Apply DA Tag
Lately there has been a lot of press about breaches and hacking of user credentials. I thought it might be a good time to pause and distinguish between authentication credentials and identity elements. Identity elements are generally those bits of meta data related to an individual. Things like: name, address, date of birth, Social Security Number, height, eye color, etc. Identity elements are typically used as one part of the authentication process to verify an individual’s identity. Credentials are typically the keys to a system that are granted after someone’s identity elements have been authenticated. Credentials then stand in place of the identity elements and are used to access systems. When credentials are compromised, there is risk of account takeover by fraudsters with mal intent. That’s why it’s a good idea to layer-in risk based authentication techniques along with credential access for all businesses. But for financial institutions, the case is clear: a multi-layered approach is a necessity. You only need to review the FFIEC Guidance of Authentication in an Internet Banking Environment to confirm this fact. Boiled down to its essence, the latest guidance issued by the FFIEC is rather simple. Essentially it’s asking U.S. financial institutions to mitigate risk using a variety of processes and technologies, employed in a layered approach. More specifically, it asks those businesses to move beyond simple device identification — such as IP address checks, static cookies and challenge questions derived from customer enrollment information — to more complex device intelligence and more complex out-of-wallet identity verification procedures. In the world of online security, experience is critical. Layered together, Experian’s authentication capabilities (including device intelligence from 41st Parameter, out-of-wallet questions and analytics) offers a more comprehensive approach to meeting and exceeding the FFIEC’s most recent guidance. More importantly, they offer the most effective and efficient means to mitigating risk in online environments, ensuring a positive customer experience and have been market-tested in the most challenging financial services applications.
For communications companies, acquiring new accounts is an ongoing challenge. However, it is critical to remember that managing new and existing accounts – and their respective risks – is of tremendous importance. A holistic view of the entire customer lifecycle is something every communications organization can benefit from. The following article was originally posted by Mike Myers on the Experian Business Credit blog. Most of us are pretty familiar with credit reports and scores, but how many of you are aware of the additional tools available to help you manage the entire credit risk lifecycle? I talk to credit managers everyday and as we’re all trying to do more with less, it’s easy to forget that opening accounts is just the first step. Managing risk on these accounts is as critical, if not more so, than opening them. While others may choose to “ship and chase”, you don’t need to. Proactive alert/monitoring services, regular portfolio scoring and segmentation are key components that a successful credit department needs to employ in the constant battle against “bad” accounts. Use these tools to proactively adjust credit terms and limits, both positively and negatively. Inevitably some accounts will go bad, but using collection research tools for skip tracing and targeting services for debt collection will put you first in line for collections. A journey of 1,000 miles begins with a single step; we have tools that can help you with that journey and all can be accessed online.
While the majority of your customers may be consumers, most telecommunications companies also work with a number of business accounts. Understanding business credit scores — and what attributes have the most impact on them — can go a long way in helping you identify good customers as well as better manage risk. The following article was originally posted by Peter Bolin on the Experian Business Credit blog. There are a number of factors that impact business credit risk scores. Keep in mind that most risk models are built using multivariate statistical methods that not only look at each attribute, but also look for the interaction between the attributes. However, there are three general factors that will impact a business score. Recency: How recently has the business been delinquent? Events that have happened recently tend to be most predictive of business behavior in the near future. For example being days beyond credit terms (DBT) in the past 30, 60, and 90 days will tend to negatively impact, on average, a business’s credit score versus those that are current. Frequency: How frequently is the business delinquent or applying for credit? If a business has multiple beyond terms events then the algorithm will reflect this behavior and will tend to impact the score to the low side. In addition, if a business is frequently applying for credit (called inquires) then this will also negatively impact the score. Monetary/Usage: How large is the debt burden? Businesses that carry large balances in relation to credit limits tend to be more risky than those that carry lower balances in relation to credit limits. This is called the utilization ratio or balance-to-limit ratio. As the debt burden increases interest payments also grow placing more stress on cash flows. This tends to negatively impact a business’ risk score. Please comment on this post to let me know of specific topics you want to hear more about.
