology that leverages machine learning, so that current end-user browsing, login, and transaction behavior can be compared to previous behavioral patterns. One or two differences from a user’s “normal” behavioral pattern may not arouse suspicion, but enough of a deviation in those patterns could indicate that an account takeover is about to take place or is in progress.
- Visibility into banking platform connections – The fact that end users never know when their laptops or desktops have been infected by malware – either on their hard drive or their web browser – means that any customer connected to the bank’s transactional pages could pose a threat. The institution should know whether an end user’s machine is infected or otherwise vulnerable so that the organization can manage the risk of that connected device as they see fit.
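To make the two bullet points above concrete, here is a toy behavioral risk scorer. It is an added illustration written for this article, not code from the article’s author or from any vendor’s product. It assumes the bank already has, per session, a geolocated country, a device identifier, the transfer amount and payee, and a yes/no endpoint-integrity signal (whether the connecting machine is flagged as infected); all of those inputs, the weights, and the thresholds are assumptions, and the two customer histories are constructed sample data. The point it demonstrates is the one the article makes: a single deviation from a customer’s own norm (a homebody logging in from a new country, or a frequent traveller appearing in yet another country) scores low, while several deviations at once, or an infected endpoint on top of a deviation, cross the step-up or block threshold.

```python
"""Toy behavioral + device-risk scorer for online-banking sessions (added example)."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    user: str
    ts: datetime                     # session time, UTC
    country: str                     # assumed: geolocated from the connecting IP
    device_id: str                   # assumed: device fingerprint or cookie
    amount: float = 0.0              # transfer amount; 0.0 for a plain login
    payee: Optional[str] = None
    device_infected: bool = False    # assumed: endpoint-integrity check result


@dataclass
class Profile:
    countries: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)    # hour-of-day histogram
    payees: Set[str] = field(default_factory=set)
    amounts: List[float] = field(default_factory=list)


def build_profile(history: List[Event]) -> Profile:
    """Summarise a customer's past sessions into the features new sessions are compared with."""
    p = Profile()
    for e in history:
        p.countries[e.country] += 1
        p.devices[e.device_id] += 1
        p.hours[e.ts.hour] += 1
        if e.payee:
            p.payees.add(e.payee)
        if e.amount > 0:
            p.amounts.append(e.amount)
    return p


RARE = 0.05  # a value seen in fewer than 5% of past sessions counts as a deviation


def score_event(p: Profile, e: Event) -> Tuple[int, List[str]]:
    """Weighted sum of deviations from the customer's own history, plus device risk.
    Weights are illustrative: one deviation stays below 'step-up', several exceed 'block'."""
    score, reasons = 0, []
    total = sum(p.countries.values()) or 1
    if p.countries[e.country] / total < RARE:
        score += 2; reasons.append(f"rare country {e.country}")
    if p.devices[e.device_id] == 0:
        score += 2; reasons.append(f"unknown device {e.device_id}")
    near = sum(p.hours[(e.ts.hour + d) % 24] for d in (-1, 0, 1))   # +/- 1h window
    if near / total < RARE:
        score += 1; reasons.append(f"unusual hour {e.ts.hour:02d}:00 UTC")
    if e.payee and e.payee not in p.payees:
        score += 1; reasons.append(f"new payee {e.payee}")
    if p.amounts and e.amount > 3 * max(p.amounts):
        score += 2; reasons.append(f"amount {e.amount:.0f} far above past max {max(p.amounts):.0f}")
    if e.device_infected:
        score += 3; reasons.append("endpoint flagged as infected")
    return score, reasons


def decide(score: int) -> str:
    return "block" if score >= 5 else "step-up" if score >= 3 else "allow"


def _hist(user, n, countries, devices, hours, amount, payees) -> List[Event]:
    # Constructed sample history (not real customer data); every other session is a transfer.
    return [Event(user, datetime(2018, 1, 1 + i % 28, hours[i % len(hours)], tzinfo=timezone.utc),
                  countries[i % len(countries)], devices[i % len(devices)],
                  amount if i % 2 == 0 else 0.0, payees[i % len(payees)] if i % 2 == 0 else None)
            for i in range(n)]


def run_demo() -> Dict[str, Tuple[int, str, List[str]]]:
    # Customer A: same country, same laptop, same hour, same payee.  Customer B: five countries,
    # two devices, five different hours, several payees.
    pa = build_profile(_hist("A", 20, ["US"], ["lap-A"], [8], 150.0, ["landlord"]))
    pb = build_profile(_hist("B", 25, ["US", "GB", "DE", "SG", "JP"], ["phone-B", "lap-B"],
                             [2, 9, 14, 20, 23], 500.0, ["hotel", "airline", "client"]))
    day = lambda h: datetime(2018, 3, 5, h, tzinfo=timezone.utc)
    cases = {
        "A usual":          (pa, Event("A", day(9), "US", "lap-A", 200.0, "landlord")),
        "A one deviation":  (pa, Event("A", day(8), "CA", "lap-A")),
        "A two deviations": (pa, Event("A", day(8), "CA", "tablet-x")),
        "A takeover":       (pa, Event("A", day(3), "RO", "tablet-x", 2000.0, "new-acct")),
        "B new country":    (pb, Event("B", day(21), "FR", "phone-B", 700.0, "hotel")),
        "B infected":       (pb, Event("B", day(21), "FR", "phone-B", 700.0, "hotel", True)),
    }
    out = {}
    for name, (p, e) in cases.items():
        s, why = score_event(p, e)
        out[name] = (s, decide(s), why)
    return out


if __name__ == "__main__":
    for name, (s, verdict, why) in run_demo().items():
        print(f"{name:18} score={s} {verdict:8} {'; '.join(why)}")
```

Note that the same raw observation, a login from France, is scored against each customer’s own baseline rather than a global rule: for the jetsetter it is just one more rare country and is allowed, while for the homebody a new country plus a new device already warrants a step-up challenge. The infected-endpoint signal is weighted so that it pushes an otherwise borderline session to a block, which is the “control” half of the visibility-and-control argument above.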
From the jetsetter to the homebody, and everyone in between, the customer population of a financial institution is heterogeneous. Customers have wide-ranging transaction behavior profiles, and the likelihood that their machines are infected with malware, viruses, or Trojans varies just as widely. Banks need to be cognizant of this and plan for every possibility. Their ability to detect and prevent account takeovers may depend on it.
To learn more about how to defend against an ATO attack, click here.