January 10, 2019
The digital world is metamorphosing faster than many businesses can adapt. Change is being inherently driven by technologically savvy consumers who are demanding slick, frictionless online experiences that seamlessly integrate with their busy lives. Brick-and-mortar commerce is making a perceptible shift to digital, with large holiday peaks now occurring predominantly online rather than in-store. ThreatMetrix sees approximately 10 times the normal daily volume of online traffic on key pre-Christmas shopping days with more than 45 percent of transactions coming from mobile devices.
Businesses have little room for error. A poor user experience can have a potentially devastating chain reaction, not only risking the desertion to a competitor, but also having a knock-on impact on brand reputation, referral rates and lifetime value.
In tandem, smart, agile FinTech start-ups are finding their market niche and adapting seamlessly, operating in the cloud and without the cumbersome hindrances of legacy systems and on-premises solutions. Established players, such as large global banks, are having to watch their backs.
For consumers, online digital experiences are becoming an intricate part of their daily lives, shaping relationships, day-to-day activities, and work and leisure pursuits. Digital footprints are complex and multifaceted, meandering across locations, devices and time zones as a user transacts throughout their day. Mobile transactions, for example, are growing approximately 200 percent year-on-year and will continue to grow. Consumers are changing the way they interact with brands and businesses must adapt accordingly.
It is a business imperative to embrace digital transformation wholeheartedly and across the entire consumer lifecycle, ensuring that the consumer experience is the vision that drives change.
As businesses undergo digital transformation, however, the risk of cyber fraud looms ever larger on the horizon. Criminals are cashing in on the fact that online anonymity can fuel the fire of cybercrime. With digital transformation comes the necessary drive to ensure that fraud and security defenses harness the same single view of the consumer. The brand experience that draws consumers in must be reflected in the way they are authenticated as they interact online, ensuring that online security does not create a barrier to long-term revenue and business growth.
At the same time, businesses are under more pressure to ensure that consumer data is safe from the prying eyes of cybercriminals. This has become harder than ever in our post-breach world where stolen identities float around the dark web for mere dollars, fraudsters behave like legitimate users and crime rings bombard companies with mass botnet attacks to penetrate security defenses.
The businesses that thrive will be those that center their digital transformation around a single, consolidated view of their user across all touchpoints.
Embracing the Pace of Change
Staying relevant in this increasingly global and connected digital economy is becoming the key strategic imperative for institutions globally. Business processes must reflect the immediacy of transacting online, with real-time, automated authentication replacing manual reviews and batch processing, which tend to be slow and cumbersome.
Businesses must walk a tightrope between consumer experience and security. There is a moment of truth every time that a consumer interacts. The consumer expects to be recognized, known and allowed access to online products and services easily. Step-up authentication, intervention or denial of access can cause frustration, or in extreme cases defection to a competitor.
If businesses can really connect all the data they have on a consumer, tailored user authentication could become the norm. A trusted, consistent, regular user would be authenticated very differently than a sporadic user with an inconsistent pattern of interaction.
One of the key challenges for many established businesses, however, is that the pace of consumer-driven digital adoption is ahead of feasible deployment and they are scrambling to keep up, providing online services that are either too rigid or open to security breaches.
The “Digital Laggards” versus the “New Nimbles”
Many businesses are still driven by processes that are not suited to the digital age. Encumbered by legacy databases giving incomplete views of a consumer’s lifecycle, integration with new systems is often complex and long-winded. This makes digital authentication challenging and, at times, ineffective.
Yet this digital climate is providing a launch platform for niche API-driven businesses that previously struggled to keep up with the established players. Internet-only banks, small lenders and niche insurance brokers can respond with more agility to meet the evolving needs of digital consumers, including the unbanked and under-banked population.
According to McKinsey, banks that fail to embrace the opportunities of digital technology, such as automation, new product development and superior user experience, could see an erosion of net profits in the region of 35 percent.
Meanwhile, crowdfunding platforms are transforming money lending into a democratic and dispersed phenomenon, no longer the sole domain of the traditional bank. API-driven authentication solutions can slot seamlessly into this business model.
Digital Transformation and the Cybercrime Challenge
As digital commerce continues to grow apace, so does the volume of cybercrime. ThreatMetrix saw an approximately 80-percent increase in fraud attacks from 2014 to 2015. Consumers expect the businesses they transact with to keep their personal credentials safe, even though their online behavior is diverse, complex and often hard to predict.
For digital businesses, the consequences of fraud extend far beyond direct losses. A recent study by First Annapolis shows that of banking customers who experienced fraud, around 10 percent chose to defect to a competitor, taking all potential cross-sell and upsell opportunities with them, as well as lost referral possibilities. The loss extends even further than these defections, however. Of those that remained, the bank had to issue new cards to 71 percent, and bear the associated costs. Thirty-four percent reported changing their behavior and making fewer purchases, a further blow to the bank’s long-term revenue.
At the same time, fraud is becoming more complex and harder to detect. Fraudsters are constantly looking for new and convincing ways either to behave like legitimate users or to draw consumers themselves unknowingly into the fraud through advanced social engineering attacks.
Many existing forms of user authentication are no longer effective or relevant in the age of digital transformation. This is for a variety of reasons:
- With the relentless and large-scale data breaches of recent years, sensitive personal information can be bought or sold at the touch of a button. As a result, many static identity assessment methods are no longer effective in bridging the gap between online identities and physical identities. Fraudsters are actually more adept at correctly answering step-up authentication questions than legitimate users.