The next time a consumer asks about his or her credit score, consider it an opportunity. Recent changes to the Risk-Based Pricing (RBP) rule may provide new opportunities to strengthen relationships by educating consumers about what their credit scores mean, how they’re used, and how they can be improved. For many lenders and other businesses, this could be the first time they’ve had a chance to speak directly and openly with customers about their credit scores. The RBP rule is intended to improve financial literacy As we’ve discussed, the Risk-Based Pricing Rule was instituted in response to policymaker concerns that consumers were not being sufficiently informed of the impact that credit reports can have on their annual percentage rate (APR). Now, when a lender makes a credit decision based on a consumer credit report and does not offer the best possible rate, or denies credit, the RBP Rule requires lenders to notify the customer about the decision – through either an explanation of the rate offered or disclosing a credit score. New requirements take effect on July 21 RBP compliance is changing following recent passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Companies will now be required to provide all customers with a credit score within a Risk Based Pricing Notice, along with educational material. The new requirement is effective July 21, 2011. This is also the date when the new Bureau of Consumer Financial Protection (CFPB) is set to be fully operational. How to prepare for consumer questions about credit scores Experian offers a number of resources to help lenders answer consumer questions. Online resources, including the Ask Experian column and our extensive Credit Education section, provide fundamental information to help consumers better understand credit scores and credit reports. The Experian Credit Score Basics booklet, plus more than 20 other educational documents, are available electronically and formatted for easy printing and distribution. All documents, PowerPoint presentations, virtual seminars and education videos are available on a free mini-disk. Customized training and education is available The Experian Public Education team can also provide customized, live Internet-based training and education for our clients’ employees to help them effectively answer customer questions about credit reports and credit scores. For a free mini-disk or more information about training events, please contact Rod Griffin, Experian’s Director of Public Education, at 1 (972) 390-3528, or email clientcorner@experian.com. Take a moment to check out our Risk-Based Pricing microsite, too. Note: While Experian is happy to provide our observations related to the new Risk-Based Pricing Rule, please work with your own legal counsel to ensure that you comply with your obligations under the rule.
Managing commercial credit in today’s economy can be a real challenge. For telecommunications companies, pulling a report can be helpful in deciding whether or not to offer service to a consumer. But pulling credit reports alone is simply not effective to perform true, proactive portfolio management. The following article was originally posted by Minnie Blanco on the Experian Business Credit blog. If you make decisions just by pulling credit reports, you may want to think about how you can manage your accounts proactively. Pulling a report is helpful in deciding whether you should offer credit to a business. But, consider these basic steps when looking for any negative trends: Develop a policy for how you’d handle accounts that are current, delinquent, bankrupt, etc. Segment your portfolio by those accounts who pay within a particular range of time or who fall within a particular category, i.e. Current 1-30 days, 31-60, 61-90, 91 plus or filed bankruptcy. Review your accounts and apply your company policy to that particular segment. By applying steps 1 -3, you’ll be able to proactively identify good candidates for increased credit limits, as well as those you’ll need to pay closer attention to because they may be headed for delinquency or collections. BusinessIQ allows you to easily pull reports, segment accounts and submit them for account review. It’s easy-to-use…plus, the Portfolio Module is free! Here’s a demo on the application. Look for future blog posts from me where I’ll write more about managing your portfolio. And, feel free to comment and let me know if there are specific topics you want to hear about.
Well, actually, it isn’t. The better question to ask is when to use knowledge based authentication (KBA). I know I have written before about using it as part of a risk based authentication approach to fraud account management, but I am often asked what I mean by that statement. So, I thought it might be a good idea to provide a few more details and give some examples. Basically, what I mean is this: risk segmentation based on binary verification is unwise. Binary verification can occur based on identity elements, or it can occur based on pass/fail performance from out of wallet questions, but the fact remains that the primary decisioning strategy is relying on a condition with two outcomes – verified or not verified, pass or fail – and that is unwise. When we recommend a risk based authentication approach, the view is more broadly based. We advocate using analytics and weighting many factors, including those identity elements and knowledge based authentication performance as part of an overall decision, rather than an as end-all decision. If you take this kind of approach, when might you want to use this kind of approach? The answer to that is just about any time a transaction contains a level of risk, understanding that each organization will have a unique definition and tolerance for “risk”. It could be an origination or account opening scenario, when you do not yet have a relationship with a consumer. It could be in an account management setting, when you have a relationship with the consumer and know their expected behavior (and therefore anything outside of expected behavior is risk). It could be in transactional settings where there is an exchange of money or information belonging to the consumer. All of these are appropriate uses for KBA as part of a risk based approach.
