Balancing security and convenience to beat fraud

October 2012 Access Control & Identity Management

How can financial services organisations enable valid users to complete transactions easily, and still stop fraudsters from criminal activity? That question has been taxing the minds of the brightest security specialists for the last 30 years, and with identity theft, data breaches and fraud at an all-time high, the question has never been more relevant to financial institutions.

It has never been more difficult to answer either. Consumers interact with their banks anywhere in the world through many different and fragmented channels, ranging from the bank website, an ATM, and an in-store chip and PIN transaction, to online shopping, the phone, or – just occasionally – a bank branch. Fraudsters are waiting to strike at any opportunity to misuse user credentials at any of these touchpoints, whether it is through malware, phishing, card skimming, or other evolving threats.

Financial institutions typically struggle to collate the risk across the various customer touchpoints. For example, if a fraudulent individual steals a credit card and attempts to take money out of an ATM, afterwards tries to buy a television using a store’s POS system, and then follows that up with an attempted online money transfer, many banks would treat each of these breaches as separate events because of the different systems and personnel that service each channel. This severely undermines their ability to detect misuse.

Ugan Naidoo

Convenience trumps security

The fact is that today’s consumers want the least possible degree of friction when it comes to online transactions. Time is of the essence and only a certain degree of inconvenience will be accepted – especially for lower risk activities. People understand and tolerate proportionate responses rather than a fixed amount of security under all circumstances.

For example, when banking online, customers will tolerate the process of using their hardware/software PKI token to make a payment to a new payee but will be less tolerant when making a repeat payment to the same payee or simply checking their bank balance.

Similarly, is it not more reasonable to be asked to verify your identity when buying an expensive piece of jewellery than it would be if simply buying groceries at the supermarket? Ideally, the process for low-risk transactions should be as instant and painless as paying in cash. And for the higher risk transactions, the bank should use proportionate security that is related to the risk. Customers understand this and actually enjoy the benefits of the protection.

To keep the valid users in and the fraudsters locked out, financial institutions need to strike a balance between convenience, cost, and security – simultaneously keeping customers satisfied and their money safe. That puts them in a dilemma: on the one hand they need to enable financial transaction services with the least degree of friction; on the other hand they must verify that it is the right person before allowing any access – typically authenticating the user via a password and another credential.

Layered fraud detection and risk-based authentication

To effectively separate the ‘goodies’ from the ‘baddies’, financial institutions need a layered fraud detection strategy that combines risk-based authentication with a number of different methods of authentication to ensure that the security is proportionate to the risk of what the user is doing. This sophisticated risk analysis can include many items such as the user location, the device they are using online, the value of the transaction, or the type of goods they are purchasing. Typically, only a small number of transactions are considered risky and the ideal solution would identify these activities and then increase the security level required, in the most convenient manner possible. Such a solution would help prevent fraud in real-time on consumer online services without inconveniencing legitimate users in the vast majority of their activities.

An advanced authentication solution creates an adaptive risk analysis process to assess the fraud potential of every online login and transaction. The technology provides a variety of two-factor and risk-based authentication methods – all geared to frictionless, multichannel authentication. For example, financial institutions can examine a wide range of data collected automatically about each login or transaction. A risk score can be calculated to help determine what action to take on a given transaction. Tolerance thresholds can be set to adjust the impact on legitimate users. And there is the flexibility to determine the response to that score based on policies and risk tolerance. This approach transforms authentication and fraud prevention – while optimising convenience.

Imagine, for example, a customer is visiting London for the Olympics. At the hotel, they use their credit card with a chip and PIN machine so that their card is authorised for purchases during their stay. In their hotel room, they make an online banking payment using their laptop. During the evening, another purchase is made via an iPad. Using multichannel advanced authentication, the customer’s bank has verified the chip and PIN card transaction, acknowledged that the customer is in the UK, and monitors subsequent transactions through other channels while taking this first authorised transaction at the hotel into account.
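The risk score, tolerance thresholds and cross-channel context described above can be sketched as follows. This is an added example, not code from the article or from any vendor product; the weights, thresholds, field names and events are constructed assumptions.

```python
from dataclasses import dataclass, field
# Constructed weights and thresholds (assumptions, not values from the article).
WEIGHTS = {"new_device": 30, "new_payee": 25, "high_value": 25, "unverified_country": 40}
STEP_UP_AT, DENY_AT, HIGH_VALUE = 40, 80, 1000.0

@dataclass
class Event:
    channel: str               # "pos", "atm" or "online"
    country: str
    amount: float
    device_id: str = ""
    payee: str = ""
    strong_auth: bool = False  # e.g. chip and PIN was verified

@dataclass
class Profile:
    home_country: str
    known_devices: set = field(default_factory=set)
    known_payees: set = field(default_factory=set)
    verified_countries: set = field(default_factory=set)  # shared by all channels

def score(event, profile):
    """Sum the weights of every risk signal the event triggers."""
    signals = {
        "new_device": event.channel == "online" and event.device_id not in profile.known_devices,
        "new_payee": bool(event.payee) and event.payee not in profile.known_payees,
        "high_value": event.amount >= HIGH_VALUE,
        "unverified_country": event.country not in {profile.home_country} | profile.verified_countries,
    }
    return sum(WEIGHTS[name] for name, hit in signals.items() if hit)

def decide(event, profile):
    """Map the score to allow / step_up / deny and update cross-channel state."""
    s = score(event, profile)
    if s >= DENY_AT:
        return s, "deny"
    if s >= STEP_UP_AT and not event.strong_auth:
        return s, "step_up"
    if event.strong_auth:
        profile.verified_countries.add(event.country)  # later channels benefit
    return s, "allow"

def london_scenario(with_hotel_pos=True):
    """Constructed events: hotel chip and PIN, then laptop payment, then iPad purchase."""
    p = Profile("ZA", {"laptop-1"}, {"utility"})
    events = [Event("pos", "GB", 500.0, strong_auth=True),
              Event("online", "GB", 200.0, "laptop-1", "utility"),
              Event("online", "GB", 150.0, "ipad-7")]
    return [decide(e, p) for e in events[0 if with_hotel_pos else 1:]]
```
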

For more information contact CA Southern Africa, +27 (0)11 417 8645,

