Consumers give out personal information every day, mainly because it is requested of them for almost anything they want to buy. A mother’s maiden name and the last four digits of a Social Security number are common security questions that allow financial institutions, online shopping websites and other businesses to authenticate users.
But therein lies the fundamental problem: these authentication methods are so common that the information is easily obtained and sold to criminals. And when a criminal is authenticated using stolen information, the real member’s card number is compromised. Often, these compromised credentials are then added to more trusted digital wallet ecosystems like Samsung Pay, Android Pay and Apple Pay, and once inside these virtual ecosystems, criminals have a much easier time using the stolen card information.
Financial institutions must understand that digital payment security has transitioned from a point-of-sale problem to one of member authentication. Here are four methods financial institutions can use to halt this trend:
Prioritize Trusted Channels
EMV chips on cards and tokenization for digital wallets will make it nearly impossible for useful data to be stolen at the point of sale. Tokenization is a growing obstacle for fraudsters, because the technology replaces static card credentials with unique tokens that are useless to steal.
To compensate, criminals are now attempting to authenticate using the static consumer card credentials they’ve illegally obtained. So, when authenticating legitimate users—especially via digital means—credit unions must prioritize, or encourage the use of, trusted channels. For instance, sending a text message to a member’s phone or using password verification via an app are the most trustworthy methods. Phishing and social engineering schemes are much less effective within these channels, and your payments processor should block these fraudsters automatically when foul play is detected. Consider incentivizing members to use these channels by highlighting their security benefits.
Prep the Call Centers!
Despite all attempts your institution has made to secure the authentication process via text, email, app, etc., there will always be members who want to speak directly to a representative. Call centers are the main target for modern data phishing schemes. Criminals perpetrating authentication fraud take aim at call centers because, in short, people are easier to trick than machines. Fraudsters will use social engineering tactics to trick representatives into thinking they are speaking to the real member, since they have all of the necessary information. Train your call center staff with social engineering testing to help them recognize and deal with these schemes. Also, they should be instructed to request “out of wallet” information.
Use Out of Wallet Info
The underlying problem with current verification methods is that they use static, unchanging data to authenticate users. A mother’s maiden name will never change, nor will the last four digits of a social security number. This information is easily obtainable today and is likely already in the hands of criminals looking to exploit it. Financial institutions must instead employ out of wallet questions to generate dynamic, behavior-based credentials when validating a member over the phone. Out of wallet information is based on behavior that has no traceable profile. For example, consider replacing “mother’s maiden name” with “where was your last local transaction” and “at which branch did you last deposit money?” The answers are much harder for fraudsters to obtain, and give a more realistic insight into the legitimacy of the person on the other end of the line.
If in Doubt, Ask Them to Come in
This might sound extreme, but more often than not a member will appreciate the added security measure your institution takes against card fraud. This is especially effective for financial institutions that are located only in a certain geographic area. Since the majority of authentication fraud occurs over the phone, geolocation plays a huge role: if a fraudster calling from California is asked to come to a financial institution in Iowa, they will likely hang up and try to scam another institution. Rarely will phone-based authentication fraud become an in-person, physical fraud attempt, simply because this manner of fraud requires far more work.
Financial institutions must rethink payment risk. Yes, payment security is evolving, but criminals are evolving with it, and will do whatever it takes to get around any security measures put in place to thwart them. All financial institutions must remain firm in their efforts to authenticate, and ensure members are indeed who they say they are.