By: Kristan Frend Imagine you’re on the #1 ranked relay swim team at the World Championships and you’re leading off. You finish your leg of the race with the team in first place. As your third teammate approaches the wall, your team is in first by a full body length. You’re on pace to set a new world record. Yet the anchor of your team is nowhere to be found, ultimately resulting in your team being disqualified. If only your fourth teammate would have made it to the blocks in time…. When you take a step back and look at your fraud risk management solutions, do you ever feel like you have all of the tools and processes available yet feel like the anchor is missing? Perhaps it’s time to reexamine your internal resources. You may have an assembly of sophisticated and robust online fraud detection tools from vendors, but you may be missing a critical piece if you’re not also effectively leveraging internal data. Through our work with clients, we’re found that it is not uncommon for organizations to manage the customer relationship through different departments or silos within the organization. All too often there is less than optimal coordination between these functional areas in taking advantage of their own internal negative data to combat application fraud. Additionally some organizations may have negative internal data but do not incorporate the check within their verification or risk based authentication tool, creating multiple steps and operational inefficiencies. One of the ways to overcome some of these issues is by incorporating internal negative data within an automated front-end check. Once loss data is loaded into a historical database, the next time that name, phone, address, driver’s license or SSN reappears on a new application, the data element is immediately identified as one associated with a previous loss. The negative data is securely stored for only your organization’s use and is not shared with users outside of your organization.
Let’s face it – not all knowledge based authentication (KBA) is created equal. I, too, have read horror stories of consumers forced to answer questions about a deceased relative or ex-spouse, or KBA sessions that went on far too long for anyone’s benefit. I have to attribute this to vendor inexperience and a lack of consulting with clients. An experienced vendor will use a fraud best practice such as a fraud analytics model to determine that some consumers do not even need questions and then a “Progressive Question” feature, which uses consumer performance on an initial question set to determine if it is necessary for the consumer to answer additional questions. This way, the true consumer completes the process quickly, improving the customer experience. The product of choice should also use a question mix that balances three factors: · how easily the true consumer can answer the question; · the fraud separation of the question (effectively the measured delta over time between how well true consumers answer the question vs. how well fraudsters do); · how many consumers overall the question can be generated. A list of hundreds of possible questions doesn’t mean much if the questions can only be generated for one quarter of one percent of the population, as is the case for something like airplane ownership or pilot’s license. Ultimately, out of wallet questions should be generated for a large part of the population, easily answered by the true consumer but difficult for a fraudster; and not offensive or what a consumer would consider “creepy” (such as their child’s birthday or name). Well designed questions will be personal but not intrusive and mindful of personal relationships that may have changed. The purpose of a knowledge based authentication session is risk management and/or consumer authentication for fraud prevention and compliance purposes – not to cause the loss of business because the fraud tool crossed the line in the mind of your customer.
Experian Decision Analytics has recorded increased demand from the marketplace for service integrations with interactive voice response (IVR), a phone technology that allows for automated detection of both voice and touch–tones. In the past quarter, there has been a more than 70 percent increase in IVR interest and it continues to grow. Why is there a demand for knowledge based authentication through IVR? Besides consumer acceptance of out of wallet questions, there is a dramatic increase in the need for remote authentication and fraud analytics that are accurate, not a burden to the consumer, cost–effective for organizations and part of an overall risk based authentication approach. Consumers stay connected in a number of ways — phone, online, mobile and short message service (SMS) — and are demanding the means to remain safe without compromising convenience. Knowledge based authentication through IVR provides this safety. Organizations must consider all the tools at their disposal to keep consumer data protected while preserving and promoting a positive customer experience. Given the interactive nature of knowledge based authentication, it is quite adaptable to various customer access channels, such as IVR, and it enables full automation of both inbound and outbound authentication calls. We know from both our own experience and from working with clients that consumers are more connected, more mobile and more networked than ever before - and fraud trends demonstrate this increases risk. As consumers continue to expand online profiles and fraud artists continue to seek out victims, successful fraud prevention will become paramount to financial survival. Leveraging products already in use by combining the technology capitalizes on an existing investment and is good business.
