In the Battle Against Bank Fraud, The Very First Login is Critical

With fraud becoming more prevalent and sophisticated, banks are under growing pressure to beef up their digital security. It is critical that banks secure their customers' accounts from the very first login.

With fraudsters becoming ever more sophisticated — according to the Federal Trade Commission, fraud went up by 185.7% between 2020 and 2023 — banks are under growing pressure to beef up their digital security.

But while advances such as AI-assisted monitoring have enhanced early detection and prevention, they’re only one piece of the puzzle.

Just as important, banks must secure their customers’ accounts at the first login from a new device. Otherwise, they’re doing the banking equivalent of monitoring the stable without bolting the door.

Why the First Login From a New Device Matters

The first time a banking customer logs on from a new device is significant because it’s a moment banks have a lot of control over.

At that moment the bank has no prior knowledge of the device, so it cannot yet tell the customer apart from an attacker who has obtained the customer's credentials, and the customer is correspondingly more exposed to spoofing and man-in-the-middle attacks. If the process is handled well, two techniques counter these risks and lay the groundwork for strong ongoing security: fingerprinting, which recognizes the customer's device through the combination of its hardware and software attributes, and device-pairing, which binds the account to a specific device so that the app can only be used from it. One caveat a practitioner should keep in mind: a fingerprint is observable and can be copied, so it is a recognition signal, not proof of possession; pairing is only as strong as the secret the device holds and the checks that gate its enrollment.

So how are American banks approaching the process? Are they setting themselves up for success, or falling at the first hurdle?

To find out, we used our digital banking research platform FinTech Insights to evaluate the device-pairing processes of 17 legacy banks and 23 challengers in the U.S. Here’s what we discovered.

The Three Approaches to Device-pairing

We grouped our sample’s device-pairing techniques into three categories, based on how common (and how innovative) they are:

  • Tier 1 includes widely used device-pairing techniques
  • Tier 2 includes device-pairing techniques that are used by relatively few banks and challengers, but aren’t particularly innovative
  • Tier 3 device-pairing techniques are both unusual and innovative

Let’s take a deeper look at each tier.

Tier 1: Ninety-three percent of the banks and challengers in our sample require a unique username and password which the customer uses to log on to the app from their new device.

Around 70% of the banks and challengers in this tier also require the customer to take an additional step, verifying their identity with a one-time code sent via text or automated phone call. Twenty-eight percent of the banks and challengers in this tier also give customers the option of receiving the one-time code by email.

Tier 2: Two of the banks in our sample enable the customer to verify their device by clicking a one-time link sent to them.

Challenger bank Dave sends the secure link via email, while challenger bank Monzo sends it by SMS.

Tier 3: The only bank in this tier — Revolut — requires the customer to record a short video after they’ve logged on with their username and password. The customer is also sent a one-time verification code, which adds an extra layer of security.

Worldwide, only one other bank has a similar approach: EU challenger Bunq.

Is Device-pairing Functionality Up to Scratch?

Usernames, passwords, and one-time codes are popular for a reason. They’re tried and tested techniques which most customers are familiar with and comfortable using. But they’re also increasingly vulnerable to savvy fraudsters.

Generative AI in particular has made phishing and social engineering easier than ever. Infosecurity Magazine reports that, since ChatGPT’s launch in November 2022, phishing surged by a mind-boggling 4151%.

Bad habits like password reuse mean that, once a fraudster obtains one set of login credentials, they may be able to take control of multiple accounts, including email and messaging apps. And if a fraudster can read the customer's email or messages, a one-time verification code delivered over that same channel adds essentially nothing: the attacker receives it at the same time the customer does.

Secure links share the same single point of failure. If a bad actor has compromised the victim's email account or phone, they can open a one-time link just as easily as they can read a one-time code.
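To make the two preceding points concrete, here is an added example in Python; it is not code from the article or from any of the banks surveyed. It models the Tier 1 flow (username and password, then a one-time code) together with the device-pairing described earlier: the code is bound to the fingerprint of the device that requested it, is single-use and time-limited, and its only job is to gate the enrollment of a per-device key, after which logins must answer a nonce challenge with that key. The scenario at the end shows what this buys (replay, cross-device use, expiry and a copied fingerprint are all rejected) and what it does not (an attacker who controls the code's delivery channel simply requests a fresh code for their own device). The class names, the HMAC device key sent to the bank at enrollment (a stand-in for a non-exportable keystore key), the five-minute code lifetime and the fingerprint strings are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumption: a one-time code lives for five minutes


def _hash_password(password, salt):
    # PBKDF2 is enough for the demo; iteration count kept low so it runs quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Device:
    """Customer or attacker endpoint. The fingerprint is observable and can be
    copied; the key is generated on the device and never leaves it (in production
    it would be an asymmetric key in the platform keystore)."""

    def __init__(self, fingerprint):
        self.fingerprint = fingerprint
        self.key = secrets.token_bytes(32)

    def answer(self, nonce):
        return hmac.new(self.key, nonce, "sha256").digest()


class Bank:
    def __init__(self):
        self.users = {}         # username -> {"salt", "pw_hash", "devices": {fingerprint: key}}
        self.pending_otps = {}  # (username, fingerprint) -> (code, issued_at)
        self.challenges = {}    # (username, fingerprint) -> nonce

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw_hash": _hash_password(password, salt), "devices": {}}

    def _password_ok(self, username, password):
        u = self.users.get(username)
        return bool(u) and hmac.compare_digest(_hash_password(password, u["salt"]), u["pw_hash"])

    def start_pairing(self, username, password, fingerprint, now=None):
        """Tier 1 step: after the password check, issue a code keyed to the requesting
        fingerprint. In the real flow it is delivered out of band (SMS, call or email)."""
        if not self._password_ok(username, password):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otps[(username, fingerprint)] = (code, time.time() if now is None else now)
        return code

    def finish_pairing(self, username, fingerprint, code, device_key, now=None):
        """Consume the code (single use, time-limited) and bind the device key to the account."""
        entry = self.pending_otps.pop((username, fingerprint), None)  # pop: no second use
        if entry is None:
            return False
        expected, issued = entry
        if (time.time() if now is None else now) - issued > OTP_TTL_SECONDS:
            return False
        if not hmac.compare_digest(expected, code):
            return False
        self.users[username]["devices"][fingerprint] = device_key
        return True

    def challenge(self, username, fingerprint):
        """Only paired fingerprints get a nonce; the device key must answer it."""
        if fingerprint not in self.users.get(username, {}).get("devices", {}):
            return None
        nonce = secrets.token_bytes(32)
        self.challenges[(username, fingerprint)] = nonce
        return nonce

    def login(self, username, password, fingerprint, response):
        if not self._password_ok(username, password):
            return False
        nonce = self.challenges.pop((username, fingerprint), None)
        if nonce is None:
            return False
        key = self.users[username]["devices"][fingerprint]
        return hmac.compare_digest(hmac.new(key, nonce, "sha256").digest(), response)


def run_scenario():
    """Constructed scenario; returns each step's outcome so it can be checked."""
    bank, pw = Bank(), "correct horse battery staple"
    bank.register("alice", pw)
    phone = Device("ios17/iphone15/abc123")    # constructed fingerprint
    attacker = Device("win11/chrome/xyz789")   # constructed fingerprint
    out = {}
    # 1. Alice pairs her phone: password, code, then her device key.
    code = bank.start_pairing("alice", pw, phone.fingerprint, now=1_000)
    out["paired"] = bank.finish_pairing("alice", phone.fingerprint, code, phone.key, now=1_010)
    # 2. The paired phone logs in by answering a challenge.
    nonce = bank.challenge("alice", phone.fingerprint)
    out["phone_login"] = bank.login("alice", pw, phone.fingerprint, phone.answer(nonce))
    # 3. Replay of the consumed code is rejected.
    out["code_replay"] = bank.finish_pairing("alice", phone.fingerprint, code, attacker.key, now=1_020)
    # 4. A code issued for the phone cannot enroll the attacker's machine ...
    code2 = bank.start_pairing("alice", pw, phone.fingerprint, now=2_000)
    out["cross_device"] = bank.finish_pairing("alice", attacker.fingerprint, code2, attacker.key, now=2_010)
    # 5. ... nor be used after it has expired.
    out["expired"] = bank.finish_pairing("alice", phone.fingerprint, code2, attacker.key, now=2_000 + OTP_TTL_SECONDS + 1)
    # 6. Password plus a copied fingerprint earns a challenge, but not the right answer.
    nonce = bank.challenge("alice", phone.fingerprint)
    out["spoofed_fingerprint"] = bank.login("alice", pw, phone.fingerprint, attacker.answer(nonce))
    # 7. The gap the article describes: with the password and control of the delivery
    #    channel, the attacker just requests a fresh code for their own device.
    code3 = bank.start_pairing("alice", pw, attacker.fingerprint, now=3_000)
    out["channel_compromise"] = bank.finish_pairing("alice", attacker.fingerprint, code3, attacker.key, now=3_005)
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:20s} {'succeeded' if result else 'rejected'}")
```

Step 7 is the one worth dwelling on: none of the checks that defeat replay, cross-device use, expiry or fingerprint copying help once the attacker can read the channel the code arrives on, because the code then reaches the attacker's device legitimately. Closing that gap needs a factor the compromised channel does not carry, which is what the biometric or video step in the next section is for.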

From this perspective, Revolut’s video selfie seems like the safest approach. That said, the growing popularity of deepfakes — highly realistic, AI-generated synthetic video and audio — may soon put it at risk.

Fraudsters have already successfully used deepfakes in corporate settings. Early in 2024, for instance, a finance worker in Hong Kong was tricked into sending $25 million to fraudsters posing as colleagues on a video call. As the technology improves and becomes more accessible, it’s reasonable to think that fraudsters might start deploying deepfakes to trick individual consumers too.


Banks Need to Start as They Mean to Go On

If fraudsters have proven anything over the years, it’s that they’re immensely adaptable and resilient. And that means banks need to respond in kind.

Unfortunately, in device-pairing the majority of banks (and even challengers) are still behind the curve, despite having the means at their disposal to up their game. Case in point: even though 94% of the banks and challengers in our sample offer biometric login, none of them use it as part of device-pairing.

At the end of the day, no device-pairing technique will ever be 100% foolproof. But it doesn’t have to be. Fraudsters tend to go for the easiest targets. So, banks and challengers who make their device-pairing process as robust as possible could gain the edge simply by being harder to crack than their competitors are.

This article was originally published on . All content © 2024 by The Financial Brand and may not be reproduced by any means without permission.