Five questions for positive identification


Despite the importance of online banking in our post-pandemic world, confirming that a person online is who they claim to be is still complicated, especially when a bank does not want to degrade the customer experience, says Tim Burton, Vice President and Global Manager of Solution Engineering at the digital authentication company Callsign.

And there are certain moments when identifying the customer is particularly tricky: onboarding a new customer, changing a phone number or email address online, and re-enrolling (when a customer has lost their phone and needs to be reached on a new one).

Today, many banks still rely on traditional methods to authenticate customers, most often one-time passwords sent by SMS to complete a multi-factor authentication step. This not only interrupts the customer's experience; these digitized analog controls are also increasingly vulnerable to attackers, since an SMS code can be intercepted through SIM swapping or phished in real time.

All of this makes one thing clear: digital identity is broken. To determine that a person is who they say they are while keeping the customer experience seamless, companies need to positively identify their users. This is where Callsign comes in. We have built a series of questions, informed by risk and by previous interactions, to determine whether users are exactly who they say they are:

First question: is the session secure?

The first question concerns the website or application through which the customer reaches their bank. Here we check specifically whether the session may have been compromised, because there are several ways fraudsters can exploit this step to gain wider access to user accounts.

For example, in a man-in-the-middle attack the criminal inserts a fraudulent web page into the flow, and the user is unknowingly redirected to a site where their personal information can be harvested. And if the user accesses their account through an app, criminals can attach a debugger or hooking framework to the running app and replace its normal functions with their own.

These are the things Callsign looks for first when a user begins interacting with their banking services, so that if we detect them we can warn the user that the session is not secure before it can be compromised in any way.

Second question: is the user human?

Once we have confirmed that the web page or app the customer is using is secure, the second step is to make sure that the user claiming to be a person is in fact a human. No bots here, please.

Automated traffic accounts for over 64% of all internet traffic, with humans making up the remaining 36%. And while a large part of that automated traffic consists of good bots such as site crawlers, aggregators and marketing bots, 39% of internet traffic is made up of so-called "bad bots", the jokers of the pack. These are automated tools that criminals have adopted in the continuing industrialization of online fraud, allowing them to run many attacks at once.

A common example is credential stuffing: after a criminal buys stolen usernames and passwords on the dark web, they script a bot to try every pair they hold against the login page in an attempt to take over accounts.
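The pattern described above leaves a server-side trace that a fraud team can look for even before any behavioral signal is available: one source hammering the login page with many different usernames, most of which fail. The following is an added example written for this article, not Callsign code; the event format, the thresholds and the sample log lines are all constructed for illustration.

```python
"""Credential-stuffing detection over constructed login events.

Added example (not Callsign's product logic). The event tuple layout,
the window/threshold values and the sample data below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log: (timestamp, source_ip, username, outcome).
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:01", "203.0.113.7", "alice", "fail"),
    ("2024-03-01T10:00:02", "203.0.113.7", "bob", "fail"),
    ("2024-03-01T10:00:02", "203.0.113.7", "carol", "fail"),
    ("2024-03-01T10:00:03", "203.0.113.7", "dave", "fail"),
    ("2024-03-01T10:00:03", "203.0.113.7", "erin", "fail"),
    ("2024-03-01T10:00:04", "203.0.113.7", "frank", "success"),  # one stolen pair still works
    ("2024-03-01T10:00:05", "203.0.113.7", "grace", "fail"),
    ("2024-03-01T10:00:05", "203.0.113.7", "heidi", "fail"),
    # A legitimate user who mistypes their password twice, then succeeds.
    ("2024-03-01T10:01:00", "198.51.100.23", "alice", "fail"),
    ("2024-03-01T10:01:20", "198.51.100.23", "alice", "fail"),
    ("2024-03-01T10:01:40", "198.51.100.23", "alice", "success"),
]


def parse(events):
    """Turn the raw tuples into (datetime, ip, user, outcome) rows."""
    return [(datetime.fromisoformat(ts), ip, user, outcome)
            for ts, ip, user, outcome in events]


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.7):
    """Return {ip: summary} for source IPs whose behavior looks like credential stuffing.

    Heuristic: within a sliding time window, one IP attempts many *distinct*
    usernames and most attempts fail. A real user retrying their own password
    produces repeated attempts on a single username, so the distinct-user
    count stays low and they are not flagged.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(parse(events)):
        by_ip[ip].append((ts, user, outcome))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until the span fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, o in chunk if o == "fail")
            ratio = fails / len(chunk)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                # Keep the latest qualifying window; it carries the most context.
                flagged[ip] = {
                    "distinct_users": len(users),
                    "fail_ratio": round(ratio, 2),
                    # Accounts that a stolen pair opened during the burst:
                    # these need a forced password reset, not just a blocked IP.
                    "compromised": sorted(u for _, u, o in chunk if o == "success"),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(ip, summary)
```

Two caveats a practitioner would add: a real stuffing campaign rotates through proxy or residential IP pools, so a per-IP rule like this catches only the clumsy runs, which is exactly why the text moves on to behavioral signals that do not depend on the source address; and the `compromised` list matters more than the block, because the attacker already has a working password for those accounts.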

So, to determine that a person is a person and not a bad bot, we use behavioral biometrics, because the way a human interacts with a web page and enters information is very hard for a bot to emulate convincingly. We are all unique, after all.

And once we detect suspicious bot-like behavior, we can either end that session or report the risk and notify the user. Happy days!

Third question: is the user legitimate?

But wait, there is more. Once we have confirmed that the user is indeed a person, we need to make sure it is the legitimate user and not just someone trying to log in manually with stolen information. This can be done in two ways.

The first is to use an identity-verification provider that works through the customer's smart device and asks them to present some form of identification, for example by taking a photo of themselves and of their passport. The second is to use the behavioral biometric profile we have built for each user. Combined with their location data, device attributes and other contextual signals, this gives us a kind of unique digital fingerprint.

Taken together, this means that when a known user tries to log in, both the way they enter their information and where they enter it from let us determine with high confidence that they are the authorized user.

Fourth question: is the user deceived?

This is where things get really hard. Just because the person signing in to an account is authorized to do so does not mean they are not the victim of a scam.

This is what social engineering and Remote Access Trojan (RAT) attacks set out to achieve. The attack usually begins with a phone call to the user from someone claiming to be from their bank, telling them they have been the victim of a cyber attack. The caller then tries to persuade the user to move their money to "safe" new accounts (controlled by the fraudster), or to install remote-access software that lets the fraudster drive the device, using panic and urgency to push them into it.

Catching this kind of attack is complicated and requires a capability we call dynamic intervention. It helps us spot the telltale signs of a social engineering attack, the most obvious of which is a user suddenly transferring a large sum to someone they have never paid before.

Once we detect something like this, we display a dialog asking the user whether they are currently on the phone with someone claiming to be from their bank. If they say yes, we tell them that their bank will never contact them this way and urge them to abandon the transaction, and the call, immediately.
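The two paragraphs above describe one procedure: score the proposed transfer against what the customer normally does, and if it looks like a "safe account" scam, interrupt with a question rather than a silent block. The following added example sketches that flow; it is not Callsign's dynamic intervention implementation, and the transaction format, the `new_payee_factor` threshold, the prompt wording and the sample payment history are all assumptions made for illustration.

```python
"""Flagging a possible social-engineering ("safe account") scam before a transfer.

Added example, not Callsign's product code. The history layout, threshold
and prompt text are assumptions chosen for this illustration.
"""
from statistics import median

# Constructed 90-day outbound transfer history for one customer: (payee_id, amount).
HISTORY = [
    ("landlord", 950.00), ("landlord", 950.00), ("landlord", 950.00),
    ("utility-co", 120.40), ("utility-co", 118.90), ("utility-co", 131.10),
    ("sister", 50.00), ("sister", 75.00),
]

INTERVENTION_PROMPT = (
    "Are you currently on the phone with someone who says they are from your bank?\n"
    "Your bank will never ask you to move money to a 'safe account'. "
    "If you answered yes, hang up and do not complete this payment."
)


def assess_transfer(history, payee, amount, new_payee_factor=3.0):
    """Return ('allow' | 'intervene', reason) for a proposed outbound transfer.

    Heuristic from the text: a large transfer to a payee the customer has never
    paid before is the clearest sign of a 'move your money to a safe account'
    scam. 'Large' is measured against the customer's own typical transfer, not a
    fixed amount, so a small payment to a new friend is not treated the same as
    moving a balance to a stranger.
    """
    known_payees = {p for p, _ in history}
    typical = median(a for _, a in history) if history else 0.0
    if payee not in known_payees and amount >= new_payee_factor * typical:
        scale = (f"{amount / typical:.1f}x the typical transfer" if typical
                 else "the customer's first ever outbound transfer")
        return ("intervene", f"first payment to '{payee}' is {scale}")
    return ("allow", "")


def next_step(history, payee, amount, on_phone_with_bank=None):
    """Drive the dialog: ask first, then act on the customer's answer.

    on_phone_with_bank is None before the customer has answered the prompt,
    True/False afterwards.
    """
    decision, reason = assess_transfer(history, payee, amount)
    if decision == "allow":
        return {"action": "proceed", "reason": reason}
    if on_phone_with_bank is None:
        return {"action": "prompt", "prompt": INTERVENTION_PROMPT, "reason": reason}
    if on_phone_with_bank:
        return {"action": "block", "reason": reason,
                "advice": "End the call and contact the bank using the number on your card."}
    # Customer says they are not being coached; the risk is still logged for review.
    return {"action": "proceed_with_warning", "reason": reason}


if __name__ == "__main__":
    print(next_step(HISTORY, "landlord", 950.00))
    print(next_step(HISTORY, "secure-holding-acct", 4800.00))
    print(next_step(HISTORY, "secure-holding-acct", 4800.00, on_phone_with_bank=True))
```

The design point worth noting is that the prompt is the control, not a threshold: a coached victim will often have been told to answer "no" to generic warnings, so the question is phrased around the specific situation (a caller claiming to be the bank) and the advice tells them what to do instead of just what not to do.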

Fifth question: How can we manage risk and user experience?

We constantly ask ourselves how to improve the digital user experience while continuing to help users reduce their risk. So we have made our orchestration capabilities as intuitive as possible, so that different controls can be chained together easily through our graphical user interface.

All you have to do is drag and drop new nodes and label them with instructions. With virtually no coding experience, an organization can build a layered, defense-in-depth security model in a few hours, all in natural language. Fraud is simply a symptom of broken digital identity, so it is critical that we continually evolve and positively identify genuine users early on to combat it.
