August 14, 2018
Financial services transactions are high-value targets for cybercriminals, whose attacks are fueled by large-scale security breaches that have flooded the market with easily available stolen identity data.
This large global bank profiles about 80 million login transactions a month, and was experiencing an increase in fraudulent account takeovers. Customers were becoming frustrated with step-up authentication, operational costs were rising under the weight of high manual review rates, and profitability was falling.
The bank estimated its fraud losses could peak at around $60 million per year by 2018 if it didn’t stem the tidal wave of fraud attacks, and was faced with having to introduce security tokens at login to try to protect customer accounts.
The bank deployed ThreatMetrix to augment its existing system with digital intelligence from the Digital Identity Network. True fraudsters were detected with pinpoint accuracy in real time, while genuine customers experienced virtually no friction:
- The bank eliminated the need for security tokens at login by deploying the ThreatMetrix solution for identity authentication. As well as being expensive to roll out and support, security tokens place an extra burden on customers, slowing down the login process and creating additional friction.
- The bank’s fraud intervention rate has fallen to 0.08 percent of total monthly transactions. It is aiming to achieve a rate of 0.05 percent in partnership with ThreatMetrix.
- The ThreatMetrix solution saves the bank up to $2.5 million every month.
This global bank was experiencing the full spectrum of financial fraud, particularly around account takeovers. This included:
- Fraudsters using stolen identities to log in to customer accounts. Following high-profile data breaches, personal credentials such as usernames, passwords and other identity data were easily available to fraudsters, meaning static identity assessment methods were no longer effective.
- Remote Access Trojans (RATs) hijacking legitimate login sessions.
Fraud prevention was damaging the bank’s reputation: legitimate customers were becoming frustrated with step-up authentication designed to reduce account takeovers.
Manual review rates were soaring as the bank’s existing multifactor authentication (MFA) solution failed to keep pace with the sheer volume of fraudulent transactions.
The bank needed a solution that could look beyond basic identity information and analyze the full login context, including the health of the connecting device, behavioral characteristics and other high-risk anomalies, such as location cloaking or device spoofing, that might indicate fraud. Crucially, it needed to ensure that any additional solution did not impact the login experience of legitimate customers.
Leveraging ThreatMetrix Digital Intelligence to Prevent Account Takeover
The bank augmented its existing systems with key ThreatMetrix capabilities that dramatically reduced fraud losses, while improving customer satisfaction and securing long-term revenue. The ThreatMetrix solution is underpinned by the ThreatMetrix Digital Identity Network, which harnesses global shared intelligence from millions of daily consumer interactions including logins, payments and new account applications. Using this information, ThreatMetrix stitches together a user’s true digital identity by analyzing the myriad connections between devices, locations and anonymized personal information. The bank could therefore:
- Verify login requests in real time against trusted patterns of behavior.
- Leverage the power of shared information about a connecting device or attribute – for example, analyzing how a device has behaved across countless other websites, or understanding the length of time that a device or email address has been on the network, giving a clear indication of trust or risk.
Authenticating Customer Identity at Login Without Security Tokens
By deploying the ThreatMetrix solution at login, the bank was able to authenticate returning customers without security tokens, streamlining customer experience and reducing step-up procedures. This was achieved by leveraging the following key intelligence from the ThreatMetrix Digital Identity Network to authenticate a user’s true identity:
- Device profiling – Device identification, device health and application integrity, as well as detection of location cloaking or spoofing (proxies, VPNs and the Tor browser).
- Threat Intelligence – Harnessing point-in-time detection of malware, Remote Access Trojans (RATs), automated bot attacks, session hijacking and phished accounts, then combining with global threat information such as known fraudsters and botnet participation.
- Identity Data – Incorporating anonymized, non-regulated personal information such as user name, email address, telephone number and more.
- Behavior analytics – Defining a pattern of trusted user behavior by combining identity and transactional metadata with device identifiers, connection and location characteristics. Every transaction can be analyzed in the context of this behavior pattern and historic context globally.
- ThreatMetrix Trust Tags – Digital labels that can be applied to various combinations of entities within a user’s persona to indicate their trustworthiness. These helped the bank recognize returning users over time. Trust can be associated dynamically with any combination of online attributes, such as devices, email addresses, card numbers, etc.
Accurately Detecting Behavior Indicative of RATs
The bank was also experiencing a new wave of aggressive remote account takeover attacks, primarily from RATs, but also from customers unwittingly downloading remote access software or malware, which allowed fraudulent access to a banking session.
- These attacks were particularly difficult to detect: RATs can hijack a device in real time, gaining access to an open banking session or creating a new session with stolen, but legitimate, credentials. This circumvents standard security solutions that focus on identifying automated scripts or bots.
- ThreatMetrix took a holistic approach to solving this hard-to-detect fraud, harvesting information from the customer’s device, the transaction itself and the transaction context. This was then correlated to historical transaction records and patterns of trusted customer behavior, underpinned by intelligence from the ThreatMetrix Digital Identity Network.
- The bank could then accurately detect patterns indicative of RAT fraud, reducing the number of false positives and streamlining user experience.