18-5005J-The Role of Applicant Behavior in Identity ...


THE ROLE OF APPLICANT BEHAVIOR IN IDENTITY PROOFING

javelinstrategy.com 

925.225.9100 

TABLE OF CONTENTS

Executive Summary
    Key Findings
    Recommendations
Introduction
How Do You Measure Behavior in Digital Channels?
The Vulnerabilities of Traditional Identity Verification
    Anonymity
    Commoditization of Consumer Data
    Speed
    Weaknesses in Supplemental Controls
Examining Digital Account Opening Trends
    Understanding How Digital Technology Influences Fraud Risk by Product
    Identity Risks Beyond Financial Services
    The Challenges of Serving and Identifying Gen Y in Digital Channels
The Role of Behavior in Identity Proofing
Implementing an Identity Proofing Strategy
Methodology
Endnotes

TABLE OF FIGURES

Figure 1: Type of Information Stolen From Notified Breach Victims, 2017
Figure 2: Victims of Mobile Account Takeover and Mobile New Account Fraud, 2015–2017
Figure 3: Percentage of Accounts Opened in the Past 12 Months, by Channel
Figure 4: Victims of New Account Fraud, by Account Type
Figure 5: Channel Used for Account Opening in Past 12 Months, by Generation
Figure 6: Account Opening by Generation, Past 12 Months
Figure 7: Channel Used for Checking Account Opening, by Age


FOREWORD

This original report, sponsored by BioCatch, explores the role that applicant behavior plays in assessing digital-channel identity risk within financial services. This research report was independently produced by Javelin Strategy & Research. Javelin Strategy & Research maintains complete independence in its data collection, findings, and analysis.

OVERVIEW

As account opening continues to transition from physical to digital channels, financial institutions, issuers, lenders, and other organizations must optimize the digital experience of applicants in order to compete. At the same time, fraud is on the rise as criminals have become more successful than ever, thanks to some of the same digital channel benefits enjoyed by consumers: convenience, speed, and ease of use. To achieve the necessary balance between preventing fraud and providing a delightful experience for consumers, an approach to identity proofing that accounts for the channel, product, customer, and threat environment is absolutely critical. But regardless of the approach, inconspicuous solutions — like those based on applicant behavior — have a distinct role to play in how institutions manage the risk of application fraud.


EXECUTIVE SUMMARY

Key Findings

Four key vulnerabilities are inherent in identity verification in digital channels. The traditional identity verification process was designed to meet regulatory requirements, not to vet applicants for fraud. Vulnerabilities have since cropped up as the result of digital account opening and are contributing to record rates of identity fraud. These vulnerabilities include the anonymity that digital channels afford fraudsters, the commoditization of consumer data, the speed with which applications can be submitted, and weaknesses that have developed in some popular controls.

Because fraudsters have access to nearly any element of a consumer’s PII, verifying static identity elements is now a largely useless tactic in preventing fraud. Years of record data breaches, malware designed to glean consumer information, and social engineering have made personally identifiable information (PII) easily accessible for fraudsters. In fact, victims of data breaches in 2017 were more likely to have had a Social Security number (SSN) stolen than any other piece of PII for the first time ever. It is important to note that such identifiers might not be replaceable easily (SSN) or at all (date of birth), potentially exposing a victim for life.

Difficulties in assessing identity are holding back some products from digital adoption. Aside from credit cards, account-opening rates for loans in digital channels tend to be on the low side of the spectrum. Although customers might start the account-opening process for loans in the digital channel, very few rely on these channels for end-to-end account opening: Only 22% and 30%, respectively, remain in these channels for auto loans and mortgages. Part of this is because of a lack of availability, which is a function of the difficulty associated with verifying identity for these products.

Credit cards and demand deposit accounts (DDAs) in particular are prime targets for new-account fraud (NAF) in digital channels. Credit cards are by far the most targeted financial accounts for NAF because they are one of the easiest to monetize quickly. This trend has accelerated since the introduction of EMV because criminals had to find alternative sources of cards for their fraud schemes and have since transitioned to opening new credit card accounts. And fraud involving new checking accounts is changing from simple money laundering to increasingly playing a role as intermediary accounts; this way, fraudsters can move money from one compromised account belonging to a victim to a new account that supposedly belongs to the victim.[1]

Organizations in many industries face distinct challenges in assessing identity. Digital channels have become increasingly important to many businesses and in some cases even spawned the venture. For them, the inability to assess identity is especially profound. The challenge has been compounded further as some of these businesses, such as e-commerce merchants, are high-profile targets that cannot afford to introduce any friction to the process.

For prospective Generation Y consumers, traditional identity verification is creating costs and alienating them. Gen Y consumers who are new to lending and banking are unlikely to have robust track records with loans, and so their credit files are thin or wholly absent. This is problematic for verifying identity through digital channels because knowledge-based authentication (KBA), a stalwart of the identity verification process, can be ineffective without a sufficient base of records from which to draw. As a result, the digital-savvy generation that is most likely to open an account in the next year is being pushed to branches for account opening, thereby raising costs, or simply prevented from opening an account at an institution, thus driving them to the competition.

Identity proofing is the next evolution, and monitoring consumer behavior will play a central role. Unlike identity verification, where the goal is to assess whether certain elements of personally identifiable information (PII) match a known identity for the purposes of meeting know-your-customer (KYC) requirements, identity proofing provides certainty that not only is the identity itself valid but also that it belongs to the applicant.

Behavior provides significant insights in detecting fraud. Consumer behavior has a role to play in identity proofing, regardless of the financial product or customer segment being targeted. In fact, nowhere is there more of a need for inconspicuous fraud controls than in digital channels, where applications are increasingly being submitted and where the fluidity of the experience matters, especially to certain segments of consumers. Monitoring users’ interaction with input devices, such as mice and keyboards, can help validate a good customer, such as by indicating use of long-term memory, or flag fraudsters by identifying suspicious indicators such as a lack of familiarity with the data being entered.

Recommendations

Replace identity verification with a holistic identity proofing process. Identity proofing should consider the strengths and limitations of the channel, the expectations and challenges associated with different customer segments and financial products, and the threat environment affecting each aspect.

Consider the benefits of a six-stage identity proofing process for digital account opening. By moving to a six-stage, continually scored process — inspect, prefill, verify, reconcile, enhance, and conclude — an institution can reduce the risks associated with a traditional identity verification process while also providing a streamlined customer experience.

Institute the use of behavioral biometrics throughout the identity proofing process. Behavior-based solutions can deliver value at every stage of an identity-proofing scheme by helping to isolate malicious automated activity (i.e., bots) and other suspicious applicant behavior without creating the kind of friction that can turn off good prospective customers.


INTRODUCTION

Consumer account opening is shifting from physical to digital channels for many products, although not all consumers are embracing the digital revolution with the same degree of enthusiasm. For organizations, understanding the dynamic of the shift to digital account opening is critical, not just because of risks that are unique to digital channels, but also because of the customer-experience complications that can arise.

Financial service providers that are trying to accurately assess the identity of customers in digital channels have to consider certain aspects to minimize losses and ensure a positive customer experience. These aspects include:

The risks to different financial products, such as demand deposit accounts (DDAs), personal loans, or individual retirement accounts (IRAs), which can manifest differently in digital channels than in physical ones.

Certain consumer segments have expectations that should affect the choices that an FI, issuer, or lender makes in the controls that it uses — especially controls that are customer-facing.

How an identity-proofing scheme should be tailored, using different solutions based on the channel, customer, product, and threat environment.

The different roles that behavior can play as a means of controlling identity risk, based on how it meets customer-experience needs and bolsters the fraud-mitigation aspects of an identity proofing scheme.

“Right now we are pretty rudimentary, including what we collect and use to verify you. We still have customers who fail certain qualifications and have to mail in information, which is very 1980. At the same time we have minimum requirements of information to (collect to) be compliant.”

Risk Executive, Regional Financial Institution


HOW DO YOU MEASURE BEHAVIOR IN DIGITAL CHANNELS?

Gauging the way that customers behave is a security tool businesses have used ever since the first one opened its doors. Whether that is a branch manager watching for nervous customers in the teller line or a retailer carefully observing customers who linger too long in front of merchandise, monitoring customer behavior can be a powerful way to identify potential criminal activity. Although customers in the digital channel cannot be observed the same way that they are in the branch or store, how these customers interact in the session with their digital devices can provide powerful insights.

Aspects of customers’ behavior that can be examined using behavioral biometrics include:

How well they know the data, which can become apparent by where they slow down. Use of shortcuts such as pasting text that should be known to the legitimate applicant (e.g., address or Social Security number) into a field could indicate that they are using information that is not their own, or that the identity might even be synthetic.

The speed at which they work their way through an application, including the types of shortcuts they use to move from field to field and from page to page. If they move too quickly, that could indicate that they are too experienced in completing the application or might actually be a “bot.”

Source: Javelin Strategy & Research, 2018
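The two signals listed above (familiarity with the data and speed through the form) can be sketched as a per-session check. This is an added example, not code from the report or from any vendor; the event format, field names, and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import median

# Assumption: fields a legitimate applicant types from long-term memory.
MEMORY_FIELDS = {"ssn", "date_of_birth", "street_address"}

# Illustrative thresholds (assumptions, not values from the report).
MIN_SESSION_SECONDS = 20.0   # a whole application finished faster than this
MIN_MS_PER_CHAR = 40.0       # typing faster than this per character
HESITATION_RATIO = 3.0       # memory field this many times slower than baseline


@dataclass
class FieldEvent:
    """One form field as captured client-side (hypothetical schema)."""
    field: str
    t_focus: float   # seconds since page load when the field got focus
    t_blur: float    # seconds since page load when the field lost focus
    chars: int       # length of the final value
    pasted: bool     # value arrived via a paste event


def _ms_per_char(e: FieldEvent) -> float:
    return (e.t_blur - e.t_focus) * 1000.0 / e.chars


def assess_session(events: list[FieldEvent]) -> list[str]:
    """Return behavioral flags for one application session."""
    if not events:
        return []
    flags = []

    # Baseline typing pace: fields that are typed and are not memory fields.
    baseline_samples = [
        _ms_per_char(e) for e in events
        if e.chars > 0 and not e.pasted and e.field not in MEMORY_FIELDS
    ]
    baseline = median(baseline_samples) if baseline_samples else None

    for e in events:
        # Pasting data the applicant should know by heart.
        if e.pasted and e.field in MEMORY_FIELDS:
            flags.append(f"paste:{e.field}")
            continue
        if e.chars == 0 or e.pasted:
            continue
        pace = _ms_per_char(e)
        # Faster than a person plausibly types: scripted entry.
        if pace < MIN_MS_PER_CHAR:
            flags.append(f"too_fast:{e.field}")
        # Slowing down on a memory field relative to the session's own pace.
        elif (baseline and e.field in MEMORY_FIELDS
              and pace > HESITATION_RATIO * baseline):
            flags.append(f"hesitation:{e.field}")

    # Whole application completed implausibly quickly.
    if events[-1].t_blur - events[0].t_focus < MIN_SESSION_SECONDS:
        flags.append("session_too_fast")
    return flags


# Constructed sample sessions (not real applicant data).
GENUINE = [
    FieldEvent("first_name", 2.0, 4.0, 5, False),
    FieldEvent("street_address", 5.0, 12.0, 18, False),
    FieldEvent("date_of_birth", 13.0, 16.0, 10, False),
    FieldEvent("ssn", 17.0, 20.5, 9, False),
    FieldEvent("employer", 21.0, 27.0, 12, False),
]
UNFAMILIAR = [
    FieldEvent("first_name", 2.0, 4.5, 5, False),
    FieldEvent("street_address", 6.0, 7.0, 18, True),
    FieldEvent("date_of_birth", 8.0, 24.0, 10, False),
    FieldEvent("ssn", 25.0, 26.0, 9, True),
    FieldEvent("employer", 27.0, 33.0, 12, False),
]
SCRIPTED = [
    FieldEvent("first_name", 0.10, 0.15, 5, False),
    FieldEvent("street_address", 0.15, 0.25, 18, False),
    FieldEvent("date_of_birth", 0.25, 0.30, 10, False),
    FieldEvent("ssn", 0.30, 0.35, 9, False),
    FieldEvent("employer", 0.35, 0.45, 12, False),
]

if __name__ == "__main__":
    for name, session in [("genuine", GENUINE), ("unfamiliar", UNFAMILIAR),
                          ("scripted", SCRIPTED)]:
        print(name, assess_session(session))
```

Comparing memory fields against the session's own typing pace, rather than a fixed number, keeps slow but legitimate typists from being flagged.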


THE VULNERABILITIES OF TRADITIONAL IDENTITY VERIFICATION

Digital account opening is changing the way that consumers do business with financial service providers, broadening their geographic reach and lowering the barriers to entry. At the same time, the digital channel has exposed the vulnerabilities of the traditional identity verification process, which for many institutions was designed to meet regulatory requirements, rather than to appraise applicants for fraud. These vulnerabilities have contributed to record rates of identity fraud and now demand that the financial services industry adopt a new approach for assessing identity.[2] These vulnerabilities include the anonymity that digital channels afford fraudsters, the commoditization of consumer data, the speed with which applications can be submitted, and weaknesses that have developed in some popular controls.

Anonymity

A lack of face-to-face interaction prevents institutions from examining documentation and the physical appearance of an applicant. This has subsequently given rise to the use of:

Synthetic identities (identities that are fictitiously created by a fraudster using a combination of authentic stolen personal information and invented information), which effectively manipulate and undermine the value of traditional identity verification approaches.

The adoption of tools designed to circumvent device fingerprinting, including the use of virtual machines, emulators that allow fraudsters to appear to be using a device of a specific configuration of their choosing, and remote-access Trojans that appear to be submitting information from a device belonging to a victim.

Commoditization of Consumer Data

Years of record data breaches, malware designed to glean consumer information, and social engineering have made personally identifiable information (PII) easily accessible for fraudsters. Because fraudsters have access to nearly any element of a consumer’s PII, identity verification is now largely useless to prevent fraud.

In 2017, for the first time ever, victims of data breaches were more likely to have had a Social Security number (SSN) stolen than any other piece of PII (Figure 1). It is important to note that such identifiers might not be replaceable easily (SSN) or at all (date of birth), potentially exposing a victim for life.

Mobile malware is evolving to solicit and capture more personal information. This includes not only elements of PII but also actual images of victims’ identity documents.[3]

“Now we did detect remote access…in real time and contact the customer to check if they are working remote. The customer is surprised we knew that. That is important to us because we want to protect against remote access Trojans.”

Authentication Executive, Regional Financial Institution


Social-engineering schemes continue to evolve, taking advantage of consumers’ fears to elicit sensitive data, whether by following on the heels of a major data breach to offer services to help or by threatening to imprison a consumer for allegedly evading taxes.

Speed

Fraudsters can apply for financial products in the digital world at a rate of speed that is orders of magnitude faster than they ever could in the analog world. This is amplified further by automated attempts that use armies of infected devices, or botnets, to run scripts that fill the appropriate application fields with variations of easily sourced bulk PII. These attacks can easily overwhelm manual identity verification processes.

Social Security Numbers Now Top the List of Victims’ Compromised Information

Figure 1: Type of Information Stolen From Notified Breach Victims, 2017

[Bar chart: percentage of data breach victims, by type of information stolen]

Source: Javelin Strategy & Research, 2018

“One month we went from 4,000 to 12,000 (applications) and only 2,000 were good. The delta were bad and there were only 6 or 7 people responsible.”

Authentication Executive, Regional Financial Institution


Weaknesses in Supplemental Controls

Besides circumventing PII verification, fraudsters are targeting and overcoming conspicuous solutions.

Knowledge-based authentication (KBA) has long since been undermined by some of the same forces as the verification of PII and even passwords, such as the theft or interception of static data, making it a vulnerable solution that demands customer participation.

SMS one-time passwords can be intercepted and misused by fraudsters through phone porting, malware, and other means. Their value as authenticators has spurred fraudsters to target them as mobile phone account takeover and new mobile account fraud have been on the rise for the past three years (Figure 2).

Digital account opening is inherently different and in many ways more risky than account opening at a branch. While traditional verification processes using PII will still be used to meet KYC requirements, FIs and other organizations that do business in digital channels must go further to properly address the added fraud risks inherent in account opening in digital channels.

Fraudsters Increasingly Target Mobile Accounts to Circumvent Identity Controls

Figure 2: Victims of Mobile Account Takeover and Mobile New Account Fraud, 2015–2017

[Bar chart: thousands of victims per year, 2015 to 2017; series: Mobile ATO, Mobile NAF]

Source: Javelin Strategy & Research, 2018

“The low hanging fruit is just on getting the matching right. Making sure the KYC in lock step. That needs to be the first step. Then you model with the data you have to determine the likelihood of fraud.”

Fraud Executive, Large Financial Institution


EXAMINING DIGITAL ACCOUNT OPENING TRENDS

Pressured to compete with emerging fintech companies, banks and other financial service providers continue to enter the digital account opening space. In the past, customer account opening was largely kept to branches. It was touted as an opportunity to cross-sell loyalty-building products to both new and existing customers. As banks evolved through the years and digital channels became an integral component for keeping up with the times, account opening remained rooted at the brick-and-mortar locations. That was then, and this is now.

Digital account opening has since emerged as a crucial component for innovative banks and lenders. Lured by the convenience of digital technology and influenced by the expectations that other digital interactions have set, there is a clear trend in the channels consumers are choosing for doing business with financial service providers. Unfortunately, the allure of these same channels is just as great for fraudsters as for consumers. Understanding how digital channels affect the risk of new account fraud for different products and consumer segments can help institutions ascertain the most appropriate approach for identifying prospective customers, along with the right tools for delivering the type of experiences that consumers expect.

“There isn’t a lot of appetite to add friction to the process. Most of the business is focused on how to take friction out. That is the benefit of tools that are behind the scenes and passive, unless something is flagged.”

Fraud Executive, Large Financial Institution


Understanding How Digital Technology Influences Fraud Risk by Product

Digital account opening has grown in the past few years, but it has not grown evenly across all product types. That fact has had implications for fraud risk. As with any significant change, FIs have been very selective with which accounts they wanted to roll out. The highest adoption has been in bread-and-butter financial products — checking, savings, and credit cards — because these were the first products to be given the digital account opening treatment (Figure 3). This is logical because FIs would start making simple and efficient digital applications available for their lower margin, less complicated, and most popular financial products.

Aside from credit cards, account-opening rates for loan products in digital channels tend to be on the low side of the spectrum. Although customers might start the account opening process for loans in the digital channel, very few rely on these channels for end-to-end account opening: Only 22% and 30%, respectively, remain in these channels for auto loans and mortgages (Figure 3). Part of this is due to a lack of availability, which is a function of the difficulty associated with verifying identity for these products.

Credit Cards Are the Most Popular Financial Product to Apply for Through Digital Channels

Figure 3: Percentage of Accounts Opened in the Past 12 Months, by Channel

[Bar chart: percentage of consumers, by account type (auto loan, mortgage, certificate of deposit, savings account, brokerage accounts, checking account, retirement account, major credit card); series: digital channels only, digital and offline channels]

Source: Javelin Strategy & Research, 2018


The issues with identity verification during digital account opening for loan products are threefold:

1. These accounts are more complicated to open. The open-to-close process for mortgages and auto loans traditionally takes longer than a day to complete. Customers might be required to provide such items as pay stubs and proof of employment, among other documentation. Verifying all of this, in addition to establishing the identity of the borrower, requires more information than is required for checking or credit card accounts.

2. The stakes are higher with loan accounts. Once the loan is funded, a bank could expect to lose up to the full amount of the loan, depending on the type of loan product. Writing off these amounts due to fraud would be crippling to any community bank — not to mention the degree of complexity involved with resolving these cases and the resulting costs that are far greater than that of standard fraud cases with checking accounts. Note that personal loans were the fifth-most popular targets by number of new account fraud victims in 2017, behind checking and savings accounts and credit cards (Figure 4).

3. Competition in this space has increased as alternative, digital-only providers have entered the market. Their entry has raised consumer expectations for speed and convenience in the application and approval process. In an attempt to insulate themselves from further loss of market share, FIs are taking steps to make digital account opening more convenient. Inconspicuous identity proofing controls are therefore more of a competitive differentiator.

Accounts That Are Most Likely to be Opened Digitally Make the Top Targets

Figure 4: Victims of New Account Fraud, by Account Type

[Bar chart: number of victims, by type of new account opened]

Source: Javelin Strategy & Research, 2018


It is also important to consider that when fraudsters are committing a specific type of fraud, they will target the product type that best fits their needs. As a result, some products are more susceptible to a specific type of fraud. Credit cards and DDA accounts in particular are prime targets for NAF in digital channels.

Credit cards are by far the most targeted financial accounts for NAF because they are one of the easiest to monetize quickly, among all financial products. Fraudsters can remotely open an account that is in essence immediately funded and can therefore be almost instantly drained. This trend has accelerated since the introduction of EMV. Criminals who once counterfeited credit and debit cards had to find alternative sources of cards for their fraud schemes and have since transitioned to opening new credit card accounts.

Checking accounts have traditionally been attractive targets for money laundering. This has since changed, and they are increasingly playing a role as intermediary accounts: a way for fraudsters to move money from one compromised account belonging to a victim to a new account that supposedly belongs to the victim.[4] The advantage of this technique for the fraudster is that it circumvents account ownership verification solutions that would normally prevent them from removing funds from a compromised account.

Identity Risks Beyond Financial Services

Organizations in other industries face the same challenges that FIs do in assessing identity in digital channels, and in some ways, their challenge is more considerable. In financial services, the types of information collected from applicants are mandated and closely monitored for illegal activity, whereas in some industries with limited or no regulatory oversight, there has historically been less incentive to develop a formal customer identification program. And as digital channels have become increasingly important to these businesses, and in some cases even spawned them, the need and subsequent inability to effectively assess identity has become paramount. The challenge has been compounded further because some of these businesses cannot afford to introduce any friction to the process. This has created an opportunity to leverage behavior to manage risk.

For example, e-commerce merchants and mobile network operators are high-profile targets for fraudsters. Criminals target these businesses for the products they sell and the services they offer, but with competitors no more than a few clicks away, the businesses must streamline the process of identifying new customers or risk abandonment. Worse still, being overzealous can result in false positive declines that will discourage prospective customers from returning. Considering that both of these industries saw hundreds of thousands of new fraudulent accounts in 2017, there is a clear need for an improved capability that reduces friction and fraud without alienating good customers (Figure 4).


The Challenges of Serving and Identifying Gen Y in Digital Channels The path toward digital account opening is especially well-trod by certain consumer segments. Digitally inclined Gen Y has been the leading adopter of digital account opening: More than 1 out of 4 have used their financial institution’s online channel as part of opening an account in the past 12 months, and nearly 1

in 5 used the mobile channel. That compares to just 11% and 2%, respectively, for Baby Boomers (Figure 5). Generally speaking, Gen Y consumers are the most likely to have opened most new types of accounts in the last 12 months. New to the banking world, Gen Y consumers are much more likely to open core banking accounts:

Gen Y Takes the Lead in Digital Account Opening

Figure 5: Channel Used for Account Opening in Past 12 Months, by Generation

[Bar chart: percentage of consumers by channel (Online, Mobile) for Overall, Gen Y, Gen X, and Baby Boomers.]

Source: Javelin Strategy & Research, 2018


29% opened a new checking account, and 21% opened a new savings account in the past year (Figure 6). Obviously, when thinking about whether or not there should be new identity-related investments, there is a relative value consideration that needs to be made for accounts opened by different generations. Because younger consumers will generally be at an earlier stage in their financial lives, they will have lower incomes and fewer assets than older consumers. This will manifest in lower account balances and credit limits, although young consumers will become increasingly valuable over time.

Unfortunately for financial service providers, new-to-lending and -banking Gen Y consumers are unlikely to have developed robust track records with loans, making their credit files thin or wholly absent. This is problematic for verifying identity through digital channels, as knowledge-based authentication (KBA), a stalwart of the identity verification process, can be ineffective without a sufficient base of records from which to draw. As a result, the digital-savvy generation that is most likely to open an account in the next year is being pushed to branches for account opening, thereby raising costs, or is prevented from opening an account at an institution because of a false positive, thus driving them to the competition. This is especially true for the youngest segment of consumers, where 41% of individuals opening an account within the past 12 months only used offline channels – a surprisingly high rate given this generation’s digital tendencies. Even among slightly older consumers, ages 25 to 34, 20% of individuals who opened an account in the past year used both online and offline channels to open their account, demonstrating that at many financial institutions, digital account opening fails to offer a consistent single-channel experience.

Gen Y Consumers are Maturing Financially, Opening the Most New Accounts

Figure 6: Account Opening by Generation, Past 12 Months

[Bar chart: percentage of consumers opening Checking, Savings, Credit Card, and Auto loan accounts, for Gen Y, Gen X, and Baby Boomers.]

Source: Javelin Strategy & Research, 2018

“In our messaging, we are thinking about how we pace expectations around fraud. But really we focus on good customer experience more than anything else. It is important to have controls that are nice and reasonable.”

Fraud Executive, Credit Card Issuer

Despite this, Gen Y consumers still prefer digital channels more than other demographic segments do, meaning that many of the digital channel applications at any particular institution are likely to be from young consumers (Figure 7). This same group typically represents first-adopters of technology who first experience new, disruptive services, such as those from alternative financial service providers and others that are “lowering the friction bar” for digital interactions. For FIs, this means that any identity-assessment tool that replaces KBA cannot introduce greater friction.

Consumers Younger Than 45 Make Up the Bulk of Digital Account Openings

Figure 7: Channel Used for Checking Account Opening, by Age

[Stacked bar chart: percentage of individuals opening a checking account in the past 12 months, by age group (18-24, 25-34, 35-44, 45-54, 55-64, 65+); series: Online channels only (desktop or mobile), Mix of online and offline channels, Offline channels only.]

Source: Javelin Strategy & Research, 2018


THE ROLE OF BEHAVIOR IN IDENTITY PROOFING

Unlike identity verification, where the goal is to assess whether certain elements of PII match a known identity, identity proofing provides certainty that not only is the identity itself valid but that it also belongs to the applicant. Behavior can play an important role in identity proofing, regardless of the financial product or customer segment being targeted. In fact, nowhere is the need for inconspicuous fraud controls more significant than in digital channels, where applications are increasingly being submitted and where the fluidity of the experience matters, especially to key segments of consumers. Consumer devices offer a wide array of data points that can provide insight into the type of user that is completing an account application. Keyboard and mouse movement for PC users, accelerometers and touch events on smartphones can help flag risky users or provide indications that the user is genuine. These cues go beyond traditional authentication methods and make it more difficult even for fraudsters to successfully impersonate their victims. There are While a legitimate user will open a handful of accounts in any given year, fraudsters are regularly completing the application process as they take a compromised identity to an array of financial institutions or target a single institution with a set of stolen identities. This builds a fluency with the account opening process among repeat offenders that is rarely present for legitimate consumers. To maximize the number of applications they can complete, fraudsters will quickly move between fields, often skipping optional fields, and demonstrate a level of “preparedness” not often seen among genuine users. This also manifests in a degree of “tech savviness” among fraudsters who will frequently use advanced shortcuts to accelerate their navigation through forms. For instance, fraudsters may use Shift-Tab to move backward through the form in the event that they notice entry errors, while this is rarely used by legitimate users. Additionally, consumers obviously are familiar with the core elements of their identity – name, address, Social Security number, etc. Except in cases of familiar fraud, fraudsters lack this familiarity, which leads to unique behavior patterns. For instance, fraudsters will often have to pause midway through entering data elements like the SSN to look up the remainder of the field, or copy and paste the information into the application.
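As an added illustration (not from the report or from any vendor's product), four of the cues described above can be written as checks over a recorded form session. The event format, field names, pause threshold and the rule of requiring two coinciding cues are assumptions, and both sessions are constructed.

```python
from typing import NamedTuple

class Event(NamedTuple):
    t: float        # seconds since the form loaded
    field: str      # form field that has focus
    kind: str       # "key", "paste" or "nav"
    key: str = ""   # key pressed, e.g. "Tab" or "Shift+Tab"

# Assumptions for this sketch: field names and the pause threshold are illustrative.
OPTIONAL_FIELDS = {"middle_name", "secondary_phone"}
PAUSE_SECONDS = 4.0

def behavior_signals(events):
    """Return the cues from the passage that appear in one application session."""
    signals = set()
    touched = {e.field for e in events if e.kind in ("key", "paste")}
    if not OPTIONAL_FIELDS & touched:
        signals.add("skipped_optional_fields")
    if any(e.kind == "nav" and e.key == "Shift+Tab" for e in events):
        signals.add("shift_tab_navigation")
    if any(e.kind == "paste" and e.field == "ssn" for e in events):
        signals.add("pasted_ssn")
    # A long gap between two SSN keystrokes suggests the value was looked up.
    ssn_times = [e.t for e in events if e.field == "ssn" and e.kind == "key"]
    if any(b - a >= PAUSE_SECONDS for a, b in zip(ssn_times, ssn_times[1:])):
        signals.add("mid_ssn_pause")
    return signals

def needs_step_up(events, min_signals=2):
    """Route to additional verification only when several cues coincide."""
    return len(behavior_signals(events)) >= min_signals

# Constructed sessions, not real telemetry.
GENUINE = [
    Event(1.0, "first_name", "key", "A"), Event(2.1, "first_name", "nav", "Tab"),
    Event(3.0, "middle_name", "key", "J"), Event(3.8, "middle_name", "nav", "Tab"),
    Event(5.0, "ssn", "key", "1"), Event(5.4, "ssn", "key", "2"),
    Event(5.9, "ssn", "key", "3"),
]
SUSPECT = [
    Event(0.4, "first_name", "paste"), Event(0.6, "first_name", "nav", "Tab"),
    Event(0.7, "middle_name", "nav", "Tab"),
    Event(0.9, "ssn", "key", "1"), Event(1.1, "ssn", "key", "2"),
    Event(7.5, "ssn", "key", "3"), Event(8.0, "ssn", "nav", "Shift+Tab"),
]

if __name__ == "__main__":
    for name, session in (("genuine", GENUINE), ("suspect", SUSPECT)):
        print(name, sorted(behavior_signals(session)), needs_step_up(session))
```

Requiring more than one cue before stepping up reflects the report's concern with false positive declines: a single Shift-Tab or a single paste alone does not change the outcome for the applicant.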


METHODOLOGY

Consumer data in this survey is based on information collected in two surveys:

A November 2017 survey of 5000 consumers. The maximum margin of sampling error is +/- 1.39 percentage points at the 95% confidence level for questions answered by all respondents. Margin of error is higher for questions answered by smaller segments of respondents.

A July 2017 survey of 10,768 consumers. The maximum margin of sampling error is +/- 0.94% at the 95% confidence level for questions answered by all respondents. Margin of error is higher for questions answered by smaller segments of respondents.

ENDNOTES

1. 2018 Identity Fraud Report, Javelin Strategy & Research, February 2018.

2. Ibid.

3. https://securingtomorrow.mcafee.com/mcafee-labs/android-banking-trojan-asks-for-selfie-with-your-id/, accessed March 16, 2018.

4. 2018 Identity Fraud Report, Javelin Strategy & Research, February 2018.


ABOUT JAVELIN STRATEGY & RESEARCH

Javelin Strategy & Research, a Greenwich Associates LLC company, is a research-based consulting firm that advises its clients to make smarter business decisions in a digital financial world. Our analysts offer unbiased, actionable insights and unearth opportunities that help financial institutions, government entities, payment companies, merchants, and other technology providers.

Authors: Al Pascual, Senior Vice President, Research Director; James Wilson, Analyst, Digital Lending

Contributors: Kyle Marchini, Senior Analyst, Fraud Management

Publication Date: March 2018

ABOUT BIOCATCH

BioCatch is a cybersecurity company that delivers behavioral biometrics, analyzing human-device interactions to protect users and precious data. Founded in 2011 by experts in neural science research, machine learning and cybersecurity, BioCatch is used by banks and other enterprises to reduce online fraud and protect against cyber threats, without compromising user experience. With an unparalleled patent portfolio and deployments at major companies worldwide that cover tens of millions of users to date, BioCatch has established itself as the industry leader for behavioral biometrics.

© 2018 GA Javelin LLC (dba as “Javelin Strategy & Research”) is a Greenwich Associates LLC company. All rights reserved. No portion of these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the written permission of Javelin Strategy & Research. GA Javelin may also have rights in certain other marks used in these materials.