Digital identity fraud is a major challenge for internet users all over the world. Rates of fraud have shot up in recent years, with 46% of financial customers in the US reporting they have been the victim of online fraud, and 1 in 5 reporting that they have experienced an account takeover scam.
With consumer concerns at an all-time high, banks and financial services are under pressure to take all steps possible to improve the security of their users. NuData Security, a Mastercard company, is at the forefront of helping banks and other financial services to protect their clients, with a suite of fraud-detection and account takeover protection features.
We spoke to Justine Fox, Principal Product Manager at NuData Security, to find out more about why identity fraud has become so prevalent, and the challenge of solving the digital fraud problem.
What are the main challenges that consumers are facing when it comes to digital identity fraud and account takeover online?
Pretty much every day we see a lot of negative press around data breaches. Now the unfortunate reality of the online ecosystem is that, as consumers and as people, we often reuse account information between different service providers.
That means that if the account information is breached on one service provider, it can be collected by attackers and then re-leveraged elsewhere. And that can be in the form of an account takeover attack, or it can just be in the form of synthetic identity fraud, or even just fully being able to replicate your identity with other services online that you might not have even signed up for.
Back in January, reports suggested that banks were not doing enough to prevent fraudulent activity, such as allowing users to have insecure passwords, or being overly reliant on SMS 2FA. Do you agree these practices are too prevalent, and should banks be doing more to improve security practices?
There’s always more that can be done, both on the part of the service provider, and on the part of regular individuals that are interacting online. Banks are generally quite heavily regulated and are forced to have some of the best-in-class security hygiene.
When it comes to fraud and other activities, it’s always possible to be more secure; it’s always recommended to go beyond just passwords to ensure that folks are using two-factor authentication. It’s very difficult to force people to have strong passwords. Even if you have the best password complexity requirements, that doesn’t stop somebody from using a password like ‘password123!’, because that’s still going to pass the regex unless you have a word block list for your password solution.
So, it’s very hard to prevent account takeover attacks just based on usernames and passwords. So, as you add a device as a layer––whether that’s just an SMS token or an app or something else entirely, like our behavioral biometrics solution––every security layer they add, the more protected the user experience, the harder it is for fraudsters to log into the account and wreak havoc.
When you consider how prevalent these poor security practices are, do you think there is a lack of awareness from many people about how serious these security risks can be, and should people be doing more to limit their own risk of identity fraud?
Once you’ve experienced identity fraud online, your trust of online services goes down. As individuals, there’s a lot of self-awareness and mindfulness of our interactions online that we do need to be better at. We need to be better at using different passwords for every service that we interact with online, so that when there is a data breach, we can control the blast radius, the scope of what’s going to be affected by that problem.
We should think about it as: “When that company gets breached, this is the impact to my identity. This is what information I have put there that is at risk.” And that just makes you be a lot more mindful of how you’re interacting with the service, and as you’re thinking through that, you can focus on much stronger passwords, as well as additional authentication layers.
And one of the things that I know for myself is I often won’t use services that don’t support two-factor authentication. Because as a consumer of a service online, I want to make sure that my identity and my data are as protected as possible. One of the things I know from friends and family that they struggle with is creating unique passwords for every account. And that’s where technology like password managers can step in and really help.
How does NuData Security help banks and financial services to protect users against account takeover and digital identity fraud?
NuData Security has four different layers of security: behavioral biometrics, device intelligence, which is metadata about the device so we can see how it’s operating on the network, behavioral analytics, and our consortium of data from our network of intelligence.
Generally, a lot of these attacks rely on knowing enough about you in order to take over your account. Now that can be your email address and brute forcing your password, or that can be you reusing the same username and password on multiple services. What I really like about our service is that even in a situation where there is a compromised username and password, we can tell the difference between the regular user of the account and an anomalous user.
That allows us to do some really interesting things, like say “We’re 90% confident that this is you that is logging in.” But, if all of a sudden you’re requesting an e-transfer for a large amount, we might only be 60% confident that it’s really you. Based on that, the company may want to automatically trigger a second factor of authentication.
At every step, throughout every interaction, we’re validating that you are who you say you are. And that’s without knowing who the end user is, as we just have the behavioral biometrics and device data. The goal from a user experience perspective is that you just log in seamlessly, you make that purchase seamlessly, there’s no burden or barrier for you to perform the action that you are looking to do, because your identity is verified and validated.
Most of our customers have noticed a very quick drop-off in attacks and fraudulent behaviors. It goes from raining cats and dogs to a very fine, misty day every now and then.
Do you think that these new technologies will eventually help to take some of the responsibility of creating strong passwords and using multi-factor authentication off users, and we can move to a more secure future?
I sincerely hope so. I know throughout Mastercard, there is a lot of technology that we’re using to create full digital identities for folks. We’re partnering with folks in the ecosystem to really make that the best-in-class user experience possible for everyone around the globe.
That way, even when you’re using a password like ‘password123’––please don’t do that!––you’re still secure. We want to make sure that you’re secure regardless of what authentication you might be using, and to ensure that your device, your interactions, everything that you’re doing online, helps to be part of your digital identity.
And that digital identity just opens the door for you rather than creates barriers for you.
What final advice would you give people to ensure they are doing all they can to protect against account takeover and financial scams?
When it comes to account takeover, use a unique password per service, and sign up for two-factor authentication. If you don’t practice your own personal security hygiene, then you’re at a high risk to experience identity theft, to experience fraud of some kind. Often scams can involve account takeover, but they can also just be social engineering attacks for other purposes. And my number one thing is trust very little when it comes from the internet.
My favorite example of this occurring recently is that service providers have started to add in their 2FA SMS tokens, phrases like “We will never ask you for this token, do not share this token.” Very explicitly explaining that this is private information, do not share it. And that’s very telling, because folks are posing as customer support, they’re calling consumers and if they’re lucky enough sometimes they can get the information they need to take over the account.
Practicing good cybersecurity is not sharing and trusting folks, whether it’s on the internet or a phone call, or wherever it came from.
Learn more about NuData Security, a Mastercard company, here: https://nudatasecurity.com