Dalton keiron

A new mobile technology has been designed to halt sophisticated digital identity fraud by going beyond passwords.

The system aims to eradicate traditional verification processes on online banking and mobile apps, which are seen as cumbersome, in a bid to halt the ongoing issue of social engineering fraud.

Aspect Software, using developments to its Aspect Verify trust platform, aims to deal with security problems caused by consumers who using online systems, as they are the weak link that is most targeted by fraudsters.

According to the Crime Survey bulletin from the UK’s Office of National Statistics released in December 2016, two-thirds (66%) of ‘cyber related’ fraud were categorised as ‘bank and credit account’ fraud.

Also, a recent report from Agari claims that three in 10 businesses were victims of social engineering fraud in 2016.

Keiron Dalton, global program senior director of Aspect Verif, said: “Before any account takeover can take place, some form of social engineering needs to happen in order to obtain the right information to complete a false transaction.

“This could be any way of tricking or manipulating victims into providing personal information, including passwords, dates of birth and so on.

“While the most effective method of securing any account or technology system is to use multi-factor authentication, the human interaction element of fraud is still the weakest link in the chain.”

Passwords continue to be the most popular method of securing the first layer of authentication for online and mobile banking.

Aspect’s 2017 consumer study into online banking fraud, The banks’ balancing act: Fraud risk vs the customer experience, found that 88% of customers who experienced at least one fraudulent incident on their bank or credit card account in the past, recall needing to use a password, PIN, or some combination of characters and symbols in order to log in.

Dalton said: “Any kind of password is practically a comfort blanket. We’re so used to them, but in between social engineering and sophisticated fraudsters, they’re near enough useless at protecting our money.

“Working with some of the big banks, we’ve been seeing a rise in sophisticated mobile fraud designed to target personal bank accounts, such as SIM Swap.”

Since some banks use one-off SMS codes to verify the identity of the victim, criminals have taken advantage of a weak spot by impersonating and convincing mobile network operators in the contact centre to ‘swap’ the SIM of the victim with a new one.

After this happens, the fraudster can access these one-time codes via SMS and when combined with information they already have, such as PINs, passwords and personal details, can clean someone’s account out in minutes online.

Dalton said: “You could theoretically add more layers of security – say, to a mobile banking app – but all you’re doing is placing restrictions on users, forcing them to jump through hoops just to do something that a mobile app should let them do quickly and easily. They’ll get frustrated pretty quickly and you’re more likely to lose them as a customer down the line.”

Dalton says that developments between the mobile network operators, banks and technology providers have meant that they are well on their way to striking a balance between ease of use, convenience and appropriate levels of security that will stop social engineering at the start of a compromise.

The technology uses publicly available data to help banks to step-up authentication by determining variables such as geo-location of the user, call divert and SIM Swap detection.

Keiron added: “Currently, an automated voice call is all that’s needed to authenticate a transaction for us to know whether it’s genuine or not. Eventually, the verification will be imperceptible and won’t interrupt a genuine user experience.

“A fraudster could be making an ‘omni-channel’ attack where they have already taken over someone’s mobile device, and is being talked through a process to transfer money on a separate channel while the automated call is taking place. It has been very successful in practice.”

Aspect Verify is a trust platform and a cloud-based service for fraud prevention and detection.

It is a collection of automated engagement solutions for proactive monitoring, identification, prevention, and notification of fraudulent transactions, including SIM Swap and diverted calls and SMS.

Notification options target both the organisation and the customer, and include system-level alerts as well as phone calls (landline or mobile), SMS, and email.