Perfecting Risk-Based Authentication: Deciphering Multi-Layered Identity Proofing Strategies


Posted on by Gasan Awad

Fraudsters are a smart group. With each fraud prevention method that’s introduced, they figure out ways to work around it. Organizations must be careful when using technologies that fraudsters may have compromised, but that doesn’t mean throwing everything out and starting from scratch.

identity managementAs with many things, in security and fraud prevention one tool is never enough. An alarm system makes your home safer, but your house isn’t protected from burglars unless you pair it with a deadbolt. The same principle applies to your company’s fraud detection and prevention methods. A risk-based authentication strategy layers several techniques together to offer the appropriate methods for each given situation. This approach fills in the gaps created by standalone tools and provides the most effective solution.

Tools like two factor authentication (TFA) and knowledge-based authentication (KBA) have been around for a while, but still play important roles in fraud prevention programs in a risk-based model with newer techniques like advanced data modeling, device recognition, and biometrics.

Data Development

Fraud departments are relying more heavily on data to combat financial losses and not infringe on the customer experience. In addition to pulling data from a person’s credit information, they need to gather more material from non-credit sources. The ability to leverage elements from multiple data sources and link them appropriately to distill insights to optimize decisions is key to effective fraud defenses.

Fraud consortiums collect information about attempted fraud from various companies, pool it together, and make it available to all repository subscribers. This decreases the likelihood a criminal will commit fraud at one company, and then succeed again at the next.

Social media also provides rich data for fraud prevention, as users cannot edit their account histories. So, if the person has recently created accounts and has posted from inconsistent locations, it may mean the organization needs to add another identity proofing layer before granting account access. 

Advancing Analytics

We’re seeing an increase in the use of complex analytics that combine various data sources to provide a more comprehensive view of an identity. Fraud systems can do a deep dive into the factors surrounding previous successful fraud attempts—like access from an atypical location or accelerated spending. Further, they need to consider what other questions they could have asked or methods they could have employed to catch the fraudulent attempt. 

This helps companies get ahead of fraudsters, adopting a more proactive than reactive approach. As analytics systems continue to capture patterns in customer behavior, it’ll become more apparent what activity is “normal” and what needs further review. 

Serious Selfies

Several new technologies have become available to supplement companies’ existing fraud prevention methods. For example, device recognition tracks the history of activities associated with a particular phone, tablet or computer.

If a laptop known to have attempted fraud in the past applies for a new account, it will signal that more strenuous proofing methods are required. Conversely, if someone applies for a new account using a tablet that’s known to provide legitimate identity information, this person will more easily slide through the process.

Further, “selfies” aren’t just for Instagram anymore. Companies use facial recognition technology to strengthen the identity proofing process. When combined with more traditional methods, this and other biometrics complete the profile of an identity.

In today’s fraud environment, companies wanting to effectively cut down on fraud must proactively manage risk-based authentication systems. Fraudsters are constantly learning and evolving, which means organizations must make every effort to use technology as a way to stay ahead of the increasingly knowledgeable criminal minds. 


Contributors
Gasan Awad

Vice President, Identity and Fraud Product Management, Equifax

Identity

fraud identity management & governance

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs