Will Multi-Factor Authentication End Fraud?

Over the past several years, trends in fraud prevention have moved from planning and prevention, rules-based strategies toward securing your sites from cyber criminals with Multi-Factor Authentication. “Prevent them from entering your site and you won’t have fraud,” some think. There isn’t a security solutions company out there that won’t sell you a slice of their solution pie. But does it end fraud?

How many times have you tapped on your desk waiting for your computer to finish “computing” a calculation you have already completed in your head? Or told Siri she was dumb because she couldn't understand what you were asking? Maybe become frustrated with auto-text? These actions are completed by algorithms – computer knowledge based on a defined subset of action = reaction. The key word being “defined”.

A fraud manager I know misguidedly believed that preventing a specific action through system code would prevent the occurrence of that specific action. Neither training nor policies were put in place to ensure adherence to the prevention of the action or intended action, nor were reports developed to monitor the resulting outcomes. The result? The code worked exactly as intended. It prevented THAT specific action. What it didn’t prevent was the colorful and creative ways that customer service employees attempting to help customers worked around the code, nor the creative methods devised by friendly fraudsters to skirt the system. This resulted in multiple departments being affected by unintended consequences and a lack of preparation for identifying and preventing losses.

The point? You can’t code for creativity. It is inherently an oxymoron.

In developing my fraud prevention strategies, my first step is to develop a list of vulnerabilities – systematic and organizational – and break those down into how they potentially can be exploited. I ensure I identify anticipated methods of exploitation. I then review the prevention strategies that are currently in place or have been tried and failed - what is working, what isn’t? And WHY? (Was there improper training? Was there a mistake or bug? Was there a misunderstanding in the data that the prevention strategy was developed upon? Have internal stakeholders unknowingly, although in good faith, created a workaround? Or have your fraudsters adapted and overcome your strategy?) And finally, what tools will I need to prevent attacks? Identity management and authentication is simply that - one tool in a belt of fraud prevention strategies.

As fraud practitioners, we are on the front line of account takeover, fraudulent account, and friendly fraud attacks. Fraud prevention strategies are exactly that - strategies. Meaning, there is a system and network of tactical offense and defense that must be played. No football team wins the game by running the same line and same play the entire game.

Much like the code the fraud manager in my example above developed, failures in fraud prevention strategies occur when you are not prepared to employ multiple tactics, and continually review, adapt, and overcome. Why? Because your fraudsters have no other responsibility but to exploit your weaknesses. Multi-Factor Authentication is no different.



