- Blog
- Fighting ATOs with next generation device recognition
Fighting ATOs with next generation device recognition
In a webinar with About Fraud, industry experts delve into the role and potential of location behavior in combating fraud, particularly in the financial sector. Keep reading to get a recap of the insights shared by the panelists.
Subscribe to the Incognia Newsletter
Account takeover (ATO) fraud is one of the most significant concerns facing financial institutions today. The financial sector is one of the biggest targets for ATO attacks, and the financial damage from each successful ATO is around $12,000 on average.
Recently, Incognia’s CRO John Lindner presented a webinar with Anand Bajoria, Product Director at Varo Bank, in which they discussed topics like the prevalence and impact of ATOs, what makes these attacks hard to prevent, and the potential of location behavior as an additional layer of security in the fight against ATOs. The session was hosted by Ronald Praetsch, co-founder of About Fraud.
Watch the full webinar below or read the summary of the main points made during the talk, along with the full transcript of the session.
The Challenge of Account Takeovers (ATOs) in Financial Services
In the first section of the webinar, John provided some background for the ATO problem and its prevalence. He presented alarming statistics that underscored the severity of ATO attacks, emphasizing that ATOs are a persistent and growing concern for financial institutions.
Here are just a few of the key points John brought up about these attacks:
1. The Prevalence of ATOs
John revealed that more than 20% of individuals in the United States have fallen victim to ATOs. ATOs are not exclusive to financial services, but these services are particularly attractive to fraudsters due to the substantial financial assets involved.
2. Targeting Bank Accounts
A remarkable 32% of all ATOs specifically target bank accounts. A significant portion of login attempts across the web, approximately 15%, are ATO attempts. These attacks can be automated or manual, making them potentially very scalable.
3. Average Loss and Implications
The financial implications of ATOs are substantial, with an average loss of $12,000 per ATO incident. When fraudsters gain access to financial accounts, they can also potentially access sensitive personal data, including identity information, email addresses, and phone numbers. This stolen data can be used for various fraudulent purposes, such as opening new accounts, adding to the challenges faced by victims.
4. Long-Term Impact
Fraudsters often play the long game, accumulating identity data over time to exploit it further. Victims of ATOs face a stressful and challenging recovery process, as they must prove their identity to the financial institution and regain control of the account, which can be a time-consuming ordeal.
5. Reputation and Churn
Financial institutions are concerned about the reputational damage caused by ATOs. Negative word-of-mouth and viral discussions can impact their image. Additionally, ATO victims may choose to switch to another financial institution due to the stressful experience, given the low barriers to changing banks in the digital age.
6. Recovery Costs
In addition to financial losses and reputational damage, there are internal costs for financial institutions to recover from ATO incidents, including time invested restoring accounts and providing customer support.
The question of why ATOs continue to rise and why no catchall solution has been found yet was posed, setting the stage for further insights from Anand.
In his response, Anand highlighted a few challenges faced by financial institutions in addressing ATOs:
1. Evolving Fraudster Tactics
Fraudsters have continually improved their tactics, including sophisticated social engineering scams that deceive customers into sharing their credentials.
2. Phishing and Promotional Scams
Fraudsters often impersonate legitimate promotional campaigns, creating phishing scams that exploit unsuspecting users during events like holidays.
3. Device Changes and Proliferation
Frequent device upgrades and an increasing number of devices per user pose challenges for ATO prevention.
Balancing Security and Customer Expectations in the Fight Against ATOs
In the next section of the webinar, Ronald and the panelists discussed the challenges of balancing security and customer expectations in the ongoing battle against account takeovers within the financial services industry.
Ronald acknowledged that there are various aspects to consider in addressing ATOs, including topics like One-Time Passwords (OTPs) and the ongoing debate about the most acceptable level of friction in authentication methods. Many companies are still using OTPs despite ongoing discussions about their effectiveness.
The financial industry also faces constraints related to internal resources, priorities, and regulations. These constraints can make it challenging for financial institutions to keep pace with the evolving tactics of fraudsters, who do not face the same limitations.
Fraudsters also don’t have a customer base to please, unlike banks and other financial institutions. The discussion emphasized that customer expectations for a seamless experience continue to rise, and the ease of switching between financial providers has created a dynamic where even one poor customer experience can result in customers jumping ship to another provider.
Anand shared further insights into the evolving expectations of customers, emphasizing the importance of finding a balance between perceived security and frictionless customer experience. Passive signals that can operate “behind the scenes,” of what the customer sees, such as location data and biometrics, are crucial in achieving this balance.
Another aspect of avoiding customer frustration and potential loss is minimizing false positives and allowing customers to access their accounts with minimal friction, especially when dealing with the digital natives of Gen Z, who are much more willing to give permissions for locations and biometrics but who also expect greater convenience and ease-of-use in return.
In the tightrope walk between strict security and easy customer experience, John pointed out the pitfalls of overengineering security measures, resulting in high abandonment rates and false positives. Striking the right balance is a continuous challenge, and no single solution can fully address ATOs. John also mentioned the importance of MFA and its relevance in the current landscape. He emphasized that there is no silver bullet to combat ATOs, and that it requires a combination of solutions and a continuous effort to stay ahead of fraudsters.
Enhancing Device Recognition with Location Behavior
On the topic of multi-layered security and its importance in safeguarding against account takeover attempts, location behavior came up as one powerful signal to help companies assess risk and make decisions. Here are a few of the talking points panelists outlined when it comes to location technology for ATO prevention:
-
Challenges of Legacy Solutions: John explained that changes in privacy policies, operating systems, and browsers by companies like Apple and Google have deprecated the effectiveness of legacy solutions like device fingerprinting. Fraudsters can circumvent these defenses by wiping or factory resetting devices to make them appear like new, unique users.
