An exclusive interview with our VP of Product and VP of Sales where we agree that collaboration is critical to improving overall account security.
I recently discussed organizational responsibility for fighting account fraud with Verosint’s VP of Sales, Jason Bonds, and VP of Product, Travis Favaron. We all agree that this is a pervasive issue in today’s digital landscape affecting individuals and businesses alike.
Here’s our conversation:
Melanie: You guys recently attended the Identiverse conference in Las Vegas and had some interesting takeaways about how organizations are addressing—or not addressing—account fraud. Most people agree that combating account fraud requires a cross-organizational team effort. Still, there are big questions about who is primarily responsible for detecting and preventing account fraud.
Jason: Account fraud is a growing problem with no clear owner. Identity and access management (IAM) professionals focus mainly on the processes for registering and logging in users with standard items like user ID, passwords, multi-factor authentication (MFA), and challenge questions. Unfortunately, they don’t approach these processes with account fraud in mind. And most of the tools they use are not designed to stop fraud. Truth be told, most identity security teams are already swamped with more work than they have time for, without taking on account fraud.
On the other side, fraud and compliance professionals seem to approach fraud in a very reactive way. Most often, they detect fraud after cybercriminals have gained access via the registration and login process when they are committing fraudulent or disruptive transactions. Fraud and compliance teams do not understand IAM and are usually not in the same reporting hierarchy as the identity team.
Travis: Exactly. And, even if a company can identify account fraud (often detected through manual investigation and user reports), they lack the necessary levels of sophistication needed to prevent account fraud from occurring again. They can ban the user for abusing the platform, but they can do nothing to prevent that user from signing up again. They can reset user passwords to restore access to the original owner, and then the bad actor moves on to take over additional, different accounts.
Jason: Account fraud should be a shared responsibility, but in most organizations, it is not. To solve the problem on an ongoing basis, resources should be assigned from different teams that collaborate on the tools and processes for preventing, detecting, and mitigating account fraud.
Travis: I agree; it should be collaborative across many teams. Account fraud can dramatically impact the product/service experience you deliver to your users if it is undetected and permitted to continue. If one team ignores account fraud, or if the responsibility is compartmentalized to a single team, you may be putting your business and your customers at risk.
Jason: Most teams within an organization are impacted by account fraud, so it is more a question of building awareness and gaining the commitment of the various groups. Very much like the CISO team educates and talks with teams about phishing attacks, there needs to be that level of education and discussion in an organization about account fraud.
Travis: Your trust and safety team, your security and IT teams, but notably your product development teams as well, all need to combine efforts to fight account fraud from an application development and application security standpoint. Organizations need to look at all parts of the user journey and product experience and ensure they are taking advantage of the tools available in the market to fight fraud in real time. You aren’t going to stop account fraud by just distributing a quarterly risk report.
Jason: These teams are the frontline in vetting potential account fraud issues. For example, if a large group of users is calling Customer Support reporting that they are locked out or have been asked to reset their passwords, that information needs to be shared with the IAM and fraud teams. Social engineering is also a considerable challenge for teams in support services. These teams must be aware that fraudsters may call in and try to socially engineer their way into reinstating their account.
Jason: Most teams we talk to need more cross-functional accountability and education. We see a lot of finger-pointing or games of “kick the can” because many organizations view account fraud as an acceptable cost of doing business. With account fraud, organizational silos are dangerous because they allow fraudsters to take advantage of the security cracks that may result.
Travis: In the future, organizations must converge fraud prevention, IAM, and cybersecurity functions to fight account fraud. If you think about it, these three teams serve the same purpose — protecting the business — and they must work together to accomplish it. Aligning across departments and teams is often a difficult task to pull off. Still, I’ve seen some organizations succeed by aligning teams under the leadership of a digital product owner, for example, the owner of an e-marketplace. Fraud and IAM naturally align on user experience; assigning them to a product team is a step in the right direction.
Jason: The way to strike a balance is to only execute security measures on an “as needed” basis. Don’t treat every account login the same. You need tools to assess risk and determine when and how much friction should be applied to a user. For example, please don’t make me enter a one-time password every time I log in from the same device. I’ll get annoyed and possibly leave your service for someone easier to work with.
Travis: Security measures aren’t free. They will never be free. Sure, they may be included in your license cost or have no ongoing cost, but at a minimum, you are always paying for them by reducing the quality of the user experience. Organizations must find ways to only apply security measures like MFA, identity verification, or even a CAPTCHA as a last resort – not as the standard operating procedure. That’s the only way to ensure they are worth it when you use them.
Jason: These types of tools significantly help detect very subtle risk signals at the point of registration and login. Bad actors no longer use brute force to break into online platforms. Today’s bad actors take a stealthier approach. AI/ML tools are crucial in finding those actors who try to blend in with the masses.
Travis: I agree that machine learning models are purpose-built for detecting risk patterns that are hard for humans to detect. They can also evaluate large amounts of data in a way that is exceptionally challenging for a human review team. By using these tools to assess risk in real time, organizations can selectively invoke security challenges only when detected risk is high. This approach is a great way to raise the friction high enough to stop account takeovers or fake registrations but keep the process fast and easy for low-risk customers.
Melanie: Thanks, guys, for sharing your perspectives. It sounds like there’s much work to do to change how we organize to fight account fraud, and you’ve given us many ideas to consider. Just a reminder to everyone that Verosint can help you stop fraud in its tracks: give us a try with a free trial, or see the product in action by requesting a demo today!