Never a dull moment at the authentication waterhole

Just another wild day at the authentication waterhole: Deduce was busy sniffing out fraudsters masquerading as consumers.

Lucky for us, our cameras were rolling!

Want to take a bite out of identity fraud and streamline your user experience? Contact Deduce today.

Good news: Increased security and a seamless UX aren’t mutually exclusive

A recent payment intelligence report from Fraugster unearthed plenty of unsettling stats from the past year: online fraud accounted for about $80 billion in losses; false positives negated $14 billion worth of legitimate transactions; and gaming fraud increased by an all-time high of 32%.

However, the most sobering takeaway from the report might be the ongoing surge of identity fraud and its various forms. A nefarious hydra of account takeover (ATO), credential stuffing, and synthetic identity fraud—which saw a 109% increase—is outwitting cybersecurity defenses left and right.

This is a head-scratcher for B2C companies, specifically CXOs, CMOs, CISOs and their security teams. Users are more wary of fraud than ever, yet 85 percent of them dislike companies with identity verification issues. How do you bolster fraud prevention efforts without compromising the user experience (UX)?

Rest assured, we are doom-slayers, not doomsayers. Below, we’ll dive a bit deeper into ATO, credential stuffing, and synthetic identity fraud, then show you how top-notch fraud prevention and seamless UX can indeed play on the same team.

Synthetic identity fraud (+109%)

Considering synthetic identity fraud is firmly on the Federal Reserve’s radar, its 109% YoY increase makes sense. Only two years ago, in 2020, synthetic identity fraud cost financial institutions $20 billion.

Synthetic identity fraud occurs when bad actors combine legitimate emails, phone numbers, and other personal info from disparate identities to create a bogus “Frankenstein identity” capable of circumventing customer verification. Parents of newborns with recently minted social security numbers should be extra vigilant because those fresh SSNs are a gold mine for fraudsters. 

The most frustrating aspect of synthetic identity fraud is its elusiveness: identifying the Dr. Frankenstein behind a Frankenstein identity is incredibly difficult. Synthetic fraudsters are also more patient, often taking out smaller loans and paying bills on time to remain incognito.

Account takeover (+52%)

Account takeover, in which fraudsters use stolen customer credentials to hijack an account and purchase goods, jumped 52% from last year. This is due in part to an uptick in card-not-present (CNP) transactions, i.e., transactions made online or over the phone that don’t make use of the EMV chip present in debit and credit cards.

Once an account is taken over, the possibilities are endlessly disastrous. In 2021, the three most likely post-ATO activities were making fraudulent purchases; extracting money from person-to-person apps, such as PayPal or Venmo; and editing account info in case a future transaction prompted a verification request. Another unhappy result of ATO, loyalty point theft, is on the rise, mainly due to the downturn in travel and leisure during COVID-19. 

It goes without saying that account takeover victims—and customer support teams—don’t look back on the experience with glee. According to Javelin Research, ATO attacks can cost customers more than $290. Customers also spend 15+ hours undoing the wreckage.

Credential stuffing (+45%)

Credential stuffing, an identity fraud tactic that’s essentially a malicious game of trial-and-error, grew 45% from the previous year. With the final quarter of 2022 closing in fast, B2C businesses and their users must be on guard as credential stuffing attacks rise 10x amid the holiday shopping fracas.

Similar to account takeover and synthetic identity fraud, the credentials that aid these attacks often derive from security breaches. Leaked usernames, passwords, social security numbers and the like get peddled on the dark web for as much as $15K and as little as a few dollars. Per IBM, around 30,000 account credentials were sold on the dark web in 2021—in some cases, sellers even offer 1-2 week refunds if buyers can’t access the promised account.

Have your cake, eat your cake

For those keeping score at home, synthetic identity fraud, account takeover, and credential stuffing attacks: not fun. But they aren’t invulnerable either, and, even better, you can wipe them out while still maintaining a frictionless UX.

The trick to stopping this troika of identity fraud is neutralizing the perps before they can strike. This, of course, requires a hefty chunk of real-time identity intelligence, which in turn unlocks a Trusted User Experience—the perfect balance of airtight security and a seamless customer journey. The Trusted User Experience also encompasses continuous authentication. Akin to shopping on Amazon, continuously verified users aren’t bombarded with authentication challenges that lead to abandoned shopping carts and potentially churn. If a user’s identity operates within its usual parameters, they won’t need to log in upon revisiting a site or app.

On the security side, real-time identity intelligence preempts identity fraudsters who have access to behemoth data sets. The average fraud prevention solution, a tool that depends on static, historical data alone (names, emails, physical addresses, SSNs), can’t compete with these bad actors, as most of this data is already up for grabs on the dark web. If businesses want to protect their finances and reputations, a massive stockpile of real-time, dynamic data (user activity, IP address, device, geography, etc.) and the resulting risk and trust signals is the way.

Thanks to the Deduce Identity Network and its MAMAA-like hoard of dynamic, real-time identity intelligence, creating a secure yet seamless UX is easier done than said.

