You just finished a digital transaction. How secure do you think it was?
A new cross industry study conducted by experts at digital identity firm Prove highlights how FinTech transactions are twice as vulnerable to identity takeover risks compared to the cross-industry average. Although the magnitude of risk is a tad lower in traditional banking, investment or healthcare transactions, the increasing volume of overall online fraud worldwide exposes the gaps that exist in traditional multi-factor authentication models. The study highlights the imperative need to protect high risk transactions with sophisticated identity verification and authentication capabilities that are more effective than the legacy methods used today.
Fortifying Security with Stepped-up Identity Verification and Authentication
Multi-factor authentication (MFA) follows the principle of using multiple user inputs to approve sensitive transactions. These factors are:
Knowledge: Something that a user knows, e.g., PINs and passwords
Possession: Something that a user has, e.g., a device, a token (could be hardware or software)
Inherence: Something that the user is, e.g., biometrics, behavioral characteristics
Most industry-wide strong authentication guidelines follow the above principle, e.g. NIST guidelines in the US. The PSD2 SCA (strong customer authentication) rules in the EU mandate at least two of the above three factors to be satisfied prior to approving transactions above certain thresholds.
Pitfalls of Traditional Multi-Factor Authentication
Currently, the use of MFA in online banking, payments, and other FinTech transactions place a heavy dependency on SMS or voice one-time passwords (OTPs). As has been proven in the past, OTPs can be subject to man-in-the-middle attacks and social engineering, and can be easily compromised through SIM swap fraud. In these cases, not only is the integrity of the financial transaction under threat, but the identity also gets taken over. This study on the top five US prepaid carriers conducted early this year highlights how 80% of SIM swap attacks were successful because of inferior authentication methods. The increasing volume of OTP- and SIM swap-related fraud on UPI transactions in India is a testimony to this systemic shortcoming.
The Prove study, which analyzed over 385,000 SMS and Voice OTP based transactions across industries, found that 5% of them had low SIM tenure indicating a high possibility of a SIM swap or an account takeover. Assigning a trust indicator based on several signals to each transaction, the study concludes that the number of low trust MFA transactions was 2X higher in FinTech and 18X higher in E-commerce transactions compared to the overall cross-industry average. The Prove report provides detailed industry-wise statistics based on the industry study.
The Case for Strengthening MFA in Financial Transactions
There is a compelling need to reinforce existing multi-factor authentication methods utilizing the possession and inherence factors. There is a need for securing not only payments, but also non-financial events such as digital onboarding, account servicing, and customer service on assisted channels. Currently in most cases, the possession factor is linked to just a phone number and hence could be circumvented with ease. Such a simplistic approval decision needs to be strengthened using additional signals such as phone type, device activity, SIM tenure and other line attributes. This can further be augmented with biometric attributes – both active and passive. In our research, we found that Prove converts the analysis of these signals and attributes into a Trust ScoreTM, which is then used in the approval or rejection of transactions. The Trust ScoreTM has a scale of 0 to 1000, with a score of less than 300 classified as low trust, high risk.
It is in this context that we gather from this report that the number of low trust, high risk transactions in FinTech was twice the cross-industry average.
According to Geoff Miller, SVP & General Manager at Prove,
“What the study shows is that there are additional risk factors in MFA that organizations do not always take into consideration. By leveraging a simple tool like Trust ScoreTM, they will be able to identify risks and security threats that are otherwise not in plain sight. Trust ScoreTM is designed to provide appropriate insight and intelligence to not only flag low trust transactions but also help trigger contextual workflows that are operationally efficient and consumer experience friendly.”
With an alarming increase in synthetic identity and social engineering fraud, FinTech enterprises need to look at digital identity holistically and leverage advanced solutions in identity proofing and authentication. The benefits of adopting this approach are multifold. Apart from the obvious advantages in significantly reducing identity theft, there are several revenue and operational upsides at stake. Here are some of the key outcomes from adopting an advanced identity proofing strategy.
Better customer experience – It does not need to be a trade-off between strong security and customer experience anymore. A silent authentication approach based on stronger trust can be a credible alternative to or an augmentation of OTPs and passwords whilst retaining fortified security and delivering better customer experience.
Better exception management – With higher confidence in risk assessment and a better understanding of the nature of threats, financial services enterprises can develop intelligent and efficient exception management processes that are also optimized for a good customer experience.
Lower cost of fraud management – Strong authentication cuts down the need to invest in and operate downstream fraud management systems resulting in substantial cost reduction.
Fighting financial crime requires cross-industry collaboration and sustained investment in innovation. Financial services companies, mobile carriers, identity solution providers, data aggregators, and industry bodies all have an equally important role in driving the desired outcome. The recent announcement by the top four mobile carriers in the UK is a step forward in this direction. However, tangible outcomes can be achieved only if the FinTech industry integrates with this new paradigm and embraces a strategic outlook towards digital identity.
Download your FREE copy of the Prove report here