-
The Role of Location: Location behavior has emerged as a valuable factor in device recognition. The uniqueness of how individuals move and interact with different places creates a pattern that is difficult for fraudsters to replicate. Combining device fingerprinting with location data can lead to more robust identity-to-device binding.
-
Pseudo-Anonymity: Incognia's approach emphasizes pseudo-anonymity, ensuring privacy and compliance with regulations like GDPR and CCPA. The technology captures location data from user devices without knowing the exact identity of the user.
-
Location as a Watchlist: Location behavior can be used to create a location watchlist, identifying fraudulent activities originating from specific locations. This is particularly valuable when fraudsters operate from a common location, such as with organized fraud rings.
-
Combating Spoofing: Location data like the kind collected by Incognia is challenging for fraudsters to spoof, as it requires replicating a complex signal environment associated with a specific location, making it a secure authentication factor.
-
User Opt-In: Location data is opt-in, and users typically trust their financial institutions to enhance security. If a user disables location sharing for their device or app, the system can still use the last known information for some level of risk assessment.
-
Buy vs. Build: The decision to build location-based solutions in-house or opt for third-party services depends on factors such as flexibility, costs, and technical expertise. Anand mentioned that earlier in his career, building in-house was more common due to the limited availability of third-party options.
-
Ecosystem and Complex Systems: Ronald highlighted the relevance of location behavior in various sectors, not just finance, and pointed out that a complex ecosystem, such as food delivery, faces similar fraud challenges to those in the financial sector.
-
Risks of Disabling Location Sharing: The discussion addressed scenarios in which users disable location sharing. John and Anand emphasized that while disabling location sharing could be interpreted as a red flag, the response depends on the financial institution's risk tolerance. It could result in reduced functionality, transaction restrictions, or additional authentication challenges, rather than outright blocking access to affected users.
In summary, this section focused on the importance of location behavior as an additional layer for enhancing device recognition in the fight against ATOs. The discussion highlighted how it complements traditional device fingerprinting, provides an extra security layer, and addresses the challenge of fraudster tactics in a dynamic landscape.
The panelists emphasized that location behavior is opt-in, respects user privacy, and can significantly improve risk management in the financial industry. The decision to buy or build such solutions depends on the organization's specific needs, risk appetite, and resources.
Future of Location Behavior and Concluding Remarks
In this final section of the webinar, the panelists discussed the future of location behavior and provided concluding remarks.
John Lindner shared insights into the future development of location behavior technology. Incognia recently introduced a web solution, expanding beyond native mobile apps. The company roadmap includes exploring new channels and devices. For example, Incognia is considering location-based solutions for living room devices, like smart TVs. The Internet of Things (IoT) movement is another area where location behavior and device intelligence can play a crucial role.
Expanding the use of location data beyond fraud prevention, Ronald mentioned the potential to leverage this data for other services and revenue streams. For example, location-based offers or promotions can be triggered to enhance user experience and generate additional revenue.
Anand emphasized the significance of location behavior in the financial industry and its role in enhancing security while delivering a safer customer experience. John highlighted the uniqueness and strength of location behavior as a signal and its individualistic nature, which makes it particularly effective for trust and risk use cases.
Location behavior is not just an emerging trend but a potent tool in the arsenal against fraud, especially in the financial industry. Its application extends beyond identifying fraudulent activities to enhancing customer experience, generating additional revenue, and building trust. As our panelists emphasized, the future holds much promise for location behavior technology as it expands into new channels and devices.
This discussion highlighted the need for industries to consider this technology as part of their security and risk management strategies. As we navigate an increasingly digital world, the importance of maintaining security while respecting user privacy cannot be overstated. Location behavior contributes significantly to this balance, marking an exciting frontier in fraud prevention and beyond.
Readers interested in the full webinar can watch it here or read the full transcript below:
Ronald Praetsch: Hi everybody. My name is Ronald. I'm the co-founder of About Fraud. And I'm the host of this webinar today. Before we go into all the details about what we are talking about today and who’s actually joining this panel, I would like to address one housekeeping rule. The only housekeeping rule which we have is please be active.
So on the right hand side, you can see a chat box and we already can see two comments. Please use this chat box for any kind of questions which you have, or comments, or any other thoughts which you might have around this topic. Again, the idea is we want to keep this as lively and entertaining as possible.
So what are we talking about today? Today, we talk about ATOs, especially in the financial services space. We know that a lot of customers from financial services are under attack and the number of attacks are growing every day. And on the other side, we know that many companies have the goal of being frictionless.
They want to provide a good customer experience. They really have the kind of balancing act between having a good experience but also being secure. And that's going to be the topic of today and how we're going to help financial services with better device recognition, device fingerprint, location data.
We're going to find an interesting mix today of how we can help companies to really protect and fight against ATOs. But again, we need to have good people and today we have John and Anand joining us, who actually have been around for a long time in the industry and have a great background to really give insights, give stories challenging this topic and hopefully provide a good perspective for the audience.
So, Anand, the stage is yours to give an update or insight or perspective. Who are you? What have you done so far? And yeah, again, thanks for joining.
Anand Bajoria: Thank you so much, Ronald. Hi, everyone. This is Anand here. I have been in the fintech space for a long, long time. Currently, I work at Varo Bank and I had the opportunity to develop world class fraud platforms and solutions that actually enabled trust and health of our customers.