Our Identity Network is the largest real-time identity graph for fraud in the US. It gathers more than 500 million unique user profiles and over 1.4 billion daily activities from 150,000+ websites and apps. This data continues to grow by the minute, delivering a Trusted User Experience that preemptively recognizes legitimate users and bad actors in equal measure.

Want to have your Trusted User Experience cake and eat it, too? Contact us today and get started in just a few hours.

Humans can be pretty bad, too

It’s a bot-eat-bot world out there. 77% of cybersecurity incidents are bot-based, and bot management companies, such as Human Technologies and PerimeterX, are merging to outgun malicious robo-fraudsters.

This begs a crucial question: What about humans? Don’t get us wrong—we’re all for short-circuiting those bad bots—but there are still those pesky bad actors you have to worry about, too. (Those bots don’t create themselves, you know.)

Below, we look closer at the bot craze in the current fraud landscape, the downside of solely doubling down on bots, and why differentiating between legitimate and illegitimate humans is just as important.

Bot-y slammed

Human Technologies and PerimeterX joining forces, along with Thoma Bravo’s acquisition of Ping Identity, underscores a consolidation trend that’s emerged over the past few months. Irrespective of industry, some of these mergers are due to plummeting valuations; but in the case of cybersecurity companies, which enjoyed a record year of funding in 2021, many are partnering because the growing threat of data breaches, exacerbated by the normalization of remote work, is simply too much to handle.

Like Human and PerimeterX, we may see other bot vendors merge before year’s end. It’s understandable given how sophisticated bots have become in a short amount of time. They’ve grown to be disturbingly human-like, adaptable, and consequently much more difficult to spot, swiping personally identifiable information (PII) off websites, engaging in click fraud to boost ad revenue, and profiting from other shady tactics.

Bots are scary, indeed. So are their seedy human counterparts. Companies enlisting a fraud prevention solution need to understand that stopping bots is only half the battle; neutralizing living, breathing fraudsters—without hindering the user experience (UX)—is the final piece.

Identity intelligence, anyone?

So, you’re on board with putting the clamps on bad bots AND bad humans? Awesome. The next step is to ensure your fraud prevention solution of choice is leveraging the right kind of data, i.e., identity intelligence.

Most anti-fraud tools rely on behavioral biometrics. While it’s effective against bots, it can also cause serious UX issues in the form of false positives. Behavioral biometrics—which monitors behavior such as keystrokes, mouse movement, finger tapping, etc.—will easily trigger a multi-factor authentication (MFA) request if a user deviates from their typical pattern. A drunk or sick user may type or speak unusually (gait analysis); a user with different keyboards at work and at home might be flagged incorrectly (keystroke analysis).

Another flaw of behavioral biometrics is that stockpiling enough personal data to successfully analyze a user’s behavior takes time. A solution centered around identity intelligence, on the other hand, has all of the data it needs in real-time.

It’s time for real-time

If companies want to stop bots and humans alike, real-time identity intelligence is the ticket. Deduce packs more of this data than any other solution, making it a thoroughly accurate standalone or complementary defense system that won’t muck up UX.

Deduce is home to the largest real-time identity graph for online fraud in the US. Its Identity Network leverages more than 500 million unique user profiles and over 1.4 billion daily activities to recognize legitimate users and prevent account takeover—including synthetic identity fraud.

Want to see how Deduce can spot bad bots and humans and help create a Trusted User Experience? Contact us today.

Sunny, with a chance of ATO

New year, new resolutions. For some, that means a Planet Fitness membership or Dry January; for us, it means continuing to neutralize bad actors and innovate for a fraud prevention industry saddled by hindered data access and outmoded tactics.

What changes does the Deduce team want to see happen in 2022? Here are a few predictions from our resident soothsayers.

Ari Jacoby, Founder/CEO

Ari believes “coopetition” among cybersecurity firms will help close the data poverty gap in 2022.

From 2019 to 2020, we saw a 300 percent jump in account takeover (ATO) fraud alone. This year, unfortunately, that figure is likely to get worse. Most will attribute this to the uptick in online usage amid the pandemic, which is certainly valid, but data poverty plays a role as well.

Data is the new currency. Most of the valuable data — specifically real-time behavioral data — is confined within the walled gardens of the MANGA Gang. This makes ‘coopetition’ between cybersecurity firms imperative.

Competing companies in the financial, adtech, and healthcare industries often exchange actionable data without any problems. Until fraud prevention companies follow suit, predictive algorithms won’t reach their full potential and ATO will continue to keep execs up at night. I’d love to see the data poverty gap close in 2022, but I’m afraid the worst possible outcome from this issue — another massive data breach — could happen again this year if cybersecurity leaders don’t put their heads together.

Robert Panasiuk, CTO

Robert anticipates a growing, albeit insufficient, number of legacy software solutions changing the way in which they deploy their apps.

This year, we’ll see more companies shift to a devops deployment model that gets new customers up and running in hours instead of months. However, even with the devops model’s ability to fast-track go-to-market and deployment — an absolute must in today’s landscape — some enterprise businesses will stick to their legacy guns.