Many compliance regulations such the Red Flags Rule, USA Patriot Act, and ESIGN require specific identity elements to be verified and specific high risk conditions to be detected. However, there is still much variance in how individual institutions reconcile referrals generated from the detection of high risk conditions and/or the absence of identity element verification. With this in mind, risk-based authentication, (defined in this context as the “holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time") offers institutions a viable strategy for balancing the following competing forces and pressures: Compliance – the need to ensure each transaction is approved only when compliance requirements are met; Approval rates – the need to meet business goals in the booking of new accounts and the facilitation of existing account transactions; Risk mitigation – the need to minimize fraud exposure at the account and transaction level. A flexibly-designed risk-based authentication strategy incorporates a robust breadth of data assets, detailed results, granular information, targeted analytics and automated decisioning. This allows an institution to strike a harmonious balance (or at least something close to that) between the needs to remain compliant, while approving the vast majority of applications or customer transactions and, oh yeah, minimizing fraud and credit risk exposure and credit risk modeling. Sole reliance on binary assessment of the presence or absence of high risk conditions and identity element verifications will, more often than not, create an operational process that is overburdened by manual referral queues. There is also an unnecessary proportion of viable consumers unable to be serviced by your business. Use of analytically sound risk assessments and objective and consistent decisioning strategies will provide opportunities to calibrate your process to meet today’s pressures and adjust to tomorrow’s as well.
Many compliance regulations such the Red Flags Rule, USA Patriot Act, and ESIGN require specific identity elements to be verified and specific high risk conditions to be detected. However, there is still much variance in how individual institutions reconcile referrals generated from the detection of high risk conditions and/or the absence of identity element verification. With this in mind, risk-based authentication, (defined in this context as the “holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time") offers institutions a viable strategy for balancing the following competing forces and pressures: Compliance – the need to ensure each transaction is approved only when compliance requirements are met; Approval rates – the need to meet business goals in the booking of new accounts and the facilitation of existing account transactions; Risk mitigation – the need to minimize fraud exposure at the account and transaction level. A flexibly-designed risk-based authentication strategy incorporates a robust breadth of data assets, detailed results, granular information, targeted analytics and automated decisioning. This allows an institution to strike a harmonious balance (or at least something close to that) between the needs to remain compliant, while approving the vast majority of applications or customer transactions and, oh yeah, minimizing fraud and credit risk exposure and credit risk modeling. Sole reliance on binary assessment of the presence or absence of high risk conditions and identity element verifications will, more often than not, create an operational process that is overburdened by manual referral queues. There is also an unnecessary proportion of viable consumers unable to be serviced by your business. Use of analytically sound risk assessments and objective and consistent decisioning strategies will provide opportunities to calibrate your process to meet today’s pressures and adjust to tomorrow’s as well.