Prior to that, I played. I was with Western Union and I played various different leadership roles. I worked very, very closely with the identity and fraud prevention space across the globe in Europe, North America, South America and Asia. Really, really a global and a unique opportunity just to add a small disclaimer here just to ensure I have a job after this call.
I'm here to present my own thoughts that I've learned over the years gathered along with my body fat over the years, and I'm not in any official capacity from my Varo Bank.
Ronald Praetsch: Thank you for being here, John, your turn.
John Lindner: Hi everybody. My name's John Lindner and I'm the chief revenue officer at a company called Incognia headquartered in San Jose, California.
I've been with incognia now for over three years. But I've been in the digital identity and fraud risk management industry for over 10 years. Prior to Incognia, I was with an email authentication company where we help customers protect their users from email impersonation scams and before that, I led North American sales at a company called ThreatMetrix for over 5 years.
Through the acquisition of a company called LexisNexis Risk Solutions. I'm a serial entrepreneur. I've done about at least 10 startups. So, excited to have this conversation with you all today.
Ronald Praetsch: Thanks, John, for being here today. Perfect. So now everybody knows who's the panel for today, and you can see we have some great experts, who hopefully can share a lot of good insights and perspectives with all the experience which they have.
We have here a short outline about what we are going to talk about. Again, we talk about ATO. We talk about what customers expect nowadays, as already mentioned in the beginning. But also trying to understand again, a lot of companies know device fingerprint is important, device recognition.
There are some good and bad points, some challenges. And actually, what's the next level? And so that's the agenda for today. And again, if you have questions, let us know. We're trying to incorporate your questions straight away. But otherwise, let's kick it off to really understand what is ATO and how big is the problem.
Maybe that's a good point for John to kick this off, like to build a foundation. Is this really a big issue for financial services or what's all about ATOs?
John Lindner: Yeah, I'm sharing in this slide some statistics that are pretty revealing. Account takeovers are still very significant problem for financial services companies.
More than 20 percent of us in the U. S. have been victims of account takeovers, which is when somebody is able to get your credentials and log in, if you will, to your account. It doesn't just happen in financial services, although because financial services where most of the money is, it's still a very big target.
So 30, over 32% of account takeovers target your bank account to this day. And about 15 percent of login attempts based on statistics gathered across the web are ATO attempts. Some of these are automated, some of these are manual. But as you can see here, it's a very big vector as—someone just commented on the webinar that it's their biggest loss vector.
So it's an area where banks and other FIs are constantly looking to shore up their defenses. But to your point earlier, Ronald, not introduce so much friction. That it’s a pleasant experience.
To give you a little bit more background on the landscape of ATOs. The average loss from an account takeover of a financial account is twelve thousand dollars, so it's very material as you can imagine once a fraudster gets into your financial services account. They have access to very sensitive data like identity data you may have stored, email address, their phone numbers, other information. So that creates a whole nother suite of problems. Fraudsters are very patient people.
They play the long game sometimes. They might use that identity data down the line to build up a portfolio on your profile and use it for other purposes like opening new accounts at a bank as an example. It's a very stressful process for anyone that's been through an account takeover. They can tell you that it's very unpleasant and very difficult to recover from.
You have to prove to the institution that you, in fact, are the account holder, because now someone else technically owns that, so it can be a very difficult period of time. And it can also take some time to get through it. As we talk to our customers, our financial institution customers, they're obviously concerned about reputational damage.
People talk and if these ATOs are happening at any kind of scale, it can go viral even, in some cases. I can give you an example where at one point there was a ride sharing company that had a huge account takeover issue. But people were talking online, they thought it was a breach because so many of their accounts had been taken over now.
It was probably the result of a breach, but a breach somewhere else, because there's no shortage of those. And typically that's what feeds these account takeovers, right? The fraudsters get these credentials, people reuse passwords, and they come and they'll test those passwords and come back and do their damage.
The other concern financial customers have is churn. Unlike, let's say, porting your health care records from one provider to another, which, by the way, is extremely painful, changing your bank isn't. Changing your bank is really easy. It's a click of a button. The barrier to entry is very low. So, if you're a victim or one of your customers is a victim of account takeover, there's a very high likelihood that that could create enough stress for them that they might want to move their money somewhere else.
And then there's also just the cost for the bank or the credit union or the fintech of recovering. You have to restore the account. There's a lot of customer support, I'm sure Anand can speak with a lot more authority about what is entailed in that process, but there's real internal costs in addition to some of these other damages that I've mentioned.
Ronald Praetsch: I think the important point is, John, the 12k, which we talk about on top, most likely doesn't include all the points which we have below. So at the end, the full impact of the ATO is potentially much more than 12, 000.
John Lindner: That's a good point.
Ronald Praetsch: I think we have one more slide. Isn't it around this topic? Okay, and that's a direction for Anand. Anand, we talk about ATOs for years already and it looks like no one has the magic bullet to solve ATOs from your side.
Anand, what do you think are the main challenges for financial institutions to really stop ATOs or what actually is really hard? I mean, why is no one stopping it, or why is the number of attacks growing? I think maybe it's a good point from your side to give a bit of perspective, how you see the world.
Anand Bajoria: Yeah, I think over the years what we have learned or what you've seen is some of the fraudsters have really, really upped their game. For example, social engineering scams are at another level today, right? Then they were four or five years ago. The fraudsters reach out to the customers pretending to be an FI and they do it in such a way that customers actually trust them.
