FIs Take Biometrics Approach to Battling Account Takeovers

Account takeovers are among the most insidious threats to banks and consumers.

Fraudsters use all manner of schemes to prey upon vulnerabilities and weak links that exist in the chain of interactions. Key to stealing money from accounts is the fact that criminals use advanced technology to pose as legitimate individuals, which furthers their ability to keep victims and banks from knowing they’ve been compromised.

In an interview with PYMNTS, Mzukisi Rusi, Entersekt's VP of Product Development for Authentication Products, said a multifaceted approach to fraud prevention is necessary. Central to it all is moving away from passwords, including one-time passwords (OTPs), because credential attacks are still the leading cause of account takeovers.

“Banking has come a long way,” Rusi said. “Just a few years ago, passwords were the main authentication methods. But now we have biometrics, we have AI-powered fraud detection and real-time analysis to make transactions safer than ever.”

There’s a convenience factor in the mix, too, said Rusi, who added that using biometrics means consumers don’t need to remember passwords.

The Double-Edged Sword

But there’s a catch.

It turns out that new banking technologies can represent a double-edged sword — where the same weapons deployed by financial institutions (FIs) can be used against them and aid account takeovers.

“Every new technology brings new risks,” said Rusi, who added that fingerprints can be stolen or duplicated. Artificial intelligence is used to generate deepfakes, giving rise to synthetic identities that bypass security checks. Most people live their lives on their phones, which have been a conduit for one-time passwords. But if an attacker can convince the carrier that a legitimate customer wants a new number (or they’ve lost their phone or want a new SIM card), those OTPs can also be compromised.

In other cases, fraudsters “push bomb” their victims with push notifications that eventually tire or confuse individuals, so much so that they give in, click on a link and wind up at a fraudster’s mercy.

“It’s incumbent” on banks “to stay one step ahead and constantly evolve their defenses,” Rusi said.

In the meantime, consumer perception is critical. If consumers are protected without ever knowing that an attack was attempted, so much the better.

FIs may have taken a siloed approach to fraud management in the past, but now they must adopt what Rusi termed “layered security and intelligent, context-aware authentication.”

A strong approach binds devices and accounts to people and authenticates users across multiple layers, analyzing everything from typing speed to how users hold their phones. The context-aware mindset also lets FIs adjust security measures to the situation at hand. If a user is adding a payee or making a transfer while on a phone call (to name but two examples), those are signals the FI can use to introduce additional friction. Banks also need to educate their customers directly about social engineering and phishing attacks.
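To make the layered, context-aware decision concrete, here is an added illustration (not Entersekt's product logic or anything quoted by Rusi) that scores the signals named above and decides whether to allow, step up, or deny. The signal names, weights and thresholds are assumed for the example; the push-fatigue rule addresses the “push bombing” pattern described earlier.

```python
from dataclasses import dataclass

@dataclass
class SessionContext:
    """Signals gathered for one authentication decision (field names are assumed)."""
    device_bound: bool          # this device is enrolled and bound to the account
    typing_cps: float           # characters per second observed in this session
    baseline_cps: float         # user's historical typing speed; 0.0 means no history yet
    action: str                 # "view", "transfer" or "add_payee"
    on_call: bool               # a phone call is active while the user acts
    push_prompts_10min: int     # push approvals sent for this account in the last 10 min

HIGH_RISK_ACTIONS = {"transfer", "add_payee"}
PUSH_FATIGUE_LIMIT = 3  # assumed: more prompts than this in the window looks like push bombing

def risk_score(ctx: SessionContext) -> int:
    """Add up weighted signals; a higher score means more suspicion. Weights are assumed."""
    score = 0
    if not ctx.device_bound:
        score += 40                          # unknown device: strongest single signal here
    if ctx.baseline_cps <= 0:
        score += 15                          # no behavioral baseline: cannot confirm the user
    elif abs(ctx.typing_cps - ctx.baseline_cps) / ctx.baseline_cps > 0.5:
        score += 25                          # typing rhythm far from this user's norm
    if ctx.action in HIGH_RISK_ACTIONS:
        score += 20                          # money-moving action
        if ctx.on_call:
            score += 30                      # coached by a caller while moving money
    return score

def decide(ctx: SessionContext) -> str:
    """Return 'allow', 'step_up' (e.g. passkey / in-app confirmation) or 'deny'."""
    if ctx.push_prompts_10min > PUSH_FATIGUE_LIMIT:
        return "deny"                        # stop sending pushes; user may be being worn down
    score = risk_score(ctx)
    if score >= 70:
        return "deny"
    if score >= 30:
        return "step_up"
    return "allow"

if __name__ == "__main__":
    # Constructed sample: a transfer on a bound device while the user is on a call.
    ctx = SessionContext(True, 4.0, 4.2, "transfer", True, 0)
    print(risk_score(ctx), decide(ctx))  # 50 step_up
```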

Looking ahead, banks are using “passive-plus authentication,” which means using passkeys to eliminate stolen credentials, Rusi said. Collaborative threat intelligence helps banks report breaches and fraud “signals” to peers, so that the industry overall is bolstered against those attacks. The layered, coordinated efforts assume that no one should be trusted by default, and risk assessment must be done continuously.

As Rusi said: “The future is all about detecting and stopping fraud in real time.”