By: Andrew Gulledge Bridgekeeper: “What is the air-speed velocity of an unladen swallow?” King Arthur: “What do you mean? An African or European swallow?” Here are some additional reasons why the concept of an “average fraud rate” is too complex to be meaningful. Different levels of authentication strength Even if you have two companies from the same industry, with the same customer base, the same fraudsters, the same natural fraud rate, counting fraud the same way, using the same basic authentication strategies, they still might have vastly different fraud rates. Let’s say Company A has a knowledge-based authentication strategy configured to give them a 95% pass rate, while Company B is set up to get a 70% pass rate. All else being equal, we would expect Company A to have a higher fraud rate, by virtue of having a less stringent fraud prevention strategy. If you lower the bar you’ll definitely have fewer false positives, but you’ll also have more frauds getting through. An “average fraud rate” is therefore highly dependent on the specific configuration of your fraud prevention tools. Natural instability of fraud behavior Fraud behavior can be volatile. For openers, one fraudster seldom equals one fraud attempt. Fraudsters often use the same techniques to defraud multiple consumers and companies, sometimes generating multiple transactions for each. You might have, for example, a hundred fraud attempts from the same computer-tanned jackass. Whatever the true ratio of fraud attempts to fraudsters is, you can be confident that your total number of frauds is unlikely to be representative of an equal number of unique fraudsters. What this means is that the fraud behavior is even more volatile than your general consumer behavior, including general fraud trends such as seasonality. This volatility, in and of itself, correlates to a greater degree of variance in fraud rates, further depleting the value of an “average fraud rate” metric. Limited fraud data It’s also worth noting that we only know which of our authentication transactions end up being frauds when our clients tell us after the fact. While plenty of folks do send us known fraud data (thus opening up the possibility of invaluable analysis and consulting), many of our clients do not. Therefore even if all of the aforementioned complexity were not the case, we would still be limited in our ability to provide global benchmarks such as an “average fraud rate.” Therefore, what? This is not to say that there is no such thing as a true average fraud rate, particularly at the industry level. But you should take any claims of an authoritative average with a grain of salt. At the very least, fraud rates are a volatile thing with a great deal of variance from one case to the next. It is much more important to know YOUR average fraud rate, than THE average fraud rate. You can estimate your natural fraud rate through a champion/challenger process, or even by letting the floodgates open for a few days (or however long it takes to gather a meaningful sample of known frauds), then letting the frauds bake out over time. You can compare the strategy fraud rates and false positive ratios of two (or more) competing fraud prevention strategies. You can track your own fraud rates and fraud trends over time. There are plenty of things you can do to create standardize metrics of fraud incidence, but good heavens for the next person to ask me what our average fraud rate is, the answer is “No.”
By: Andrew Gulledge I hate this question. There are several reasons why the concept of an “average fraud rate” is elusive at best, and meaningless or misleading at worst. Natural fraud rate versus strategy fraud rate The natural fraud rate is the number of fraudulent attempts divided by overall attempts in a given period. Many companies don’t know their natural fraud rate, simply because in order to measure it accurately, you need to let every single customer pass authentication regardless of fraud risk. And most folks aren’t willing to take that kind of fraud exposure for the sake of empirical purity. What most people do see, however, is their strategy fraud rate—that is, the fraud rate of approved customers after using some fraud prevention strategy. Obviously, if your fraud model offers any fraud detection at all, then your strategy fraud rate will be somewhat lower than your natural fraud rate. And since there are as many fraud prevention strategies as the day is long, the concept of an “average fraud rate” breaks down somewhat. How do you count frauds? You can count frauds in terms of dollar loss or raw units. A dollar-based approach might be more appropriate when estimating the ROI of your overall authentication strategy. A unit-based approach might be more appropriate when considering the impact on victimized consumers, and the subsequent impact on your brand. If using the unit-based approach, you can count frauds in terms of raw transactions or unique consumers. If one fraudster is able to get through your risk management strategy by coming through the system five times, then the consumer-based fraud rate might be more appropriate. In this example a transaction-based fraud rate would overrepresent this fraudster by a factor of five. Any fraud models based on solely transactional fraud tags would thus be biased towards the fraudsters that game the system through repeat usage. Clearly, however, different folks count frauds differently. Therefore, the concept of an “average fraud rate” breaks down further, simply based on what makes up the numerator and the denominator. Different industries. Different populations. Different uses. Our authentication tools are used by companies from various industries. Would you expect the fraud rate of a utility company to be comparable to that of a money transfer business? What about online lending versus DDA account opening? Furthermore, different companies use different fraud prevention strategies with different risk buckets within their own portfolios. One company might put every customer at account opening through a knowledge based authentication session, while another might only bother asking the riskier customers a set of out of wallet questions. Some companies use authentication tools in the middle of the customer lifecycle, while others employ fraud detection strategies at account opening only. All of these permutations further complicate the notion of an “average fraud rate.” Different decisioning strategies Companies use an array of basic strategies governing their overall approach to fraud prevention. Some people hard decline while others refer to a manual review queue. Some people use a behind-the-scenes fraud risk score; others use knowledge based authentication questions; plenty of people use both. Some people use decision overrides that will auto-fail a transaction when certain conditions are met. Some people use question weighting, use limits, and session timeout thresholds. Some people use all of the out of wallet questions; others use only a handful. There is a near infinite possibility of configuration settings even for the same authentication tools from the same vendors, which further muddies the waters in regards to an “average fraud rate.” My next post will beat this thing to death a bit more.
