A fraudster's easiest path through a financial institution's defenses often starts in the gray area between security and a seamless experience for consumers.
Balancing those two priorities has been a traditional quandary in the financial services market, said John Horn, director in Digital Banking at Fiserv.
"Banks and credit unions want experiences to be as seamless as possible," he said. "But there have been so many data breaches in the market, and brand risk is high."
Historically, the market has presented two options to CIOs and digital banking executives: Emphasize security at the expense of experience or weaken defenses for the sake of speed and convenience.
But what if there was a third option? Device recognition, also known as device analytics, holds the potential to do away with that either-or scenario, Horn said, by going straight to a device to answer two crucial questions: Is the person logging in really a customer? Or is it someone who bought the credentials off the dark web?
"Device recognition can allow you to have both," he said. "You get an 'and' instead of an 'or.'"
Online banking and mobile apps are a security challenge for financial institutions. That's because it's often difficult to make sure people are who they say they are without subjecting them to multiple authentication steps, said Jay Johns, global partner manager for iovation, a global leader in device fraud analytics and log-in authentication as well as a Fiserv partner.
"The traditional solution is to request personally identifiable information such as Social Security numbers and financial records," he said. "But that can be unreliable because data breaches have made that information readily available to fraudsters. They often can answer all of the challenge questions better than legitimate users."
Device recognition, Johns said, sidesteps that problem by automatically investigating several elements of the device a person is using to access financial services, asking:
Is this a device that has been encountered before, and has it been involved in a large number of transactions? If the device has accessed and authenticated to a specific account in the past, it should be let in with little challenge, Johns said. If not, then recognition efforts should continue.
Is the device physically where it shouldn't be? It could look like the device is in Chicago, but analytics might show it's across the world in Southeast Asia.
Does the physical location change more quickly than a person could travel? There could be evidence someone is altering the IP address if the location changes with every transaction.
Does the device have a history of fraudulent behavior? And, if so, what type of fraud? Where? When? Which company was defrauded?
Are there anomalies in the device configuration? For instance, the device might have one language in the operating system but another language in the browser. That would be an indicator of risk.
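As an added illustration (not code from Fiserv or iovation), the sketch below shows how four of these checks (known device, fraud history, language mismatch, impossible travel) might be evaluated for one login. The field names, the 900 km/h speed ceiling and the sample events are assumptions constructed for the example.

```python
# Added illustration; field names and thresholds are assumptions, not a vendor API.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling, roughly airliner cruising speed


@dataclass
class Login:
    device_id: str
    ts: float          # epoch seconds
    lat: float         # location as derived by analytics, not self-reported
    lon: float
    os_lang: str
    browser_lang: str


def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def risk_signals(login, prev, account_devices, fraud_devices):
    """Return the signals raised by this login; an empty list means no extra challenge."""
    signals = []
    if login.device_id not in account_devices:
        signals.append("new_device")
    if login.device_id in fraud_devices:
        signals.append("fraud_history")
    # Compare primary language tags only, so en-US vs en-GB is not flagged.
    if login.os_lang.split("-")[0].lower() != login.browser_lang.split("-")[0].lower():
        signals.append("language_mismatch")
    if prev is not None:
        hours = max(login.ts - prev.ts, 1.0) / 3600.0  # floor avoids divide-by-zero
        if km_between(prev, login) / hours > MAX_KMH:
            signals.append("impossible_travel")
    return signals


# Constructed sample events: a Chicago login, the same device a day later,
# and a different device on the other side of the world 30 minutes later.
CHICAGO = Login("dev-A", 1_700_000_000, 41.88, -87.63, "en-US", "en-US")
NEXT_DAY = Login("dev-A", 1_700_086_400, 41.90, -87.65, "en-US", "en-GB")
FAR_AWAY = Login("dev-B", 1_700_001_800, 13.75, 100.50, "en-US", "th-TH")
```

A recognized device with no signals passes without a challenge; each raised signal is a reason to continue recognition efforts or step up authentication.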
"It's all transparent," Johns said. "We're trying to help good consumers have a better experience and, at the same time, nail the fraudsters."
Recognizing legitimate devices quickly and efficiently is crucial for many reasons, including a reduction in challenge questions and new credentials sent to consumers. That saves money and improves the experience.
"You don't have to throw those roadblocks out there as much because you recognize the good users," Horn said. "The brand comes across better because you're not challenging people as often."
Adding device recognition to a financial institution's arsenal of defenses doesn't have to be a burden. It can really shine with the right partner handling the complexities of monitoring, operations and continuous improvement, he said.
"You don't need your hands on the dials," Horn said. "The key is having an efficient way to manage and fine-tune it."
Simply put, he said, if cyber security is a poker game, device recognition gives financial institutions a clearer view of the cards fraudsters are holding.
"The device," Horn said, "is the new tell for cyber fraud."