HOW NEW APPROACHES TO USER VERIFICATION CAN HELP BANKS TACKLE THE ISSUE OF FRIENDLY ACCOUNT TAKEOVER

By Richard da Silva, VP EMEA at Revelock

Banks and other financial institutions are battling hard behind the scenes every day to ensure online fraud attacks are detected and prevented efficiently and effectively. This has become an endless game of cat-and-mouse, with fraud analysts struggling to keep up with what is now a massively lucrative industry populated by increasingly sophisticated bad actors. Meanwhile, financial organisations often err on the side of convenience over security, so as not to add friction to customer journeys.

The complex issue of accurately detecting and responding to one type of ‘account takeover’ in particular – namely friendly account takeover – encapsulates the difficulties of balancing a comprehensive fraud defence with a seamless customer experience.

What is friendly account takeover?

Friendly account takeover refers to a circumstance in which a friend or family member helps the account holder with their online banking. It’s important to note that this is different from the commonly used term ‘friendly fraud’: although technically the person carrying out a friendly account takeover is not the legitimate customer, their actions in taking over the account involve no malice. This can be tricky for financial institutions to navigate, because in their perpetual search for ways to offer a frictionless user experience, banks don’t want to impose unnecessary restrictions on friends or family members who have no intention of stealing money and committing fraud.

Instances of this type of harmless account takeover spiked during the pandemic as online banking use increased, especially among users with little previous experience of digital services. Unfortunately, this influx of new online users is one of the very trends that enticed fraudsters to step up their criminal activity during the crisis: in the first half of 2020, complaints of fraud in relation to digital transactions increased by 59%. With friendly account takeover rising among legitimate users and their friends and family at the same time as malicious attacks increased, banks were caught between a rock and a hard place, trying to distinguish between the two in order to mitigate fraud while maintaining a frictionless experience for legitimate customers.

The issue with traditional fraud prevention solutions

Implementing an online fraud solution is the most accurate way to determine whether a user is who they say they are and whether they are being manipulated or impersonated during their online session. However, this typically won’t solve the problem here. Financial institutions will be able to establish that the user is not the person whose name is on the account, but not whether the impersonator is a bad actor or a helpful family member. One way to address this might be to trigger stepped-up authentication for any user who is not who they say they are. Not only does this add friction for users who are not attempting to commit fraud, it also risks letting perpetrators of phishing, remote access trojan (RAT) and other types of attack, as well as of friendly fraud, slip through the net, leading to fraud losses.

What’s more, traditional fraud prevention methods involving behavioural biometrics most often rely on a profiling technique that compares individual user behaviour to that of groups of bad actors, an approach that inevitably leads to false positives. The additional alerts generated by friendly account takeovers and false positives are also bad news for fraud teams, since they leave less time to focus on genuine threats and on other high-value tasks such as identifying mule accounts and tracking down ‘mule-herders’.

A new approach to tackling friendly account takeover

Fortunately, a new approach to behavioural biometrics-based fraud prevention can help remediate this tricky issue. Part of this approach involves profiling users in a slightly different but crucial way. Instead of comparing them to bad actors, behavioural biometric analysis can be used to continuously analyse every user’s unique behaviour, such as the speed and pressure with which they type on their device. The data from this analysis can then be used to create a unique digital ID for each online customer, called “BionicID”. This allows fraud analysts to compare every individual user’s current behaviour to their own past behaviour rather than to clusters of ‘bad’ users, and to flag any anomalous behaviour as potential fraud. The same analysis can also be used to attach a ‘risk’ assessment to each alert, which helps fraud teams quickly decide on the most appropriate response.

In short, whilst the traditional profiling method asks users “Are you a bad actor?”, this new approach instead asks “Are you really you?”. Employing this more granular method of profiling means that an automated detection and response process can then effectively filter out circumstances of friendly account takeover. Using ‘active defence’ technology, institutions can configure automated alerts and responses to threats based on their risk level, as provided by the continuous behavioural biometric analysis of each user. To tackle friendly account takeover effectively, fraud analysts can configure this automated system to treat anomalous behaviour detected when friends or family are helping account owners as low risk, and set an automated response for it accordingly.

Additionally, a solution involving artificial intelligence and deep learning capabilities will recognise the usual operations of the account to an extremely high degree of accuracy; if someone is helping their grandfather access his online banking services regularly, the bank will remember this as benign behaviour and will not trigger any stepped-up authentication.
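As an added illustration of the per-user profiling and risk-based response described above (example code written for this page, not Revelock’s BionicID implementation): each session’s behavioural features are compared with that user’s own history, a previously confirmed helper is recognised as a low-risk secondary profile rather than as an attacker, and the response policy is a configuration the fraud team sets. The feature names, thresholds and session values are all constructed.

```python
from statistics import mean, pstdev

# Per-session behavioural features (constructed names): mean inter-key interval
# in ms, mean key-press pressure on a 0-1 scale, mean mouse speed in px/s.
FEATURES = ("key_interval_ms", "pressure", "mouse_speed")

def build_profile(sessions):
    """Per-user baseline: mean and std-dev of each feature over past sessions."""
    return {f: (mean(s[f] for s in sessions), pstdev(s[f] for s in sessions) or 1.0)
            for f in FEATURES}

def deviation(profile, session):
    """Mean absolute z-score of a session against one person's own profile."""
    return mean(abs(session[f] - mu) / sd for f, (mu, sd) in profile.items())

def assess(owner_profile, helper_profiles, session, threshold=2.0):
    """Answer 'is this really you?' against the owner's history, then against any
    previously confirmed helper; nothing is compared to 'bad actor' clusters."""
    if deviation(owner_profile, session) < threshold:
        return "owner", "low"
    for name, profile in helper_profiles.items():
        if deviation(profile, session) < threshold:
            return name, "low"      # known benign helper: treat as low risk
    return "unknown", "high"        # anomalous and unrecognised behaviour

# Response policy as the fraud team would configure it (assumed values).
POLICY = {"low": "allow", "high": "alert_and_step_up"}

def respond(risk):
    return POLICY[risk]

# Constructed history: the owner types slowly and firmly; the grandchild who
# regularly helps him types fast and lightly.
OWNER = [{"key_interval_ms": 310, "pressure": 0.70, "mouse_speed": 420},
         {"key_interval_ms": 295, "pressure": 0.72, "mouse_speed": 400},
         {"key_interval_ms": 320, "pressure": 0.68, "mouse_speed": 440}]
GRANDCHILD = [{"key_interval_ms": 120, "pressure": 0.35, "mouse_speed": 900},
              {"key_interval_ms": 115, "pressure": 0.33, "mouse_speed": 950},
              {"key_interval_ms": 125, "pressure": 0.37, "mouse_speed": 880}]

if __name__ == "__main__":
    owner_p = build_profile(OWNER)
    helpers = {"grandchild": build_profile(GRANDCHILD)}
    for s in ({"key_interval_ms": 305, "pressure": 0.71, "mouse_speed": 410},   # owner
              {"key_interval_ms": 118, "pressure": 0.34, "mouse_speed": 920},   # grandchild
              {"key_interval_ms": 60, "pressure": 0.90, "mouse_speed": 1500}):  # stranger
        who, risk = assess(owner_p, helpers, s)
        print(who, risk, respond(risk))
```

Only the third session, which matches neither the owner nor the known helper, reaches the high-risk response; the grandchild’s regular help is classified as low risk without any stepped-up authentication.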

Using this combined approach of an automated process based on behavioural biometrics and assessed risk ensures that financial institutions need not take any unnecessary action while still protecting customers. At the same time, it does not allow actual fraud to slip through the net, as all activity is still detected, alerted, and responded to depending on fraud analysts’ configurations.