AI and ML: keeping banks and customers safe from fraud

The digital age has brought convenience and enjoyment to virtually every aspect of our lives, including online shopping for items as varied as motor vehicles, insurance, shares, shoes, and takeaways. However, this convenience comes with a downside: the ever-present spectre of fraud.

It’s a global scourge. According to the study State of Internet Scams 2023 by online investigation service Social Catfish, nearly 80,000 incidents across 88 countries indicate that stolen credentials were used in 61% of all attacks in 2021.

Phishing remains a primary tool for fraudsters. In Singapore, the total number of scam cases rose from 13,576 in the first half of 2022 to 22,339 during the same period in 2023. Young adults were the most likely victims of scams, comprising over half of the total number of victims. They primarily fell prey to e-commerce scams, job scams, and phishing scams.

As crime evolves, so must our weapons and strategies to combat it. Strong customer authentication (SCA), based on secure mobile push notifications protected by biometrics, could have prevented many of these fraudulent transactions. But banks that are serious about mitigating risks from phishing and identity theft can go further by preventing attacks before they occur.

Harnessing AI to protect customer assets

Banks need an in-depth strategy and need to view authentication as part of a comprehensive risk management ecosystem. This ecosystem should take advantage of AI and behavioural intelligence to identify threats and minimise exposure, continuously and proactively defending customer assets and online identities.

How can this be achieved?

The principle is straightforward: identify threats early, know your users, and stop fraudulent payments before they occur.

This approach should be coupled with user-friendly yet secure authentication. If only legitimate users can access their accounts, imposters cannot inflict damage. This requires meeting SCA regulatory requirements, which demand that customers confirm their identities through multi-factor authentication (MFA) using something they know or have (like a fingerprint), while continuously managing their risk during digital banking services.

This seems straightforward enough, yet many financial institutions worldwide still rely on less secure authentication methods.

According to a study conducted by FStech and HID Global, the leading authentication method used by financial institutions is SMS sent to customers’ phones — in spite of the security risks that SMS authentication entails. More traditional authentication methods such as secret questions and answers, and email password resets are also still widely in use today.

A more secure and user-friendly way to protect logins and transactions is push authentication, a delivery channel that enables MFA via a mobile phone.

Push authentication uses cryptographic techniques to link a device to its owner’s identity, thwarting attackers from impersonating someone without physical access to the device.

The push user experience is seamless and straightforward. When notifications appear on users’ phones, they must simply swipe to validate the request, choosing “Approve” or “Decline” rather than referencing and retyping an OTP received via SMS.

In fact, the most flexible push authentication solutions enable banks to adopt a completely passwordless approach by enabling device biometric capabilities and eliminating the threat of compromised credentials.
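
As an added illustration of the device binding and Approve/Decline flow described above (not code from this article or from any vendor), the example below has a bank enrol a per-device key, push a single-use challenge carrying the transaction, and accept only a response that proves possession of that key. The class and function names, the 60-second lifetime and the use of an HMAC shared secret in place of a device-held signing key are assumptions made for the example.

```python
import hashlib, hmac, json, secrets, time

CHALLENGE_TTL = 60  # seconds a push request stays valid (assumed value)

def sign(key, nonce, transaction, decision):
    """Proof covering the nonce, the exact transaction and the user's choice."""
    msg = json.dumps({"n": nonce, "t": transaction, "d": decision}, sort_keys=True)
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class PushAuthServer:  # hypothetical bank-side component
    def __init__(self):
        self.device_keys = {}  # user -> key bound to that user's enrolled device
        self.pending = {}      # nonce -> (user, transaction, expiry)

    def enroll(self, user):
        # Stand-in for device enrolment: HMAC secret instead of a signing key pair.
        self.device_keys[user] = secrets.token_bytes(32)
        return self.device_keys[user]

    def push(self, user, transaction, now=None):
        # The server remembers what it asked the user to approve.
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user, transaction, now + CHALLENGE_TTL)
        return {"nonce": nonce, "transaction": transaction}

    def verify(self, response, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(response.get("nonce"), None)  # single use
        if entry is None:
            return "rejected: unknown or replayed nonce"
        user, transaction, expiry = entry
        if now > expiry:
            return "rejected: expired"
        # Recompute over the server's own copy, not what the client claims it saw.
        expected = sign(self.device_keys[user], response["nonce"], transaction,
                        response.get("decision"))
        if not hmac.compare_digest(expected.encode(), str(response.get("tag")).encode()):
            return "rejected: bad device proof"
        return "approved" if response["decision"] == "approve" else "declined"

def device_respond(key, challenge, decision):
    # Runs on the enrolled phone after the user picks "approve" or "decline".
    tag = sign(key, challenge["nonce"], challenge["transaction"], decision)
    return {"nonce": challenge["nonce"], "decision": decision, "tag": tag}

if __name__ == "__main__":
    bank = PushAuthServer(); key = bank.enroll("alice")
    ch = bank.push("alice", {"payee": "ACME Ltd", "amount": "250.00 SGD"})  # constructed
    print(bank.verify(device_respond(key, ch, "approve")))
```

Because the proof covers the transaction the server stored, a response produced over altered payment details fails verification even when it comes from the genuine device.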

Using AI to study behavioural patterns

Data from customer devices, behaviour, and payment history, combined with known behavioural patterns (both benign and malicious), are crucial in building a bank’s behavioural intelligence database. This database, utilised by machine learning and AI, helps in identifying fraud.

Each person’s interaction with frequently visited websites or favourite mobile apps is unique. This includes specific behavioural patterns, such as how a user types, swipes, and interacts with their devices.

Using behavioural intelligence in real time is crucial for determining the user’s intent and identifying fraud. Effective risk management during the user’s digital journey — and leveraging such insights — equips banks with enhanced capabilities to prevent, predict, and proactively address cyberthreats.

Simple authentication won’t protect against fraud and scams

Relying solely on simple authentication solutions is no longer enough to protect against evolving scams. The best approach to prevent fraud today combines early threat detection, understanding your users, transaction analysis over time, and push-based authentication.

Terry Pratchett, the beloved satirist, noted that many criminals would be wealthy if they applied their lawbreaking skills to legitimate pursuits. Unfortunately, cybercriminals will always be part of the digital banking landscape, but the damage they cause does not have to be.

Effective fraud prevention technologies that optimise user experience are essential. They enable organisations to be proactive about risk, protecting not just their customers but also the financial and reputational integrity of their business.