As long as there is financial incentive to steal, fraudsters will do what they can to take what isn’t rightfully theirs.
But here’s the good news: Financial services have become advanced enough to stay a few steps ahead by using data to the customers’ advantage and implementing robust fraud prevention measures, Alloy CTO and co-founder Charles Hearn tells us on a recent episode of Converge.
Hearn says most identity thieves are akin to a burglar walking down the street and pulling on every door handle to see which cars are unlocked. Victims usually aren’t methodically researched and targeted. Rather, identity theft is typically a crime of opportunity when someone’s financial accounts are not protected and easily accessed through dated authentication systems. “If it’s easy and there’s a financial incentive, then that’s the worst combination,” Hearn says. “We’re just trying to cut down on that and protect people.”
Understanding knowledge-based authentication (KBA)
For years, the standard practice of identity verification has been the knowledge-based authentication (KBA) method.
KBA verifies an individual’s identity based on information that, in theory, only the user could know. It usually involves answering specific questions where the answers are assumed to be known only to the legitimate user. KBA is used for a wide variety of security processes such as online account recovery, financial transactions, and safeguarding access to sensitive information.
There are two types of knowledge-based authentication systems, static and dynamic.
Static KBA uses pre-defined questions — such as “what was your first grade teacher’s name?” or “what is your favorite food?” — to verify a user. These are simple to implement, but don’t always offer the highest level of security as the answers could be guessed.
Dynamic KBA, on the other hand, generates real-time questions utilizing public or private records. These questions might cite someone’s recent transactions, locations where they have lived, or personal details that a fraudster would not guess. Compared to static KBA, this method can offer even more security but is more complex to integrate into a company’s existing systems.
Implementing multi-factor authentication (MFA) is crucial in enhancing security by adding an extra layer of protection against unauthorized access and identity theft.
A holistic approach to identity verification online and fighting financial fraud
Financial service users provide a great deal of data across the platforms they use. While providing personal details might seem like a smart method to verify one’s identity, it actually can be counterproductive. That’s because fraudsters have access to much of the customer data as well; asking questions based on accessible information doesn’t really prove one’s identity.
“When a website asks what was the make and model of your first car, [it is] more likely to be answered properly by a fraudster than an actual person,” Hearn says, noting that many people don’t even remember these types of personal details from a long time ago. “It can be really unreliable.”
Alloy helps clients protect their customers by tracking behaviors, including what device they’re using, where they’re transmitting from, and how often they’re accessing the account. This holistic approach is more effective and can also be paired with knowledge-based authentication through Alloy’s vast network of data partners.
Financial institutions use KBA for identity verification to ensure that only authorized users can access sensitive information.
Fraudsters often gain access to systems or accounts through hacking, phishing, or social-engineering tactics. This unauthorized access allows them to retrieve sensitive information or misuse the compromised access for fraudulent activities.
Protecting user identity information is crucial to prevent fraud and ensure the security of financial transactions.
Stepping up multi-factor authentication practices without disrupting user experiences
While protecting customers’ identity from fraud is a top priority for fintechs, creating a user-friendly experience is often a close second in an effective authentication system.
Once a user has seamlessly entered a fintech portal through a first round of identification, Hearn suggests deploying a “step-up” authentication. That might mean texting the phone on record for re-verification or asking for a photo of a driver’s license.
Protecting account access through multi-factor authentication methods such as Auth0 Guardian, TOTP, SMS, voice, Duo, and email is crucial to ensure security.
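The step-up flow described above, combined with the behavioral signals mentioned earlier (device, location, access frequency), sketched as an added example that is not Alloy's code or rule engine. The signal names, weights, thresholds and the 30-day phone-change cooldown are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Weights, thresholds and field names are illustrative assumptions.
WEIGHTS = {"new_device": 40, "unusual_location": 35, "access_velocity": 25}
SMS_THRESHOLD, DOCUMENT_THRESHOLD = 25, 60
PHONE_COOLDOWN_DAYS = 30  # a freshly changed number is not a trusted factor


@dataclass
class Profile:
    known_devices: set
    usual_countries: set
    typical_logins_per_hour: int
    phone_changed_days_ago: int


@dataclass
class Session:
    device_id: str
    country: str
    logins_last_hour: int


def signals(s: Session, p: Profile) -> list:
    """Return the names of the behavioral anomalies seen in this session."""
    found = []
    if s.device_id not in p.known_devices:
        found.append("new_device")
    if s.country not in p.usual_countries:
        found.append("unusual_location")
    if s.logins_last_hour > 3 * max(p.typical_logins_per_hour, 1):
        found.append("access_velocity")
    return found


def decide(s: Session, p: Profile) -> tuple:
    """Map the session's risk score to allow / SMS step-up / document step-up."""
    found = signals(s, p)
    score = sum(WEIGHTS[name] for name in found)
    if score < SMS_THRESHOLD:
        return "allow", score, found
    # Texting the phone on record only proves something if that number
    # has been stable; otherwise escalate to the document check.
    if score >= DOCUMENT_THRESHOLD or p.phone_changed_days_ago < PHONE_COOLDOWN_DAYS:
        return "step_up_document", score, found
    return "step_up_sms", score, found


# Constructed sample profile (not real customer data).
PROFILE = Profile({"dev-a1"}, {"US"}, 2, phone_changed_days_ago=400)
```

A single anomaly leads to the SMS step-up, two or more lead to the document check, and a recently changed phone number skips SMS entirely.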
“The more data you collect about somebody and the more data that’s involved in making a decision, the more confident you can be in it,” Hearn says.
A third party like Alloy can be invaluable in this area because many institutions don’t have the capacity or authority to execute such techniques.
“Historically, it’s been difficult for banks to provide access to more data on the backend because they have to make relationships with all these different data providers,” Hearn says. “That’s often very difficult for a bank to do for compliance reasons.”
He added that Alloy is ideal for cross-border transactions because the company uses flexible rule engines that can easily adapt to the compliance requirements of different countries.