We find all the time customers actually giving away their credentials, their SMS, OTP, and things like that to the fraudsters, right? So that's a big challenge. Then phishing and promotional scams. I can give an example some time ago, very long back.
I cannot disclose more details, but way long back, especially during the holiday seasons when companies run promotions on certain social channels, that is when these fraudsters actually just mimic the legitimate promotional campaigns that are going on and they pretend, “Hey, you've won a lottery or you've won this campaign,” and they try to steal the credentials.
We also see a lot of frequent change in devices. So about every 2, 2. 5 years, almost 50 percent of the population will actually change or upgrade their devices. We also see an increase in the number of devices, like almost three devices per user. Some cohorts have even seven plus. So any fraud solution or ATO solution that you want to bring has to ensure that the actual customer itself has a very, very little participation, so they don't give away any credentials.
They don't give away any OTP or any kind of other verification methods. So we have to exclude the customer itself, right? So the customer has very, very minimal participation and some of the things that we see fraudsters actually do after they're successfully taken over an account. First thing they do is they try to drain their account.
This is about 70, 80% of the cases, right? We also see a lot of money laundering, muling, that they have. And once they get over and they've drained the account, they try to further fraud by reaching out to your recipients and your network in the customer's account. Right? And they also try to monetize by selling the accounts and PII over the Darknet.
Ronald Praetsch: It's like a number of areas that are growing. And you also mentioned a few. Other let's say topics like OTP. I think that's a whole nother discussion about OTPs or not. I think that another big topic about friction, no friction, is OTP the right thing. A lot of people discuss, “We should go away from OTP,” but still a lot of companies are using it.
So there's a whole ecosystem of topics which makes it challenging for any financial institution to run as fast as the fraudsters do this. I think that's an important point. We are having a lot of constraints internally with resources, priorities, and regulations, but the fraudsters don't have this.
That's why it's always, or in many areas, always a step ahead. Maybe a question to John, if anything to add from your side, regarding the challenges for the FIs from your experience.
John Lindner: Yeah, very, very consistent with what Anand shared. I'd say we're seeing identical patterns for sure.
Ronald Praetsch: Perfect. And you already mentioned before that a lot of banks, FIs have the challenge of being secure and being ahead of the fraudster, but on the other side, the expectation of customers is increasing all the time. And John made a statement before that changing your bank, your bank account, your trading account, your saving accounts or whatnot, it's not difficult.
So if a customer has a bad experience or something doesn't go as expected, they might just jump to another provider, and there are many providers on the market today. Anand from your side, how are you prioritizing this in your fraud strategy? Because that's also often a challenge.
You have a fraud team or a risk team with certain goals. But then you have another team who's in charge of onboarding many customers, having many transactions, and really looking more on the business side. So, how are you going to combine this internally?
Anand Bajoria: Yeah, some of the customer expectations that are evolving is—one is perceived security, right?
Now, SMS, OTP may not be—it's obsolete, in terms of ATO checks and things like that. But whenever there is a change in a behavior from the customer, like a device or a different country, and you kind of notify and you kind of interject them, that actually enables trust for the FI with the customer, so perceived security is something, which is critical and it has to be done with very, very minimal friction as well.
Second thing we notice is that most of our customers are on mobile apps, right? Less use of the desktop and other platforms. And that also leads to a very, very low attention span time. And that means your solution to interject a customer has to be very, very seamless.
Most of the time it has to be behind the scenes, right? We also see Gen Z actually are more open to sharing their PII information than the earlier generations, right? Such as giving permissions to locations, biometrics, and things like that. So what this also means is that this is also available for fraudsters now.
Some of this location data, some of this biometrics data is also open to fraudsters. So any solution that is coming together has to take that into account. And as I was saying earlier at any challenge you put in the face of the customer, you immediately see like a 10, 15% drop offs and, eventually, not being able to access your account at what time you want leads to a lot of customer loss.
Ronald Praetsch: Anand is really presenting this from an FI point of view, which is fantastic, but also, John, you talked to a lot of companies and you have been in this area for a while. So do you see it's similar to that?
Potentially, if eyes are more looking into how to really create this kind of frictionless experience and maybe even lowering some barriers to have this good experience, or do you think it's the other way around right now to really try to protect themselves?
John Lindner: Yeah, it's a great question. I'll kind of focus on the 2nd point 1st, and that is most users want the same kind of frictionless experience that they have in other industries like social media, or, you know, logging into their email.
They assume security, they assume banks and FIs are doing everything within their power to protect them and protect their accounts. They want their cake and they want to eat it too.
I also wanted to share this data insight survey result they did last year where the most important consumer criteria for online banking was ease of use and behind the scenes fraud prevention and security. That is exactly what we're hearing from these banks there. They're looking for almost, let's call them passive signals, that are behind the scenes that consumers don't have to interact with.
I've actually heard a statistic quite a bit higher than Anand's where almost a third of login attempts were abandoned when faced with the challenge by consumers. Now, some of those were probably fraudsters as well, but a large percentage of those are just good customers and that's an extremely high insult rate when you think about it.
Again, you know, as Anand said on his last slide, the Gen Z's are more than happy to pivot and move their money with a couple of clicks if they don't like the way they're being treated.
We had a customer that shared with us that they were using over a dozen different risk tools and had essentially overengineered their authentication process and they were seeing extremely high abandonment rates due to this friction. They're in the process of whittling that down to a handful of core signals.
