While security development continues to get more sophisticated, fraudsters keep getting smarter. Bad actors have evolved from sending scam emails from “Nigerian princes” to infiltrating major companies such as Twitter and Wendy’s. As a result, fraud prevention and security must be — and is — a top concern for digital companies.
According to recently released research from PYMNTS, fraud attacks are on the rise, up 215 percent year over year. What’s more, fraudsters are getting smarter, and constantly finding new ways to camouflage their true identity or malicious intent in order to steal money and information.
That’s why, according to Brandon Krieg, co-founder and president of StashInvest, an app that allows consumers to invest in Exchange Traded Funds (ETFs) or stocks for as little as $5, companies must always be re-evaluating and updating their security platforms and strategies to keep up with fraudsters.
PYMNTS recently caught up with Krieg to discuss the importance of security to his offering and how to have confidence in a user’s digital identity. He described security as a constantly evolving struggle to identify who users really are and whether they pose risks.
Smartvesting? Investing in security so customers can invest safely
Stash users invest in Exchange Traded Funds (ETFs) and stocks from their smartphone by initially registering with an email address and Social Security number. That easy access point, however, means that Krieg and his team need to ensure that the users are who they claim to be.
To do this, Krieg said that he and his team work with security experts and vendors in the rapidly evolving FinTech space, so they can be sure that the company’s security protocols are updated frequently in order to match pace with a fraud fraught world.
“One of the things that I think is really important to this business from a security perspective is first knowing who our clients are, and trying to root out fraud before it happens to us,” Krieg said. He added, “I don’t think anyone will ever sit there and tell you that they’re 100 percent secure, because you can never stop.”
Krieg said that, while his company and most other digital companies are concerned with many different facets of security, knowing who each of the company’s roughly 80,000 clients are – and making sure that they’re not posing as someone else – is one of the most important aspects of fraud prevention.
“We look at our users and we try to see, are you who you say you are, and are you going to commit fraud against us? Are you stealing someone’s information? Are you an identity thief? And we try to root them out,” Krieg explained. “Those things are really important for a business like this to be successful.”
In fact, Krieg said, the biggest friction in the space is ensuring that companies have “a high degree of confidence that a user that you don’t know, who is signing up to do banking transactions with you, is not there to commit fraud.”
Verifying users can be more difficult for digital companies like Stash than it was in the past for traditional banks and financial institutions. According to Krieg, millennials don’t build credit in many of the same ways that previous generations did, forcing companies like Stash to develop or integrate new ways to verify users.
That help is crucial, Krieg said, because individual user’s digital identities have evolved and become increasingly multifaceted in the modern age.
“It’s kind of the way that the world is changing,” Krieg said. “In the old days, you would grow up, go to college, you’d start building your credit at an early age, and based on that credit profile you have a presence in the world. You start using that credit at a very young age to build an identity for yourself.”
These days, making a decision on a potential customer can be more complicated than just a credit score. Krieg noted that younger people today often don’t have credit, meaning that companies cannot rely solely on a credit score to make a decision about a potential client. Instead, they have to take a more modern route.
“If you look at an 18-year old or a 19-year-old, they might not have credit, so you can't necessarily feel super confident just by looking up someone's credit history off their Social Security number that you’re going to be able to fully feel confident that they are who they say they are,” Krieg said. “So you have to look at a lot of different aspects now about the user. You can look at their bank account to know it's them, you can look at their social presence.”
As a result, Krieg said, companies have to look at the “bigger picture” – and much more data than they may have considered in the past – to be sure their business is secure.
Sometimes, that means finding out more about a customer by using their email or other aspects of their digital identity to learn more about their history and whether they can be trusted. Krieg noted that the company uses email services that will research the email addresses provided by each individual user when they signed up to learn the answers to important questions about the person behind that account.
“Is the user's email [address] really their email that was used to sign up? Was it an email that has committed fraud in the past or done some shady stuff in the past?” Krieg said.
Enlisting help from experts
Keeping the user experience as simple as possible while also confirming those users are presenting themselves accurately can be a challenge. To answer that challenge, Krieg said that he and his team utilize technology that allows them to do the heavy security lifting without inconveniencing customers.
And it was not too long ago, according to Krieg, that the technology to balance the kind of security a company like Stash requires with an easy user experience was not readily available.
“A lot of those kind of things can happen behind the scenes, and I credit a lot of that actually to the rise of FinTech globally right now,” he said. “If you went in a time machine for a business like Stash and said, ‘Five, 10 years ago could we have done this?’ Probably yes, but it would have been a lot harder.”
Krieg said that this team uses a wide range of solutions in order to keep users secure, including fraud prevention and “know your customer” practices, better known as “KYC.”
“There are so many safeguards you need to put on a platform to make sure you are trying your best to root that out, otherwise you open yourself up to a lot of risk,” Krieg noted. “There are so many amazing companies that are building really great, smart technology around solving these problems, and it’s across the gamut right now. It’s security, it’s KYC, it’s banking regulations, it’s lots of different things.”
But, while they use a diverse web of tactics to ensure security, Krieg said he and his team are not trying to “reinvent the wheel.” Instead, they rely on a team of experts that provide the best solutions to target specific areas of concern.
“By utilizing and leveraging lots of great technology and different companies that are out there, it definitely makes it easier,” Krieg said, citing vendors like Socure and Plaid as important partners in the company’s security platform. “We really try to rely on vendors in places that we don’t have expertise or we don’t have the time spent. Or, if someone’s an expert in a particular area of fraud and security, we’ll use them.”
More than anything, Krieg said, he and his team have to be ever vigilant to protect against fraud attacks.
“You never get to the finish line with something like this” he said, in regard to security. “It’s never over, and anyone who says they’re going to sit back and stop working on security or authentication or anything like that is kind of crazy. We’re not finished and we’re never finished and it’s something that we have to constantly work on.”
Always being smarter
While Krieg said that he often relies on the expertise of companies with years of experience in different aspects of security, he’s also focused on building a strong security team in-house. That’s why nearly everyone hired by Stash has a background in security and coding, he said.
“We have to always be better and smarter,” Krieg said. “It forces our engineers and our team here to be smart and to work efficiently and always work toward this problem.”
And, he said, they are going to need as much help as they can get.
“You can’t just say ‘OK, great, I ticked that box, security is done, KYC is done’ – it’s never done,” Krieg said. “The bad actors are always evolving, so you have to look at how you evolve and how you get smarter to combat that bad behavior.”
To download the June edition of the Digital Identity Tracker™, powered by Socure, click the button below.
About the Tracker:
The PYMNTS.com Digital Identity Tracker™, powered by Socure, is a forum for framing and addressing key issues and trends facing the entities charged with efficiently and securely identifying and granting permission to individuals to access, purchase, transact or otherwise confirm their identity.