The market share of the main players in the banking sector is shrinking (with the U.K., as an example, market share has slipped from 92 per cent to 70 per cent in a decade). This change is due to challenger banks built on modern technology, which are continuing to grow in popularity; and customer expectations are rising. As such, banks and financial institutions are under growing pressure to provide entirely digital and convenience-based services, while also remaining compliant and keeping customers and their money secure.
However, this shift to digital is taking place in a climate where billions are lost to fraud and scams. As a solution, identity verification is crucial to addressing these issues, as it allows banks to securely offer fully digital processes at all stages of the customer journey, not just account opening.
Digital Journal spoke with Tim Bedard, Director, Security Product Marketing, OneSpan to learn more about identity verification and how it can be used to solve key challenges faced by financial institutions and banks.
Digital Journal: How big an issue is identity fraud in banking?
Tim Bedard: Identity fraud is a major issue that’s costing the UK banking industry an estimated £1.2 billion, with a new incident of financial fraud being reported every 15 seconds in 2018.
Although banks and financial institutions are investing in dedicated staff time to combat fraud and other financial crimes, as well as IT to aid fraud detection and prevention, there’s a constant pressure to stay ahead of the criminals. Today’s fraudsters are organised, sophisticated and can quickly pivot to take advantage of new platforms, operating systems and device weaknesses.
Combined with massive data breaches and social engineering, bad actors are more aggressive and quicker to change tactics compared to traditional fraud prevention solutions. As a result, the number of attacks is exponentially growing and outpacing fraud management solution to spend, presenting a challenging set of circumstances for banks and financial institutions.
DJ: By what methods does identity fraud take place?
Bedard: Data breaches are a major contributor to identity fraud, as personally identifiable information (PII) is exposed across the web. In the aftermath of the 2018 Ticketmaster breach, customers were warned they could be at risk of identity theft, and hotel chain Marriott offered free identity theft monitoring services to victims of its breach that involved 5.3 million unencrypted passport numbers.
Breaches also make it remarkably easy for fraudsters to use and cross-reference stolen information to commit account takeover fraud (ATO) and new account fraud (NAF). For example, cases of card ID theft, made up of card application fraud and card account takeover fraud, increased by a massive 119% in 2018.
With the explosion of mobile banking, the mobile channel has become a prime target for hackers. Indeed, incidences of mobile banking fraud increased 20 per cent from 2017 to 2018. As the popularity of mobile banking grows, threats will only get more dangerous, with overlay attacks, SMS phishing scams, and SIM swap fraud all growing in popularity.
DJ: Are there regions in the world that are a bigger source of identity scammers?
Bedard: Identity fraud is a worldwide problem because of the accelerated adoption of digital banking and payments. The faster the payments, the faster the fraud. Combined with the worldwide reach of the internet, cyber criminals can “reach out” and commit fraud half way around the world without leaving their house or apartment. Because of this, the biggest source of identity scammers is not defined by geo or region. It is only defined by the skill set and tools of the fraudster. Frauders are everywhere and will continue to inflict account takeover, new account and application fraud around the world.
DJ: To what extent is this a result of technological weaknesses?
Bedard: In a 2019 ISMG report titled “Future of Adaptive Authentication in Financial Services”, 96% of respondents stated they still rely on usernames and passwords. While they may supplement them by sending an SMS text, those can be intercepted. Of course, username and password are phenomenally insecure, but legacy systems were built on that. So, until we lessen our dependency on username and password, then breaches will continue to fuel fraud. Combined with poor password hygiene by humans, fraud will continue to rise. No password is safe; every password is vulnerable.
DJ: What strategies need to be undertaken to reduce identity fraud?
Bedard: Banks need to move beyond legacy approaches to identity verification to combat identity fraud.
Data breaches show no signs of stopping any time soon, and the consequences – namely, identity theft exposure – should force them to take a critical look at legacy verification processes and solutions. Banks and financial institutions have long relied on manual methods of identity verification. In the notorious Equifax breach, fraudsters exposed the social security numbers, birth dates, and addresses of more than 140 million people.
And whilst third-party breaches like this are outside of a bank’s control, they do mean that they can no longer rely on static knowledge-based authentication (KBA) for identity verification.
In moving beyond these manual methods, banks need to take a modern risk-based/context-aware approach to identity verification. And have the ability to analyse data from various channels and sources – in real time- to identify and prevent fraud.
DJ: How can technology help?
Bedard: It’s increasingly difficult to identify fraud across multiple digital channels, and rule-based systems simply can no longer keep up with the speed and scale of today’s fraud.
By combining traditional identity verification methods with advanced risk analytics, powered by AI and machine learning technologies, organisations can achieve context-aware identity verification. This will allow banks and financial institutions to make security decisions in real-time based on the total risk associated with a new customer. This technique leverages a variety of checks to enable organisations to review and analyse multiple pieces of information from different sources and across multiple digital channels to better manage their risk of fraud.
DJ: What is the OneSpan solution?
Bedard: Secure Agreement Automation is an end-to-end cloud solution which delivers a completely digital account opening process, whilst reducing application fraud.
A core module of Agreement Automation is our identity Verification Hub (V-Hub). This offers multiple identity checks for banks and financial institutions, including ID documentation, credit checks, multifactor authentication, biometrics – such as the use of “selfies” to establish that it is the same individual whose portrait appears on an ID document – and device geolocation.
This enables organisations to review and analyse multiple pieces of information from different sources and across multiple digital channels – whether that’s web, mobile, branch or call centre – to maximise pass rates, minimise risk and mitigate the exposure to fraud.
Our digital identity and anti-fraud solutions are delivered on an open, cloud-based platform that integrates with third-party and in-house systems, allowing financial institutions to leverage their current technology investments while advancing their digital transformation with next generation technologies.