Risk-based authentication will play a prominent roll in citizen access to government services
Apply DA TagAs E-Government customer demand and opportunity increases, so too will regulatory requirements and associated guidance become more standardized and uniformly adopted. Regardless of credentialing techniques and ongoing access management, all enrollment processes must continue to be founded in accurate and, most importantly, predictive risk-based authentication. Such authentication tools must be able to evolve as new technologies and data assets become available, as compliance requirements and guidance become more defined, and as specific fraud threats align with various access channels and unique customer segments. A risk-based fraud detection system allows institutions to make customer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a customer’s identity and predicted likelihood of associated identity theft. To implement efficient and appropriate risk-based authentication procedures, the incorporation of comprehensive and broadly categorized data assets must be combined with targeted analytics and consistent decisioning policies to achieve a measurably effective balance between fraud detection and positive identity proofing results. The inherent value of a risk-based approach to authentication lies in the ability to strike such a balance not only in a current environment, but as that environment shifts as do its underlying forces. The National Institute of Standards and Technology, in special publication 800-63, defines electronic authentication (E-authentication) as “the process of establishing confidence in user identities electronically presented to an information system”. Since, as stated in publication 800-63, “individuals are enrolled and undergo an identity proofing process in which their identity is bound to an authentication secret, called a token”, it is imperative that identity proofing is founded in an approach that generates confidence in the authentication process. Experian believes that a risk-based approach that can separate valid from invalid identities using a combination of data and proven quantitative techniques is best. As “individuals are remotely authenticated to systems and applications over an open network, using a token in an authentication protocol”, enrollment processes that drive ultimate provision of tokens must be implemented with an eye towards identity risk, and not simply a series of checks against one or more third party data assets. If the “keys to the kingdom” are housed in the ongoing use of tokens provided by Credentials Service Providers (CRA) and binding credentials to that token, trusted Registration Authorities (RA) must employ highly predictive identity proofing techniques designed to segment true, low-risk identities from identities that may have been manipulated, fabricated, or in true-form are subject to fraudulent use, abuse or victimization. Many compliance-oriented authentication requirements (ex. USA PATRIOT Act, FACTA Red Flags Rule) and resultant processes hinge upon identity element (ex. name, address, Social Security number, phone number) validation and verification checks. Without minimizing the importance of performing such checks, the purpose of a more risk-based approach to authentication is to leverage other data sources and quantitative techniques to further assess the probability of fraudulent behavior.
-- by, Andrew Gulledge One of the quickest and easiest ways to reduce fraud in your portfolio is to incorporate question weighting into your out of wallet question strategy. To continue the use of knowledge based authentication without question weighting is to assign a point value of 100 points to each question. This is somewhat arbitrary (and a bit sloppy) when we know that certain questions consistently perform better than others. So if a fraudster gets 3 easier questions right, and 1 harder question wrong they will have an easier time passing your authentication process without question weighting. If, on the other hand, you adopt question weighting as part of your overall risk based authentication approach, that same fraudster would score much worse on the same KBA session. The 1 question that they got wrong would have cost them a lot of points, and the 3 easier questions they got right wouldn’t have given them as many points. Question weighting based on known fraud trends is more punitive for the fraudsters. Let’s say the easier questions were worth 50 points each, and the harder question was worth 150 points. Without question weighting, the fraudster would have scored 75% (300 out of 400 points). With question weighting, the fraudster would have scored 50% (150 out of 300 points correct). Your decisioning strategy might well have failed him with a score of 50, but passed him with a score of 75. Question weighting will often kick the fraudsters into the fail regions of your decisioning strategy, which is exactly what risk based authentication is all about. Consult with your fraud account management representative to see if you are making the most out of your KBA experience with the intelligent use of question weighting. It is a no-brainer way to improve your overall fraud prevention, even if you keep your overall pass rate the same. Question weighting is an easy way to squeeze more value of your knowledge based authentication tool.