Other legacy holdouts will struggle to pass up the efficiency of the devops model, particularly those needing a fraud prevention solution that outraces fleet-footed fraudsters. Rapid deployment, unshackled by the months of development and testing required by legacy systems, delivers a first-class customer experience. The devops approach also enables best-of-breed solutions to be easily integrated. Case in point: the Deduce MFA Intelligence solution will be available in the Auth0 marketplace, which will reduce false positive MFA challenges by more than 50%.

A mass migration to the devops model? Probably not in 2022. But I’m guessing more execs at the C-suite level will finally part ways with unmaintained, outdated legacy technology and prioritize devops-style fraud tools that update seamlessly and can keep up with fraudsters and user demands. Similar to last year’s Okta-Auth0 acquisition, we may see another major legacy company buy a devops-based solution outright.

Adish Kasi, VP Sales

Adish expects to see a significant jump in passwordless adoption this year.

Passwordless login solutions are already on the rise. In 2022, I believe we’ll see a significant jump in passwordless adoption and user buy-in.

Modern app users are growing more and more tired of keying in username/password combos upon each visit, and companies loathe the friction — and subsequent churn — this causes. In 2021, Experian’s Global Identity & Fraud Report polled more than 2,700 businesses and 9,000 consumers about their preferred login approach. Passwords landed outside the top three, beaten out by physical and behavioral biometrics and SMS PIN codes.

This year, I see a larger contingent of users (and companies) prioritizing a seamless customer journey accompanied by a transition to passwordless solutions. However, the barrier to entry, and the Achilles’ heel, for mass adoption in this space entails designing an intelligent solution for device enrollment and account recovery. What happens if your primary device is lost or stolen? How does an organization curtail risk at the moment of device enrollment?

Identity intelligence, as a new categorical solution, will emerge as a vehicle for helping organizations through the transition to passwordless solutions.

That concludes our resolutions. If your resolutions have fallen by the wayside, here’s a free one from Deduce: leverage real-time insights to protect your users (and user experience) from identity fraud.

The Deduce Identity Network is just the ticket. Learn how our coalition of 150,000 websites and apps and over 450 million anonymized profiles can mitigate account takeover, account creation fraud, and other cyberthreats.

If a fintech startup isn’t fortified, investors will be mortified

Money20/20 in Las Vegas is officially in the books. Cybersecurity has been a hot topic at the conference over the past few years, and this year was no different.

One key takeaway from the event was that customers aren’t the only consideration for employing an optimal cybersecurity solution — today’s fintech companies, from payments and banking to lending and insurance, also have their valuations at stake.

To say fintech valuations are looking healthy would be an understatement. The recent IPOs of Toast and Remitly suggest that fintech and SaaS valuations may even be neck and neck (at least for the time being). However, with online fraud up 23 percent from April to July 2021, you can bet that investors are taking a long look at cybersecurity readiness before they break out their calculators (and checkbooks). They know that fintech and other types of enterprise companies are more susceptible to breaches in the modern cloud environment, and, due to the pandemic, the number of online transactions has never been higher.

Quantitative data — revenue, profitability, growth, customer lifetime value, etc. — may be in short supply when investors dig into a nascent, or relatively nascent, fintech startup. In these cases, qualitative factors come into play, such as founder/team experience and market fit. Given the current online landscape wherein fraudsters are striking and varying their attacks faster than ever before, fraud prevention capability is also at the top of the list when investors are assessing valuations. They’re all about measuring risk, and what’s riskier than a company — particularly a financial enterprise — that can’t protect itself or its customers?

To maximize valuations in this climate, every fintech company must inherently be focused on cybersecurity, risk, and fraud at its core. Founders need to consider the relevance of their solution’s value proposition and the effectiveness of their company’s security measures. The fraud prevention technology of yore won’t cut it; investors want to see a data-driven, real-time solution that’s adaptive, preemptive, conducive to a positive customer experience, and fully compliant with data privacy regulations.

There’s another benefit to getting this right that goes beyond cybersecurity risk: implementing a powerful identity fraud prevention solution can provide a new account creation advantage. For example, one of Deduce’s customers, a personal finance and investing platform catering to young adults, wanted to provide the fast, seamless signup experience expected by their young customer base. However, the platform’s original new account authentication process took up to 48 hours. That’s a very long time for eager new investors to wait for approval — and plenty of time for them to find an alternative app.

Now in the early stages of implementing Deduce Identity Insights, this platform can assess and approve qualified customers in near real-time, so they can start saving and investing right away. Deduce achieves this by scoring applications as part of the signup flow and alerting the platform’s manual review team to any that might be fraudulent, saving the team from having to manually review every new account.

An anti-fraud solution that neutralizes bad actors at the account creation stage and across all stages of the customer journey is an all-around great look. Great for customer experience and retention, great for brand reputation, and great for valuations.

Looking to swat away fraudsters before they attack? Try a free trial of Deduce today.