Five questions for positive identification

by Mark Rowe

Despite the importance of online banking in our post-pandemic world, confirming a person online is who they say they are is still pretty complicated, especially if a bank doesn’t want to impact its customer experience, says Tim Burton, VP, Global Head of Solution Engineering at digital authentication product company Callsign.

And there are certain times where customer identification is particularly tricky – customer registration, changing a phone number or email address online and re-enrolment (when a customer loses their phone and wants to re-join via a new one).

Currently, many banks still rely on traditional ways to authenticate customers, often resorting to one-time passwords sent via SMS to complete multi-factor authentication processes. However, this not only disrupts the customer user experience, but these digitised analogue solutions are becoming increasingly vulnerable to the bad guys.

All of this makes one thing clear – digital identity is broken. In order to work out whether someone really is who they say they are while ensuring customer experience remains seamless, businesses need to positively identify users. This is where Callsign comes in. We’ve come up with a series of questions based on risks and previous interactions to determine whether users are exactly who they say they are:

Question one: is the session secure?

The first question is about the website or application the customer is using to access their bank. Here, we’re specifically checking to see if there’s any chance the session has been compromised, as there are several ways fraudsters can use this stage to gain wider access to user accounts.

For instance, in a man-in-the-middle attack scammers insert a fake web page into the process, and the user is unknowingly redirected to a different website where their personal information can be stolen. And if the user is accessing their account through an app, criminals can use debuggers to override the app’s usual functions.

These are the sorts of things Callsign first looks out for when a user begins interacting with their banking services, so that if we detect it, we can notify them that their session isn’t secure before they are compromised in any way.

Question two: is the user human?

Once we have confirmed that the webpage or app the customer is using is secure, the second step is making sure the user claiming to be a person is in fact human – no robots here please.

Automated traffic makes up more than 64% of all internet traffic, with humans making up the other 36%. And while a large chunk of that automated traffic is made up of good bots such as site crawlers, aggregators and marketing bots, a staggering 39% of internet traffic is made up of so-called ‘bad bots’ (the Jokers of the pack). These are automated tools that have been leveraged by criminals in the ongoing industrialisation of online scams, allowing them to conduct multiple attacks at once.

A common example is credential stuffing: after a criminal has bought stolen usernames and passwords on the dark web, they program a bot to try to take over the account by feeding every bit of information they have on the victim into the login screen.

So, to figure out whether a person is indeed a person and not a nefarious bot, we use behavioural biometrics, because the way a human interacts with a webpage and inputs information is very difficult for a bot to mimic convincingly. We’re all unique after all.

And once we’ve detected suspicious bot-like behaviour, we can either terminate that session or flag the risk and notify the user. Happy days!

Question three: is the user legitimate?

But wait, there’s more. Once we’ve confirmed that the user is indeed a person, we then have to make sure they’re a legitimate user and not just someone manually attempting to log in with stolen details. This can be done in two ways.

The first is to use a verification provider that leverages smart devices and asks users to present some form of identification, such as taking a picture of themselves or their passport. The second method is to use the behavioural biometric profile we’ve created for individual users. With their location data, device identification information and other contextual data, we can create a unique digital fingerprint of sorts.

Collectively, this means that when a known user tries to log in, we can look at both the way they’re inputting their details and where they’re doing it from, and determine with near certainty that they are the authorised user.

Question four: is the user being tricked?

Here’s where things start to get really difficult. Just because the person logging into an account is authorised to do so, it doesn’t mean they aren’t being scammed.

This is what social engineering and Remote Access Trojan (RAT) attacks attempt to do. It usually comes in the form of someone phoning the user claiming to be from their bank and informing them that they’ve been the victim of a cyberattack. They then attempt to convince the user to transfer their money into new accounts (controlled by the fraudster), using panic and urgency to persuade them into it.

Catching this sort of attack is complicated and requires us to deploy a solution called dynamic intervention. This helps us detect the tell-tale signs of a social engineering attack, the most obvious of which is a user suddenly transferring a large sum of money to a person they’ve never interacted with before.

Once we’ve detected something along these lines, we’ll throw up a dialogue box asking the user if they’re on the phone with someone claiming to be from their bank at that moment. If they say yes, we’ll inform them that their bank would never contact them this way and encourage them to terminate the transaction – and the call – immediately.
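The dynamic intervention rule described above, as an added illustration that is not Callsign’s own code: a transfer is flagged when the payee is new to the user and the amount is unusually large relative to their history, and the follow-up prompt decides what happens next. The ratio and floor thresholds, the data classes and the sample history are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Transfer:
    user_id: str
    payee_id: str
    amount: float


@dataclass
class UserHistory:
    # Payees this user has paid before and the amounts of their past transfers.
    known_payees: set = field(default_factory=set)
    past_amounts: list = field(default_factory=list)


def assess_transfer(t: Transfer, hist: UserHistory,
                    ratio: float = 3.0, floor: float = 1000.0):
    """Return ("prompt" | "allow", reasons) for one outgoing transfer.

    The tell-tale sign from the article is a large sum going to a payee the
    user has never interacted with; both signals must be present to prompt.
    Thresholds (ratio of the user's mean past amount, absolute floor) are
    assumed values, not product settings.
    """
    reasons = []
    if t.payee_id not in hist.known_payees:
        reasons.append("new_payee")
    typical = mean(hist.past_amounts) if hist.past_amounts else 0.0
    if t.amount >= max(floor, ratio * typical):
        reasons.append("unusually_large")
    action = "prompt" if {"new_payee", "unusually_large"} <= set(reasons) else "allow"
    return action, reasons


def dynamic_intervention(t: Transfer, hist: UserHistory, on_call_with_bank: bool):
    """Apply the interstitial: if the user confirms they are on a call with
    'the bank', advise them to stop the transaction and end the call."""
    action, reasons = assess_transfer(t, hist)
    if action == "allow":
        return {"decision": "allow", "reasons": reasons}
    if on_call_with_bank:
        return {"decision": "stop_and_hang_up", "reasons": reasons,
                "message": "Your bank would never ask you to do this on a call."}
    return {"decision": "allow_after_prompt", "reasons": reasons}


# Constructed sample history: two known payees, small everyday transfers.
SAMPLE_HISTORY = UserHistory(known_payees={"p1", "p2"}, past_amounts=[120.0, 80.0, 200.0])
```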

Question five: how can we manage risk and user experience?

We’re constantly asking ourselves how we can improve the user’s digital experience while continuously helping them mitigate their risks. So, we’ve made our orchestration capabilities as intuitive as possible so different solutions can be easily linked via our graphical user interface.

All you need to do is drag and drop new nodes and label them with instructions. With practically no coding experience, a business can create a defensive security model that’s several layers thick in just a couple of hours, and all in natural language. Fraud is simply a symptom of broken digital identity, so it’s vital that we keep evolving and positively identifying genuine users from the very start to combat this.

© 2024 Professional Security Magazine. All rights reserved.