Continuous authentication for securing online accounts
This is a guest post by Ryan Wilk, vice president of customer success at NuData Security, a MasterCard company.
Summer is like a holiday all to itself: a season when people go on vacation and leave their cares behind. Long absences also mean a higher risk of a break-in, which is why people protect their houses accordingly. However, not many people think of the risk of someone breaking into their online accounts while they are away. Bank accounts, eCommerce accounts, etc. all provide access to digital property. Account takeover can be just as damaging as, and sometimes even more damaging than, burglars breaking into your house.
According to NuData analysts, account takeover has increased tenfold in the last year, and this trend is expected to grow. Account takeover starts when bad actors buy exposed or breached user credentials and cycle them through a company’s login interface, looking for working username and password combinations.
When they find the correct combinations, they take over the account to make a profit or resell those credentials back to the dark web to make more money, as those credentials have been verified and are now more valuable. This is why it can take days, weeks or months before a company sees any fraud loss. Bad actors slip in unnoticed until users are locked out or a bill shows up for things the user did not buy.
Many companies are not aware they have an account takeover or mass-scale attack problem, but they are experiencing the fraud losses. It is only when online organizations do a deep dive into their traffic that they realize they are victims of mass-scale automated attacks at the login, account origination, or password reset placements. In fact, 99% of all attacks start with automation unfolding at your environment’s doorstep. So, it is critical to monitor those placements and have tools that can accurately distinguish humans from automated machines.
Continuous authentication across channels
With the endless breaches, it’s evident that static data points such as security questions and others are no longer reliable for verification. Online companies need to implement intelligent multi-layer solutions that monitor at-risk placements such as login. However, depending on your risk tolerance and your false decline rate goal, a small amount of fraud may still enter the session.
Continuous verification allows companies to surveil the traffic inside the environment and flag any anomalous behavior. This catches any fraud that may have come through before it gets to the checkout or transaction. Passive biometrics and behavioral analytics are technologies that can provide this level of monitoring without adding friction to good users.
When the user reaches a transaction or purchase placement, fraud managers can compare the current behavior to the user’s previous behavior and decide if it’s the legitimate user or not. This cross-session and cross-channel monitoring enables risk managers to detect and respond to risk sooner, blocking fraud before it happens.
Multi-layered technologies analyze hundreds of data points throughout a session to create an evolving profile of a user across sessions. The moment a behavior is anomalous compared to that user’s historical data, the system alerts the merchant and can automate interdictions to verify that specific user.
As mentioned earlier, most fraud begins upstream, at the account creation or login, and is driven by automation. By monitoring these placements with behavioral analytics, businesses can mitigate most threats. For example, unsuccessful login information can reveal that a script has opened an account after 250 attempts from different IPs the same day, which is a clear sign of fraud.
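The login signal described above can be computed directly from authentication logs. The following is an added example, not code from the original post or from any vendor product; the event layout, the account names and the distinct-IP threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

def make_sample_events():
    """Constructed sample data: (ISO timestamp, account, source IP, success)."""
    events = []
    for i in range(250):  # alice: 250 failures, each from a different IP
        ts = f"2024-07-01T03:{i // 60:02d}:{i % 60:02d}"
        events.append((ts, "alice", f"198.51.100.{i + 1}", False))
    events.append(("2024-07-01T03:10:00", "alice", "203.0.113.7", True))
    for i in range(300):  # carol: 300 failures, all from one IP
        ts = f"2024-07-01T05:{i // 60:02d}:{i % 60:02d}"
        events.append((ts, "carol", "192.0.2.44", False))
    events.append(("2024-07-01T05:30:00", "carol", "192.0.2.44", True))
    # bob: a normal user who mistypes a password twice
    events.append(("2024-07-01T09:00:01", "bob", "192.0.2.10", False))
    events.append(("2024-07-01T09:00:09", "bob", "192.0.2.10", False))
    events.append(("2024-07-01T09:00:20", "bob", "192.0.2.10", True))
    return events

def flag_takeovers(events, min_failures=250, min_distinct_ips=50):
    """Flag the first successful login per account and day that follows many
    same-day failures spread over many IPs.

    min_failures mirrors the 250 attempts in the text; min_distinct_ips is an
    assumed threshold. Returns {(account, day): (failures, distinct_ips)}.
    """
    failed_ips = defaultdict(list)  # (account, day) -> IPs of failed attempts
    flagged = {}
    for ts, account, ip, ok in sorted(events):  # ISO timestamps sort by time
        day = datetime.fromisoformat(ts).date().isoformat()
        key = (account, day)
        if not ok:
            failed_ips[key].append(ip)
        elif key not in flagged:
            ips = failed_ips[key]
            if len(ips) >= min_failures and len(set(ips)) >= min_distinct_ips:
                flagged[key] = (len(ips), len(set(ips)))
    return flagged

if __name__ == "__main__":
    for (account, day), (fails, ips) in flag_takeovers(make_sample_events()).items():
        print(f"{day} {account}: success after {fails} failures from {ips} IPs")
```

Only the distributed pattern is flagged here; the single-IP run against the constructed account carol would need a separate per-IP rate rule.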
Today, more companies are implementing multi-layered solutions to be able to monitor activity across the different channels and sessions and prevent fraud before any losses occur. This approach helps block fraud while providing a smooth experience for the customer.
About the author
Ryan Wilk is VP Customer Success for NuData Security, now a MasterCard company. NuData Security analyzes and scores billions of users per year and services some of the largest eCommerce and Web properties around the globe.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are those of the author, and don’t necessarily reflect the views of BiometricUpdate.com.