Perfecting Risk-Based Authentication: Applying the Right Tools to Lessen Risk

Posted on by Gasan Awad

information securityEighty percent of respondents to Kroll’s Global Fraud Report 2015/2016 said their organizations became more vulnerable to fraud in the past year. 

This means organizations need to be more aggressive in their collective approach to keeping fraud under control, including using a combination of fraud mitigation, identity proofing and account validation.  

In today’s competitive market, organizations also must approach fraud from a customer-centric lens, or manage to keep fraudsters at bay while not diminishing the customer experience. A multi-layered approach can help accomplish this seemingly conflicting goal—but balance is key.

More Risk, More Tools 

You must clearly define fraud to have a complete understanding of your risks. Organizations and the people within them have different definitions, so it’s imperative everyone has the same understanding of it.

The amount of risk associated with various transactions should determine the level of anti-fraud tools employed. A strategic anti-fraud program will assess individual transactions and give way to intelligent decisions about the severity with which to proceed. 

Using every available anti-fraud tool for all transactions is unnecessary and would be extremely frustrating for legitimate customers. At the same time, this approach would be far too costly. Using a strategic, situational approach is more customer-centric and cost effective. 

Don’t Fall for Fraud

A waterfall approach to detecting fraud allows the security program to analyze individual levels of information, and make an informed decision after each one.

It validates information like Social Security number, address and date of birth, then goes further by examining the device being used, the person’s history of online activity, and data from fraud consortiums.

If a person’s data checks out early on—for example, their personally identifiable information all aligns and the device they’re using has a history of initiating valid transactions—then the identity proofing process will end early. If some areas are questionable, the program will continue to add layers until it can either confirm the identity or flag it as potential fraud. 

The (Legitimate) Customer Is Always Right 

It’s important to differentiate between the two types of tools—passive and interactive. Their balance determines the customer experience during their transactions with your company, and also dictates the level of security for transactions.  

Passive tools:

  • Data analytics pull from both credit and non-credit sources to provide the full picture of an identity.
  • Models draw upon numerous data sources to verify personal information and ensure it matches a real identity.
  • Device recognition analyzes previous transactions on the device used to apply to determine the likelihood of a fraud attempt.
  • Biometrics match the claimed identity against a physical characteristic associated with that identity. Some biometrics tools, like voice recognition, go on in the background without the person’s knowledge. 

Interactive tools:

  • Passwords require the user to enter a reusable combination of characters associated with their account.
  • Knowledge-based authentication (KBA) asks for information known by only the account applicant or user.
  • Two-factor authentication (TFA) delivers one-time passcodes to a user’s device
  • Biometrics that require interaction from the user include fingerprint and retina scans.

Ideally, the process for legitimate customers will be as passive as possible. This decreases the likelihood they’ll become frustrated and abandon their accounts. However, more active tools often are necessary to provide an accurate reading on an identity.

Use New Tools, but Keep the Old

As tools become available, they don’t need to replace older, more established ones. Instead, they can provide existing anti-fraud programs with additional layers of security, making them more flexible and robust.

The best approach to fraud incorporates many layers, but not at all at once. And risk-based authentication isn’t so risky after all. 

Gasan Awad

Vice President, Identity and Fraud Product Management, Equifax


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs