The ATO threat: how strong is your line of defense?

January 6, 2022

The accelerating shift to digital creates an immense challenge for financial services organizations. As access to digitally enabled services continues to explode, so do the opportunities for fraud, which can erode trust and cause significant financial harm.

While the 2020 pandemic accelerated all types of fraud across digital channels, account takeover (ATO) fraud has skyrocketed. Between the second quarter of 2019 and the second quarter of 2020, ATO fraud grew by 282%. As long as criminals can exploit weaknesses in an institution’s ability to distinguish a legitimate customer from an imposter, this threat will continue to grow.

Re-thinking the balance between friction and trust

ATO attacks succeed when digital identity verification techniques fail. Criminals are developing increasingly sophisticated techniques for impersonating legitimate customers or obtaining their passwords to gain access to accounts and wreak havoc.

Today, too many companies focus their energies on establishing proof of identity at the outset of a digital customer journey. A new customer, the thinking goes, is more likely to tolerate the “friction” associated with identity authentication, such as providing a digital capture of a government-issued ID and a live selfie that can be accurately matched against the document photo.

Establishing trust in a person’s digital identity is an ongoing process throughout the customer journey. Document-centric identity verification solutions, combined with biometrics, can help financial services firms establish a foundation of trust with new customers – and protect trust at every touchpoint. Not only will this help reduce the threat of ATO attacks, but it is also likely to increase customer confidence – over three quarters (76%) of breach-weary consumers are in favor of advanced security protocols over passwords, even if it means compromising on the convenience of the checkout experience.

Protecting trust throughout the digital customer lifecycle

As you look to strengthen your line of defense against ATO attacks, consider an adaptive approach that incorporates multi-factor authentication techniques that can strike the right balance between trust and convenience at scale throughout the customer lifecycle.

Digital identity lifecycle Q&A

When and why do identity processes typically fail?

Proofing, verification, and authentication processes can fail when criminals can too easily gain access to passwords or other personal identifiers, when the burden of proof on good customers is so onerous that it leads to abandonment, or when the evidence captured lacks the required quality (blurry, glare, liveness) to ensure confidence in it as proof of identity.

How to strengthen these processes?

Start with a high quality, spoof-proof capture of evidence – ID documents, selfies, or other biometrics. This improves the efficacy of verification algorithms and processes. A reliable proof of identity at Day Zero ensures the customer journey is off to a good start, while establishing a baseline of trust for subsequent digital touch points.

How to build the right toolset?

The right solution to digital identity verification and authentication is adaptable and configurable. Depending upon requirements and risk profiles, businesses can opt to layer in agent assistance, biometrics, and NFC as needed – all centered on a reliably proven and maintained customer identity, and ideally with a consistent user experience from end to end.

What role should biometrics play?

Biometrics can play a significant role throughout the digital identity lifecycle. During initial identity proofing, biometrics can help ensure that the person presenting the document is its rightful owner. During identity authentication, biometrics can make the customer experience faster and easier by eliminating the need to remember passwords or check a second device for one-time codes.

Are device-enabled biometrics sufficient?

It’s true that modern smartphones leverage biometrics (selfies, fingerprints) to verify the user’s identity. But these solutions lack enterprise-grade features such as liveness detection and granular control over how well the user experience maps to the business’ risk tolerances and other thresholds. Device-enabled biometrics are still largely used as single-factor authentication, one that can be breached simply by knowing the user’s device PIN. Multi-factor approaches create additional protections.

Are multi-modal biometrics the way forward?

Advances in fraud have made knowledge-based authentication data such as device PINs vulnerable to attack, and passwords and OTPs are too time-intensive for customers. Multi-modal biometrics are simpler for customers, and the best defense against account takeover (ATO) attacks.

Are NFC capabilities essential today?

Yes, if your identity proofing process relies on near-field communication (NFC)-enabled IDs and ePassports. NFC will play a more important role over time, as we expect to see an increasing number of ID documents embedding NFC chips.