Biometrics alone will not win the authentication wars

July 24, 2016

This is a guest post by Terry Nelms, Director of Research at Pindrop

Robbing a bank used to mean walking into a building, making threats and walking out with a bag of money. Now, fraudsters rely on committing crimes without a physical presence. From halfway around the world they can phone-in or use the Internet to commit crimes. Obviously, the rules have changed.

Hackers target banks and any business with a digital presence to steal people’s identities and extract valuable private information. Increasingly, hackers use impersonation methods to pose as individuals and commit fraud digitally and over the phone, especially in the call center, where fraud is expected to grow by 97 percent between 2015 and 2020 (Aite Group).

In addition, the increased presence of the Internet of Things in the consumer realm, such as watches, rings, and Amazon Echoes, makes us all more reliant on voice interaction. We’ve placed the future of security in the hands of the connected and need to counterbalance this growing threat.

The warning comes not a moment too soon as attackers use a smorgasbord of social engineering tactics and technology to accomplish account takeovers through enterprise call centers. A 2016 Aite report found that 72 percent of financial institution executives believe social engineering is a major to critical concern with respect to the call center. Fraudsters use tactics to hide their origin and mimic their victim using Caller ID spoofing. They steal (or purchase on the black market) personal data from customers and knowledge-based authentication service providers to impersonate their victim and fool call center reps. They jump back and forth between the online channel and the phone channel to obtain data they can use to authenticate.

The problem is significant – Pindrop research shows a 45 percent increase in fraud calls since 2013, resulting in an average loss of $0.65 per call due to fraud. This adds up to tens of billions of dollars. In addition, fraudulent calls cause a significant loss of productivity and time by forcing call centers to screen every single call. This is driving the search for technologies to help identify customers and fraudsters in enterprise call centers.

There are three common factors used for authentication: something you know, something you are and something you have. Currently the “something you know” factor is the predominant one used by the call center. However, this factor is known to be the easiest to beat and many fraudsters can successfully pass knowledge-based authentication (e.g., what’s your mother’s maiden name) using information about the customer that is accessible online.

Biometrics (“something you are”), for example in the form of a fingerprint, have been augmenting or replacing “something you know” or password authentication on laptops and mobile devices. Biometrics offer many advantages by liberating us from keeping track of multiple passwords and making recovery of access to a device much easier using the authenticity of your own voice, fingerprint, or iris. They provide much stronger authentication than “something you know”, but suffer from both false rejection and false acceptance errors. When a rejection occurs (false or not), the fallback is often “something you know” authentication. Voice analysis is typically the biometric of choice for “something you are” authentication in the call center since it is readily available. It can be used to verify a customer, saving time and providing a higher level of security than knowledge-based authentication. In addition, capturing a negative voiceprint allows for the “blacklisting” of callers, alerting on or blocking them when they call.

The “something you have” factor refers to an item in the possession of the user. Hand-held tokens, proximity cards and magnetic stripe cards are common examples. The biggest authentication risk for this factor is the “something you have” item being lost or stolen. At the call center, the phone device the customer uses to place the call can serve as the “something you have” item. Each phone device has a unique phoneprint that can be examined by extracting and analyzing features from the phone audio signal such as noise, loss and spectral characteristics. Because phoneprinting relies on source and channel features, it is difficult for an adversary to mimic without possession of the customer’s device. Also, like voice biometrics, phoneprints can both authenticate customers and detect fraudsters.

None of the authentication factors are perfect; however, combining them in the form of multi-factor authentication can significantly improve their effectiveness. For instance, consider authenticating callers with both voice biometrics and phoneprints. Voice biometrics identifies the user by examining properties of their voice, while phoneprinting extracts measurements from the audio signal to identify the device. When you put them together, you can ensure you identify the right caller from the right phone. According to Gartner, “using voice biometrics combined with phoneprinting provides the strongest method for authenticating callers and detecting fraudsters.” Therefore, when strong authentication is required, biometrics alone is not the answer. Instead it should be combined with another factor, preferably “something you have” such as your phone.
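The following is an added example, not code from the post or from Pindrop, showing the decision policy the last three paragraphs describe: a call is accepted only when both the voice biometric and the phoneprint match, a negative-voiceprint (blacklist) hit blocks the call, and any other rejection steps the caller up to knowledge-based questions. It also works through why the AND rule improves false acceptance at the cost of false rejection. The scores, thresholds and error rates are constructed values on a hypothetical 0 to 1 scale, and the independence assumption in `combined_rates` is this example's own.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"    # voice and phoneprint both matched the enrolled customer
    BLOCK = "block"      # caller matched a known-fraudster (negative) voiceprint
    STEP_UP = "step_up"  # at least one factor rejected: fall back to knowledge-based questions


@dataclass(frozen=True)
class FactorRates:
    """Per-factor error rates at the chosen operating threshold."""
    far: float  # false acceptance rate: an impostor scores above the threshold
    frr: float  # false rejection rate: the genuine customer scores below it


def combined_rates(voice: FactorRates, phone: FactorRates) -> FactorRates:
    """Error rates when BOTH factors must match (AND rule).

    Assumes the two factors fail independently (an assumption of this example).
    An impostor must beat both factors, so FAR shrinks multiplicatively; a genuine
    caller is rejected if either factor rejects, so FRR grows. That growth is why
    the post notes a fallback to "something you know" after a rejection.
    """
    far = voice.far * phone.far
    frr = 1.0 - (1.0 - voice.frr) * (1.0 - phone.frr)
    return FactorRates(far=far, frr=frr)


def authenticate(voice_score: float, phone_score: float, blacklist_score: float,
                 voice_threshold: float = 0.80, phone_threshold: float = 0.80,
                 blacklist_threshold: float = 0.90) -> Decision:
    """Decide one call from constructed similarity scores in [0, 1].

    voice_score     : similarity to the customer's enrolled voiceprint
    phone_score     : similarity to the phoneprint of the customer's known device
    blacklist_score : best similarity to any stored negative (fraudster) voiceprint
    The blacklist check runs first so a known fraudster is never stepped up to KBA,
    where stolen personal data could let them pass.
    """
    if blacklist_score >= blacklist_threshold:
        return Decision.BLOCK
    if voice_score >= voice_threshold and phone_score >= phone_threshold:
        return Decision.ACCEPT
    return Decision.STEP_UP


if __name__ == "__main__":
    # Right voice from an unfamiliar phone: the voice alone is not enough.
    print(authenticate(voice_score=0.92, phone_score=0.40, blacklist_score=0.05))
    print(combined_rates(FactorRates(far=0.02, frr=0.05), FactorRates(far=0.05, frr=0.03)))
```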

DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.


About Terry Nelms

Terry Nelms is the Director of Research at Pindrop where he leads a team of applied researchers solving challenging problems in fraud detection and authentication. Prior joining Pindrop, he spent over a decade inventing, designing and developing protection technologies at ISS, IBM and Damballa. His research has produced new security products, patents and publications in top industry and academic conferences. He holds a B.S. and M.S. in Information Systems and a Ph.D. in Computer Science from the Georgia Institute of Technology.