How Machine Learning and Continuous Monitoring Can Prevent Fraud Attacks

Guest Blog: Greg Hancell, Manager of Global Fraud Consulting at OneSpan, explains how banks can apply continuous monitoring and machine learning to defend against account takeover attacks. #AIWeek2021

Account takeover fraud (ATO) is one of the top threats to financial institutions and their customers. In an industry survey by the Aite Group, 89 per cent of financial institution executives pointed to account takeover fraud as the most common cause of losses in the digital channel. Today, cybercriminals remain focused on ATO, new account fraud, and card-not-present fraud. The 2020 Identity Fraud report by Javelin Strategy & Research found account takeovers trending at the highest loss rate to date, up a staggering 72 per cent on 2019, to $5.1 billion, and a 120 per cent increase on 2016.

Continuous monitoring and ATO

An effective way to recognise and defend against account takeover attacks is to implement continuous monitoring on digital platforms.

In the past, we would generally authenticate users during login or a transaction. Now, however, we have an abundance of data because users access their account through the web or mobile banking, and there are events constantly streaming to the financial institution as the user progresses through their session. This movement to digital banking lends itself well to continuous monitoring – the capacity to keep watch on all the events as they happen – not just the login and the transaction, but also requesting a balance, creating a new beneficiary, adding a new device or changing an address. From the moment a user lands on a webpage, continuous monitoring enables behavioural understanding, as it identifies their normal online journey and interactions with their accounts and devices. Moreover, a profile can be created on all devices used in a particular session.

This combines seamlessly with other protections such as two-factor authentication or dynamic linking, because it allows the bank to utilise context from these authentication methods as well. (Dynamic linking, a requirement of the second Payment Services Directive (PSD2), ensures that there is a unique authentication code for each transaction that is specific to the transaction amount and recipient.) With continuous monitoring, as the behaviour of the user becomes known, new behaviour can be identified that might indicate a new person (i.e., an attacker) or a bot. Typical indicators of attacks, such as new or known nefarious devices, cookies, headers, referrers, locations, bots, beneficiaries or others, can be monitored in real time and distinguished from normal customer behaviour.

This approach establishes a continuous risk profile for the session, which can change with each action undertaken by the end-user or their device. Not only does this allow the financial institution to take automated real-time actions when anomalies are detected, it also allows the bank to reduce friction for legitimate sessions by decreasing the number of authentications required for genuine interactions. This ultimately diminishes attack propagation as well as losses, and enhances the user experience.
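A minimal sketch of such a per-session risk profile, added here as an illustration and not taken from OneSpan or any product: each event is checked against what is known about the customer, the session risk accumulates, and only sensitive actions are challenged. The indicator weights, thresholds, event fields and sample values are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed weights and thresholds; a real deployment would tune or learn them.
WEIGHTS = {"new_device": 40, "new_location": 20,
           "new_beneficiary": 25, "change_address": 15}
STEP_UP, BLOCK = 50, 80
SENSITIVE = {"add_beneficiary", "change_address", "payment"}

@dataclass
class Profile:
    """What is already known about the customer's normal behaviour."""
    devices: set
    locations: set
    beneficiaries: set

@dataclass
class Session:
    profile: Profile
    risk: int = 0
    reasons: list = field(default_factory=list)

    def _flag(self, reason):
        # Count each indicator once per session so repeats do not inflate the score.
        if reason not in self.reasons:
            self.reasons.append(reason)
            self.risk += WEIGHTS[reason]

    def observe(self, event):
        """Fold one event into the session risk and return the action to take."""
        if event["device"] not in self.profile.devices:
            self._flag("new_device")
        if event["location"] not in self.profile.locations:
            self._flag("new_location")
        if (event["type"] == "add_beneficiary"
                and event["payee"] not in self.profile.beneficiaries):
            self._flag("new_beneficiary")
        if event["type"] == "change_address":
            self._flag("change_address")
        # Only sensitive actions are challenged; browsing stays frictionless.
        if event["type"] not in SENSITIVE or self.risk < STEP_UP:
            return "allow"
        return "block" if self.risk >= BLOCK else "step_up"

def run(profile, events):
    session = Session(profile)  # one risk profile per session, replayed in order
    return [session.observe(e) for e in events]

def ev(kind, device="dev-A", location="GB", payee=None):  # constructed sample event
    return {"type": kind, "device": device, "location": location, "payee": payee}
```

A payment to a known payee from a known device and location passes without a challenge, while the same customer's session from an unseen device and location is blocked at the moment a new beneficiary is added.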

Machine learning is enhancing fraud detection

Machine learning reduces human biases such as availability bias and confirmation bias because, unlike humans, it is able to see all events and learn from them, analysing large volumes of disparate and high-dimensional data (a combination of many different data points) in real time.

With machine learning, there are two main algorithm types applied to fraud detection: supervised and unsupervised.

Unsupervised vs supervised machine learning

Unsupervised machine learning tends to use models that identify anomalies between what is usual and what is unusual based on the distance between features (data points).
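To make the distance idea concrete, here is an added example (not from the original article) that learns a customer's usual payment behaviour from unlabelled history and scores new events by their standardised Euclidean distance from it. The three features, the history rows and the safety margin are assumptions constructed for the illustration; production systems typically use richer models.

```python
import math
from statistics import mean, pstdev

# Constructed, unlabelled history for one customer's payments:
# (amount in GBP, hour of day, events in the session before the payment).
# Hour of day is treated as a plain number here, ignoring midnight wrap-around.
HISTORY = [(42.0, 9, 5), (55.0, 12, 7), (38.5, 18, 6), (60.0, 10, 8),
           (47.0, 13, 5), (52.0, 17, 9), (44.0, 11, 6), (58.0, 19, 7)]

def distance(stats, event):
    """Standardised Euclidean distance of one event from the learned centre."""
    return math.sqrt(sum(((x - m) / s) ** 2 for x, (m, s) in zip(event, stats)))

def fit(history, margin=1.5):
    """Learn each feature's centre and spread, plus an alert threshold.

    The threshold is the largest distance seen in the history times an
    assumed safety margin, so no labelled fraud is needed to set it.
    """
    # Floor the spread so a constant feature cannot divide by zero.
    stats = [(mean(col), max(pstdev(col), 1e-6)) for col in zip(*history)]
    limit = margin * max(distance(stats, row) for row in history)
    return stats, limit

def score(model, event):
    """Return (distance, is_anomalous, index of the most unusual feature)."""
    stats, limit = model
    d = distance(stats, event)
    z = [abs(x - m) / s for x, (m, s) in zip(event, stats)]
    return d, d > limit, z.index(max(z))

MODEL = fit(HISTORY)
```

An event can be flagged even when no single feature is extreme: a slightly large payment, slightly late in the day, after slightly more activity than usual, is far from the centre once the features are combined.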

With supervised machine learning, the model is trained using labelled data (fraud or genuine) and predicts the likelihood of fraud (fraud score). A machine learning model can be applied, in real time, to every event as it occurs and return a score. This allows a solution, or a user, to take an action based on these events.

One of the challenges for a financial institution is how to move to supervised machine learning. The data set they have is unbalanced, in that there is a majority of genuine events against a minority of fraud. Data scientists are using more advanced techniques such as synthetic data to generate more data points and enable the training of a supervised model. Some financial institutions are moving to semi-supervised machine learning, which combines a small amount of labelled data with a large amount of unlabelled data during training. This approach can considerably improve learning accuracy.
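One common way to generate synthetic minority samples is SMOTE-style interpolation between a fraud example and one of its nearest fraud neighbours. The article does not name a specific technique, so the following is an added illustration of that approach, with constructed data and hypothetical function names.

```python
import math
import random

# Constructed, labelled sample: (amount in GBP, hour of day). Fraud is the minority.
GENUINE = [(40.0, 9), (55.0, 12), (38.0, 18), (60.0, 10), (47.0, 13), (52.0, 17),
           (44.0, 11), (58.0, 19), (35.0, 8), (62.0, 14), (49.0, 16), (51.0, 15)]
FRAUD = [(900.0, 2), (1200.0, 3), (1500.0, 1)]

def oversample(minority, target, k=2, seed=0):
    """Create synthetic minority points until the class reaches `target` rows.

    Each synthetic point lies on the line between a real minority point and
    one of its k nearest minority neighbours, so it stays inside the region
    the real fraud cases already occupy.
    """
    if len(minority) < 2:
        raise ValueError("need at least two minority samples to interpolate")
    rng = random.Random(seed)  # fixed seed keeps the output reproducible
    synthetic = []
    while len(minority) + len(synthetic) < target:
        base = rng.choice(minority)
        neighbours = sorted((p for p in minority if p is not base),
                            key=lambda p: math.dist(base, p))[:k]
        other = rng.choice(neighbours)
        t = rng.random()  # position along the segment base -> other
        synthetic.append(tuple(b + t * (o - b) for b, o in zip(base, other)))
    return synthetic

def balanced_training_set(genuine, fraud):
    """Return (features, label) rows with equal class counts; label 1 = fraud."""
    extra = oversample(fraud, target=len(genuine))
    return [(x, 0) for x in genuine] + [(x, 1) for x in fraud + extra]
```

Synthetic rows belong in the training split only; evaluating on them would overstate how well the model detects real fraud.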

Account takeover fraud is likely to continue to grow, as it is a relatively easy source of profit for bad actors who will continue to exploit all available weaknesses in the financial banking system. However, a multi-layered security approach can significantly assist in mitigating the attacks that lead to account takeover. Technology that protects the user, the device, the app, and the communication channel, combined with a comprehensive risk analytics engine and intelligent authentication framework, is essential to moving forward in the fight against account takeover fraud.

This article, written by Greg Hancell, was first published in Fraud Intelligence

