The competitive advantage in modern business relies more and more on the customer experience. With the availability of technologies such as AI, data has become the most valuable asset. AI is turning our online behaviour, and even our common mistakes and typing quirks, into an effective way to keep us safe while making our user experience simpler and faster – a big win for companies looking for a UX advantage in an increasingly competitive digital landscape.
Card-not-present fraud remains a real threat to South African shoppers, accounting for 80% of credit card and 54% of debit card fraud last year according to SABRIC statistics. However, potential security solutions can be weighed up against creating too much friction and depreciating the user experience.
As humans, we are used to identifying people by various means. One person may be very tall, another may be wearing unusual glasses. In a similar way, we all have unique ways of interacting online, whether we are aware of it or not. The huge computing power of AI and machine learning allows us to passively authenticate an entity by determining behavioural patterns online. Risk-based authentication (RBA) is helping organisations, including some banks in South Africa, to seamlessly authenticate a user’s journey by collecting various data points and signals.
RBA makes use of the vast computing power of machine learning to analyse thousands of data points to determine how risky a transaction may be. This includes obvious markers such as the type of device, the IP address, geolocation markers, the network, the time of day, and even the type of transaction. It also makes use of user-specific markers that the system learns over time.
The way we engage online can easily differentiate us as users. By activating behavioural analytics, passive biometrics, as well as device intelligence, it is possible to produce a risk transaction score for each user in real-time. Then, depending on the risk score set by the organisation, RBA can trigger an immediate authentication challenge if needed. The power of AI and machine learning means that we are able to bring security down to the individual user level. The power of this is not just added security for customers, but it means we can offer a near frictionless experience – the nirvana of digital commerce.
Relying on insight used almost two centuries ago
After the first telegraphic message was sent from Washington, D.C. to Baltimore in 1844, telegraph operators quickly learned to identify fellow operators by their unique style. Today, our RBA engines are also able to identify individuals using keystroke dynamics which tracks how we enter data through a keyboard. Even our habitual spelling errors, how hard we tap our touch screens, or at what angle we hold our device, all form part of the behavioural biometrics that advanced AI can use to determine if we are who we say we are.
When transacting, Entersekt’s engine will apply that ‘normal behaviour’ in conjunction with device identification to determine user identity. If deemed a low-risk payment it won’t generate the usual speed bumps like OTPs or authenticating yourself through your banking app. However, if your behaviour sets off a flag – perhaps you are moving your mouse in an unusual way or you appear to be in a country that you don’t usually transact from – then step-up authentication will be required. This can take the form of an in-app push prompt, a FIDO-certified security key, or any of a number of options we use. With a little help from smart risk-scoring technology and the collection of positive and negative behavioural signals, payments can become almost seamless.
People want their bank, insurance provider or any company that has access to their money or information, to offer the most sophisticated and slick experience. We judge today’s brands by their digital offering and being able to combine extra strong security without the clunky authentication processes so many still use.
Looking ahead, the power of machine learning and AI means companies that deploy RBA engines now are best placed to benefit from new advancements in the future.
We see AI enabling a future of continuous risk assessment. So, after login the engine will monitor if a user behaves consistently across the entire session. If, for example, your typing speed dramatically changes, or if you are in a Firefox browser and then on the very next page you are using Chrome, this will trigger an alert that your session may have been taken over. This zero-trust principle to never trust, always verify, will further help organisations reach the goal of a truly safe and frictionless experience.