Securing Logins While Reducing Member Friction
South Carolina Federal enlists Fiserv's help to enhance security while improving member experiences.
When credit unions receive knocks on their digital front doors, they must accurately identify those who are knocking while remaining welcoming to members who are simply entering to transact business. That’s the challenge the Brookfield, Wis.-based Fiserv, Inc. hoped to address by launching SecureNow: Login Defense, an extension of SecureNow from Fiserv, which facilitates accurate recognition of suspicious devices, and enables credit unions and other financial institutions to boost cyberattack detection rates while also reducing the number of steps needed to access accounts.
Recently, the $1.85 billion, North Charleston, S.C.-based South Carolina Federal Credit Union was seeking help with balancing security and member engagement. It had always strived to make online banking security so tight that no fraudulent activity could sneak by. In fact, the credit union, which operates 20 South Carolina offices in four major Palmetto State markets including Columbia and Georgetown, has never experienced any type of online banking fraud. But as a consequence, the user experience was challenging for members.
As an existing digital banking client of Fiserv’s using a variety of products including Corillian Online and Mobiliti, South Carolina Federal reached out to the company for a solution.
“Roughly about three years ago, we did an official launch of SecureNow into the marketplace. It has grown significantly over the years,” Scott Domach, vice president of product strategy for Fiserv, said. SecureNow replaces traditional security mechanisms with data-driven risk decisioning and monitoring.
In 2017, SecureNow tacked on Login Defense, a centralized, real-time cybersecurity platform that integrates multifactor and device-based authentication with behavioral analytics. The system incorporates device reputation insights from the global consortium of iovation, a TransUnion company, and location data from Neustar, a provider of real-time information services including security solutions, to analyze potential risk based on a range of device-related factors such as account access frequency, history and place. Fiserv has claimed real-time recognition rates of 90% for attacker devices.
SecureNow includes multiple layers of behind-the-scenes security, which makes the experience seamless for the user. This was a key benefit for South Carolina Federal.
Shaun Davis, director of IT infrastructure and telecommunications for South Carolina Federal, discussed the initiative behind the consideration of SecureNow. “We really felt like it would help us to enhance our security while also trying to remove some layers of difficulty that our membership had with logging into online banking.”
The credit union wanted to challenge members when necessary but greet them with a welcome mat the rest of the time. SecureNow helped make the process more user-friendly by replacing traditional security mechanisms with real-time login defense and security monitoring. SecureNow completes all the strenuous authentication in the background, eliminating the user’s login barriers.
The credit union, which has more than 162,000 members, established two primary metrics for success: a lower challenge rate and fewer calls to its contact center regarding online banking.
Davis explained the credit union added SecureNow and its extension Login Defense at the same time. “We piloted in September 2017 and went live in late September and October 2017. It was just for online banking at first; we added the mobile app in January 2018.”
Here’s how SecureNow works, according to Davis: The first time members log in, they enter a username and password, and South Carolina Federal sends them an authentication code via text. Members then enter that code. “After that, SecureNow figures out where they usually log in from (i.e., computers, mobile devices), and only requires a password and username. They no longer need that second authentication.”
When problems occur during challenge-response authentication situations, members face more stringent entry requirements or must query the contact center. Prior to the SecureNow implementation, South Carolina Federal members encountered two-factor identification every five to 10 times they logged in. South Carolina Federal leaders anticipated the move to SecureNow would help to lower member challenge issues, and they were right.
Since implementing SecureNow, the credit union has seen its challenge rate decline from 28% to less than 10%; now, fewer members need to enter one-time passcodes or unlock their accounts. This improved the member experience and helped lower call center volume.
South Carolina Federal uses Net Promoter Score for instant online banking surveys, and the responses used to include comments about having to enter passcodes so many times. “We basically don’t see those types of comments any longer. We’ve steadily improved our Net Promoter Score and reduced calls to our contact center,” Davis said.
As for more direct member feedback, Meredith Siemens, South Carolina Federal’s vice president of public relations and community involvement, noted that what the credit union has not heard is also notable, especially through its social media communication. “Our contact center saw a decrease of challenge questions to 8% from January to March 2019. Although it’s less specific on the social media side, we’ve definitely seen a decrease in inquiries from the members.”
In reference to SecureNow’s layered security approach, Domach explained, “There is no single magic bullet. So, we incorporate a mix of different products.” Domach indicated Fiserv offers everything from traditional security measures to out-of-band solutions. “That is where you get a code sent to you, whether it’s your phone or your email, to validate who you are.”
Another traditional method Fiserv incorporates is a series of out-of-wallet questions, which are gathered during the member’s registration process. “Clients either buy out-of-wallet or out-of-band, very few buy both. Most of them buy the out-of-band because having a code sent to you is becoming pretty normal,” Domach said.
Fiserv also offers a second-level security product, Login Defense, which looks at both device security and IP security. Domach described how Login Defense works: When someone logs in, it takes the credential sent from the device – whether it’s a laptop, mobile phone or tablet – and sends it to a consortium, which checks it against some five billion devices. If it is fraudulent, it directs the person logging in to call the call center. A similar process occurs when a sketchy IP address is detected.
Domach emphasized the subsequent stage takes place post-login using behavior analytics. “Let’s just say that once a month, I transfer $1,000 from my checking to my savings. Analytics is going to notice and consider it is part of my normal behavior. If I tried to transfer $10,000 twice in one week, it is going to flag that.”
He also noted, “The reason behind that is to limit any suspicious activity, and the impact on the client would be relatively low because we’re letting the normal behaviors go, which is taking the friction out. We’re only creating any questions when the behavior is different.”
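The layered flow Davis and Domach describe (reputation check, a one-time code only for unrecognized devices, then a post-login behavior check) can be sketched as follows. This is an added illustration, not Fiserv's code or SecureNow's actual logic; every name, threshold and sample value is an assumption made for the example.

```python
from dataclasses import dataclass, field
from statistics import median

@dataclass
class Member:
    known_devices: set = field(default_factory=set)
    transfers: list = field(default_factory=list)   # (day, amount) pairs

def login_decision(member, device_id, ip, bad_devices, bad_ips):
    # Reputation check first: a flagged device or IP never reaches the OTP step.
    if device_id in bad_devices or ip in bad_ips:
        return "refer_to_contact_center"
    # Unrecognized device: step up to a one-time code.
    if device_id not in member.known_devices:
        return "otp_challenge"
    return "allow"  # recognized device: username and password are enough

def complete_otp(member, device_id, code_ok):
    # Only a successful challenge enrolls the device as recognized.
    if code_ok:
        member.known_devices.add(device_id)
    return code_ok

def transfer_decision(member, day, amount, factor=3.0, min_history=3):
    # Hypothetical baseline: rolling 7-day total vs. the median past transfer.
    past = [a for _, a in member.transfers]
    if len(past) < min_history:
        return "challenge"  # no baseline yet (recording after a pass is omitted)
    week_total = amount + sum(a for d, a in member.transfers if day - d < 7)
    if week_total > factor * median(past):
        return "challenge"
    member.transfers.append((day, amount))
    return "allow"

def demo():
    # Constructed sample data; the sets stand in for reputation feeds.
    bad_devices, bad_ips = {"dev-flagged"}, {"203.0.113.9"}
    m = Member(transfers=[(0, 1000), (30, 1000), (60, 1000)])
    args = (bad_devices, bad_ips)
    results = [login_decision(m, "dev-laptop", "198.51.100.7", *args)]
    complete_otp(m, "dev-laptop", True)
    results.append(login_decision(m, "dev-laptop", "198.51.100.7", *args))
    results.append(login_decision(m, "dev-laptop", "203.0.113.9", *args))
    results.append(transfer_decision(m, 90, 1000))    # the usual monthly move
    results.append(transfer_decision(m, 95, 10000))   # out of pattern
    return results

if __name__ == "__main__":
    print(demo())
```

Ordering matters in `login_decision`: the reputation check runs before the device-recognition check, so a previously enrolled device that later appears on a bad list, or logs in from a flagged IP, is still stopped.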
Davis mentioned South Carolina Federal went live with behavior analytics for online banking in mid-June. In the initial few weeks of use, it reduced in-session challenges by 85%.
Domach added, “We really focus on the client’s experience overall and we want to make sure that normal behavior is not punished. We believe intelligent security fuels intelligent experience and we’re all about creating a positive and intelligent experience for end consumers. But it has to start with intelligent security.”
Fiserv maintained SecureNow complements its other cybersecurity solutions, including CyberProtect and Cyber Secure, which are designed to mitigate risks within financial institutions as well as risks associated with consumer-facing services.