- Virtually complete identities can now be bought or stitched together from information bought on the dark web. With botnet attacks on the increase – ThreatMetrix detected about 311 million such attacks in Q1 2016 – these stolen credentials are being mass tested to open new accounts or infiltrate existing ones. Financial institutions are high-value targets for cybercriminals and are therefore particularly susceptible; ThreatMetrix has seen new account fraud in financial services rise steadily in recent months.
- Businesses are no longer location-centric: they operate globally, across borders to a diverse consumer base. However, some consumer authentication methods, such as FICO scores or credit scores, are either not accepted as forms of authentication on the internet, are unable to scale to internet volumes, are significantly impaired due to local privacy regulations, or have very poor global coverage.
Many established businesses, which perhaps began as database companies or application-driven companies, require a new approach to authenticating user identity. They need a single view of a user’s digital identity across fraud, security, compliance and risk departments, and for many businesses, lack of integration across legacy databases makes this extremely challenging. Businesses are lagging behind cybercriminals, encumbered by big data platforms, a lack of integrated solutions and the sheer volume and persistence of fraud attacks.
Another challenge for digital businesses is ensuring their fraud and security defenses protect against the full spectrum of attacks. Many companies are investing heavily in network security, ignoring the huge volume of attacks directly on user accounts, which are far from safe with basic authentication procedures. Even within the authentication channel, businesses must layer in a patchwork quilt of point solutions for identifying user devices, determining their true location and device health, and detecting and classifying any discovered malware or automated bot attacks.
Global digital economies require global digital identification. Legacy authentication systems were designed to support local economies and cannot be effectively adapted to a global digital world. Furthermore, in our post-breach world, authenticating true identity is harder than ever. Businesses are being forced to look beyond traditional authentication methods to find a more holistic, layered approach to establishing true identity. The challenge, however, is how to detect cybercriminals without increasing friction for legitimate users.
Returning to the example of banking, First Annapolis observes that “Unfortunately for banks, a positive perception of step-up challenges appears to do little to influence consumer behavior in ways that are positive for the bank: it is unlikely to increase consumer engagement, drive incremental transaction volume, or improve consumer retention. The best case scenario, in most cases, is that it results in no change in behavior.”
Authentication Solutions that Support Consumer-Centric Digital Transformation
The ThreatMetrix solution is a cloud-based API that works in harmony with digital-first, consumer-centric businesses, allowing them to passively authenticate users in real-time, with virtually no friction.
The ThreatMetrix Digital Identity Network is the foundation of the solution and harnesses global shared intelligence from millions of daily consumer interactions including logins, payments and new account applications. Using this information, ThreatMetrix creates a unique digital identity for each user by analyzing the myriad connections between devices, locations and anonymized personal information.
Digital Identities are created by combining the following key intelligence:
- Device profiling – Device identification, device health and application integrity, as well as detection of location cloaking or spoofing (proxies, VPNs and the TOR browser).
- Threat intelligence – Harnessing point-in-time detection of malware, Remote Access Trojans (RATs), automated bot attacks, session hijacking and phished accounts, then combining with global threat information such as known fraudsters and botnet participation.
- Identity data – Incorporating anonymized, non-regulated personal information such as user name, email address, telephone number and more.
- Behavior analytics – Defining a pattern of trusted user behavior by combining identity and transactional metadata with device identifiers, connection and location characteristics. Every transaction can be analyzed in the context of this behavior pattern and historic context globally.
This allows businesses to validate every online interaction against this trusted and unique online digital identity, checking whether the device, location and behavior of the consumer correlates with anonymized information held by the Network.
As the global digital economy continues to grow, businesses also need a smarter approach to understand patterns of legitimate user behavior, refining what is normal or acceptable for their business and adjusting their risk models accordingly. Behavioral analytics must be based on more than transaction velocity or location patterns given that consumers now behave in diverse and often unpredictable ways. After all, it’s no good constantly rejecting transactions from users simply because they are traveling to a different location, or buying from a new website.
ThreatMetrix Smart Analytics have been developed to provide businesses with the best possible insight into their users’ behavior patterns, using this intelligence to better predict and detect future fraud.
Smart Analytics combines:
- Smart Rules behavioral analytics to accurately detect and analyze changes in user behavior. This approach identifies complex fraud patterns with high accuracy based on dynamic user behavior modeling.
- Smart Learning is a cognitive system that gives businesses an effective, predictive model based on past behavior and transaction data. This clear-box approach to machine learning combines global intelligence from the ThreatMetrix Digital Identity Network with truth data from individual businesses to produce a more accurate model.
Businesses are able to incorporate their own tolerance for risk and operational metrics based on what the user is attempting to do in a way that is consistent across all digital devices and channels. This promotes intelligent and adaptable authentication tailored to the consumer and complementing the needs of the business as it evolves in the digital marketplace.
As businesses make the one-way shift from analog to digital, on-premises to cloud, database-driven to API-driven models, consumers must remain at the very heart of their digital transformation. However, as consumers increasingly interact solely behind the screen of their devices, the onus is on the business to really know who they are and how they behave.
Yet fraudsters will continue their tidal wave of attacks, attempting to cash in on the inherent anonymity of digital commerce. Businesses must ensure they have robust fraud and security defenses in place that are fit for purpose and complementary to their digital transformation trajectory. Consumers not only assume that their personal information is safe with the businesses they interact with, they are also increasingly demanding streamlined, frictionless online experiences. The businesses that thrive will be those that have a single view of the consumer not only across the channels they interact with, but also across their fraud and security systems.
 ThreatMetrix Cybercrime Report, Q4 2015
 ThreatMetrix Cybercrime Report, Q1 2016
 Strategic Choices for Banks in the Digital Age. McKinsey, January 2015
 The Path to Digital Transformation: Controlling Friction While Tackling Cybercrime in Financial Services. First Annapolis, May 2016