“Password-based attacks such as credential stuffing aren't much of a concern. We know fraudsters aren't getting around ClearKey at login.”
Toby Ceselski, Business Data Analyst III
The previous authentication solution produced a flow of false positives but starved the Fraud department of data. Customer complaints increased. There was no way to investigate the root cause of the cases.
The telecom provider – already succeeding with iovation FraudForce – decided to transition to iovation ClearKey for seamless two-factor authentication. The switch unlocked significantly more data for the Fraud team.
The Fraud team works closely with the Customer Care team to streamline the login experience for website users. Customer complaints about the login experience dropped. Password-based attacks and account takeover (ATO) are no longer a problem.
It’s a modern love story. Customer meets fraudster on a dating site. Fraudster earns customer’s trust and requests login credentials to account at major telecommunications provider. Fraudster orders four new iPhones by opening four new lines on customer’s account. Payment becomes a chargeback.
Customer cancels the four new lines.
Telecom provider loses thousands of dollars in product and service revenue.
“Because of the fraud levels we used to see, our IT department put up a digital wall,” explains Toby Ceselski, Business Data Analyst III at this telecom provider. “Some users would encounter not one but two two-factor authentication challenges on certain portions of the website. Compared to our position now, we were putting these customers through a needless hassle.”
The telecom provider had been using an authentication solution for several years. They were ready for a change.
“We weren't driven away from the previous authentication vendor by a fear of password-based attacks,” Ceselski explains. “It was more about our customers’ experience. In the last six months of that contract, we were impacting many more visitors than we should have been.”
The previous authentication vendor was flagging too many false positives. Legitimate customers called to complain about step-up authentication challenges at every login. Toby and his team had to correct the authentication vendor's mistakes manually.
“There was no rhyme or reason to the false positives,” says Toby. “For example, the vendor's product would challenge a customer from a familiar, unique IP address. At other times, it failed to stop login events from foreign IP addresses.”
The underlying problem: limited data. The previous authentication solution was supposed to work as a learning system. Feedback from Toby and his team was supposed to teach the solution how to weight subsequent events.
“The previous solution was sold as a ‘device-fingerprint solution,’ but we couldn't get more than a username, the IP address, and the score assigned to the event,” Toby remembers. “When we had an issue, we didn’t have any detail with which to conduct a root-cause analysis. When we approached the vendor and got a preview of the upcoming version, we could see that we wouldn’t get what we needed.”
Need for greater volume and quality of data drove switch to ClearKey
The Fraud team drove the change in authentication solutions. They could have their choice as long as it didn’t impact customers. Preferably, the Customer Care team would receive fewer complaints about the login experience.
Toby knew he wanted to replace the authentication solution with iovation ClearKey: “We'd been happy with iovation FraudForce for several years by that time. We expected end-to-end visibility from login to checkout. Whether customers place an order or change their contact information, we can protect and analyze the entire journey.”
How ClearKey Adds Seamless Two-Factor Authentication
iovation ClearKey adds the critical ingredients of context and risk to the telecom provider’s customer-facing authentication solution. iovation's patented recognition technology uses hundreds of device attributes and their unique orientation with each other to instantly identify each device without needing any of the customer’s directly identifiable personal information.
Customers get an invisible, frictionless web experience by using their device as an additional factor of authentication. They can choose the devices they want associated with their accounts and used for authentication, or the telecom provider can register accounts and devices automatically on behalf of its customers.
Powerful risk insights allow the telecom provider to guard against indicators of ATO attacks, including device anomalies, spoofing, and evasion. New or suspicious devices attempting to authenticate may receive step-up challenges, enhancing existing authentication procedures without heavy lifting or intense coding.
“Our IT and Security teams supported our request to switch to ClearKey. Customer Care loved the prospect of fewer frustrated customers calling about their login experiences,” Toby recalls. “My team craved the greater volume and quality of data that ClearKey would deliver.”
All stakeholders benefit from ClearKey
“When we switched to ClearKey, we got the information that we needed to automate more analysis and re-securing of compromised accounts,” Toby shares. “Now, we recognize devices and act accordingly. No more vague scores to base our decisions on.”
Along with richer detail have come more nuanced and configurable rules. With the previous authentication solution, Toby and his team could blacklist countries and whitelist known test accounts, but nothing else. Now, they can use iovation’s powerful rules engine and risk policies to determine exactly how ClearKey responds to trusted customers, specific threats, and detected anomalies.
The transition to ClearKey has brought tangible results, according to Toby: “We're saving the company money. Along with helping to automate our efforts, iovation's data has been effective at reducing our manual review queue. Many of our checks use logic based upon the data that we pull from iovation, data that we didn't get from the previous authentication vendor.”
Toby’s weekly reporting shows that ClearKey has improved the customer experience. In fact, ClearKey has increased collaboration between the Fraud and Customer Care teams.
“We've become more attuned to the customer experience,” says Toby. “When we launched iovation FraudForce, we made a lot of hard denies to stem a wave of fraud. Now that iovation ClearKey gives us a cleaner picture of the devices logging into our site, we've become more accommodating.”
With ClearKey protecting the login experience, Toby and his team are helping to make transactions easier. Instead of a blanket two-factor authentication experience for all customers, those using a trusted device will have a smoother experience.
“We're re-thinking and re-architecting the way many of our customer flows work,” says Toby. “In the future, with the amount of data available to us in real-time, we will be able to create more granular rules and logic to keep fraudsters at bay while reducing customer friction. Our customers are going to love it.”
“I call it a golden age of fraud. As far as account takeover is concerned, I don't think we've been in this good of a position for a year and a half.”
Toby Ceselski, Business Data Analyst III