The Role of Dynamic Authorization in Fraud Prevention

The pandemic left many businesses unprepared for the sudden shift from face-to-face interactions to mostly digital operations. From banks to retailers to grocery stores to healthcare providers, organizations without systems in place to support secure user access from devices 24/7 put their businesses, employees, partners, and customers at risk. In Ponemon’s 2021 study The Real Cost of Online Fraud, 61% of respondents said their organizations did not have the right technologies to mitigate online financial fraud. 

Enterprises in the early stages of their digital transformation struggled to keep up with new market entrants with better  customer experience, and they started losing market share. They also opened themselves up to attacks by bad actors. Organizations using role-based access control (RBAC), a coarse-grained approach that was  effective when users and systems were on-premises, found that they needed a more flexible approach and migrated to an identity-defined security solution, attribute-based access control (ABAC) with dynamic authorization. This new approach combines centralized control with user-level context to make real-time decisions.

Attribute-based access control (ABAC) improves security by evaluating more than just a user’s role for authorization decisions. The context of an access request provides a more detailed view of the situation. For example, with more employees working from home, enterprises have to be on the lookout for fraudsters attempting to enter their system using an employee’s stolen credentials. By adding attributes when making an authorization decision, if that login attempt is from another country, the activity will be flagged.  

Attributes can include:

• User (e.g., security clearance or age)  

• Resource (e.g., resource type or creation date) 

• Context (e.g., location or time of day)

Dynamic authorization is real-time enforcement of the fine-grained business logic around what users can see and do, in what context, and for what purpose.

Dynamic authorization starts with an application, like a mobile app, providing data to the central authorization system that identifies the nature of the request. Examples include a customer who wants to access their ecommerce account or an HR employee who wants to access confidential employee files. The central authorization system then takes responsibility for collecting the additional data required to make the appropriate authorization decision. This could include:

• Retrieving additional context, such as organizational roles and user attributes, from a directory service

• Checking cloud-based device risk services

• Evaluating fraud and risk systems to get an update on the user's current risk status

   

Dynamic authorization relies on policies that look beyond a single attribute, like a role (e.g., customer or HR employee), and add context by assessing multiple attributes (e.g., time of day, IP address, or type of resource) for decision making. The policies an organization puts in place direct the authorization decision tree for each access request. High-value actions, including accessing sensitive data or making a significant purchase, are subject to different policies than simply viewing a retail website. The user experience can remain frictionless for low-risk situations, but levels of friction can be added when necessary. For example, if a customer who rarely uses a retail site suddenly tries to make a $10,000 purchase, stepped-up authentication using multi-factor authentication (MFA) can be required to make sure their account hasn’t been taken over by a fraudster.

Risk Signals and Risk Providers

Organizations are always under pressure to balance security against friction in the customer experience.  An increasingly attractive approach is to adapt the user experience based on the level of trust in the user.

How do you know if you can trust a user? Organizations typically use numerous data sources and risk signals to determine whether access should be granted. Over time, a trust relationship is developed using signals from external fraud and risk providers, along with information about the user, their devices, and the actions they want to perform. Data enrichment from risk providers can:

• Lower fraud rates

• Reduce the number of false positives

• Avoid manual reviews and chargebacks

• Remove friction and increase revenue

A centralized approach moves authorization policies away from application-level decisions to allow fraud teams to respond consistently and more quickly to issues in the organization as a whole. Tools to detect fraud are constantly evolving, and fraud teams can review and add best-in-class risk signals to policies as they are identified.

A multi-layer approach to fraud prevention is always your best option, since bad actors are coming up with new ways to commit fraud every day.  

Fraud can happen at any stage of the user journey. Developing strong policies and identifying risk signals to curtail fraudulent activity is part of this multi-layered approach. By proactively flagging suspicious activity during account creation, account login, profile changes, attempted transactions, attempts to access sensitive data, and other steps in the user journey, fraud can be prevented.

As part of a multi-layered approach, some countries have taken additional steps to prevent fraud. In the UK, the nationwide Take Five Stop-Challenge-Protect campaign helps people protect themselves from preventable financial fraud by teaching them about email deception, phone-based scams, and online fraud and alerting them to tactics used by criminals who pretend to be trusted organizations. One campaign focus is authorized push payment (APP) scams, where a criminal tricks an individual or business into sending an irreversible payment to a bank account the criminal controls. If a bank that has formed a trusting relationship with a vulnerable person can find a way to alter the user experience–such as by asking whether the person has received a phone call or email telling them to make the transaction–the person is nudged to  stop before sending their money to the fraudster. 

The benefits of centralized authorization policies that are used to control access by evaluating identity attributes, entitlements, consents, and additional contextual information go beyond fraud prevention.

Regulatory and Privacy Compliance

Dynamic authorization allows organizations to comply with regulations through attribute filters and privacy consent enforcement mechanisms. Compliance with GDPR, CCPA, CDR, and other regulations means that customers must have control over and insight into their data. Without a central authorization system providing a single view of users, siloed user data makes it hard to manage consents.

Personalization

Understanding your users allows you to personalize your interactions with them. Beyond the personalization of greetings and offers, personal preferences can also be used to prevent fraud. For example, a banking customer who never banks by phone can turn off that option in their account profile, preventing a bad actor from making a fraudulent phone transaction. 

The landscape of solution providers is constantly evolving and shifting. Layering controls and best-of-breed risk models is the right approach. Organizations should seek agility in their fraud prevention solutions.  

PingOne Authorize and PingAuthorize offer companies the agility to react instantly without sacrificing security or regulatory compliance. These tools provide centralized authorization policies that evaluate the context of a request to make intelligent decisions — all while protecting your data, services, applications, and APIs and providing your users with seamless experiences.