May 08
ThreatMetrix CFO Frank Teruel Explores How Companies Can Authenticate Customers — Without an Involved Process that Loses Their Business.
In a thoughtful and well-reasoned piece, “Trust: The Only Online Currency That Matters,” on wired.com, security expert and ThreatMetrix® CFO Frank Teruel tackles a dilemma facing every company selling products or services online. That is separating the wheat from the chaff. Or, put another way, authenticating real customers from cybercriminals without complicated processes that degrade user experience and cause customers to go elsewhere.
Is your company turning away good customers in an effort to stop bad actors? Regretfully, all too often, Internet fraud mitigation efforts are so constricting they turn away real customers.
The reason businesses often turn away good customers is that every site visit or event immediately manifests the natural query inherent in any online transaction – can this transaction be trusted? Determining whether or not a transaction can be trusted is an immensely complicated issue in a world of big data, compromised credentials, and highly trained, well-funded bad actors whose sole mission in life is to make you believe they are trusted users so they can gain access to your site.
Once cybercriminals gain access to a website, the consequences can be extremely detrimental, not only because of stealing data, or scraping bank accounts, or using stored credit cards and applying for loans or credit, or any other host of resulting bad behaviors, but also from the ire of your legitimate customers who suffer from the impact of a breach of trust. Any executive at a business that operates online, irrespective of industry, who is not focused on the impact of cybercrime and Internet fraud, is risking the most important attribute of any customer relationship – trust – and once lost, it is not easily restored.
Tighten the Screws
How do companies that value their customers wind up in this quandary of lost trust? Frankly, the answer is rooted in a very natural reaction to increased Internet fraud rates. Unless your organization’s cybercrime prevention efforts are based on an intelligent system that provides real-time contextual data, your authentic customers will get caught in a dragnet that may reject them outright or, at a minimum, challenge their attempted interaction. Worse still, if the transaction involves digital goods where a review is impossible, your organization will lose that sale to a legitimate paying customer.
Rejecting and challenging good customers are both ineffective and abrasive approaches to cybercrime prevention. One strategy treats customers with disdain and the other imposes challenge questions or secondary authentication that often leads to transaction abandonment, angry customers and lost revenue. In fact, the CyberSource Online Fraud Report estimates that 75 percent of all manually reviewed transactions are real customers facing system friction.
In addition, manually reviewing transactions carries significant personnel costs. Reviewers can take up to 1.5 hours to review a single transaction that on average is accepted 75 percent of the time.
Overall, what are the biggest drawbacks of overly stringent online fraud strategies?
- One: angry customers willing to take their business elsewhere
- Two: lost revenue on abandoned transactions, and
- Three: massive review costs
All significant and all juxtaposed against the other alternative – loose fraud controls that lead to real dollar losses, breaches of customer accounts and data, and large potential charges, fines, and lawsuits. However, there is an approach that enables businesses to solve this trust problem and eliminate the unacceptable alternatives of too much friction or too much fraud.
It turns out that the best way to mitigate some of this tension is to know your customer irrespective of the devices they are using to interact with your site, the credential used to attempt that interaction, and their behavior during the visit. Businesses don’t need to know a customer’s name to know their customers. Instead, they can use real-time global intelligence that correlates a virtual persona with the device or related devices used. That first touch information then can be correlated to that persona’s transaction history and other salient attributes like location and good and bad behavior in real time across a global network.
By using such an approach, businesses can predict with great certainty whether that persona is in fact a legitimate customer or an enterprising bad guy (that is, a criminal) masquerading as a customer. As a result, this approach can reduce review challenges and the associated dollars while still reducing Internet fraud rates. Think of this approach as a trusted customer crystal ball.
Global Contextual Trust Intelligence
The key is access to rich transactional intelligence that contextualizes the pending interaction between you and the customer, the method of interaction/device and its attributes and anomalies, and how that customer has behaved or been treated throughout other site interactions in the network. A combination of that critical contextual data, or truth data, is the only way to solve the trust calculus. The challenge is that no one will provide certain truth data for fear of violating personally identifiable information (PII). So what can businesses do to overcome this challenge?
First, find a partner with a global network vast and diverse enough to provide transaction intelligence that is applicable to specific businesses. For example, if you are a bank deliberating on the “trust conundrum,” knowing that the customer in question was just successfully vetted and completed a transaction with another financial institution has much greater utility or trustworthiness than knowing whether the customer successfully logged into their Facebook account.
Second, do not rely on device identification alone. The device may be clean yet in the hands of a bad guy with a stolen credential, which can lead to a trust decision businesses will regret. Make sure that the device information is just one component of the vetting process.
Third, ensure that your business has the ability to rate specific risks and set its own policies best suited to the Internet fraud risks and trends it faces. Relying on canned scores will not align with the unique risks faced by an individual business and may contribute to customer friction.
Fourth, use a solution that encrypts all collected data and only allows you access to it. In a world of incessant breaches, a partner that does not protect PII and associated attribute and transactional data is a breach enabler that may wind up facing congressional committees, hostile media, unimpressed boards and expensive settlement costs.
Fifth, use a partner that has a network vast enough to identify industry specific fraud trends and provide predictive analytics and suggested remediation policies and data well in advance of that risk affecting your business.
Finally, use a partner with a global SaaS solution that scales and provides real-time data across different transaction use cases, whether account takeover protection, securing payments or protecting new account creation. Doing so will eliminate the expense of maintaining enterprise software in your environment, provide an on-boarding experience that is seamless and immediately applicable and deployable, and ensure that the network and service is always evolving in a way where you benefit from the enhanced features and functionality as well as the dynamic growing global dataset.
Shifting your focus to contextual trust intelligence as a force multiplier in the trusted customer versus fraudster construct will result in less fraud, less friction, less manual intervention, and lower costs. At the same time, a new focus will ensure more revenue and, most importantly, more customer trust; and that is the gift that keeps on giving.