Balancing security and convenience to beat fraud

Access & Identity Management Handbook 2013 Access Control & Identity Management

How can financial services organisations enable valid users to complete transactions easily, and still stop fraudsters from criminal activity? That question has been taxing the minds of the brightest security specialists for the last 30 years, and with identity theft, data breaches and fraud at an all-time high, the question has never been more relevant to financial institutions.

It has never been more difficult to answer either. Consumers interact with their banks anywhere in the world through many different and fragmented channels, ranging from the bank website, an ATM machine, and an in-store chip and PIN transaction, to online shopping, the phone, or – just occasionally – at a bank branch. Fraudsters are waiting to strike at any opportunity to misuse user credentials at any of these touch points, whether it is through malware, phishing, card skimming, or other evolving threats.

Financial institutions typically struggle to collate the risk across the various customer touchpoints. For example, if a fraudulent individual steals a credit card and attempts to take money out of an ATM machine, afterwards tries to buy a television using a store’s POS system, and then follows that up with an attempted online money transfer, many banks would treat each of these breaches as separate events because of the different systems and personnel that service each channel. This severely undermines their ability to detect misuse.

Ugan Naidoo

Convenience trumps security

The fact is that today’s consumers want the least possible degree of friction when it comes to online transactions. Time is of the essence and only a certain degree of inconvenience will be accepted – especially for lower risk activities. People understand and tolerate proportionate responses rather than a fixed amount of security under all circumstances.

For example, when banking online, customers will tolerate the process of using their hardware/software PKI token to make a payment to a new payee but will be less tolerant when making a repeat payment to the same payee or simply checking their bank balance.

Similarly, is it not more reasonable to be asked to verify your identity when buying an expensive piece of jewellery than it would be if simply buying groceries at the supermarket? Ideally, the process for low-risk transactions should be as instant and painless as paying in cash. And for the higher risk transactions, the bank should use proportionate security that is related to the risk. Customers understand this and actually enjoy the benefits of the protection.

To keep the valid users in and the fraudsters locked out, financial institutions need to strike a balance between convenience, cost, and security – simultaneously keeping customers satisfied and their money safe. That puts them in a dilemma: on the one hand they need to enable financial transaction services with the least degree of friction; on the other hand they must verify that it is the right person before allowing any access – typically authenticating the user via a password and another credential.

Layered fraud detection and risk-based authentication

To effectively separate the ‘goodies’ from the ‘baddies’, financial institutions need a layered fraud detection strategy that combines risk-based authentication with a number of different methods of authentication to ensure that the security is proportionate to the risk of what the user is doing. This sophisticated risk analysis can include many items such as the user location, the device they are using online, the value of the transaction, or the type of goods they are purchasing. Typically, only a small number of transactions are considered risky and the ideal solution would identify these activities and then increase the security level required, in the most convenient manner possible. Such a solution would help prevent fraud in real-time on consumer online services without inconveniencing legitimate users in the vast majority of their activities.

An advanced authentication solution creates an adaptive risk analysis process to assess the fraud potential of every online login and transaction. The technology provides a variety of two-factor and risk-based authentication methods – all geared to frictionless, multichannel authentication. For example, financial institutions can examine a wide range of data collected automatically about each login or transaction. A risk score can be calculated to help determine what action to take on a given transaction. Tolerance thresholds can be set to adjust the impact on legitimate users. And there is the flexibility to determine the response to that score based on policies and risk tolerance. This approach transforms authentication and fraud prevention – while optimising convenience.

Imagine, for example, a customer is visiting London for the Olympics. At the hotel, they use their credit card with a chip and PIN machine so that their card is authorised for purchases during their stay. In their hotel room, they make an online banking payment using their laptop. During the evening, another purchase is made via an iPad. Using multichannel advanced authentication, the customer’s bank has verified the chip and PIN card transaction, acknowledged that the customer is in the UK, and monitors subsequent transactions through other channels, whilst considering this first authorised transaction at the hotel.
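The sketch below is an added illustration, not code from the article or from any vendor product. It shows how a risk score, tolerance thresholds and a shared cross-channel context can produce the behaviour in the London scenario; the signal names, weights, thresholds and country codes are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed weights and thresholds; a real deployment tunes these to its own risk tolerance.
WEIGHTS = {"new_device": 30, "new_payee": 25, "high_value": 25, "unusual_country": 40}
HIGH_VALUE = 5000              # assumed limit in the account currency
STEP_UP_AT, DENY_AT = 40, 80   # assumed tolerance thresholds

@dataclass
class Event:
    channel: str               # "pos", "atm" or "online"
    country: str
    amount: float = 0.0
    device_id: str = ""        # empty for card-present channels
    payee: str = ""
    strong_auth: bool = False  # e.g. chip and PIN already verified

@dataclass
class Profile:
    home_country: str
    known_devices: set = field(default_factory=set)
    known_payees: set = field(default_factory=set)
    verified_countries: set = field(default_factory=set)  # shared by all channels

def risk_score(event, profile):
    """Sum the weights of every risk signal present in this event."""
    trusted = {profile.home_country} | profile.verified_countries
    signals = {
        "new_device": bool(event.device_id) and event.device_id not in profile.known_devices,
        "new_payee": bool(event.payee) and event.payee not in profile.known_payees,
        "high_value": event.amount >= HIGH_VALUE,
        "unusual_country": event.country not in trusted,
    }
    return sum(WEIGHTS[name] for name, present in signals.items() if present)

def decide(event, profile):
    """Map the score to allow / step_up / deny and update the cross-channel context."""
    score = risk_score(event, profile)
    if score >= DENY_AT:
        return "deny"
    if event.strong_auth:
        # The stronger credential was already presented; remember where, for every channel.
        profile.verified_countries.add(event.country)
        return "allow"
    return "step_up" if score >= STEP_UP_AT else "allow"
```

Because the verified location is stored on the customer profile rather than per channel, the hotel chip and PIN transaction lowers the score of the later laptop and tablet transactions, which is the correlation that channel-by-channel systems miss.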

For more information contact CA Southern Africa, +27 (0)11 417 8645, joanne.cawrse@caafrica.co.za, www.caafrica.co.za




