HUMAN Blog

Why Post-Login Security is Key to Preventing Financial Fraud

As more and more financial transactions take place online, fintech platforms have become an increasingly popular target for cybercrime. Fraudulent transactions within fake or compromised accounts can cause significant financial losses, damage brand reputation, and harm consumer trust. 

Types of financial fraud

A fintech platform has two primary types of fraud to watch out for: 

  • Fraudulent account openings - Fraudsters might open a new credit card or online bank account using stolen or synthetic identities. Getting a line of credit under fraudulent pretenses is like stealing money: you get a card with a credit limit and can spend it on the financial institution’s dime.
  • Transaction fraud - Cybercriminals can transfer value out of compromised accounts while flying under the radar of traditional transaction fraud solutions. Examples include bill pay, peer-to-peer payments, cryptocurrency, wire transfers, and stock trading.

What are organizations doing now?

Many organizations have implemented solutions that attempt to tackle this problem. These typically work at the point of transaction to determine whether it is legitimate or fraudulent, and then issue an ‘allow/decline’ decision. 

For organizations that regularly process large volumes of transactions and move money regularly, this type of solution is an important last line of defense. But it is just that: a last line of defense. Transaction solutions usually don’t assess pre-transaction signals of account takeover and thus can’t intervene proactively. If an attacker gets as far as attempting a fraudulent transaction, the account has already been compromised.

Other types of solutions focus on the point of login or account creation, such as usernames/passwords, CAPTCHA challenges, multi-factor authentication (MFA), and anti-money laundering (AML) and know-your-customer (KYC) controls. Sadly, determined attackers have many tools in their belts to bypass these types of defenses. Valid PII and credentials can be obtained from data breaches, through social engineering that tricks users into handing over their own details, or via malware; session hijacking techniques, which steal an already-authenticated session rather than the password, can bypass MFA entirely.

A further downside to both login and transaction solutions is that once an attacker is inside an account, they effectively have free rein to transfer value and take other actions within it. At-login and at-transaction defenses each evaluate only the single event they sit in front of. They can’t evaluate user activity post-login to assess whether an account has been compromised.

The cost of catching fraud

Even if login, account signup and transaction solutions catch fraudulent activity, there is a cost to stopping fraud late in the funnel. By the time you get to a wire transfer, for instance, you may be bound by an SLA to clear it, which makes the cost of a false positive much higher. Likewise, making late-stage allow/decline decisions often requires human analysts to review alerts. In a similar vein, it is expensive to run KYC and/or credit scoring on someone when they open a new account. Even when credit/AML/KYC controls stop the account creation, they do so in a very expensive manner. 

Stopping potential fraud early in the process allows you to offer "self-service" exoneration, where a legitimate user clears a lightweight challenge on their own instead of waiting on a manual review, and lowers operational costs. By the time you are seeing actual dangerous activity or money movement transactions, your options have often withered to nothing.

Why post-login visibility is key

With post-login visibility, organizations can continuously assess and identify risk throughout the life cycle of their accounts, not just at a single point in time. Post-login account monitoring also gives organizations the ability to deploy interventions that aren't possible later in the process.

Take these examples of suspicious activity that can occur in organizations’ post-login blindspots:

  • Is a user that is normally based in the US suddenly logging in from France? 
  • Are they using a completely different device? 
  • Is that device also logged into 10 other accounts on your app? 
  • Is a newly seen user deactivating MFA and changing shipping details?
  • Are they attempting a large transaction when they haven’t done so before?

By continuously assessing user behaviors such as those listed above and maintaining a risk score for each account, financial organizations can take automatic mitigating action as soon as a specific risk threshold is passed. These actions, such as introducing a CAPTCHA challenge, forcing a password reset or locking the account, enable companies to intervene in real time, reducing the risk of future payment fraud. 
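To make the scoring-and-threshold idea concrete, here is a toy post-login risk engine that replays the signals from the bullet list above over a constructed session. This is an added example, not HUMAN Account Defender's code or any vendor logic; the event format, signal weights, thresholds and the three response actions are assumptions chosen for illustration.

```python
"""Toy post-login risk scorer.

Added illustration of the continuous-scoring idea from the post. This is
not HUMAN Account Defender's code; the event format, signal weights,
thresholds and actions below are assumptions chosen for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed weights for the post-login signals the post lists (not vendor values).
WEIGHTS = {
    "new_country": 30,       # login from a country never seen on this account
    "new_device": 20,        # login from a device never seen on this account
    "shared_device": 40,     # device already tied to many other accounts
    "mfa_disabled": 35,      # user turned off MFA
    "shipping_changed": 15,  # shipping details edited
    "large_first_txn": 30,   # transaction far above the account's history
}

# Assumed thresholds, highest first, mapped to the actions the post mentions.
ACTIONS = [(90, "lock_account"), (60, "force_password_reset"), (30, "captcha")]


@dataclass
class AccountState:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    max_txn: float = 0.0
    score: int = 0


class RiskEngine:
    """Keeps per-account baselines and a running risk score across events."""

    def __init__(self, shared_device_limit=10, large_txn_floor=1000.0, large_txn_factor=5.0):
        self.accounts = defaultdict(AccountState)
        self.device_accounts = defaultdict(set)  # device id -> accounts seen on it
        self.shared_device_limit = shared_device_limit  # "10 other accounts" from the post
        self.large_txn_floor = large_txn_floor
        self.large_txn_factor = large_txn_factor

    def action_for(self, score):
        for threshold, action in ACTIONS:
            if score >= threshold:
                return action
        return "allow"

    def process(self, event):
        """Score one event; returns (signals fired, action to take right now)."""
        name, acct = event["account"], self.accounts[event["account"]]
        fired = []
        kind = event["type"]
        if kind == "login":
            country, device = event["country"], event["device"]
            # Baselines are built from history, so the first login fires nothing.
            if acct.countries and country not in acct.countries:
                fired.append("new_country")
            if acct.devices and device not in acct.devices:
                fired.append("new_device")
            if device not in acct.devices:
                # First time this account appears on a device that other accounts share.
                others = self.device_accounts[device] - {name}
                if len(others) >= self.shared_device_limit:
                    fired.append("shared_device")
            acct.countries.add(country)
            acct.devices.add(device)
            self.device_accounts[device].add(name)
        elif kind == "mfa_disabled":
            fired.append("mfa_disabled")
        elif kind == "shipping_changed":
            fired.append("shipping_changed")
        elif kind == "transaction":
            amount = event["amount"]
            # Large relative to this account's own history (any amount beats an empty history).
            if amount >= self.large_txn_floor and amount > self.large_txn_factor * acct.max_txn:
                fired.append("large_first_txn")
            acct.max_txn = max(acct.max_txn, amount)
        acct.score += sum(WEIGHTS[s] for s in fired)
        return fired, self.action_for(acct.score)


def run_demo():
    """Replay a constructed session that walks through the post's bullet list."""
    engine = RiskEngine()
    events = [  # constructed sample events, not real telemetry
        {"account": "alice", "type": "login", "country": "US", "device": "dev-A"},
        {"account": "alice", "type": "transaction", "amount": 40.0},
        {"account": "alice", "type": "login", "country": "FR", "device": "dev-Z"},
        {"account": "alice", "type": "mfa_disabled"},
        {"account": "alice", "type": "shipping_changed"},
        {"account": "alice", "type": "transaction", "amount": 2500.0},
    ]
    return [engine.process(e) for e in events]


if __name__ == "__main__":
    for fired, action in run_demo():
        print(f"{action:22s} {fired}")
```

The point the replay makes is that no single event is decisive: the French login from a new device only earns a CAPTCHA, but the score keeps climbing through the MFA change and the shipping edit, so the account is locked before the 2,500 transfer is ever attempted. A production engine would add score decay, per-session windows and tuned weights; those are deliberately left out here.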

Reduce the risk of account fraud with HUMAN

HUMAN Account Defender safeguards online accounts by detecting and neutralizing compromised and fake accounts on apps and websites. It stops fraud and abuse, reduces customer risk and cuts your fraud team’s workload.

Account Defender uses behavioral analysis to continuously monitor accounts post-login for suspicious behavior. It generates an evolving risk score based on all activity in an account rather than relying on a single point-in-time check, such as only at login or point of transaction.

When a risk threshold is met, automated responses are triggered. It’s easy to understand key details of an incident with the intuitive management console. To learn more, head over to humansecurity.com.