Teach a man to phish and he’ll launch a phishing attempt every 30 seconds for the rest of his life. So what can businesses do to keep customers from biting, yet still provide a convenient platform for them to conduct digital payments and financial services?
Customers want to conduct these activities through a digital portal, and the quicker and easier the better. The average U.S. attention span before losing patience with an authentication process is a mere eight seconds. Businesses need to get people through the door quickly while ensuring that the wrong people don’t come through the same door disguised as someone else.
That balance between ease and security is hard to strike. Fraud management solution provider RSA explored the risks and opportunities and devised a five-pronged approach that factors in consumer choice, convenience, demonstrable fraud reduction, a mobile-first approach and regulatory compliance.
RSA Director of Global Product and Strategy, Angel Grant, unpacks this in a digital discussion panel hosted by PYMNTS CEO Karen Webster. Also appearing on the panel were Goode Intelligence Founder and Director Alan Goode and EyeVerify Director Tinna Hung.
“Authentication is an essential component of the user experience,” said Goode, and that’s not going away. As technology offers new methods, however, it’s the consumer who will drive which ones get adopted. That makes the implementation of authenticating technology a bottom-up decision, at least if companies are doing it right.
For example, Samsung saw that consumers wanted more biometric options, so it taught the latest Galaxy phone thumbprint, iris and facial recognition. The availability of such options, or lack thereof, can have a powerful influence on people’s buying activity. TouchID was introduced in 2013, and already nearly half of those who use it refuse to go back to PINs and passwords.
In the EyeVerify study, which was a blind survey of consumers who had used biometrics before, 79 percent of respondents wanted more biometric authentication options to be available to them. Forty-two percent said they wouldn’t use a banking or payment app that didn’t have it.
“People want the convenience,” said Grant. “It’s important to provide choice to the customer to satisfy your different demographics. However, it’s also important to look at it holistically on helping mitigate fraud and offering choices when appropriate.”
When it comes to convenient security, it’s all about “looking for that sweet spot in the middle,” said Goode. “Security authentication doesn’t need to be — and shouldn’t be — difficult.”
And yet, it is. At least for now. Grant said she often has to act as a mediator between security teams who are trying to give companies the best protection they can and business owners who think it’s too much security and will create friction.
Grant said the key is to communicate how many customers will be disrupted during the online experience, leading them to abandon their shopping cart and to translate fraud rates into dollar amounts that business owners will understand. She always makes it a point to emphasize that false positives can cost a business more than successful fraud attempts.
Industry inertia will likely be her friend here. Biometrics live right at the sweet spot, Goode mentioned, between convenience and security, and the more people adopt it, the more they will begin to trust it and adopt it themselves.
“Success breeds success,” Hung said. “Customers see what their peers are doing in the market” and that makes them feel comfortable taking the same steps.
Scanning a finger, face or iris takes just seconds and reduces the rate of fraud 1,000-fold, according to Alipay. Even voice recognition, although not on par with thumb printing and eye printing, still catches more fraud than traditional PINs and passwords and is much less of a hassle than typing a password on a smartphone’s touchscreen.
“There’s a rush to provide apps and mobile services without making security a priority, and that’s the biggest source of fraud,” said Hung. When EyeVerify was born, making it seamless and fast was high on the list, but making it accurate was the top mission.
The technology scans the entire eyeball and registers micro details, including the tiny red veins known as vasculatures on the whites of the eye. These, said Hung, are very stable — they’re one of the most permanent features about a person, making an eye print every bit as personal as a thumbprint.
Hung thinks education will be the most powerful tool in getting people on board with biometrics. Once people understand and accept that it’s secure, adoption will follow.
Demonstrable Fraud Reduction
Panelists agreed that business owners should be identifying at least 90 percent of fraud attempts; otherwise, they need to revisit their benchmarks. It may be that they need to better integrate their third-party fraud tools so they’re not working in silos. Or maybe they need help getting inside cybercriminals’ heads.
Cybercriminals work fast, and they work smart. They know where the weak points are. Many are setting up accounts and cashing out quickly, often within 10 days or less. New accounts have a 15-times higher fraud rate than ones that are older than 30 days.
But the biggest vulnerability isn’t in an app or a web portal or a network infrastructure. “They know that humans are still the weakest link,” said Grant.
Cybercriminals therefore exploit humans through social engineering or by taking advantage of that eight-second attention span to search for a point of entry. That’s part of the reason phishing attacks are spiking, with a new one identified every 30 seconds, according to RSA’s study. The promulgation of ransomware is also a factor.
When it comes to harmful emails, knowledge may be a better weapon than biometrics. Grant recommends keeping a finger on the pulse of the cybercrime underground and providing ongoing education to members of the organization so they know what kinds of campaigns may target them.
Mobile-First Security Strategy
Mobile has become the dominant screen for users. Last Black Friday, 56 percent of site views and 40 percent of sales were conducted from a mobile device, said Goode. Sixty percent of all fraud is coming from mobile channels.
For both commerce and services, “Mobile is going to be the prime commerce tool, main screen and main authenticator,” said Goode. “Businesses have to integrate authentication into the user experience.”
Software Development Kits (SDKs) are going to play a big role in that.
There are SDKs that collect information from WiFi, GPS, cell towers and more to map consumers’ movement patterns. They can sound the alarm for transactions that seem unusual. For instance, if a person appears to conduct a transaction in Boston and then in Russia immediately after, that activity would be flagged.
Other SDKs enable platforms to log metrics, such as a consumer’s phone model, language and screen size. Many fraudsters will use a new device rather than try to replicate the victim’s device, and if this happens, the switch in devices would be flagged.
There are myriad regulations from one country to the next, but according to Grant, they all equate to basically the same thing: protecting users both at the point of login and at the point of transaction.
The question all business owners should be asking, according to RSA, is this: “Does your current authentication partner have the ability to provide you with insight into the impact on your authentication services from regulation that is coming, and also to influence regulators in creating regulation that meets your business strategy?”
“Organizations are struggling to answer the basic questions,” said Grant. When fraud strikes, they don’t know how bad it is, what it impacted, whether it’s part of a pattern of being targeted, or whether it’s a precursor or symptom of a bigger problem. They struggle to enumerate how it will affect customer loyalty and revenue projections.
Businesses are afraid to change authentication methods because they don’t want to drive away transactions — and thereby revenue — by disrupting the user experience. But they’re afraid of the wrong thing. As threats evolve, so must security, and that needs to happen before disaster strikes.