Within the past decade, neo-banks and mobile wallets have upended traditional, brick and mortar financial services infrastructure with digital native products, and have quickly become some of the most widely adopted apps in the world.
Consumers have long been shifting their daily digital habits from desktop computers and laptops to mobile devices. Naturally, essential financial services like wallets, payments, and transfers are highly appealing if offered through the most convenient and widely adopted medium.
However, the convenient utility and growing adoption of mobile devices make them perfect targets for attackers aiming to commit financial fraud.
In this article, we’ll outline some reasons behavioral data acquisition can be a powerful component in an anti-fraud strategy tackling these two typologies. We’ll also provide some general examples of flows they can be integrated into with minimal impact on the user experience.
Mobile behavioral data is a powerful ingredient
Using fine-grained, behavioral data to establish profiles used in fraud monitoring is an incredibly effective way to minimize the number of assumptions made about any given user as early in their lifecycle as possible.
The more comprehensive the dataset, the more powerful the heuristic, the richer the profile, and the more accurate a model can be developed to predict the likelihood of various types of fraud.
Some examples of how behavioral data can be applied to things like account opening fraud include assessing a given user for application fluency measurement (how does user navigation speed compare to the average user?) or data familiarity (given keyboard usage and device orientation, is this phone number or email being copied or inputted from memory?).
Mobile interactions are rich with behavioral data
What makes these heuristics even more powerful is how they can be combined with mobile-specific data, building an even more complete picture of the user.
Mobile device interactions are far richer than desktop interactions from a behavioral data perspective. Accelerometer and gyroscope readings, device orientation, location data, and touch point patterns can all be used in a multitude of ways to establish a profile while minimizing assumptions about the user. This profile can then be used as a baseline for continual background verification of the user, as one example.
And in the case of mobile wallets specifically, where nearly every or all user interactions will be done on a mobile device, not gathering this goldmine of uniquely mobile behavioral data leaves risk models unnecessarily broad in their assumptions, which considerably shrinks their efficacy and ultimately makes catching fraud instances less likely.
Friction must be minimal
Teams developing mobile wallets spend considerable effort reducing sign-up flows to their absolute bare minimum requirements, as this allows them to maximize their users acquired while keeping acquisition costs minimal.
Sign-up friction in a competitive space is just another enemy. Mobile wallets in particular require a delicate balance between minimal effort and more user data than other apps. They also require a balance between security prompts and convenient utility.
The beauty of gathering mobile behavioral data during key flows like sign-up, sign-in, or PIN entry (when applicable) is that the richest possible data set can be gathered during data prompts that are absolutely necessary in the first place.
In something as simple as inputting an email address or entering a phone number during sign-in, rich context can be established on the user and incorporated into behavioral profiles and fraud models.
This means verification or authentication specific steps for a user can be used rarely, where previously (and still the case for some banking apps), 2FA from alternate devices (desktop sign-in, mobile pin code) was required at every sign-in or sign-up.
Combining KYC with mobile behavioral data
To continue on minimizing friction, behavioral data acquisition can also be layered into the KYC process.
In the same way, redundant steps in the security protocol or verification process can be eliminated during sign-in or sign-up, and so can they in the KYC flow.
The same heuristics we outlined (application fluency, data familiarity), can be measured and baselined during the mandatory KYC steps (Name, address, ID verification, etc.)
Example flows of behavioral data collection
Now that we’ve covered why behavioral data should be applied for fraud prevention, here are some examples of first-party data collection that can be integrated into standard flows that most mobile wallets have for their users.
Sign-up / Account Open
Common input fields are name, email, phone number, account name, password creation, and address. From these few fields, data gathered includes data entry events & patterns, and device motion.
Check for application fluency (is this one of many “dummy” accounts this user created), data familiarity (is the user the owner of the email, phone number?), and automation (is this a bot?).
Less entry fields, but similar ones to sign-un (ie Email, account name, password, phone number). Given behavioral baseline was already established during sign-up flow, a sign-in flow allows for additional data points for comparison (entry speed, touch point patterns, location data, device orientation).
Transfers / Payments
Assuming baseline was established during sign-up and cross-checked with sign-in, transfers & payments can be checked for the presence of automation as an extra precaution, as well as gated for specific numerical thresholds given the risk calculus of the model (if user risk is “X”, block all transfers / payments over “$Y”)
Any mobile banking app or mobile wallet is only as good as what and how much it can store safely. As mobile wallets grow even more popular, attackers will continue to target them because of their utility and ubiquity.
Behavioral data gathering, used in these and other ways, can be a powerful method for risk teams to combat the most expensive types of fraud like account opening fraud and account takeover, while simultaneously compressing the verification steps needed to keep users secure.