Customers cannot afford to let fraudsters compromise their bank accounts under any circumstances, but the current economic climate makes attacks all the more painful. Financial institutions (FIs) thus need to ensure they can successfully block ATOs as well as quickly detect and mitigate any that slip through.
Creating secure banking environments without generating undue customer frictions relies on strong front- and back-end approaches to help FIs spot red flags, create login experiences that are harder for bad actors to crack and guide customers on how they can avoid falling victim to ATOs. Ryan Leblond, manager of fraud prevention and investigations at ESL Federal Credit Union, explained these key strategies in a recent PYMNTS interview.
Fighting Username And Password Theft
Bad actors often initiate their ATOs by trying to trick potential victims into revealing their bank login information. Scammers could contact consumers and purport to be software company representatives, for example, asking for access to their devices to make remote repairs. Fraudsters who manage to gain access to customers’ banking profiles in this manner can then set new usernames and passwords, Leblond explained, allowing them to leverage those credentials to tap into the accounts whenever they want while locking out legitimate users.
FIs that keep customers informed about these and other schemes can better enable them to actively protect their accounts. Leblond said that banks and credit unions must still be somewhat measured when sharing fraud-fighting tips with customers to avoid airing too many of their anti-fraud strategies, though.
“We want to give them enough information so they can be as proactive and safe as possible, [while] also balancing not giving the fraudsters a playbook or blueprint of how fraud can be perpetrated and ways around it,” he noted.
FIs can adopt more robust login approaches to make it less likely that bad actors can obtain the necessary information to pass authentication checks. Relying on just one set of details — such as usernames and passwords — is insufficient, Leblond said, especially as some customers use the same password for many accounts. Reusing passwords puts consumers at greater risk because fraudsters who can compromise an account with one business can use those details to gain entry into others. FIs can mitigate this risk by having customers answer certain questions after providing passwords, for example, or asking that they undergo facial- or fingerprint-based biometric authentication.
Effective fraud fighting requires FIs to identify their customers’ preferences and provide security solutions that suit users’ comfort levels and familiarity with certain technologies and banking channels. Mobile banking apps that scan customers’ faces or fingerprints can offer powerful, fast authentication processes, for example, but such solutions will prove unhelpful if consumers cannot or refuse to use them. This consideration is a priority for ESL, Leblond said. The credit union’s membership primarily includes older consumers who may be uncomfortable handling biometric-based apps, while some may not own smartphones that offer such capabilities.
“It’s like buying a really shiny sports car for someone who doesn’t like driving,” Leblond said. “You can put all these technologies and methods and security in place, but if people aren’t using it, they’re not required to update it and you’re not monitoring [its] effectiveness, then those technologies are not going to be helpful to your organization.”
Applying multiple authentication methods is key to good security, and FIs must provide numerous options tailored to customers’ habits and preferred banking methods. Account holders who cannot be authenticated biometrically could be asked to answer additional questions, for example, a practice ESL does for many customers who call its contact centers or visit branches.
Many FIs have also implemented voice-based biometrics at their call centers, Leblond said, and ESL is considering such methods. FIs that utilize these techniques record, analyze and store users’ voices, then leverage technology to compare the rhythm, pitch and other patterns in a given caller’s voice to verify that individual’s identity. One advantage to adopting this approach is that it does not require customers to change their behaviors.
Behind-the-scenes methods like voice-based authentication can help FIs safeguard the customer experience while tightening security. Leblond said ESL relies on such approaches to monitor suspicious activities that could indicate a fraudster is controlling an account.
“If we see you log in 100 times in New York City, but now [you’ve] got an IP address bouncing in Saudi Arabia, we’ve got an issue there,” he explained.
Catching bad actors early requires examining whether customers’ account activities are out of sync with their normal behaviors. FIs should examine transactions, logins and even minute details such as the web browsers customers typically use when viewing their accounts and where they are using their devices
“It’s not just what hits the statement [that matters] — a lot of people have misconceptions on that,” he said. “We want to look at not [just] what’s posting but [also] what’s in progress, what’s being attempted, [and] we work on the back-end to understand that in a granular detail.”
ATOs can be unsettling and damaging, and FIs’ approaches are evolving as they work to keep customers safe from new fraud tactics. Blending powerful back-end security systems with clear customer communication can help banks and credit unions fend off fraudsters and provide smoother experiences to legitimate users.