For years, financial institutions have relied on static authentication methods to verify their users. Customers use a password or biometrics to identify themselves when they log in to an account, after which they have full access. But with account takeover attacks rising, it’s time for these institutions to consider continuous authentication methods, which monitor signs of fraud throughout the process.
In a new report, Account Takeover: Static Authentication Enables Access Without Confirmation, Javelin Strategy & Research Senior Analyst of Fraud Management Jennifer Pitt looks at the drawbacks of traditional authentication methods and why banks are increasingly turning to continuous authentication.
Current Ways of Fighting Back
Account takeover fraud cost consumers $15.6 billion in 2024, a sharp increase from $12.7 billion the year before. That’s more than double the dollar loss resulting from new-account fraud. Clearly, static authentication, the primary method of verifying identity, is not doing the job.
If a criminal logs into an account using legitimate (but stolen) login credentials, static authentication would likely validate them as the verified user. The only way the bank or organization can determine that it’s someone else is by examining account behavior: Is the user looking at the account information when they usually don’t? Are they trying to place transactions they normally wouldn’t? Continuous authentication looks at all this user behavior in the background, noting what is different from the verified user.
“It’s not going to prompt you to log in again or ask you for your credentials,” Pitt said. “With continuous authentication, AI-powered tools are essentially collecting information about what you’re doing in the account and making sure that that information is consistent with the actual user who was verified.”
If financial institutions determine that the activity is suspicious, such as an attempted transaction in a jurisdiction that is considered high-risk, they might use what’s called step-up authentication. This involves asking the user to verify using some other method, such as a thumbprint or a knowledge-based question.
Overcoming Legacy Systems
One reason many businesses have resisted continuous authentication is that it requires advanced technology. Legacy systems often don’t have the technology in place for it, and some banks might worry that continuous authentication would cause customer friction.
“Vendors that offer continuous authentication solutions really need to educate individual consumers better as well as financial institutions on what that means,” Pitt said. “It actually will mitigate friction for consumers, because you’re not requiring those continuous logins and that continuous information, but you’re still able to track unusual behavior for that consumer.”
Many financial institutions don’t recognize the risk indicators for account takeover because, taken individually, many of them also constitute normal behavior. Indicators include somebody using a VPN or failing on a login attempt, which any user could do.
Using legacy solutions, financial institutions are left with two basic options: block everything that uses one of those risk signals, causing potential customer issues, or let everything else go because the signals may indicate something other than an account takeover.
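As an added illustration (not code from the report or from Javelin), the scorer below shows the difference between the two legacy options and a continuous approach: it accumulates the weak signals the article names (VPN use, a failed login, unusual account browsing, an out-of-pattern or high-risk-jurisdiction transaction) across a session and only steps up or blocks when the combined deviation from the verified user's baseline is large. The baseline fields, weights, thresholds and the jurisdiction code are constructed assumptions, not values from the report.

```python
from dataclasses import dataclass

@dataclass
class Baseline:
    """Constructed profile of the verified user (assumed learned from history)."""
    countries: set          # countries the user normally transacts from
    typical_max_amount: float
    views_info: bool        # does this user normally browse account details?

@dataclass
class Event:
    kind: str               # "login_failed", "vpn", "view_info", "transfer"
    country: str = "US"
    amount: float = 0.0

HIGH_RISK = {"XX"}          # placeholder jurisdiction code, constructed here

def score_event(ev: Event, base: Baseline) -> int:
    """Illustrative weights: weak signals score low, deviations from baseline higher."""
    s = 0
    if ev.kind == "login_failed":
        s += 1                                   # any user can mistype a password
    elif ev.kind == "vpn":
        s += 1                                   # VPN use alone is normal
    elif ev.kind == "view_info" and not base.views_info:
        s += 2                                   # browsing details this user never looks at
    elif ev.kind == "transfer":
        if ev.amount > base.typical_max_amount:
            s += 3                               # larger than this user's usual transactions
        if ev.country not in base.countries:
            s += 2                               # unfamiliar country for this user
        if ev.country in HIGH_RISK:
            s += 4                               # high-risk jurisdiction
    return s

def evaluate_session(events, base: Baseline, step_up_at=4, block_at=8):
    """Re-evaluate after every event; return (decision, accumulated score).
    A single weak signal stays ALLOW; accumulating deviations trigger STEP_UP
    (e.g. thumbprint or knowledge-based question) and severe ones BLOCK."""
    total = 0
    for ev in events:
        total += score_event(ev, base)
        if total >= block_at:
            return "BLOCK", total
    if total >= step_up_at:
        return "STEP_UP", total
    return "ALLOW", total
```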
Perpetual KYC
Similar concerns exist over traditional know-your-customer (KYC) processes, which are done during onboarding only. Typically, a customer might get something from their financial institution asking various questions: If you have a business, what business is it? What’s your income? What are you going to use your bank account for? What types of transactions are you going to make, and at what dollar amounts?
All that information is critical to understanding and vetting the customer. Most financial institutions do that only once during onboarding, or they might do it annually when they review accounts.
“If something was missed during the initial KYC, or maybe the customer lied, then you don’t know who your customers are,” Pitt said. “Maybe that customer changes from a legitimate customer to a fraudster, and you don’t know because during that year gap you have not vetted that customer.”
Perpetual KYC, on the other hand, uses AI-powered tools to vet customers in real time. Every time a consumer uses the account, perpetual KYC assesses the risk. If the risk level is heightened, then it will flag the account or the customer and send it for possible manual or step-up review.
Traditional KYC processes miss a lot of fraud and money laundering, which has resulted in significant fines. TD Bank, for example, last year was the first bank to be criminally charged for failing to find money laundering. That could have been avoided by implementing perpetual KYC.
More Than Just Banks
People think mostly of account takeovers in terms of bank accounts. But one reason this fraud is so pervasive is that every type of account is at risk.
If somebody takes over a social media account, they can essentially scam the user’s friends and colleagues. Somebody who takes over an email account can do a great deal of damage with it.
“If I only know your username and password, when I log into your financial account, maybe now I can see your email address and your phone number,” Pitt said. “I can see your Social Security number. I can see that your account links to another account at a different bank, and now I’m going to try that account.
“Banks need to get out of the thinking that it’s solely financial accounts that are being taken over and one account. They’re after as many accounts as they can, as quickly as they can.”
Criminals ultimately want money, and they can get the most amount of money with account takeover. The accounts are already vetted. They’ve already gone through KYC checks, the identity has already been verified, and accounts are often linked to other financial and non-financial accounts.
“Banks are still looking at fraud the way it was 20 years ago, where we didn’t have generative AI solutions that fraudsters are using,” Pitt said. “We didn’t have bots. We didn’t have the prevalence of account takeover, because it was much harder for them to actually take over an account. We need to look at subtle behavior changes instead of major things, and we need to make the process continuous.”