January 10, 2019
Protecting the Customer, Not the Money
Posted December 18, 2018
“The customer comes first” started out as the secret to success in business. Now it’s the secret to 21st century cybersecurity, too.
Sure, the phrase always seemed more like an empty platitude, really—something slick salespeople might extol in the showroom before rolling their eyes in the back office. But for a growing number of banks and other financial institutions, it’s quickly becoming a critical element of online, mobile and omni-channel fraud prevention.
Here’s what I mean. Since the dawn of the digital age, financial institutions have been on the lookout for fraudulent transactions in hopes of preventing funds from being illegally withdrawn from customer bank accounts. But in a world of endless data breaches and personalized customer targeting, things like usernames and passwords have grown increasingly irrelevant as a proof of identity and ownership.
Today, cybercriminals can easily harvest all manner of personal identity credentials from the dark web, log into customer accounts and make transfers or payments with the legitimate customer none the wiser—at least until their next login or a transaction is declined due to insufficient funds. Automated bots have transformed the scale of fraudulent activity, with automation enabling fraud to occur at unprecedented speed and at new volumes. These attacks can compromise accounts and harvest stolen data, meaning that additional channels, services and companies become exposed to ever-greater risk.
Efforts to stop these nefarious activities have sometimes led to overly aggressive policies and additional identity proofing requirements. Customers get frustrated when they’ve got to jump through hoops to log in or complete a transaction, even as cybercriminals continue to find inventive new ways to bypass these same controls. This year alone, online and mobile fraud will lead to $1.4 trillion in losses for financial institutions, payment processors and other businesses.
From my personal experience, I have found that it is increasingly relevant that focusing solely on disrupting fraudulent financial transactions can only go so far. We need to stop viewing the customer as a financial event, or a financial risk to be contained.
We must start treating the customer as an individual – not just a stand-alone transaction – in order to effectively protect them across all touchpoints.
Customers Are Their Data
Think about it this way. Your customers are their data. And that data is as valuable as their money sometimes, at least when it comes to visibility into fraud and how to stop it.
Information within a banking relationship can be useful to criminals, not only for the immediate opportunity it presents to commit fraud during that interaction, but also because compromising that information exposes the consumer to wider risks, outside that specific application.
A criminal could, for instance, use it to open up additional accounts or new lines of credit using the victim’s identity credentials. And with access to online banking information, fraudsters can easily circumvent security questions such as confirming the last three transactions, because that and other information ostensibly known only to the customer is at their fingertips. As the Guardian pointed out in November, call-back numbers and text messages meant to confirm identity are pointless if the fraudster has added his phone to the account, or used that information to help re-direct the phone.
Make no mistake: while not immediately impacted, the bank will become entangled in that mess at some point, either through a seemingly legitimate transaction, or when the customer spots the fraud. Customers don’t like that kind of breach. Neither do regulators.
In these scenarios, there are signals that the bank could receive that can stop this kind of fraud in its tracks.
Recent changes to account information are one signal, for instance. The login itself is important, too. The fact that the customer logged in from location A 15 minutes ago, but is now logging in from location B using another device may be significant. So are literally hundreds of other dynamic data elements associated with the legitimate user and the device being used, none of which can be stolen or manipulated.
Also critical: real-time and historical intelligence on how the customer’s legitimate identity is being used in other interactions, on other sites or apps, everywhere around the world. Instead of focusing on trying to ferret out “the bad,” the emphasis shifts to establishing “the good” in terms of normative devices and behaviours informed by global-scale intelligence, so that anomalies become instantly evident. But the key is to then ensure the identification of anomalies and proactive action at every moment of truth – not just when the financial transaction is taking place.
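A minimal sketch of how the signals above can be checked on every event rather than only on payments. It is an added example, not ThreatMetrix code; the event fields, signal names, thresholds and sample data are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed thresholds; the article names no values beyond its 15-minute example.
JUMP_WINDOW = timedelta(minutes=30)
CHANGE_WINDOW = timedelta(hours=24)

# Constructed sample data: devices previously seen per customer, then events.
KNOWN_DEVICES = {"c1": {"dev-home"}, "c2": {"dev-tablet"}}
SAMPLE_EVENTS = [
    {"ts": "2018-12-18T09:00:00", "customer": "c1", "kind": "login",
     "device": "dev-home", "location": "A"},
    {"ts": "2018-12-18T09:05:00", "customer": "c2", "kind": "login",
     "device": "dev-tablet", "location": "C"},
    {"ts": "2018-12-18T09:15:00", "customer": "c1", "kind": "login",
     "device": "dev-x", "location": "B"},
    {"ts": "2018-12-18T09:17:00", "customer": "c1", "kind": "contact_change",
     "device": "dev-x", "location": "B"},
    {"ts": "2018-12-18T09:40:00", "customer": "c1", "kind": "payment",
     "device": "dev-x", "location": "B"},
]

def review_events(events, known_devices):
    """Return (timestamp, kind, signals) for each event that raises a signal.

    Every event kind is evaluated, so an anomaly can be acted on at login
    or at a profile change instead of waiting for the payment.
    """
    last_login = {}    # customer -> (time, location) of the previous login
    last_change = {}   # customer -> time of the last contact-detail change
    flagged = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        cust = ev["customer"]
        signals = []
        if ev["device"] not in known_devices.get(cust, set()):
            signals.append("unfamiliar_device")
        if ev["kind"] == "login":
            prev = last_login.get(cust)
            if prev and ts - prev[0] <= JUMP_WINDOW and ev["location"] != prev[1]:
                signals.append("location_jump")
            last_login[cust] = (ts, ev["location"])
        changed = last_change.get(cust)
        if changed and ts - changed <= CHANGE_WINDOW:
            signals.append("recent_contact_change")
        if ev["kind"] == "contact_change":
            last_change[cust] = ts
        if signals:
            flagged.append((ev["ts"], ev["kind"], signals))
    return flagged
```

On the constructed events, customer c1 is flagged at the second login and again at the contact change, 25 and 23 minutes before the payment that a transaction-only check would be the first to examine.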
All of this is attainable through modern, digital identity-based technologies. The ThreatMetrix solution, for instance, combines device and identity intelligence with the kind of globally sourced online and offline threat intelligence needed to protect your customers, and your institution, from fraud and its repercussions.
For all of this, the other side of the equation is just as important. Recalling “the customer comes first,” this focus on protecting the customer also pays serious dividends for the institutions they do business with. Finally, the brand experience matches the brand marketing.
Instead of an uncaring, faceless institution, you’re adding value to the customer’s life—protecting them from fraudsters, even when there isn’t an immediate connection to financial losses for the bank. What’s more, institutions using digital identity to break down silos between account creation, logins and payments, as well as different channels such as mobile and desktop, are able to deliver a faster, more consistent experience across the entire digital customer journey.
In this way, cybersecurity moves from being strictly a cost center to being a profit center by enabling significant differentiation for the brand. According to Forrester, less than 10% of organizations ever crack that code. By giving new currency to the phrase, “the customer comes first,” a digital identity-based approach to online and mobile fraud prevention may just crack it for you.