The High-Wire Act of Balancing Security, Experience & Regulation: ThreatMetrix

Financial services organizations continue to walk a tightrope between maintaining low-friction but robust security with a streamlined consumer experience, while simultaneously managing the often-challenging demands of privacy and regulatory reform.

That is a key conclusion in the “ThreatMetrix Cybercrime Report: H2 2018,” from San Jose, Calif.-based ThreatMetrix, a LexisNexis Risk Solutions Company. The study is based on actual cybercrime attacks from July-December 2018 detected by the ThreatMetrix Digital Identity Network during real-time analysis and interdiction of fraudulent online payments, logins and new account applications.

ThreatMetrix, which processed 17 billion transactions during the second half of 2018 (with 61% originating from a mobile device), now sees a strong networked pattern of fraud, with the same cybercriminals working across different organizations in the same industry, as well as across different industries. This illustrates the global and ever-more connected nature of online fraud. This cross organizational fraud is particularly strong within banking, gaming and gambling, lending and retail.

Other key discoveries include mobile transaction volume and penetration continues to grow, with users favoring mobile for most use cases and in most global geographies. The key exception is for e-commerce logins, where the attraction of a larger screen seems to account for the 69% in desktop transactions, despite new account creations and payments predominantly mobile.

Though sophisticated attacks in e-commerce dropped during this period, the malicious and extensive effect of high-volume automated bot traffic continues to disrupt the industry. The ThreatMetrix Network blocked 2.1 billion bot attacks on e-commerce merchants, a 142% growth compared to the same period in 2017. “These identity testing bot attacks can often make up considerably more of an e-commerce merchant’s daily transaction volume than good traffic, making a low-friction online experience for trusted customers all the more challenging for merchants to provide,” the report revealed.

In finserv transactions customers are increasingly opting to bank online, with a preference for full service mobile banking apps over desktop sessions in many regions. However, the burden is on financial institutions to ensure integrated and fluid digital authentication capabilities form a typical customer experience element in order to align security with the online experience.

While payments still experience the highest attack rate, the risk to payments transactions is actually decreasing 17% year-on-year, while the risk to new account creations appears to be growing; 35% in the last six months overall and 29% for mobile transactions. The ThreatMetrix report stated, “This potentially indicates the fact that cybercriminals see more opportunity in fraudulent new bank accounts that can be used to launder money or take out multiple loans / other products that can be used for financial gain. “

Sixty-seven percent of financial services transactions now come from a mobile device, a growth of 13% year-on-year, indicating a growing preference for mobile transacting over desktop.

While mobile attacks still make up less than half the attack volume seen in the ThreatMetrix Network, financial services is experiencing a growth in attacks, particularly in the U.S., Canada, Brazil, and Italy. The most noticeable growth in mobile attacks is on account logins (107% growth over the first half of 2018), as fraudsters attempt to infiltrate user accounts by brute force (using mobile bots) or stealth (using mobile remote access attacks). Account takeovers offer immediate access to customer balances and personal credentials. In line with this, identity spoofing grew 20% compared to 2018’s first six months.

Fintech providers in the financial services industry remain susceptible to account takeovers and payments fraud, particularly digital wallet and remittance companies. ThreatMetrix suggested fintechs traditionally tailor their goods and services to an online only, sometimes mobile-only, consumer base. In addition, they often targeted the unbanked and underbanked population, in geographies where identity verification services are less prevalent.

ThreatMetrix identified tethering a device to the internet via a mobile hotspot is a key fraud indicator in financial services: Desktop transactions carried out with a mobile tether are 2.4 times more likely to be fraud than a transaction with a device connected via Wi-Fi/fixed-line broadband.

There are additional reasons for organizations to worry, according to Alisdair Faulkner, chief identity officer at ThreatMetrix, as described in the report’s foreword. “The swirling storm of privacy and security continues to loom heavy on the horizon for every digital business, with the first test cases from GDPR starting to make headlines and the California Privacy Act likely not far behind.” He added, consumers should expect the businesses they transact with to protect their online accounts and personal information, but the line between security and data privacy continues to be tested in the process.