Biometric Authentication News BAN-050 Release Date : 2018-03-02
Satish: You’re listening to Biometric Authentication News. This is your host Satish, and today on our show we have Keir. He’s a senior business consultant at Experian. Today he’s here to talk about business trends in fraud. Welcome to the show, Keir. How are you?
Keir: Thank you very much for having me. I’m well. Appreciate the time.
Satish: As we get into the interview. The topic for the interview is business trends in fraud, and the first question is Experian is a known name in consumer credit reporting, and it also provides identity and theft protection. What are some of the trends you see in fraud today?
Keir: Well, there are many, but some that I really want to point out in highlighted in our recent global fraud and identity report recently. The least is that fraud has continued to be a growing concern. Specifically about 72 percent of businesses cite fraud as a growing concern over the past 12 months. Nearly the same amount or 63 percent of them have experienced the same or more fraud losses in the past 12 months as well.
Keir: So we know that combined with various analyst reports and loss reports around fraud that it is a growing problem. We also know that businesses in general are looking for better ways to recognize their customers at the identity level to counter the increase in fraud risk and fraud losses.
Keir: Now why are fraud losses increasing? I think there’s a few important reasons to bring up. Number one, the proliferation of identity data being made available for illegitimate or nefarious use. We’re all well aware of the billions of identity records breached year over year, personal information, account information, log-in and password data, and there’s also a dark web marketplace for the monetization and exchange of that information.
Keir: So those criminally minded individuals, that want to consume this information or sell this information have a place to do so. Counter that with historically fraud being pointed at specific financial instruments or point in time schemes, whether it’s check counterfeiting or card counterfeiting, specific account abuse, or fraud tactics. That has shifted away from those specific attacks and more focused on the identity level schemes.
Keir: They are more fruitful. They’re more profitable to fraudsters, and because of the data and the ability to exchange that data available to fraudsters, it’s much, unfortunately much more easy to perpetrate that kind of more holistic fraud. The problem then is you’re not a business who may be victim of these types of fraud schemes or consumers themselves. You’re no longer talking about a single credit card transaction, that may not be legitimate.
Keir: You’re now talking about multiple accounts across multiple institutions, and identity fraud that can manifest itself and mature over months if not years. I really think that’s all contributing to the higher losses and obviously then a concern that is parallel with that.
Satish: Sure. You bring up a very good point. This whole identity is crucial and fit various factors, and that vectors then becomes a lot more complex in handling it. Yeah. Exactly, that brings me to my next question. With so many channels of communication, how do you see fraud landscape changing?
Keir: Well, certainly there’s double-digit growths in mobile and online activities. Or transactions, whether it’s applying for services, whether it’s accessing your accounts, but also there’s an increased depths in the capabilities being offered to us as consumers, through mobile devices, and online channels or non-face-to-face channel.
Keir: It used to be, hey, maybe I can view some portions of my account and I have very maybe little power to take meaningful action on those accounts as an account holder. Now you can do pretty much anything you can face-to-face through mobile or online transactions. So the risk is therefore, greater as well. Monetary transactions, account changes, things like that.
Keir: Combine that with the fact that there’s still a heavy reliance on passwords and security questions, and one-time passcodes, being used as the pop-up indication message. But those are less and less secure over time, and certainly as compared to previously. I mentioned earlier why is that? Well, because a lot of that data, whether it’s passwords or user credentials. Those are also compromised.
Keir: Through data breaches they’re compromised. Through phishing schemes in various other more technically savvy attacks on us as a consumer population. So while we love the convenience of mobile and online transactions, they are now becoming more high-risk if relied upon from a security perspective, using only passwords, and usernames, and passwords, and sort of those secret questions that we’ve all had to create when we open up an account.
Keir: Lastly, what’s also happening is consumers expect more frictionless engagement with their service providers. So the more online accounts or mobile accounts that I have to manage as a consumer, the more usernames and passwords I have to manage, and the more often I’m either going to forget them and has to go through reset mechanisms, or I’m going to use the same one over and over again. If I’m breached once, well that credential is compromised once. Now I’ve opened up all of my accounts to fraudulent attacks.
Satish: Yeah. Very true, very true. You’ve seen enough customer CEO, enough customers, give us an overview of what the customer wants today, what you’re seeing in the industry and what are they reaching out to you for? Give us a brief overview.
Keir: Well, generally speaking, customers want to be … They want to be recognized, but the balance here. The interesting part of this and for me the most interesting part of the report that we’ve published is that there’s a balance. It can seem contradictory, but I think we’re all in the same place. That the majority of consumers 66 percent we cite in the paper, like security protocols, and they tend to want to do business with service providers that give them a sense of security.
Keir: So they want to understand that there are security protocols in place. Now that said, the lack of trust in security is a number one reason consumer abandon online or mobile transaction or application. So there continues to be this idea that, “Hey, I want to feel like if I’m transacting non-face-to-face, that there is some mechanism and some trust on my behalf and a virtual handshake with that service provider that they have my trust in safety in mind, that they have protocols in place, and they are best in class at protecting my data, and protecting my financial future and my financial instruments, etc.”
