Years ago, I had to get hold of a personal document that I needed from a government office. I had brought with me all of the documentation that I was told I needed, but there was an issue — a bureaucratic technicality that rendered one of the pieces of documentation invalid in the eyes of the clerk.
I tried to argue that if we zoomed out and looked at the big picture, it was clear that I was me and entitled to my own document. The clerk would not hear of it, though, and replied, "It should not be easy to get this document." I did not agree and quipped, "It should be easy to get this document if one is entitled to it." Unfortunately, that remark did not get me the document, and I was forced to return another day.
The reason I am sharing this story with you is because it can teach us an important lesson about balancing fraud and user experience. My example illustrates how off-base the conventional wisdom is that says making something harder for a legitimate user to get reduces risk. If a user is legitimate, and if we know they are legitimate, then why would we ever want to make their user experience more challenging?
All that does is introduce another kind of risk — the risk that the user will give up and go elsewhere to get what they need. I didn't have the option of going elsewhere when I needed my document from the government. The users of your online application, on the other hand, very much do have that option in most cases. It is worth thinking about how user experience can be balanced against the need to detect and mitigate fraud losses.
Here are five ways enterprises can improve their fraud detection capabilities in order to better balance fraud detection and user experience.
1. Device Intelligence
I am often surprised by how many fraud rules focus on IP addresses. As you know, IP addresses are trivial for a fraudster to change — the minute you block them from one IP address, they move on to another. The same goes for blocking entire countries or ranges of IP addresses — a proxy, VPN, or residential botnet gets a fraudster around that in minutes. Meanwhile, legitimate users share IP addresses behind corporate NAT, carrier-grade NAT, and VPNs, and change them constantly on mobile networks. Focusing on IP addresses therefore creates unreliable rules that generate a huge volume of false positives while missing the fraudster who simply rotated.
Reliable device identification, on the other hand, is entirely different. Being able to identify and track end-user sessions via their device identifiers, rather than their IP addresses, enables fraud teams to home in on the devices that are actually interacting with the application. This allows fraud teams to perform a variety of checks and analyses that leverage device identification, such as looking for known fraudster devices, looking for devices that log into a relatively high number of accounts, and other methods. Device identifiers can be reset or spoofed too, but doing so costs a fraudster far more effort than rotating an IP address, which is exactly the point.
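The following is an added example, not code from the original article, showing the difference in practice: the same velocity rule ("one source logged into five or more accounts") applied once keyed on IP address and once keyed on device identifier. The login events are constructed for the illustration; `203.0.113.10` stands in for a shared egress IP (an office or carrier NAT), and `fraud-device-A` for one fraudster device rotating through proxies. The threshold and field names are assumptions, not anything the article specifies.

```python
from collections import defaultdict

# Constructed sample login events (not real data): (account, source_ip, device_id).
# 203.0.113.10 models a shared NAT egress used by six unrelated legitimate users.
# fraud-device-A models one device logging into five victim accounts via rotating IPs.
EVENTS = [
    ("alice",   "203.0.113.10",  "dev-alice"),
    ("bob",     "203.0.113.10",  "dev-bob"),
    ("carol",   "203.0.113.10",  "dev-carol"),
    ("dave",    "203.0.113.10",  "dev-dave"),
    ("erin",    "203.0.113.10",  "dev-erin"),
    ("frank",   "203.0.113.10",  "dev-frank"),
    ("victim1", "198.51.100.7",  "fraud-device-A"),
    ("victim2", "198.51.100.88", "fraud-device-A"),
    ("victim3", "192.0.2.45",    "fraud-device-A"),
    ("victim4", "192.0.2.201",   "fraud-device-A"),
    ("victim5", "198.51.100.3",  "fraud-device-A"),
    ("grace",   "192.0.2.9",     "dev-grace"),
]

# Ground truth for the constructed data: the accounts the fraudster device touched.
FRAUD_ACCOUNTS = {"victim1", "victim2", "victim3", "victim4", "victim5"}


def accounts_per_key(events, key_index):
    """Map each value of the chosen field (1 = IP, 2 = device) to the set of accounts seen with it."""
    seen = defaultdict(set)
    for event in events:
        account = event[0]
        seen[event[key_index]].add(account)
    return seen


def ip_rule(events, threshold=5):
    """Legacy rule: flag every account whose source IP was used for >= threshold distinct accounts."""
    per_ip = accounts_per_key(events, 1)
    return {account for account, ip, _ in events if len(per_ip[ip]) >= threshold}


def device_rule(events, threshold=5):
    """Same velocity rule, keyed on the device identifier instead of the IP address."""
    per_device = accounts_per_key(events, 2)
    return {account for account, _, device in events if len(per_device[device]) >= threshold}


def evaluate(flagged, fraud_accounts=FRAUD_ACCOUNTS):
    """Return (true_positives, false_positives, missed) counts for a set of flagged accounts."""
    true_positives = len(flagged & fraud_accounts)
    false_positives = len(flagged - fraud_accounts)
    missed = len(fraud_accounts - flagged)
    return true_positives, false_positives, missed


if __name__ == "__main__":
    for name, rule in (("ip", ip_rule), ("device", device_rule)):
        flagged = rule(EVENTS)
        tp, fp, missed = evaluate(flagged)
        print(f"{name:6s} rule: flagged={sorted(flagged)} tp={tp} fp={fp} missed={missed}")
```

Run stand-alone, the IP rule flags the six NAT users and none of the victims (six false positives, five misses); the device rule flags exactly the five victim accounts. A device identifier is still only one signal and is resettable, so in production this rule would feed a score rather than block on its own.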
2. Behavioral Intelligence
It can be quite difficult to differentiate between legitimate users and fraudsters at layer 7 (the application layer) of the OSI model. Moving up to what practitioners jokingly call layer 8, the user layer (the OSI model itself stops at seven), makes that differentiation much more plausible.
In most cases, legitimate users and fraudsters behave differently within sessions. This is mainly because they have different objectives and levels of familiarity with the online application. Studying end-user behavior gives enterprises another tool they can use to more accurately differentiate between fraud and legitimate traffic.
3. Environmental Intelligence
In many cases, environmental clues (the environment being where and what the end user is coming from: the time zone, locale, and browser configuration reported by the client, whether the connection arrives through a hosting provider or anonymizing proxy, and how those compare with the account's history) exist that can help a fraud team differentiate between fraud and legitimate traffic. Having insight into and properly leveraging these environmental clues takes some investment, though it pays huge dividends when it comes to more accurately detecting fraud.
4. Known Good User Identification
As organizations get better at understanding what fraudulent traffic looks like, they also reap another benefit: They become better at identifying what good traffic and known good users look like. In other words, if I can be reasonably confident that the session in question and the end user navigating it are both good, I can be reasonably confident that I don't need to pile on tons of friction in the form of authentication requests, multifactor authentication (MFA) challenges, or otherwise. The key word is confident: that confidence should come from observed signals (a device the account has used before, a familiar environment, unremarkable behavior) and should fall away the moment those signals change, so that friction lands on the risky minority rather than on everyone.
5. Session Focus
Some teams focus somewhat myopically on transactions. That is a bit like trying to see the beauty of the ocean through a straw. True, you can see a portion of the ocean, but you miss most of it. Similarly, looking across the entirety of the end-user session, rather than at individual transactions or groups of transactions, is a great way to more accurately separate fraudulent traffic from legitimate traffic. The techniques mentioned above, along with others, all work far better with a broader, more strategic view of what is going on.
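As an added example that is not part of the original article, the code below ties the five points together: it scores a whole session using device, behavioral, environmental, and known-good signals, and uses that score to decide how much friction to apply (allow, step-up MFA, or block). It also shows the "ocean through a straw" problem directly: a transaction-only rule sees the same `add_payee` action in both sessions and gives the same answer, while the session-level view separates them. The sessions, account history, weights, and thresholds are all constructed assumptions for the illustration, not figures from the article.

```python
from dataclasses import dataclass

# Actions that a transaction-centric rule would treat as sensitive regardless of context.
SENSITIVE_ACTIONS = {"add_payee", "change_payout_details", "transfer"}


@dataclass
class Session:
    account: str
    device_id: str
    timezone: str       # time zone reported by the client (environmental signal)
    language: str       # Accept-Language / locale reported by the client (environmental signal)
    events: list        # (seconds since login, action), in order (behavioral signal)


# Constructed per-account history; assumed to be maintained by the application.
PROFILES = {
    "alice": {"known_devices": {"dev-alice"}, "timezone": "Europe/Berlin", "language": "de"},
}
# Constructed output of device intelligence: distinct accounts each device has logged into.
DEVICE_ACCOUNT_COUNTS = {"dev-alice": 1, "fraud-device-A": 5}

# Constructed sessions. GOOD: alice on her usual device, browsing before paying a new payee.
# BAD: a device seen on five accounts, foreign environment, straight to payout changes.
GOOD = Session("alice", "dev-alice", "Europe/Berlin", "de",
               [(0, "login"), (45, "view_balance"), (120, "view_statement"),
                (300, "add_payee"), (340, "transfer")])
BAD = Session("alice", "fraud-device-A", "America/New_York", "en",
              [(0, "login"), (4, "change_payout_details"), (9, "add_payee"), (12, "transfer")])
# NEW_DEVICE: alice from an unrecognized device but otherwise unremarkable; deserves a step-up, not a block.
NEW_DEVICE = Session("alice", "dev-new", "Europe/Berlin", "de", GOOD.events)


def transaction_decision(action):
    """Transaction-only rule: one action, no session context. Same answer for GOOD and BAD."""
    return "step_up" if action in SENSITIVE_ACTIONS else "allow"


def score_session(session, profiles=PROFILES, device_accounts=DEVICE_ACCOUNT_COUNTS):
    """Additive risk score over the whole session. Weights are illustrative assumptions."""
    profile = profiles[session.account]
    score, reasons = 0, []

    # 1. Device intelligence: a device spread across many accounts is a strong signal.
    if device_accounts.get(session.device_id, 0) >= 5:
        score += 50; reasons.append("device seen on many accounts")
    # 4. Known-good identification: a device the account has used before lowers risk.
    if session.device_id in profile["known_devices"]:
        score -= 20; reasons.append("known device for this account")
    else:
        score += 20; reasons.append("unrecognized device")

    # 3. Environmental intelligence: compare reported environment with the account's history.
    if session.timezone != profile["timezone"]:
        score += 15; reasons.append("timezone differs from history")
    if session.language != profile["language"]:
        score += 10; reasons.append("language differs from history")

    # 2. Behavioral intelligence: how the session moves, not just which actions it contains.
    first_sensitive = next((t for t, a in session.events if a in SENSITIVE_ACTIONS), None)
    if first_sensitive is not None and first_sensitive < 30:
        score += 25; reasons.append("sensitive action within 30s of login")
    ordinary = sum(1 for _, a in session.events if a != "login" and a not in SENSITIVE_ACTIONS)
    if first_sensitive is not None and ordinary == 0:
        score += 15; reasons.append("no ordinary navigation before sensitive action")

    return score, reasons


def decide(score):
    """Map the session score to a friction level. Thresholds are illustrative assumptions."""
    if score < 20:
        return "allow"
    if score < 70:
        return "step_up"
    return "block"


def session_decision(session):
    score, _ = score_session(session)
    return decide(score)


if __name__ == "__main__":
    print("transaction-only view of add_payee:", transaction_decision("add_payee"), "(for every session)")
    for name, s in (("GOOD", GOOD), ("NEW_DEVICE", NEW_DEVICE), ("BAD", BAD)):
        score, reasons = score_session(s)
        print(f"{name:10s} score={score:4d} -> {decide(score):8s} {reasons}")
```

The known-good path is where the user-experience gain comes from: `GOOD` ends below the allow threshold and sees no challenge at all, `NEW_DEVICE` gets a single step-up, and only `BAD` is blocked. The reasons list is deliberately returned alongside the score so that an analyst (or the user-facing message) can see which signals drove a decision.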
Reduce the Friction
Enterprises do not need to choose between effective fraud detection and ease of use. It is possible to manage and mitigate risk without introducing additional friction to your end users as they journey through your online applications. The time has come to throw out the conventional wisdom that says otherwise.