Technological changes, a product of virtuality and of clients' need for convenience when making payments, have brought new questions and threats to financial institutions. For different reasons, situations arise that require institutions to rethink their security strategies and analyze usage patterns (the last bastion of detection), as well as the solutions they have in place to respond to possible attacks or avoid missteps.
Why does this phenomenon begin to occur? To start with, the client has practically disappeared from the bank or financial branch, and some institutions do not know their clients personally because the account was opened or the card was requested remotely. They have never physically seen the client, and that is a very strong change.
Before, a person had to go in person to have a loan approved, do paperwork, open an account, etc. Today almost all operations have moved to virtual space, and that is quite a challenge. When that client of the virtual world performs regular operations such as bill payments, transfers, receipt of salary, cell phone recharges or other services (all of them virtually), there is no major inconvenience because these operations usually follow a pattern of use. The problem begins when the client strongly alters their behavior patterns, and that is what is happening right now.
The client begins to do new things in search of new experiences, such as increased spending, excessive purchases, trips after a long confinement, etc. That makes security more difficult for financial institutions, because these changes raise questions such as:
Social engineering, and phishing in particular, are present in all these kinds of questions and problems that must be addressed by financial institutions, which also should not reject operations that appear to be genuine, even if they raise doubts, because they must take care of the user experience and trust in the system.
So what to do in those cases? Applying some additional precautionary security measures (risk-based authentication) can be one way, such as adding a second factor of authentication, which provides important information when it works and was well defined beforehand, that is, before the situation of mistrust arises.
Another change in behavior relates to the use of certain products in ways different from what was originally intended, for example, the debit cards that are used today for shopping. In contrast to credit cards, purchases with debit do not obtain the benefits of fees or loyalty plans, but they do obtain tax benefits. The use of these cards to buy air tickets, for example, is strange.
Another challenge is “friendly” fraud or self-fraud, where the customer himself tries to avoid paying for his expenses or purchases. It is currently occurring more than before because the institution does not know the client; as I mentioned at the beginning, it never saw him in person. Behavior such as making excessive purchases that the client later cannot pay for is a typical scheme of possible self-fraud, in which the customer rejects purchases and tries to avoid paying for them on the grounds that his cards were stolen, that he was a victim of identity theft, etc.
The Central Bank of Uruguay (BCU) is requesting that security measures be implemented so that the issuer can shield itself with security products and tools that provide the evidence required against possible customer claims such as the example mentioned, since there are no cameras in the shops and measures such as 3DSecure (an authentication protocol for online payments) are not 100% implemented in the local financial system. Therefore, with the regulation, precautionary measures are sought to avoid fraud.
It is very important to understand that every time new regulations, barriers and intelligence (human and artificial) are generated to try to stop fraud, fraudsters in turn apply more intelligence and strategies to break them. Putting up large barriers therefore causes fraud to move towards the most vulnerable.
Being more vulnerable means not implementing adequate protection mechanisms, even beyond what is required by the regulation. The recommendation is to bet on intelligent and flexible protection that allows the institution to evolve, without ceasing to approve transactions and without generating more friction than necessary to know who the customer really is. This means taking the threat as an opportunity and preparing to adapt the institution's models and operation to the changing world of fraud, taking advantage of the new source of data and information that these services or tools offer for better decision making.
* Social engineering is nothing more than a pretentious name for what we know as “the story of the uncle”, but in the face of financial products designed with robust security, it is the great bastion that fraudsters cling to in order to achieve their mission.