But that's just another example where every day we're talking to FIs that are facing this challenge and it's a puzzle. It's not an easy one for sure.
Ronald Praetsch: Maybe that's the friction in the fraud team having so much data. I mean, we talk about the frictional consumer side. But, you know, a lot of providers, a lot of solutions provide a ton of data and combining this data and making sense out of the data is not always easy.
And especially if you need to adjust certain thresholds or pivoting your machine learning model to use the data in the right way. So that's maybe an internal friction for the fraud teams dealing with all this. The data that's coming in, but that's maybe a good point for Anand to get your perspective for this and also trying to be very operational.
So Anand from your side, when looking about ATOs today, how would you give advice to someone looking into this webinar right now? How could someone understand how big the issue is, for, say, a company? Is there any kind of KPI or any kind of advice which you could give to measure, or to somehow classify how big the topic is? At the end, you need to have a budget, you might need to go to a boss or someone who's holding the budget to get approval for any kind of resources or technology, but often they won't understand. How big is the problem?
Anand Bajoria: Sure. A couple of things to consider. One is, companies need to find the right balance between perceived security and frictionless customer experience and mostly behind the scenes kind of passive signals to do your ATO.
That is very, very important to find the right balance, else you may overengineer and you may lose your customers, or you may actually loosen up and have a lot of fraud. Second thing is, I think in terms of, how in the past, we have actually kind of managed these challenges, just having one method or one solution is not really enough, right?
Popular [method] being device fingerprinting. It has its own challenges, right? Apple and Google are tightening up. They're sharing less and less device data. Device ID is not universal as well. So a successful ATO strategy has to actually include other methods, such as biometrics and location and be passive as much as possible.
And very, very critical because, as John pointed out, right, Gen Z will switch the moment you put friction in the path that they don't like, so minimizing your false positives in this area and them being able to access their account is very, very critical as you will see a much, much higher customer loss.
I think finding the balance and all your checks are almost passive behind the scenes without even the customer knowing you're doing a check on the screen is super critical for a successful ATO strategy.
Ronald Praetsch: Again, back to John, trying to understand, do you know any kind of pitfalls that a company may be stepping in or maybe again, swinging too wide left or right on a specific topic? But also I would like to maybe add a second point, John, I mean, you have been in this topic for a long time and we have on the right hand side, an interesting comment or question from Ben.
He makes a statement that we mentioned before, OTPs. We know it's a big topic and maybe not a golden bullet, but you also mentioned the MFA, so the multi-factor authentication. Maybe once we're done with this part, maybe you can also give one or two comments from your perspective to this question, so that would be good.
John Lindner: Yeah, first of all, your first question about the pitfalls, I think I talked a little bit about that earlier and sharing an anecdote from one customer where they were way too far on the strict side, they were too tight and their false positives went through the roof, their abandonment went through the roof.
Conversely, if you're too lenient and you just want to be the best experience without having the right safeguards in place, you're going to see account takeovers and other related fraud spikes. It's a perpetual balancing act.
As the landscape evolves, banks will set thresholds. The fraudsters will test for those thresholds and they'll stay under the radar. They're using automation, you know, we've heard a lot about generative AI and some of the challenges that are facing or creating for things like biometrics.
To your point, there's really no silver bullet. You have to use a combination or layers in order to stay one step ahead of these guys. And, you know, there's a lot of job security in Anand’s space because of it. But going to the question, yeah, I think there’ll always be a human element to it.
We have our own opinion. I'll talk in a moment about how we see the landscape and how our customers are addressing it, but with things like social engineering scams, it's a tricky one, right? Because, you know, Anand talked about it earlier where the fraudster is now directing me on my device to do something that I shouldn't be doing.
There're different types of behavioral signals that you can use, the bank can use to understand, like, “Gosh, John's never really made that many transactions in that period of time, or moved that large sum of money into a new account, et cetera,” But short of that, it's a little bit tricky because it is the good user, and it they're using a trusted device from their location.
It's an ongoing battle and we have to just continue to evolve and innovate and deliver new solutions.
Ronald Praetsch: But I think now we built a good foundation about what ATO is about, what are the challenges, but then looking back at our title, we actually talk about device recognition and the next level.
But before we come to the next stage or what we could add, I think it's also important to reflect that a lot of companies today will use one way or different ways of recognizing a device. Many companies will use any kind of device fingerprint technology, or maybe even using IP data. I would like to ask John before you go into what is next, what is really the next level?
Maybe giving a bit more perspective from your side, how this industry moved. I mean, you have a great background. You are part of the story at the end before our company. But also understanding why a new generation is needed? So what is the challenge today? Why do you actually with Incognia build another layer to make device recognition even better?
John Lindner: Yeah, that's a great question. I think what's happened and Anand actually sort of mentioned this a moment ago that, you know, Apple and Google, they're making updates to their privacy policies, operating systems and browsers, and that's deprecated the effectiveness of what I'll call legacy solutions like device fingerprinting.
There's a strong need in the market, based on the conversations we have every day, for stronger device fingerprinting, for example. Fraudsters are defeating these defenses by wiping a device, or even factory resetting a device so they appear as a new device. So if you're using things like negative device watch lists, they're ineffective because that's a new device.
It's not on your watch list. So by combining what we call location fingerprinting with device fingerprinting, FIs can get a much stronger and more resilient binding of identities to devices. Turns out that the places that we visit have unique signal environments associated with them, and they identify us, and we do this, by the way, pseudo-anonymously, we anonymize all this location data, so we don't actually know where you are, we just know that that is either a trusted location or a location that you frequent based on the signals that we use. I'll give you an example.
