March 27, 2019
Lloyds Banking Group is the UK’s leading provider of current accounts, savings, personal loans, credit cards and mortgages. It has over 30 million customers, with 11 million online banking users and 6.5 million active mobile users.
The bank’s vision is to provide simpler, seamless customer interactions across online and mobile. This relies on effective recognition of returning customers and the ability to offer near-frictionless access to online accounts whether via desktop or the mobile app. It is also underpinned by the need for a robust fraud solution that could effectively detect high-risk or anomalous behavior in real time, detecting fraudulent takeovers before they happen.
With ThreatMetrix, Lloyds Banking Group could:
- Protect the customer base from fraudulent account takeover.
- Accurately detect behavior indicative of a remote access session.
- Detect malware attacks by looking at anomalies relating to devices, locations and login sessions.
- Secure consumer retail banking logins with minimal requirement for physical security tokens as a second factor of authentication. Tokens are very costly to roll out and are also associated with increased customer friction.
Financial services transactions are high-value targets for cybercriminals, fueled by large-scale security breaches that have flooded the market with easily available stolen identity data. Lloyds Banking Group estimated its fraud losses could peak at around $60 million per year by 2018 if it didn’t stem the tidal wave of fraud attacks.
Fraud attacks were developing in three key ways:
- The technical battle was continuing to evolve. Fraudsters were cloaking their location using proxies or the TOR browser, and using ever more creative ways to either impersonate or directly access user devices.
- Customers were being duped into unwittingly taking part in the fraud, as social engineering attacks grew rapidly. Users were downloading malware via phishing attacks, or executing a fraudulent transaction after accepting a convincing story from the fraudster.
- Corporate- and commercial-scale attacks were rising.
The bank needed a solution that could identify anomalies relating to connecting devices, locations and customer behavior that could help it accurately combat these fast-evolving, complex fraud patterns.
Leveraging ThreatMetrix Intelligence to Accurately Distinguish Returning Users From Fraudsters
The ThreatMetrix solution is underpinned by the ThreatMetrix Digital Identity Network, which harnesses global shared intelligence from millions of daily consumer interactions, including logins, payments and new account applications. Using this information, ThreatMetrix creates a unique digital identity for each user by analyzing the myriad connections between devices, locations and anonymized personal information.
Digital Identities are created by combining the following key intelligence:
- Device profiling: Device identification, device health and application integrity, as well as detection of location cloaking or spoofing (proxies, VPNs and the TOR browser).
- Threat intelligence: Harnessing point-in-time detection of malware, Remote Access Trojans (RATs), automated bot attacks, session hijacking and phished accounts, then combining with global threat information such as known fraudsters and botnet participation.
- Identity data: Incorporating anonymized, non-regulated personal information such as user name, email address, telephone number and more.
- Behavior analytics: Defining a pattern of trusted user behavior by combining identity and transactional metadata with device identifiers, connection and location characteristics. Every transaction can be analyzed in the context of this behavior pattern and historic context globally.
The bank could authenticate every login attempt against this trusted and unique online digital identity, checking whether the device, location and behavior of the customer correlated with anonymized information held by The Network.
Remote access attempts were detected by harvesting information from the customer’s device, the transaction itself and the transaction context. This was then correlated to historical transaction records and patterns of trusted customer behavior to detect anomalies and patterns that might indicate a remote access session.
Lloyds Banking Group continues to be sensitive to its customer intervention rate. ThreatMetrix supports the bank with the following key capabilities:
- The ThreatMetrix policy engine is highly customizable and allows the bank to incorporate its own tolerance for risk, fine-tuning its response to login sessions.
- ThreatMetrix Trust Tags enabled the bank to effectively differentiate between fraudsters and returning customers. Trust can be associated dynamically with any combination of online attributes, such as devices, email addresses, card numbers or any other attributes involved in accepting, rejecting or reviewing an insurance application.
- ThreatMetrix SmartID identifies returning users that wipe cookies, use private browsing and change other parameters to bypass device fingerprinting. This improves returning user detection and reduces false positives.
- ThreatMetrix deep connection analysis technologies give the bank a clearer view of suspicious events. Fraudsters often attempt to hide behind location and identity cloaking services, such as hidden proxies, VPNs and the TOR browser. ThreatMetrix accurately detects the use of these technologies and, in the case of proxies and VPNs, allows the bank to see the true IP address, geolocation and other attributes of each event.