Speed and ease of use have made online lenders increasingly popular with consumers, but those same qualities have put them in fraudsters’ cross hairs.
There were approximately a million cyberattacks targeting online lending applications in 2016, according to a report from the security firm ThreatMetrix. Had the thieves been successful in every attempt, $10 billion would have been stolen. Overall, the number of attacks specifically aimed at alternative lending increased 150% from the third quarter of 2016 to the fourth quarter.
Although the entire financial services industry is a hot target for cybercriminals, online lenders are perhaps particularly vulnerable. They differentiate themselves based on their ability to process loan applications quickly. For cybercriminals, that’s an advantage. Meanwhile, the rise in attempts underscores the need for financial firms that manage digital identity and authenticate customers to evolve.
As Credit Union Journal has reported, data breaches at financial institutions -- including CUs -- were down by 26% last year, though total breaches rose by 40%, including attacks on merchants and others that can result in losses for FIs.
The amount of new loan application fraud is higher than ever before as cybercriminals buy, trade, augment and monetize stolen identity credentials for financial gain, perhaps seeing these new players as a softer target than some of the larger established banks, said Vanita Pandey, vice president of strategy and product marketing at ThreatMetrix.
Online lenders “typically make decisions more quickly – that’s one of their selling points – and use nontraditional metrics to lend,” Pandey said. “They also often target the unbanked, so their appetite for risk is higher and may be seen as easier targets” in the eyes of fraudsters.
That dynamic makes it important for online lenders to be vigilant with security, said Diwakar Choubey, chief executive of MoneyLion, a New York-based online lending firm.
“This is an issue that is top of mind for a lot of us and something we think about on a daily basis,” Choubey said. “We invest heavily in [security] technology and work with the data bureaus and have a significant infrastructure in place.”
The challenge for such lenders is that these fraudulent applications are becoming increasingly indistinguishable from authentic identities because they are created using a variety of stolen data, Pandey said. In total, ThreatMetrix detected 80 million attacks that used fake or stolen credentials in the finance sector in 2016.
New strategies of fraud can be more difficult to root out and stop, said Canh Tran, co-founder and CEO of Rippleshot, a provider of fraud analytics services. He said “synthetic fraud,” in which criminals create an entirely new fake identity, is becoming popular among cybercriminals.
Generally in synthetic fraud, a criminal uses a combination of different data to apply for a credit card – for example, one person’s name and a different person’s Social Security number, Tran explained. When that information gets run through a credit bureau, the application will get denied, since the name and Social Security number do not match, but the bureau then has that name and number combination in its system. The fraudster will then go to an online lender for a small loan, and typically the lender might simply “ping” the credit bureau to see whether this name and Social Security number exist together. The bureaus often then respond affirmatively, Tran said.
“Online lenders usually offer access to smaller loans than banks,” typically $2,000 to $5,000, Tran said. “These online lenders pride themselves on speed, and making a decision quickly with less information. There’s not the paperwork of, say, getting a mortgage.”
Further, many fraudsters have worked out how to “crack” the algorithms of online lenders, Tran said. This means that if a lender asks for 10 pieces of information, the algorithm really only relies heavily on four or five of those to authenticate. Fraudsters figure out which those are, and focus on making sure those pieces of information look as authentic as possible, rather than the entire application, he said.
Synthetic fraud “is the next step in fraudulent criminal activities,” Tran said.
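The bureau “ping” Tran describes can be shown in a short sketch, added here as an illustration and not taken from the article, any lender or any credit bureau: an existence-only check accepts a synthetic name and Social Security number pair, while a check that looks at how the file came to exist sends it to review. The record fields, the 180-day threshold and the sample data are assumptions made for this example; real bureau responses differ.

```python
from dataclasses import dataclass

@dataclass
class BureauFile:      # hypothetical record layout, not a real bureau schema
    name: str
    ssn: str
    origin: str        # "tradeline": reported by a creditor; "inquiry": created by an application
    age_days: int
    tradelines: int

# Constructed sample data. SSNs beginning with 9 are never issued.
BUREAU = [
    BureauFile("Alice Moreno", "900-00-0001", "tradeline", 4200, 7),
    # Left behind by a denied card application that paired a new name with Alice's SSN.
    BureauFile("Jordan Pike", "900-00-0001", "inquiry", 21, 0),
    BureauFile("Sam Okafor", "900-00-0002", "tradeline", 2900, 3),
]

def pair_exists(name, ssn, files=BUREAU):
    """Weak check: does this name and SSN combination exist on file?"""
    return any(f.name == name and f.ssn == ssn for f in files)

def assess(name, ssn, files=BUREAU, min_age_days=180):
    """Hardened check: return (decision, reasons) based on how the file came to exist."""
    match = next((f for f in files if f.name == name and f.ssn == ssn), None)
    if match is None:
        return "decline", ["no file for this name and SSN"]
    reasons = []
    # An older file for the same SSN under another name points to a borrowed number.
    if any(f.ssn == ssn and f.name != name and f.age_days > match.age_days
           for f in files):
        reasons.append("SSN already on an older file under another name")
    if match.origin == "inquiry":
        reasons.append("file created by an application, not by a creditor")
    if match.tradelines == 0:
        reasons.append("no credit history")
    if match.age_days < min_age_days:
        reasons.append("file newer than %d days" % min_age_days)
    return ("manual_review" if reasons else "verified"), reasons

if __name__ == "__main__":
    for who in [("Jordan Pike", "900-00-0001"), ("Alice Moreno", "900-00-0001")]:
        print(who, "exists:", pair_exists(*who), "->", assess(*who))
```
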
Tran and Pandey said these examples are part of the larger issue of more effectively managing how people’s digital identities are authenticated. They noted, as have many others, that authentication tools such as usernames and passwords are simply ineffective today.
“Identity data has become quite available; you can buy someone’s credentials from the dark web for next to nothing,” Pandey said.
Instead, financial firms should incorporate things like device authentication and biometrics. Further, Pandey said they should utilize behavioral analytics, such as analysis of a user’s intricate and often diverse online footprint as a way of identifying anomalous and high-risk behavior. Machine learning can also help provide a predictive model based on past behavior and transaction data.
“It’s a constantly evolving cat-and-mouse game,” Pandey said.
Choubey and others say there's a need for better ways to authenticate identity. MoneyLion asks for a robust amount of information when users first sign up, and often requires a driver’s license or other paper documentation. For recurring customers, it uses two-factor authentication plus an “out of wallet” question at the end. (“What was the color of your first car?” is an example of an out-of-wallet question.)
In the future, Choubey said, authentication should be biometrics-based, such as a facial scan for all financial transaction authentications. But since fraudsters are continually looking for new ways to gain access, firms that house customer financial data must continue to evolve, he said.
“Both sides continue to try and one-up each other and we have to continue to pay high attention to this,” Choubey said.