When Incognia detects fraudulent behavior from a location, we can block all subsequent activity from that one location. So, if a fraudster, like, let's say they've set up some fraud farm, and they've got 50 devices running in a single location, we can detect all the transactions that are originating from that 1 known bad location without having to wait for each individual device to exhibit bad behavior.
So essentially think of it as a location watch list. Obviously we have to be very good at understanding that the device, the data coming from that device can be trusted. So, you know, we do a very, very thorough job of detecting things like app tampering, not just root and jailbreak, but other sophisticated instrumentation techniques that the fraudsters are employing to hide or obfuscate their location.
We do this at an apartment level precision. I like to say this is not your grandfather's geolocation solution. If you use what I'll call legacy geolocation signals like IP address and GPS, which are easily spoofable, you'll have to block an entire building. So let's say I'm operating those 50 devices from one apartment in a tower, using an IP address for geolocation or GPS, I would have to block that entire building.
Whereas the way we create these little location fingerprints at an apartment level, we can just block the signal environment, if you will, within that greater building, because those are all potential customers too, of ours. The inverse is also true for good users.
Anand also mentioned this. They get new devices every couple of years and they have multiple devices. So you need technology that can quickly recognize that those are the same users and location is a great way to do that. We have a capability we call trusted location that learns very quickly your behavior, your location behavior, because you go home, you go to your office or you go to other nearby locations, even when you travel, we can do things like velocity checks and reasonable travel.
So you don't, you can remove friction, the amount of friction or completely remove friction depends on your appetite for risk when you see a new device from a known good location.
So those are some of the things that our customers are taking advantage of, to balance out the fraud versus friction challenge.
Ronald Praetsch: Based on your information, John, we got in a couple of questions and I would like to pick the question from Sandra, who maybe needs a bit more perspective about the apartment example.
Maybe you can give some examples, John, about the kind of data, the data points, which we actually include in defining this apartment or a trusted location. I think that's like the big difference in how this kind of old technology was defining location.
John Lindner: It's a really good question. I guess the best way to explain it is, we all have one of these with us 24/7. It's never more than two feet away, right?
So we will have a small SDK on that device and that SDK essentially taps into the different location signals that that device has access to. So if you think about it right now, where each of us are sitting on this call, we're probably connected to a Wi Fi network. If you did a scan of available WiFi networks in this area, you would see probably six or seven, where I’m sitting anyway, in different relative signal strengths.
There's GPS coordinates associated with this location. If I move to the other side of my apartment or house, those single strengths might vary. So that, as you can imagine, creates an extremely precise location footprint for that location.
That's a single location. We do that with every location that a user visits and other users visit. We can also borrow from our consortium of over 200 million devices. So, if we've already learned or mapped that location, we take advantage of that and say, yeah, we know that's a trusted location for that device as well.
The other thing that approach makes extremely difficult is spoofing that location, because if you can imagine to replicate the signal environment where I'm sitting or where you're sitting right now would be nearly impossible, you'd have to get into my house and you'd have to connect to my network and all those other things.
So, that's how we do it. We can take advantage of legacy technology like IP as well as GPS, we use that sparingly, but because they're so coarse grain and high level, they're not good for this precise approach, which is what we've been discussing.
Ronald Praetsch: Thanks, John, for giving these insights, but I would like to take one more question on this topic.
Because Anand also mentioned we have a lot of Apple and Android devices and privacy is more or less important for each company. So what is happening if I disable any kind of location information on my phone or for the app, which I'm using, can you still get something out of this or you're blind completely?
John Lindner: This is all opt in. So we're GDPR compliant. We're CCPA compliant. That's part of the process. So I'd say, you know, not sharing your location for trust reasons or fraud prevention reasons could be interpreted as a signal in and of itself. Most people trust their bank and want their bank to keep them secure as we've been discussing throughout this webinar.
We see a very high opt in rate, but, what we would do is essentially use the last known information. We still have the device intelligence that we capture as well. So if it is a clean device that's not sharing location for whatever reason at that moment, again, it's up to the risk appetite of the FI.
They might elect to let them browse in their account, but not perform any transactions or they might challenge them. It really varies.
Ronald Praetsch: And now the question to Anand, I mean, now we have seen an interesting perspective from John about another layer to enhance the device recognition, but, Anand, how useful is this for you today, or do you have any experience using such technology, or what do you think is the best use case to get started in learning about how location behavior could be leveraged in the best way?
Anand Bajoria: I think location is becoming more and more critical as part of your ATO stack, right? As I said, device ID has its own challenges, location has its own challenges, but together they actually play a very, very significant role and they can be actually transforming for your KPIs for your organization. I had the opportunity actually to work and build this in the past, some kind of location fingerprinting, and that has actually helped clear a lot of false positives that we had and also on the prevention side a lot of fraud loss as well. Because it's very unique, right?
If you just take a pattern of human behavior, you know, the way they move around, and it kind of creates its own unique sauce and recipe there, and it becomes very difficult for someone to actually spoof or replicate that kind of behavior. So it becomes a very, very unique sauce. Our recipe for us to verify and say, “Hey, this is John there who’s doing this transaction,” or “It’s not John there, somebody else is doing the transaction.”
It's a very, very important tool. I think one other KPI we manage is reducing costs. So this actually plays a role, because it's not like the fraud team has all the money in the world to go after just building solutions.
You also have to do it in a very cost effective way. So, it also helps in reducing our costs a lot. And I think location is here to stay in the future. And I think more and more companies would add it in their ATO strategy.
