It is not surprising that bad actors are moving to card-not-present fraud; it is the easiest way to access money, products and services. The key to cutting down on fraud is authentication and differentiating a real customer from an impostor.
Multifactor authentication is the best defense against CNP. By combining four factors — “what you know,” “what you have,” “what you are” and “what you do” — banks and merchants create an almost impermeable barrier. So what does that look like?
“What you know” is the username and password. “What you have” is typically the user’s device or a two-step login using a token that is sent by email or SMS. “What you are” refers to physical biometrics, such as facial recognition or fingerprint scans. The first two are very easily obtained information and, and even physical biometrics can be hacked and reused. Earlier this year, a BBC reporter spoofed a voiceprint at his local bank by having his twin brother speak the key phrase.
That brings us to the fourth layer: “what you do.” Passive biometrics and behavioral analytics gives banks and retailers context to the digital transaction and allows them to distinguish between a real customer and a cybercriminal. Users benefit from a seamless experience while organizations are given the additional assurance of authentication.
Behavioral biometrics passively understands users, whether they are on laptops or mobile devices. It identifies good customers, stops automation and prevents account takeover. It also understands a blend of devices. So if a user has an Apple watch, MacBook Pro and an iPhone, the system learns to identify these and sync them to the user profile.
The solution looks for how users interact in a session. Things like input speed, keystroke deviation and how a device is held all give indicators of a human versus nonhuman interaction. As it builds a larger user profile, the system compares this against a database of login events to identify and authenticate user behavior. In 2016, for example, NuData Trust Consortium analyzed 80 billion behavior events. As it’s analyzed passively and in real time, users experienced no friction unless the login was suspect. Having a full multilayered solution to identify the user in both a passive and active state creates a nearly unspoofable way to authenticate a valued customer.
Just as markets shift, so do fraud targets. With more vendors issuing EMV cards, cybercriminals are turning to card-not-present fraud as a way to defraud your customers. So much so that Juniper Research is forecasting CNP fraud to hit $71 billion over the next five years.
No company is immune. One example is an American-based parent company to global online travel brands in 60 countries. It reported close to 5,000 fraudulent login attempts per day, using stolen customer lists and passwords, or brute-force password guessing. The risk was massive. The company was desperate for a solution to reduce that risk.
The online travel company implemented passive behavioral biometrics, now preventing upward of 5,000 account hijacking attempts each day and reports 97% accuracy in recognizing users’ identities. The company was also able to prevent a mass login attack from fraudsters attempting to gain access to its accounts by using stolen usernames, emails and passwords from previous breaches. That data is now valueless as the behaviors can’t be replicated.