Last updated: 23 October 2019
Strong Customer Authentication (SCA) is paramount for banks to succeed with their digital strategies. It is crucial for banks to make sure their customers are properly authenticated with minimum risk of fraud to allow them access to online banking and payment or sensitive transaction validations. Legislations such as PSD2 in Europe underlined the need for SCA and documented its possible implementations in their Regulatory Technical Standards (RTS), as covered in a previous blog post. Developments in technologies such as biometrics have proven to support SCA goals while preserving a simple and enjoyable customer experience.
In addition to security measures that translate into new and ’visible’ user experiences (UX), there is a silent software layer at work to perform real-time contextual analysis for any given authentication attempt. A risk score aggregating several sources of data which are compiled via a policy manager can help the bank to scale up security measures when needed.
Data intelligence is performed to detect possible risks based on five main families of context-types. Their common goal is to track all ‘fishy’ contexts surrounding the user action while performing an authentication.
- IP Intelligence: Parameters such as geo-localization, device trustworthiness, IP addresses, VPN usage, the use of a TOR browser (The Onion Router) and multiple device attributes can be analyzed and result in a risk score. This score is then fed back to the bank’s policy manager, which sets thresholds for security measures to scale up if necessary.
- Device Profiling: Looks for jail-broken Operating Systems, screen size and resolution, applications version and OS version. These parameters contribute to score one aspect of device trustworthiness inherent to the device settings, and not to usage settings like the previous family. The resulting score also feeds back to the global policy manager.
- CyberCrime Threat Detection: Tracks malware trojans, RAT (Remote Access Trojan), overlay and bots access. Zero-day attacks can also be isolated by machine learning analysis on applications’ typical execution paths. The presence of such threats can be compiled into a risk score, contributing to a more granular policy manager decision.
- Digital Identity profiling: Analyses millions of transactions in real time across billions of devices to create a likely digital profile for a given user. The user’s current authentication attempt can then be compared to the digital profile to determine the likelihood of an authentic user.
- Behavioral biometrics: Scrutinizes user/device interactions such as typing pace, coordination, pressure (on keys) and typical user interface sequences. These behaviors reveal biometric characteristics and leverage in-device resources such as the gyroscope, the accelerometer and haptic sensors on smartphones displays.
In addition to all these vendors’ algorithms, banks also have a range of in-house developed risk management software that feeds and powers the policy manager. This contributes to an extremely precise granularity for scaling up security, in line with the risk level.
The market for such risk management software analytics is very rich and is evolving quickly. Banks need to assess what type of fraud they face and the (low) fraud level they are willing to bear. The combination of one or many of these fraud detection analytics will vary from bank to bank. We constantly monitor software innovations and bring them to banks through a holistic, use case minded offering.
An example of a recent addition to our portfolio of analytic solutions is US based Zimperium, focusing on malware detection, anti-phishing counter-measures and zero-day attack detection through machine learning on expected applications’ execution paths.
Banks focus on delivering a smooth user experience. We help them with the right technology behind the scenes to reduce global fraud. If you would like to know more about how we’re working with banks to help in the fight against authentication fraud, you can read more here.