Ronald Praetsch: Good points, but also you mentioned something about costs, and we know a lot of companies, especially the bigger ones, or let's say the tech companies always make the decision of, do I build this in house or do I trust the third party and implement the tech faster?
Do you have any experience, Anand, from your side, looking at this topic? Would it even make sense to build this in house or would you just say not doing this at all? Did you ever try to build something like this to outsmart any third party who was doing this?
Anand Bajoria: My experience back then, I think we didn't have many third parties. It was very new in the industry, right? So we have been, depending upon company to company, it's always buy versus build.
You know, what makes the solution depending upon the flexibility that the company has or the product gives with a third party or what do you want, and also the cost of maintenance, right, becomes very, very key. Important key in the buy versus build. But back then, I wish Incognia was there so we could have actually just gone ahead and integrated.
But, we had to build and building always comes with its own challenges, own pain points, right? Some of the things are technically not very easy. For example, location spoofing is so common on Android, right? If you are in the food delivery business, that's a big scam in the food delivery business, right? So it becomes very, very critical.
Ronald Praetsch: Perfect. Before we go into more questions, I would like to share and hand out for the audience, actually, there's an inside report created together. Which actually was about Incognia, about the innovative approach which they have. So you can now see a pop up where you can actually download this report.
Again, it's just more information, more insights, about what is really behind the scenes. And the second point, again, we have many financial institutions in this call right now. That’s also a short document, which gives a bit more perspective about how this service or how this technology can be used, especially for financial services.
Again, we always talk now a few times about food delivery. It's also quite a challenging environment where we're looking at, you have a restaurant, a driver and a customer. So it's quite a complex ecosystem. And we talk about similar things for FinTech. Also has certain let's say targets for many fraudsters.
And that's why it's always about leveling up. And we talked about before a few times, there is no silver bullet and devices will be important. But as this picture illustrates location behavior, I think it's an important word here. It's called behavior, just not location data or location itself, but how the location actually behaves is a good extra layer to feed into your models.
But I would like to go back to one topic which John mentioned before that was related to the question. So how would you see if Ronald logs into the service but does not share the location at all? Would you see this as more risky or how would you look about this?
Because I have seen, personally, I'm often using a VPN and I see certain companies or certain websites don't allow me even to access the website anymore. I just need to disable my VPN to actually access these websites. Would you go the same way or would you maybe just look about, okay, he's looking in from a location which you don't know and then you might disable certain functionalities or would you really block customers straight away from even looking in?
Anand Bajoria: So, as I said earlier, I think somebody asked as well, right? Just one particular method or one particular signal is not the silver bullet here, right? Again, it depends. Ronald, when you're logging in, we see other signals too behind the scenes. One is device, a trusted device. There's also other methods like mobile authentication happening, right?
Depending upon the device you're logging in from. And again, it's a factor of all these signals, how they come in and how we score you. And depending upon that, we let you log in, or we don't. So there is no one silver bullet on if you're not enabled location, we actually prevent you from logging in.
Ronald Praetsch: Perfect. We are coming close to the hour. I just want to have enough time while also wrapping this up. I mean, please still ask questions. If something is in your mind which you want to ask John or Anand. But, maybe back to John, being in the industry for a while, what is maybe the next level? I mean, now we talk about location behavior, which technology, which could come next or how on your roadmap internally,—I guess you'll have a product roadmap—where we're going to enhance the services every day. Is there something significant which you maybe can share or provide an outlook, how location even becomes more important?
John Lindner: Yeah, that's a great question. We recently introduced a web solution.
We started as a native mobile app solution for Android and iOS devices, and we recently introduced a web solution, obviously, with a completely different set of signals that are available on the web relative to location versus mobile. But I would say new channels being, you know, omni-channel, wherever there's digital customers looking for solutions.
Another example of that is living room devices like a smart TV. We have customers who have apps that run on those and they have different types of policies, let's call them policies, they want to enforce around things like account sharing. So being able to develop solutions for those types of devices.
Obviously, today we work on, you know, iPads, iPhones, et cetera, Chromebooks. But when, when it comes to these set top devices, that's a whole new thing. I think then the whole IOT movement, which is, you know, we don't talk a lot about anymore, but it's just kind of happening in real time and we're accepting it.
You can unlock your car with your phone now. There's all kinds of things that you can start your car with your phone that are being enabled. So I think there's a large movement that's advancing where location behavior and device intelligence will continue to be in demand to solve problems.
To an earlier point, we did start with, and let's call them more traditional location based industries like food delivery. Some of our clients are the largest food delivery companies in the world, the largest marketplaces in the world. And they're using us at onboarding, for instance, where, you know, they want to block people from opening a bunch of fake accounts, right?
Or they want to enforce policies around account sharing. Like if I'm a driver and I've gone through an IDV process, I am not allowed to share my account with my friend who's not covered by my insurance—I'm sure there's other issues too—so he or she can make some money on the side.
The problem we solve for them is detecting those types of things like account sharing or a lot of fake accounts being set up. Things like promotion abuse is very common. This is also true in other industries. But again, if you're just wiping your device, you can keep getting discounts on meals and things like that and other, and other types of promotional offers.
So it kind of started there and solved those problems for the customers. And, you know, like good entrepreneurs, we've pivoted into these other industries, including financial services, whereas Anand points out, you know, location behaviors here to stay. It's relatively new, on the forefront, at least the way we do it.
