There is no denying that the technological world is constantly evolving. Two-factor authentication (2FA) and multi-factor authentication (MFA), which came into wide use about 10 years ago, have become commonplace. The widespread use of 2FA-based solutions has resulted in a significant reduction in fraud risks and a more effective response to fraud attacks in the digital environment. If you are reading this article and planning to implement 2FA-based solutions in your online business, we can definitely say that this step will bring significant benefits to you and your customers.
Online scammers are constantly developing new methods to get their hands on customers' personal information. For this very reason, it is becoming obvious to many online businesses that implementing two-factor authentication is an integral part of improving the security of systems and user accounts. Two-factor authentication provides an additional layer of security for access to a website, application or resource by verifying the user's identity through two different factors, such as a password and a one-time code received via SMS or an application. This helps to prevent unauthorized access to accounts and protects customers' valuable personal information from online scammers.
The article will be extremely useful for those who have long mastered 2FA/MFA-based solutions. Unfortunately, online scammers are constantly developing new methods to bypass security systems, and 2FA/MFA systems are no exception. Over the past few years, we have been actively studying emerging risks related both to application fraud and to the protection of personal accounts. We have seen a large number of new threats and attacks emerge with the proliferation of 2FA-based security systems. What are these risks? We can divide them into a few groups:
- Technical fraud - synthetic accounts, social engineering, remote access, total account takeover and a number of other cases of fraud attacks;
- Social fraud - family fraud (for example, when a person applies for a loan on behalf of his or her relative), multiple accounts (multi-accounting), credit shopping and some other cases.
What are the most effective approaches to counteract these risk groups? Here are the most common and most effective methods:
- Analyse risk signals related to login or account use;
- Build a system for monitoring and reducing the number of duplicate or additional user accounts (where such accounts are not needed to provide services to the client);
- Check additionally whether login/account usage details match the previous user session, including device details and Internet connection;
- Apply risk scoring of rare events and/or signals to identify the riskiest sessions. This method is applicable where there is a risk of material losses (for example, an online credit card application process or loan applications);
- Apply 3FA+ solutions as an additional verification tool in cases of above-average risk. Possible solutions: additional questions to the user about information that should only be known to the account owner and preferably should not be associated with personal account details (for example, how many bank accounts this person has).
JuicyScore high-risk variables and markers
It is also worth noting that JuicyScore high-risk variables and markers allow you to identify additional fraud segments in conjunction with 2FA tools:
- IDX1 Stop Markers - Combination of 50+ rare events with high risk of tech fraud;
- IDX2 User Behaviour Markers - Combination of behaviour markers, including application frequency, user behaviour parameters, etc.;
- IDX3 Device Markers - A combination of secondary device risk markers, including various device parameters and device anomalies;
- IDX4 Connection Markers - Combination of secondary risk factors, consisting of various device markers and anomalies;
- Duplicating device - Repeated application from the same device within the minimum loan term according to the lender's account settings;
- Same device - Device matching with previous and current applications for associated devices and users;
- Total num of applications with browser hash in 1 hour (/ 1 / 7 / 30 days) - The total additional number of applications (for the current service subscriber or user) to a given user with the specified browser hash over the last 1 hour;
- Less tenor days - An indication of whether this application is repeated for a period shorter than the number of days specified in the previous application;
- Time on page - Duration of filling out a page, application form, etc.
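The session-matching, multi-account and browser-hash velocity checks described above can be combined into a step-up decision. The following is an added example, not JuicyScore or JuicyID code or API; the field names, thresholds and sample events are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta

# Look-back windows from the marker list; LIMITS are hypothetical thresholds.
WINDOWS = {"1h": timedelta(hours=1), "1d": timedelta(days=1),
           "7d": timedelta(days=7), "30d": timedelta(days=30)}
LIMITS = {"1h": 1, "1d": 2, "7d": 3, "30d": 5}
SESSION_FIELDS = ("device_id", "network", "country")  # hypothetical field names


def velocity(events, browser_hash, now):
    """Prior applications seen with this browser hash inside each window."""
    ages = [now - e["ts"] for e in events if e["browser_hash"] == browser_hash]
    return {name: sum(timedelta(0) <= age <= span for age in ages)
            for name, span in WINDOWS.items()}


def accounts_on_browser(events, browser_hash):
    """Distinct user accounts that applied from the same browser hash."""
    return {e["user"] for e in events if e["browser_hash"] == browser_hash}


def session_mismatches(previous, current):
    """Session details that differ from the user's previous session."""
    return [f for f in SESSION_FIELDS if previous.get(f) != current.get(f)]


def decide(events, previous, current, now):
    """Return ('allow' | 'step_up' | 'review', list of triggered signals)."""
    counts = velocity(events, current["browser_hash"], now)
    signals = [f"velocity_{w}" for w in WINDOWS if counts[w] > LIMITS[w]]
    if len(accounts_on_browser(events, current["browser_hash"])) > 1:
        signals.append("multi_account")
    signals += [f"changed_{f}" for f in session_mismatches(previous, current)]
    action = "allow" if not signals else "step_up" if len(signals) < 3 else "review"
    return action, signals


# Constructed sample data: prior applications keyed by browser hash.
NOW = datetime(2024, 1, 10, 12, 0)
EVENTS = [
    {"user": "u1", "browser_hash": "bh-A", "ts": NOW - timedelta(minutes=20)},
    {"user": "u2", "browser_hash": "bh-A", "ts": NOW - timedelta(minutes=50)},
    {"user": "u1", "browser_hash": "bh-A", "ts": NOW - timedelta(days=3)},
    {"user": "u3", "browser_hash": "bh-B", "ts": NOW - timedelta(days=2)},
]
PREV = {"device_id": "d1", "network": "isp-1", "country": "ES"}
CUR = {"device_id": "d1", "network": "isp-2", "country": "ES", "browser_hash": "bh-A"}

if __name__ == "__main__":
    print(decide(EVENTS, PREV, CUR, NOW))
```

A "step_up" result is where an additional verification question of the kind listed above would be asked; "review" routes the session to manual or automated filtering.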
What results can be achieved after implementing additional protection as part of 2FA?
Implementation of solutions based on JuicyID to enhance the protection of personal accounts not only reduces the risk of fraud, but also increases the economic efficiency of online businesses by reducing operational and credit losses.
JuicyID is a lightweight version of JuicyScore. The product is designed to protect accounts in online services. Its main feature is a high response speed.
The Device ID, which is returned in the response, is one of the most stable and sustainable digital fingerprints on the market. It also has a data vector of 100 attributes, which allows you to build various rules for preventing the risk of fraud and spotting shady behaviour of a virtual user, while maintaining the balance of payback for investments.
Stop markers allow you to identify segments of high-risk applications at early stages of application filtering: JuicyID vector variables reduce the level of social fraud risk in the flow, while the IDX1 - IDX4 indexes can be used to build credit scoring models for applications that have successfully passed all pre-filtration stages. These models help to identify both segments with a high risk of default, for automatic filtering, and low-risk segments, in order to increase approval rates.
JuicyID is the optimal solution for protecting user personal accounts, especially if a physical user is not tied to one virtual personal account. JuicyID can also be of great use in spotting cases of multi-accounting, as well as any cases of using multiple sets of personal data for shady purposes.
This is just the first introductory article devoted to our research into the use of 2FA solutions for risk management in general and account protection in particular. We will shed some light on other aspects of the use of 2FA solutions in the future.