“The world is full of obvious things which nobody by any chance ever observes.”
Sherlock Holmes, in Arthur Conan Doyle’s The Hound of the Baskervilles
Over twenty-five years ago, in 1993, Don Peppers and Martha Rogers published their landmark book, “The One to One Future.” In it, they foresaw a world in which interaction with customers through mass channels would be replaced by direct relationships through digital channels. That evolution has now largely run its course, opening great new opportunities for product and service customization through direct marketing. Many industries that once built customer relationships face to face now know their customers only as a username and password. The same reliance on digital channels has opened equally great opportunities for fraud and account takeover, especially in financial services.
Recent news reports give a sense of the scale:
- Mobile-originated account takeover attempts at US banks rose 200 per cent between the first and second quarters of 2018.
- Fraud in mobile person-to-person payments is growing at a compound annual rate of 23 per cent.
- In 2017, 6.6 million Americans were victims of identity theft, with $16.8 billion in total losses.
Many factors contribute to this increase in fraud, but three combine to undermine the security of digital interactions:
- Data breaches have given fraudsters access to customer information.
- Authentication that relies on information alone (something the customer knows) can be defeated by anyone who has obtained that information.
- Customers interact with their banks through a constantly changing array of devices.
In 2017 and 2018, over 200 million people had personal account data stolen through only two data breaches. In 2018, the Marriott hotel chain exposed the data of 500 million of its rewards customers. Phishing schemes routinely invite individuals to “verify” their personal information in order to reactivate accounts that are purportedly suspended, and far too many surrender their credentials. A responsible institution must now consider every client interaction verified by only a username and password as potentially fraudulent.
Banks and other institutions have responded with increasingly sophisticated analytics to identify fraud attacks. These include cryptographic binding of the bank’s application to a device, so that a returning customer’s app instance can be recognized, and profiling of each customer’s behaviour, so that a transaction or request that falls outside the usual pattern can be flagged as suspicious. When a transaction looks dubious, further layers of authentication are added: knowledge-based questions, SMS verification codes or a personal interaction through a call centre. Unfortunately, in our increasingly digital age the personal information behind knowledge-based questions is readily available through social media, and call centres have proven notoriously vulnerable to social engineering, leaking the very information that was supposed to keep fraudsters out. Even SMS verification codes can be defeated by more tech-savvy fraudsters who manage to take over the victim’s mobile number.
Finally, the devices customers use to interact with banks are in constant transition. With interactions shifting increasingly to mobile devices, each session arrives from an IP address that is effectively anonymous and changes from one connection to the next, so it offers no stable point of reference. About one half of a bank’s customers will get a new mobile device each year. The mobile number of the connecting device is not visible to the bank, which is left to rely on whatever device fingerprinting the mobile operating system exposes to applications. With growing concern over personal privacy, the amount of device information available for identification is shrinking. Of greater concern, whatever device information is available to the bank for verification is equally available to a fraudster, who can use it to spoof the device when planning an attack.
This picture may appear bleak, leaving little alternative to an arms race with fraudsters, continually deploying increasingly sophisticated analytics and intelligence. There is, however, a resource available to banks that is gaining significance globally but is as yet little used in Canada.
Mobile network operators maintain reliable, secure contact with every device connected to their networks. They know the mobile number and the account responsible for each device. For personal, postpaid accounts (the majority of mobiles in Canada) they also know the account owner, who has signed a contract, presented two pieces of ID and had their credit checked. With the customer’s consent, this information can be made available to help verify any digital interaction over a mobile device.
Suppose a fraudster tries to log into a bank account with stolen or phished credentials. First, the bank checks whether the device being used carries the mobile number on file for that account. If the number is unknown to the bank, the bank asks the mobile network whether that number is registered to the same person who owns the account. If it is not, the bank sends an authorization request to the mobile device that is on file for the account, asking the account owner whether the unknown device should be granted access.
Walking through each case, the legitimate account holder is granted access, in most cases with little delay, while the fraudster is shut out. This holds even when the account holder gets a new mobile phone, or even a new mobile number.
For additional security, the bank can check whether the mobile number itself has been compromised through a “SIM swap”: the transfer of a victim’s mobile number to a SIM card controlled by a criminal, typically as a prelude to a fraudulent financial transaction. The bank can ask the operator whether the SIM associated with the number was changed recently and, if so, treat codes and authorization requests sent to that number as untrustworthy until another factor confirms the customer. A recent SIM change is also what a customer’s legitimate new phone looks like to the network, so the check should trigger additional verification rather than a flat denial.
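The decision flow described above (number on file, operator ownership check, out-of-band authorization to the known device, SIM-swap check) is small enough to write out. The following is an added example, not code from the article or from any bank or operator: the carrier directory is an in-memory stand-in for an operator identity API, the subscriber records and the seven-day SIM-swap window are constructed assumptions, and the identity-match rule (comparing an owner identifier the operator verified with one the bank verified) is whatever the two parties would agree on in practice. It also covers the laptop case from the next section, where no mobile number accompanies the session, and it applies the SIM-swap check to the number on file before relying on it for out-of-band authorization, since an attacker who has swapped that SIM would otherwise receive the authorization link.

```python
"""Step-up authentication using mobile-operator attributes (illustrative, constructed)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional

SIM_SWAP_WINDOW_DAYS = 7  # assumption: a SIM change within the last week is "recent"


class Decision(Enum):
    ALLOW = "allow"                        # connecting number is the one on file
    ALLOW_NEW_NUMBER = "allow_new_number"  # unknown to the bank, but carrier says same owner
    OUT_OF_BAND = "out_of_band"            # send an authorization request to the number on file
    STEP_UP = "step_up"                    # a handset we would rely on looks hijacked; use another factor


@dataclass(frozen=True)
class Subscriber:
    msisdn: str
    owner_id: str               # identity the operator verified at contract time
    days_since_sim_change: int  # what a SIM-swap lookup would return


@dataclass(frozen=True)
class BankCustomer:
    customer_id: str
    verified_identity: str  # identity the bank verified at onboarding
    mobile_on_file: str


class CarrierDirectory:
    """Stand-in for a mobile network operator identity service (hypothetical)."""

    def __init__(self, subscribers: Iterable[Subscriber]) -> None:
        self._by_msisdn: Dict[str, Subscriber] = {s.msisdn: s for s in subscribers}

    def lookup(self, msisdn: str) -> Optional[Subscriber]:
        return self._by_msisdn.get(msisdn)


def sim_recently_swapped(sub: Subscriber) -> bool:
    return sub.days_since_sim_change < SIM_SWAP_WINDOW_DAYS


def _out_of_band_or_step_up(customer: BankCustomer, carrier: CarrierDirectory) -> Decision:
    """Only push an authorization request to the number on file if that SIM is not freshly swapped."""
    on_file = carrier.lookup(customer.mobile_on_file)
    if on_file is None or sim_recently_swapped(on_file):
        return Decision.STEP_UP
    return Decision.OUT_OF_BAND


def decide(customer: BankCustomer, connecting_msisdn: Optional[str], carrier: CarrierDirectory) -> Decision:
    """connecting_msisdn is the number the operator asserts for this session, or None for a laptop."""
    if connecting_msisdn is not None:
        sub = carrier.lookup(connecting_msisdn)
        if sub is not None:
            is_number_on_file = connecting_msisdn == customer.mobile_on_file
            same_owner = sub.owner_id == customer.verified_identity
            if is_number_on_file or same_owner:
                # We are about to trust this handset, so check its SIM history first.
                if sim_recently_swapped(sub):
                    return Decision.STEP_UP
                return Decision.ALLOW if is_number_on_file else Decision.ALLOW_NEW_NUMBER
    # Unknown device (or no mobile identity at all): ask the owner's known device.
    return _out_of_band_or_step_up(customer, carrier)


def run_scenarios() -> Dict[str, Decision]:
    """Constructed sample data exercising each branch."""
    carrier = CarrierDirectory([
        Subscriber("+16135550100", "ID-ALICE", 400),   # Alice's phone on file, stable SIM
        Subscriber("+16135550199", "ID-ALICE", 30),    # Alice's new number, SIM a month old
        Subscriber("+14165550124", "ID-MALLORY", 500), # fraudster's own phone
        Subscriber("+15145550150", "ID-BOB", 1),       # Bob's number on file, SIM swapped yesterday
    ])
    alice = BankCustomer("C1", "ID-ALICE", "+16135550100")
    bob = BankCustomer("C2", "ID-BOB", "+15145550150")
    return {
        "alice_own_phone": decide(alice, "+16135550100", carrier),
        "alice_new_number": decide(alice, "+16135550199", carrier),
        "fraudster_phone_vs_alice": decide(alice, "+14165550124", carrier),
        "number_unknown_to_carrier": decide(alice, "+19995550000", carrier),
        "alice_from_laptop": decide(alice, None, carrier),
        "bob_swapped_sim_phone": decide(bob, "+15145550150", carrier),
        "bob_from_laptop_sim_swapped": decide(bob, None, carrier),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:30s} -> {decision.value}")
```

The two Bob scenarios show why the SIM-swap check belongs on both sides of the flow: a freshly swapped SIM on the connecting handset means the handset should not be trusted, and a freshly swapped SIM on the number on file means an authorization link sent there may land with the attacker, so both fall through to a different factor.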
All of these mobile verifications can be executed in seconds or less, working silently in the background. If the client is logging in from a suspicious laptop, a mobile device known to the bank can be used, as described above, to obtain the account owner’s authorization before access is granted. All of this runs over a secure, authenticated link to the mobile device, which is resilient to the attacks that defeat passwords and knowledge-based questions.
In the one-to-one world in which we now live, we increasingly identify ourselves through online interactions. Fortunately, over 90 per cent of Canadians also carry a unique, secure credential in their smartphone, the SIM, managed and verified by the mobile network operator, which can be used to authenticate each individual. Some banks in the United States now use these techniques to verify each digital interaction with their clients; in total, over 50 million such mobile verifications are performed in the US each day. While the benefits of mobile authentication are now obvious, this level of security is only starting to be adopted in Canada. When it becomes widespread, the threats we face from identity theft will be greatly reduced.