I mean, everyone knows IP address and they know GPS, but in terms of creating these signal environments and trusted locations and what we call suspicious locations, which is the inverse, it’s relatively new, but I think it's gaining momentum because of all of the issues that we've been talking about today, where it’s harder to profile devices and these signals, there's not a lot of new signals available every day. So location is clearly becoming more and more important to FIs as well.
Ronald Praetsch: I also liked the approach which you brought up, John, not looking only about what is fraud, but also potentially looking at different revenue streams.
Maybe that's a question to Anand. So if you are a bank today or FinTech today, and you actually have this location data. I've seen a lot of interesting use cases in the past already where someone tried to make location based offers from partners. I mean, if you have an app and you go to a certain location in the city, you might even push certain offers or promotions to your customers because you know where they are or at least the area.
Is it something where you get internally requests from your team members and maybe different business units? How can we use location data for other services? Or would you see location data as the most powerful one for stopping and detecting fraud?
Anand Bajoria: Yeah, I think we have actually had similar ideas in the past at a different employer, right? Which is kind of omni-channel. A lot of it is retail-based. Actually getting this location data and triggering offers has been one of the key strategies to actually up the revenue or build alternate revenue streams for the company.
So that's actually one interesting angle apart from [intelligible] as well on the location. And it's been actually successful.
Ronald Praetsch: Okay. I mean, that's also again, maybe just like a moonshot idea for the audience. It's not just to stop fraud, but once you have the location data, you can also potentially use this for other services with your business units internally.
I got an interesting question from one of the users who actually is asking about the SDK and how it's implemented into the banking system. I think that's an easy, easy answer from John about this. It's not really implementing the SDK into the banking solution, but maybe John has some good words to explain it.
John Lindner: Yes. So the way it works is first of all, the SDK is very lightweight because it's doing something very specific. You know, we're not boiling the ocean, right? We're primarily looking at the device signals and the location signals. So think about maybe 500 kilobytes for Android and a megabyte and a half, perhaps, for iOS.
So very lightweight, and then you compile that in your mobile app. We do something similar on the web with some JavaScript. But just sticking with the mobile app, you would compile that in a mobile app and then as the next release, you know, whatever your sprints look like, you have a new mobile app released every couple of weeks.
We'll be inside that, if you will, but the integration itself is fairly painless and takes a couple of days, requires a mobile developer, and that's about it. We also, I should add, we also offer a proof of value where we don't do any decisioning, but we just collect data and we compare the data that we collect over a 30 day period with what the customer sees on their side.
And that's where we show the lift in either reducing false positives or increasing the fraud capture rate, as an example.
Ronald Praetsch: And the second question is just following on this topic. I mean, once you have the implementation done, potentially you get data or a lot of data. Maybe you can give some perspective, John, is this like a good or bad, does the location provide 10 signals, a hundred signals, thousand signals? And I've been using different technology myself, and sometimes it's not easy to really understand what is the right signal.
Do I need to use like 50 out of the 200 or just using three? Maybe we can give in a nutshell a best practice, how companies get started using all these location signals.
John Lindner: Yeah, so we communicate via an API at different points of the customer journey.
So if it's that log in, for instance, like we've been talking about account takeovers, what we would do is deliver a risk assessment. And that's going to be either high risk or low risk or unknown risk if we haven't captured any information. But if it's high risk or low risk or unknown risk, you're going to get reason codes as well as English-based reason.
So it'll tell you why it's high risk. Like this is an unknown device. Or a known risky location, you know, in other words, where fraud—we were talking about location watch lists before—let's say, a negative location watch list. If that device has been associated or that location, forget about the device.
We don't even really need to know the device. We just know that that location is not trusted or it's suspicious. So we'll deliver that. This is also presented in a dashboard. So a fraud analyst could go into the dashboard and do further root cause analysis they want, export data, et cetera. A lot of our larger enterprise customers will import our data into their risk engines.
That's very common and, and we'll score independently. Typically, we're at the top of that waterfall, that scoring waterfall, because the location signal strength is so strong, especially if we're saying this is good, this is trusted or this is bad, we know this is not a trusted location.
Ronald Praetsch: Perfect. Thanks, John. We're getting close to the hour. So I would like to take the last chance for Anand, also for John, giving any kind of final comments or final thoughts about location behavior.
Anand, any final statement before we're closing this for today?
Anand Bajoria: I said earlier, location is here to stay, right? It adds to the stack. I think without it, it's going to be really, really hard for any institution to actually serve a successful and safe experience, especially for an FI.
Ronald Praetsch: Cool. Thanks, Anand. John, good evening.
John Lindner: Yeah, I would just close with, you know, our location behavior is unique to us. They're like snowflakes, if you will. We did a back test with one set of customers and it was like, one in 17 million where it's that unique, right. Each of our behaviors, even people from the same household have different location behavior.
They may live together, but then they go and they go to other locations, whether that be for work or other things in their free time. So it's an extremely strong and individualistic signal for these trust and risk use cases.
Ronald Praetsch: Maybe that's an interesting data point. One out of 17 million to understand how unique it is.
Perfect. Big thank you to Anand, big thank you to John for being here today and sharing your thoughts. I hope we provided some good perspective and insights to the audience. And again, for everybody, please feel free to ask any kind of questions. Also, after this webinar today, you have the names here.
You also get an email afterwards with the contact details. So please feel free to reach out to John directly and Anand or to us at AboutFraud. And yeah, then we wish you a nice day and hopefully we see you soon again in another webinar. Thank you.
John Lindner: Thank you.