Combating ATOs With Multifactor Authentication, Behaviors Analysis And Customer Education

Customers cannot afford to let fraudsters compromise their bank accounts under any circumstances, but the current economic climate makes attacks all the more painful. Financial institutions (FIs) thus need to ensure they can successfully block ATOs as well as quickly detect and mitigate any that slip through.

Creating secure banking environments without generating undue customer friction relies on strong front- and back-end approaches that help FIs spot red flags, create login experiences that are harder for bad actors to crack and guide customers on how they can avoid falling victim to ATOs. Ryan Leblond, manager of fraud prevention and investigations at ESL Federal Credit Union, explained these key strategies in a recent PYMNTS interview.

Fighting Username And Password Theft

Bad actors often initiate their ATOs by trying to trick potential victims into revealing their bank login information. Scammers could contact consumers and purport to be software company representatives, for example, asking for access to their devices to make remote repairs. Fraudsters who manage to gain access to customers’ banking profiles in this manner can then set new usernames and passwords, Leblond explained, allowing them to leverage those credentials to tap into the accounts whenever they want while locking out legitimate users.

FIs that keep customers informed about these and other schemes can better enable them to actively protect their accounts. Leblond said that banks and credit unions must still be somewhat measured when sharing fraud-fighting tips with customers to avoid airing too many of their anti-fraud strategies, though.

“We want to give them enough information so they can be as proactive and safe as possible, [while] also balancing not giving the fraudsters a playbook or blueprint of how fraud can be perpetrated and ways around it,” he noted.

FIs can adopt more robust login approaches to make it less likely that bad actors can obtain the necessary information to pass authentication checks. Relying on just one set of details — such as usernames and passwords — is insufficient, Leblond said, especially as some customers use the same password for many accounts. Reusing passwords puts consumers at greater risk because fraudsters who can compromise an account with one business can use those details to gain entry into others. FIs can mitigate this risk by having customers answer certain questions after providing passwords, for example, or asking that they undergo facial- or fingerprint-based biometric authentication.

Customer-Centric Authentication

Effective fraud fighting requires FIs to identify their customers’ preferences and provide security solutions that suit users’ comfort levels and familiarity with certain technologies and banking channels. Mobile banking apps that scan customers’ faces or fingerprints can offer powerful, fast authentication processes, for example, but such solutions will prove unhelpful if consumers cannot or refuse to use them. This consideration is a priority for ESL, Leblond said. The credit union’s membership primarily includes older consumers who may be uncomfortable handling biometric-based apps, while some may not own smartphones that offer such capabilities.

“It’s like buying a really shiny sports car for someone who doesn’t like driving,” Leblond said. “You can put all these technologies and methods and security in place, but if people aren’t using it, they’re not required to update it and you’re not monitoring [its] effectiveness, then those technologies are not going to be helpful to your organization.”

Applying multiple authentication methods is key to good security, and FIs must provide numerous options tailored to customers’ habits and preferred banking methods. Account holders who cannot be authenticated biometrically could be asked to answer additional questions, for example, a practice ESL follows for many customers who call its contact centers or visit branches.

Many FIs have also implemented voice-based biometrics at their call centers, Leblond said, and ESL is considering such methods. FIs that utilize these techniques record, analyze and store users’ voices, then leverage technology to compare the rhythm, pitch and other patterns in a given caller’s voice to verify that individual’s identity. One advantage to adopting this approach is that it does not require customers to change their behaviors.

Invisible Security

Behind-the-scenes methods like voice-based authentication can help FIs safeguard the customer experience while tightening security. Leblond said ESL relies on such approaches to monitor suspicious activities that could indicate a fraudster is controlling an account.

“If we see you log in 100 times in New York City, but now [you’ve] got an IP address bouncing in Saudi Arabia, we’ve got an issue there,” he explained.

Catching bad actors early requires examining whether customers’ account activities are out of sync with their normal behaviors. FIs should examine transactions, logins and even minute details such as the web browsers customers typically use when viewing their accounts and where they are using their devices.

“It’s not just what hits the statement [that matters] — a lot of people have misconceptions on that,” he said. “We want to look at not [just] what’s posting but [also] what’s in progress, what’s being attempted, [and] we work on the back-end to understand that in a granular detail.”
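The baseline comparison described in this section can be sketched as follows. This is an added example, not ESL's system or code from the interview: the event fields, thresholds, flag names and account ID are assumptions, and the country is assumed to have been resolved from the IP address upstream.

```python
from collections import Counter, defaultdict

FIELDS = ("country", "browser")

class LoginBaseline:
    """Per-account profile of where and how a customer normally logs in."""

    def __init__(self, min_history=20, rare_share=0.02):
        self.min_history = min_history  # logins needed before a profile is trusted
        self.rare_share = rare_share    # below this share of logins, a value is unusual
        self.profiles = defaultdict(lambda: {f: Counter() for f in FIELDS})

    def _unusual(self, counter, value):
        total = sum(counter.values())
        return total > 0 and counter[value] / total < self.rare_share

    def score(self, event):
        """Return red flags for one login event, whether it succeeded or not."""
        profile = self.profiles[event["account"]]
        if sum(profile["country"].values()) < self.min_history:
            return ["thin_history"]  # too little data to call anything unusual
        flags = [f"unusual_{f}" for f in FIELDS
                 if self._unusual(profile[f], event[f])]
        if flags and event["outcome"] == "failed":
            # An attempt that never "hits the statement" is still a signal.
            flags.append("attempt_only")
        return flags

    def process(self, event):
        """Score the event, then learn from it only if it was a clean success.

        Failed or flagged logins are held out of the baseline so that an
        intruder's activity cannot gradually become the account's "normal".
        """
        flags = self.score(event)
        if event["outcome"] == "success" and set(flags) <= {"thin_history"}:
            for f in FIELDS:
                self.profiles[event["account"]][f][event[f]] += 1
        return flags

def demo_baseline():
    """Constructed history: 100 successful US/Firefox logins for one account."""
    baseline = LoginBaseline()
    for _ in range(100):
        baseline.process({"account": "acct-1001", "country": "US",
                          "browser": "Firefox", "outcome": "success"})
    return baseline
```

A production system would move a held-out value into the baseline once the customer passes step-up authentication or a manual review; that feedback path is left out here.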

ATOs can be unsettling and damaging, and FIs’ approaches are evolving as they work to keep customers safe from new fraud tactics. Blending powerful back-end security systems with clear customer communication can help banks and credit unions fend off fraudsters and provide smoother experiences to legitimate users.
