Monday, 7 November 2016

When fraud prevention goes wrong & a lesson in why banks need to make mobile their prime channel

I recently returned from a trip to the US to attend a conference organised by RSA Security. After spending almost a day in getting from London to New Orleans I arrived at my hotel, weary and in need of a shower and some rest. 

The room was already paid for but I needed to present a credit card to the hotel receptionist for incidentals during my stay. Unfortunately, my business card was declined and, even more worryingly, a second privately-owned card was also declined. There were adequate funds on both cards so I assumed that the bank's fraud service had flagged the attempted transactions as being high risk and in need of investigation. This has happened to me a couple of times before when travelling outside of the UK and previously I swiftly received a call on my registered mobile phone from the bank to query the transactions. On this occasion, no call.

I decided to call the bank myself by ringing the number provided on the reverse of the card. I bank with a large international bank and it was past midnight in the UK. As I was using a contact centre channel I was requested to authenticate using the method that the bank has assigned for telephone banking. Being a sensible security professional I had set up a 12 character alphanumeric passcode that included special characters. As a convert to mobile banking I had last used the telephone channel over two years ago, so had managed to forget the 12 character alphanumeric passcode. As a result, I couldn't gain access to the bank's contact centre to inform them that I was actually in New Orleans and not at home in London. Because I couldn't get access to a customer care resource, I couldn't unlock my cards and use them for the hotel.

Fortunately I had an alternative card, issued from a different bank, that I was able to use and allow me to get to my room. It still meant that I couldn't use two of my primary cards whilst away.

When I arrived home I noticed that I had a letter from the bank asking me to call them urgently as they had witnessed potential fraud activity on my card. Yes, a letter. Some five days after the incident they sent me a letter. I may have experienced time travel on my journey home and returned to the 1980s (if you could listen to my Spotify playlist you probably would think I am still there).

What are the lessons?

This was a very frustrating experience for me and it drives home how reliant we are on our banks to provide access to our funds whenever and wherever we need it. This is also not just about the technology. People and process are vital components in delivering convenient 24/7 financial services. You still need to connect business processes with technology.

Could I have used my mobile banking app? Possibly, but my bank's app has no way to tell the bank that a declined transaction attempt was a false positive. In any case, with my business account I still need to use my OTP token to authenticate, and I didn't fancy whipping out the token in a crowded hotel lobby to gain access.

Inconsistent experience in managing fraud: Why didn't the fraud team call me on my registered mobile, as had been the case before? It was outside of UK business hours, but I believe I am offered 24/7 support and it is an international bank. And then to come home to a letter!

Make the mobile the prime authenticator and channel: We are now in the era of the mobile native, so why not leverage this channel in more efficient ways? When the fraud system declined my cards my mobile was in my hands (behavioural biometrics could prove that I was holding it), connected to the local radio cell and receiving GPS data to inform them where I was (geolocation). This data in itself could give a very good indication that I was in a hotel lobby in downtown New Orleans. If the bank (card issuer) wanted more data it could have sent a push notification to my mobile to ask "Are you in this hotel in this location and are you attempting to make a transaction of $n?" I could then be prompted to use a registered biometric (fingerprint or EyePrint) that the bank supports in its mobile app to give the risk engines more data and prove to a reliable percentage that it was actually me and not a fraudster with my card.
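To make the flow above concrete, here is an added example (not code from any bank or from the author) of how an issuer's risk engine could resolve a transaction it has already flagged: corroborate the registered mobile's location against the merchant, then push a confirmation that the app answers only after an on-device biometric check, instead of a silent decline. The distance and freshness thresholds, the data layout and the push round-trip are all assumptions.

```python
import math
import time

# Constructed thresholds (assumptions, not any issuer's policy).
EARTH_RADIUS_KM = 6371.0
MAX_DISTANCE_KM = 2.0        # registered device must be this close to the merchant
MAX_TELEMETRY_AGE_S = 300    # location fix must be fresher than five minutes


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def resolve_flagged_transaction(tx, device, push_confirm, now=None):
    """Decide a transaction the risk engine has already marked high risk.

    tx:      {"merchant", "merchant_lat", "merchant_lon", "amount", "currency"}
    device:  {"lat", "lon", "fix_time"} for the cardholder's registered mobile, or None
    push_confirm(prompt) -> {"approved": bool, "biometric_verified": bool}
             models the push-notification round-trip to the banking app.
    Returns "approved", "declined" or "declined_no_device_signal".
    """
    now = time.time() if now is None else now
    # No fresh device location means nothing to corroborate: keep the decline
    # and let the existing contact-centre path handle it.
    if device is None or now - device["fix_time"] > MAX_TELEMETRY_AGE_S:
        return "declined_no_device_signal"
    distance = haversine_km(device["lat"], device["lon"],
                            tx["merchant_lat"], tx["merchant_lon"])
    if distance > MAX_DISTANCE_KM:
        # Phone is nowhere near the merchant: consistent with a stolen card, keep the decline.
        return "declined"
    prompt = (f"Are you at {tx['merchant']} and attempting a transaction of "
              f"{tx['amount']:.2f} {tx['currency']}?")
    answer = push_confirm(prompt)
    # Only a positive answer backed by the app's biometric check lifts the block.
    if answer.get("approved") and answer.get("biometric_verified"):
        return "approved"
    return "declined"


if __name__ == "__main__":
    # Constructed sample: hotel check-in in New Orleans, phone in the lobby.
    tx = {"merchant": "Hotel, New Orleans", "merchant_lat": 29.9511,
          "merchant_lon": -90.0715, "amount": 250.0, "currency": "USD"}
    phone = {"lat": 29.9515, "lon": -90.0710, "fix_time": time.time() - 60}
    print(resolve_flagged_transaction(tx, phone, lambda p: {"approved": True, "biometric_verified": True}))
```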

This can be done now as the technology is available today to support banks and card issuers in turning an inconvenient and highly annoying episode into an event that gives me a great level of assurance that my bank is taking care of my money. In an age where agile FinTech companies are seriously providing an alternative to established banks I feel that the traditional banks need to sit up and start using the technology that is available to them to make our lives a little easier. Start with the customer and work backwards - feel my pain!

A postscript. It was pretty ironic that this incident happened whilst I was attending an RSA Security event and spending time with the Fraud and Risk Intelligence team discussing ways in which to improve customer experience whilst reducing financial fraud by leveraging biometrics on smart mobile devices. Perhaps we could drop the letter!