Over the past decade, neo-banks and mobile wallets have disrupted traditional financial services infrastructure with native digital products and have quickly become some of the most widely adopted applications in the world.
Consumers have long shifted their daily digital habits from desktops and laptops to mobile devices. Naturally, essential financial services such as wallets, payments and transfers are highly attractive if offered through the most convenient and widely adopted medium.
However, the practical utility and growing adoption of mobile devices make them ideal targets for attackers aiming to commit financial fraud.
In this article, we will describe some reasons why behavioral data acquisition can be a powerful element in an anti-fraud strategy tackling these two typologies. We will also provide some general examples of flows it can be integrated into with minimal impact on user experience.
Mobile behavioral data is a powerful ingredient
Using fine-grained behavioral data to build profiles used in fraud monitoring is an incredibly effective way to minimize the number of assumptions made about a given user as early as possible in their lifecycle.
The more complete the data set, the more powerful the heuristic, the richer the profile, and the more accurately a model can be developed to predict the likelihood of various types of fraud.
Some examples of how behavioral data can be applied to things like account sign-up fraud include rating a given user on the application fluency metric (how does the user's browsing speed compare to that of the average user?) or on data familiarity (considering keyboard usage and device orientation, is the phone number or email being copied or entered from memory?).
Mobile interactions are rich in behavioral data
What makes these heuristics even more powerful is how they can be combined with mobile-specific data, creating an even more complete picture of the user.
Interactions with mobile devices are much richer than interactions with desktop computers from a behavioral data perspective. Accelerometer and gyroscope readings, device orientation, location data, and touchpoint patterns can all be used in multiple ways to build a profile while minimizing assumptions about the user. This profile can then be used as a reference for ongoing user background checks, for example.
And in the case of mobile wallets in particular, where all or nearly all user interactions will be on a mobile device, not collecting this goldmine of mobile-only behavioral data leaves risk models unnecessarily broad in their assumptions, which greatly reduces their effectiveness and ultimately makes catching cases of fraud less likely.
Friction should be minimal
Teams developing mobile wallets go to great lengths to reduce signup flows to their absolute minimum requirements, as this allows them to maximize their acquired users while minimizing acquisition costs.
Friction in a competitive space is just another enemy. Mobile wallets in particular require a delicate balance between minimal effort and collecting more user data than other apps. They also require a balance of security prompts and handy utility.
The beauty of collecting mobile behavioral data during key flows such as sign up, login or entering a PIN (if applicable) is that the richest possible data set can be collected during data prompts that are absolutely necessary in the first place.
In something as simple as entering an email address or phone number during login, rich context can be established about the user and fed into behavioral profiles and fraud models.
This means that specific verification or authentication steps for a user can be used infrequently, whereas previously (and still, for some banking apps) 2FA authentication from other devices (login in the office, mobile PIN) was required at each login or registration.
Combining KYC with mobile behavioral data
To further minimize friction, behavioral data acquisition can also be incorporated into the KYC process.
Similarly, redundant steps in the security protocol or verification process can be eliminated during login or registration, as well as in the KYC flow.
The same heuristics we described (application fluency, data familiarity) can be measured and referenced during the mandatory KYC steps (name, address, identity verification, etc.).
Examples of Behavioral Data Collection Flows
Now that we’ve covered why behavioral data should be applied for fraud prevention, here are some examples of first-party data collection that can be incorporated into the standard flows that most mobile wallets have for their users.
Registration / Account opening
Common input fields are name, email, phone number, account name, password creation, and address. From these few fields, the data collected includes data entry events and patterns, as well as device movement.
Check for application fluency (is this one of many “fictitious” accounts created by this user?), data familiarity (is the user the owner of the email or phone number?) and automation (is it a bot?).
Logging in uses fewer input fields, but similar ones (i.e. email, account name, password, phone number). Since the behavioral baseline has already been established during the registration flow, the login flow allows additional data points to be compared (entry speed, touchpoint patterns, location data, device orientation).
Transfers / Payments
Assuming the baseline was established during sign-up and cross-checked with login, transfers and payments can be checked for the presence of automation as an added precaution, as well as blocked above account-specific numeric thresholds given the model's risk calculation (if the user risk is “X”, block all transfers / payments greater than “$Y”).
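The sketch below is an added example, not code from the original article: it walks one input field through the flows above, comparing typing cadence against a sign-up baseline, flagging paste and automation, and then applying the "risk X, block above $Y" rule. The event format, weights, thresholds and limits are all assumptions chosen for illustration, and the sample sessions are constructed.

```python
from statistics import mean, pstdev

# Constructed sample sessions: (field, event kind, timestamp in ms).
HUMAN = [("email", "key", t) for t in (0, 170, 365, 540, 730, 900)]
BOT = [("email", "key", t) for t in (0, 20, 40, 60, 80, 100)]
PASTE = [("email", "paste", 0)]

def signals(events, field, baseline_gap_ms):
    """Derive per-field signals and compare them with the sign-up baseline."""
    ts = [t for f, kind, t in events if f == field and kind == "key"]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    # Data familiarity: a pasted value was not entered from memory.
    pasted = any(f == field and kind == "paste" for f, kind, _ in events)
    # Automation: human typing jitters; near-constant gaps suggest a script.
    automated = len(gaps) >= 4 and pstdev(gaps) < 5
    # Relative drift from baseline typing speed; no typing at all counts as max.
    drift = abs(mean(gaps) - baseline_gap_ms) / baseline_gap_ms if gaps else 1.0
    return {"pasted": pasted, "automated": automated, "drift": min(drift, 1.0)}

def risk_score(sig):
    """Hypothetical weighting: paste 0.3, automation 0.5, drift up to 0.2."""
    score = 0.3 * sig["pasted"] + 0.5 * sig["automated"] + 0.2 * sig["drift"]
    return round(score, 2)

# Hypothetical policy table: (risk below this bound, max amount; None = no cap).
LIMITS = [(0.3, None), (0.6, 500), (1.01, 0)]

def transfer_allowed(risk, amount):
    """Apply 'if the user risk is X, block transfers greater than $Y'."""
    for bound, cap in LIMITS:
        if risk < bound:
            return cap is None or amount <= cap
    return False

def assess(events, amount, baseline_gap_ms=180):
    """Score one session against the baseline and decide on a transfer."""
    risk = risk_score(signals(events, "email", baseline_gap_ms))
    return risk, transfer_allowed(risk, amount)

if __name__ == "__main__":
    for name, session, amount in (("human", HUMAN, 2000), ("bot", BOT, 100),
                                  ("paste", PASTE, 600)):
        print(name, assess(session, amount))
```

A production model would add the mobile-only inputs the article lists (accelerometer, gyroscope, orientation, touchpoint patterns) as further signals in the same structure.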
Any mobile banking app or mobile wallet is only as good as what it can safely store and how much. As mobile wallets become increasingly popular, attackers will continue to target them due to their usefulness and ubiquity.
Behavioral data collection, used in these and other ways, can be a powerful method for risk management teams to combat the costliest types of fraud, like account entry and account takeover fraud, while simultaneously compressing the verification steps needed to keep users safe.