Keir: Counter that however, with the fact that Millennials, and we pick on Millennials a lot, but they are a critical population and as time goes on, they will be more and more a critical population. We cite the example that 42 percent of them say they would conduct more online transactions, if there weren’t so many security hurdles. Now there’s the contradiction. Right?
Satish: Mm-hmm (affirmative).
Keir: Or there’s the balance.
Keir: Right. If you look at that population, they want to understand that there’s security in place, but they don’t want to have them be full of friction. They want them to be more passive. They want to be recognized, but they also want to understand that they are being recognized if that makes sense.
Keir: So that’s where the sweet spot is for financial institutions, public sector agencies, e-commerce merchants, etc. is if you can make sure your consumers, your customers understand that they’re being protected without putting them through high friction processes. That’s how you’re going to win competitively.
Satish: Sure. Makes sense and I think as you just said Millennials do a lot more online transactions than the other age groups, but also friction is something which is very important and which works again … Security and usability are both at a lot of our heads and the best solution is something which handles both of it. So let’s-
Keir: Yeah, no, I think it’s … Again, not being so passive that the consumer doesn’t understand that there are those security protocols.
Keir: Right. But being passive enough where they’re not having to provide additional data and answer a bunch of questions and go through additional kind of that pop-up indication methodology that some of us on the older side of the generational spectrum are used to doing. That used to be fine 10 years ago, but now there’s an understanding with the younger populations.
Keir: I shouldn’t have to do that. You should recognize my device. You should recognize my voice. You should recognize me by my keystrokes. You should recognize me because I’ve logged in from the same iPhone of smartphone. Right?
Keir: That’s the expectation and that’s going to continue to rise as these younger generations become the vast majority.
Satish: Yeah, and that kind of brings up an interesting topic, which maybe a discussion for some other time, but it’s about implicit authentication versus explicit authentication. But that’s a good interesting topic, but let’s get into some details around account opening fraud. That’s a little bit something which you … I’m assuming your organization’s guest just see a lot and I wanted to get a little bit of detail around that.
Keir: Absolutely, so account opening fraud and account opening best practices are something that I certainly work on with our clients. Specifically it is the initial handshake with a customer. It’s not the only opportunity, but it’s the best opportunity to establish trust and a level of confidence and a level of recognition early on in that kind of customer relationship, that can be carried forward throughout the customer life cycles.
Keir: You get it right at account opening. If you establish an understanding of that identity and recognition tactics that can be employed throughout the life cycle. Again, less friction, happier customers, more competitive advantages we’ve talked about.
Keir: Now what’s happening in account opening specifically as we cite in the report, one of the main reasons as I mentioned earlier for abandoned transaction was the asking of too much information to set up an account. But we see a pull back on asking for personally identifiable information. So in the past, we may have been very comfortable providing a name, address, social security number, date of birth, phone number, email address, driver’s license number, a photo copy of a passport. All of that information.
Keir: Today that would give us pause for a couple of reasons. One, we’re a little bit more skeptical population. We understand and we’re a little bit more educated. We understand that that data, the more that data is released by us into the ecosystem, the more risk there is for that data to be compromised, breached, and used for fraudulent purposes down the line. Secondly, we also understand technology a little bit better than we may have in years passed. So we understand that we should be again, recognize as we talked about earlier. Based on less information.
Keir: So we work very intently with our clients to find the right balance. Asking for the information that is useful in predicting risk, and is useful in recognizing that customer at account opening and throughout the life cycle. I’ll say it again, the fact that half the businesses still rely on passwords as the top form of authentication when they’re setting up accounts. So when you …
Keir: I think we’re all there as we transact online or through mobile devices. We are still usually asked, “Hey, you need to set up a username and password.” Well, we already talked about why that may not be the best password. The more I have, the more I’m going to forget. The more I have, the more I may use singular usernames and passwords across different accounts. I get that compromised, and now I’m in real trouble as are my service providers.
Keir: So the fact that half the businesses are really still relying on that rather archaic methodology is very concerning. There are other methodologies we work with with our clients on around device recognition, biometrics, more advanced analytics, and the ability to open an account, with very high confidence and again, not even a lot of friction at account opening, and then you also have to have that safety net. You have to have the ability to open an account, but also have a safety net of identity monitoring.
Keir: In a constant understanding of that identity risk as it evolves over time. So the identity risk you may view or the level of confidence you may have when you open an account or a customer. I’m speaking on behalf of a client at this point, may not hold true for the next two or three years. Things happen. Data is breached. Identity start to take on different levels of risk, and different levels of clarity.
Keir: So you may suddenly be more confident in identity six months down the line, or you maybe be less confident. The ability to dial in your identity treatment strategies over time. How you authenticate this person, the next time they come in to your application. That is really important. So account opening is not just a one-time deal. It’s how you establish that trust and then tune your treatment strategy of your customers along the way.
Satish: Yeah? That makes very much sense and that’s a good level of detail which I was looking for. Also, can you please share your findings around that transaction fraud.
