The Convergence of Identity Proofing, Access Management, and Fraud Detection

Customer and employee preferences shifted during the pandemic. Remote work, online shopping, banking, and other activities are here to stay. Bad actors view the increased online activity as a huge opportunity because they are no longer stopped by on-premises boundaries. Organizations’ attack surfaces have grown with an increase in apps, APIs, and SaaS services, so there’s a need to defend resources from attacks on multiple fronts. 

Enterprises need to adapt to allow legitimate users secure access to the resources they need from any location at any time on any device without causing them to jump through too many hoops. A modern fraud mitigation strategy looks at user behavior and device signals throughout the user journey in real time, with minimal disruption to legitimate users. Fraudulent transactions can be stopped before they cost your company money and brand damage. LexisNexis found that in 2021, every $1 of fraud cost U.S. retail and eCommerce merchants $3.60 and in Canada the cost was $3.02.

Online fraud takes many forms, including account takeover (ATO) fraud, new account fraud, checkout fraud and business email compromise (BEC), which was the costliest form of fraud in 2020, accounting for $1.8 billion in losses. Identity proofing, access management, and fraud detection work hand-in-hand to provide users with a seamless experience while defending against multiple attack vectors. Let’s look at each component individually and how they work together as a holistic solution.

Identity proofing, also known as identity verification and ID proofing, helps ensure users are who they claim to be from the start by tying their digital identity to their real-life identity. Because stolen identities, credentials, and personally identifiable information (PII) can be used to set up fraudulent new accounts, identity verification is typically implemented during the registration process and can be integrated into mobile apps.

When implemented during onboarding, identity proofing gives organizations greater confidence by requiring a user to provide a selfie and a government issued ID to ensure the user is who they say they are.

Lack of ID proofing can lead to financial and reputational damage. As we saw at the start of the pandemic, U.S. states that didn’t have identity verification in place paid millions in fraudulent unemployment benefits to organized crime rings using stolen identities. Once identity proofing was added to the process, fraudsters were stopped from receiving additional fraudulent benefits because they couldn’t provide the requisite selfies.  

Watch this short video to see the customer verification process in action.

Combining identity verification with customer access management gives your business the ability to further enhance security when customers interact with your apps and websites without adding unnecessary friction to the experience. Single sign-on (SSO) allows customers to login with a single set of credentials to access every app and website. This gives your customers a convenient and consistent way to sign-on and lets you reduce the likelihood of a password-related hack. Seamlessly integrating multi-factor authentication (MFA) alongside SSO gives you further confidence in the identity of your customers by continuing evaluating risk and context and prompting for additional authentication if needed. 

Once users have been verified and authenticated, you want to make sure they only have access to the resources they actually need. Dynamic authorization, also known as attribute-based access control (ABAC) and policy based access control (PBAC), gives you control over who has access to what data and actions in your SaaS, mobile, web, and enterprise applications. Centralized authorization control and administration makes it easier to create and enforce policies that enhance security, protect resources, and meet regulatory requirements with speed and efficiency.

While traditional role-based access control (RBAC) had been the norm, its limitations in addressing current use cases and threats makes it less desirable. Policy-based dynamic authorization is more flexible and analyzes contextual attributes in real-time to approve, deny, or step-up authentication requirements prior to a user being able to access resources or make transactions. 

The policies an enterprise develops dictate which risk signals should be used during different scenarios, with information being pulled from independent risk providers to determine the next step. A low risk scenario, such as accessing an app, can remain frictionless while a high-value financial transaction can require stepped up authentication before the transaction is allowed to proceed. For example, a customer who hasn’t used online banking for six months can be required to take an additional authentication step before being allowed to transfer $5,000 to a suspicious account to ensure the person trying to make the transfer is the legitimate account owner and not a fraudster.

Detecting fraudulent behavior before an action or transaction occurs also limits financial and reputational damage. Online fraud detection tools use artificial intelligence (AI) and machine learning (ML) to recognize suspicious behavior and prevent fraudsters from creating accounts, logging in, and/or completing transactions. 

The behavior of customers, employees, and partners follows predictable patterns that aren’t replicated by bots and hackers, such as typing at a normal speed rather than copying and pasting data at fast rates. Speed is usually a high priority for bad actors when they attempt to access as many accounts as possible in a short period of time using brute force attacks or credential stuffing with compromised credentials.

Collecting and analyzing multiple data points about behavior on an ongoing basis helps identify new threats as they develop. Fraud detection and monitoring tools can be customized for your organization, with risk assessments looking at data points such as: 

• Device type, operating system, and version

• Browser type and version

• Date, time, and location of access

Because bad actors are constantly looking for new ways to enter and exploit your system, you need a flexible, comprehensive solution. Successfully combating online fraud requires an understanding of how and where fraud occurs while mitigating its effects in real time and improving your overall security posture. Trying to integrate solutions from multiple vendors can be costly, time consuming, and lead to vulnerabilities, fraud, data breaches, and ransomware.

Having business, risk, security, compliance, and IT teams whiteboard processes to identify potential vulnerabilities helps with the big picture. Because no one wants to overburden developers with coding nightmares that might be unnecessary, a roadmap that leads to a low or no-code solution saves time, money and frustration.

PingOne DaVinci is an orchestration platform that allows you to whiteboard your situation, pick and choose the best options to address your challenges, then design a low or no-code solution. Learn more about our comprehensive solution that incorporates identity proofing, access management and online fraud detection to Mitigate Fraud Risk.