Keir: Absolutely. I think the main takeaway I glean from our recent report is that businesses are still airing on the side of suspicion versus permission and trust. The majority of businesses still claim rightfully so that they’re denying more transactions than they should, due to that suspicion. We’ll call that false positives, right?
Keir: This looks suspicious but it’s not. Traditionally, and I’m … I’ll just use example, statistics. It makes you … In the past, there may be acceptance that if I isolate 20 transactions that look high risk, as long as one or two of those is actually fraud, I’m okay. I understand that. I found two and 18 of them were good, but I had to sort of cut them loose to prevent the fraud.
Keir: Well, we’ve already talked about why that’s a bad idea from a friction perspective. Because one good customers are going to find another alternative. Number two, the dollar value of these lost transaction is rising as well. So really the main issue still is the reliance on strategies to detect fraud that have a high false positive. One in 20, one in 30 sometimes. So there are opportunities to improve that, clearly. Through better recognition techniques.
Keir: So I may have an ability to detect fraud at that level. But if I can reconcile some of those false positive, some of those high risk “transactions” that initially give me pause. But if I can reconcile them, and put them back into the good bucket, by better recognition techniques. Now I’ve narrowed that haystack and the fraud needles in that haystack are more apparent, and I’m not dismissing as many good transactions, right?
Keir: Then last down the transactional that leads in to the point of there really is no silver bullet. I know it’s a bit of a cliché term, but it is absolutely true. You cannot employ a single fraud model, or a single technology to open an account or monitor transaction. It has to be a continuous tuning process that looks at emerging technologies, that brings together more traditional capabilities, and those emerging technologies, marries them at the right process point across the lifecycle, and continues to monitor their effectiveness.
Keir: There are hundred of emerging capabilities in the marketplace, which is fantastic. It’s a great time to be in fraud and identity. There’s no shortage of innovative capabilities in the marketplace. Many of them are experienced. Many of them are our partners. We’ve worked to bring all of that together on behalf of our clients. Because again, we have to be able to future proof for our clients. Their account opening, and account management, and customer management activities for the long term.
Keir: That requires again, ongoing monitoring, tuning, adjustment, test and learn. Really in real-time. So that’s really where we are on the transaction side of the business.
Satish: Sure. As we wrap up the show, can you please share a few emerging trends, which you have noticed in your analysis, and if you could share them with us, that would be wonderful.
Keir: Oh, absolutely. As we told and surveyed the businesses in the report, three-quarters of them are very interested in more advanced measures and authentication. We talked about frictionless customer experience. I will say as I talked specifically to clients one-on-one. Customer experience is the number one or number two business driver. We talked about the fraud concerns.
Keir: We talked about the growing fraud rates, but I will still tell you that when you sit across the table from one of our clients, their main concern is competitive advantage and making sure that their customers go through a very positive experience when they open accounts, and when they log into their account, and when they interact, particularly in a non-face-to-face manner, with their service providers. So that is accomplished through emerging technologies we’ve talked to.
Keir: So another emerging trend is an appetite that I would suggest is more robust than it ever has been for some of these I’ll call alternative capabilities in the marketplace, whether it’s device intelligence, whether it’s behavioral biometrics, for example. These in the past, maybe five, 10 years ago were considered very much alternative. But they’re becoming much more mainstream, because they are again, more passive frictionless or friction-free mechanisms or capabilities to recognize customers.
Keir: So there is a desire and appetite to bring all those basic capabilities into the fold, whether you’re opening accounts or managing accounts and cost for us. The last thing I will say is that to do that, again, requires consultative partnership with service providers. Experian does that by design, and so, we know that there is an again, one single technology that’s going to solve all these problems, and it’s bringing them together in a single platform. In a single integrated approach across our clients’ customer life cycle.
Keir: That is the win for them competitively, and the win for us as we partner with them to help them solve the identity problems, going forward. In the report, it was clear there’s a couple of quotes in there that I found very interesting, but one executive at one of the institutions said very specifically that our main problem is that we’re trying to tie together two or three district systems, and you see that so much. It’s still a very siloed organizational structure and operational structure at many institutions.
Keir: That is causing problems. That is causing more of a linear progression of identity management more personal than a holistic addressing of the problem.
Keir: It is also creating a lot of operational inefficiencies and really poor customer service. You log into your bank account. You have a problem. You’re kicked over to a call center agent. The call center agent asked you for the same information. You just answered. That is not a great customer experience. Right?
Satish: Very true.
Keir: There’s ways to improve that. That’s just a simple example, that one drives me crazy and I think that’s an example of a siloed process. A siloed recognition method, a siloed authentication method across two channels, online and call center. That has to change. Because if I get annoyed enough at that too many more times, I’m going to find an alternate bank, and there’s many available. So I just want to leave you to that anecdote. That’s absolutely real.
Satish: Yeah. Thanks a lot for being on the show, Keir. I appreciate all your time. We will talk soon. I appreciate a lot. Thanks for your time.
Keir: Yeah, I appreciate your time. Good speaking to you. Hope to do so again. Take care.
Satish: Thank you, bye.