Why biometrics win consumer trust and layers are critical for identity verification
Some 19 billion records containing identity data and passwords have been compromised and leaked online in the last seven years. We should just start from the premise that everyone’s identity data and sensitive information has already been compromised; what do we do now?
The right approach, David Britton, VP of industry solutions of global fraud and identity at Experian, told Biometric Update, is to have layers of device recognition, device intelligence, behavioral biometrics and traditional biometrics. Identity verification is a critical piece of the solution. By triangulating a government identification document against other unique information about the user, all of those layers come together at the moment of the decision. When a legitimate consumer is trying to gain access to an account or make a transaction, they need a seamless, frictionless consumer experience, Britton explained, which can be delivered by recognizing them while blocking fraudsters out.
“We feel we can apply the same intelligence to solving both the fraud identity problem and enable consumer experiences that are elegant and really engage consumers from a recognition perspective. Consumers just want to be recognized,” Britton said.
Advanced technologies, behavioral biometrics and layering for strong authentication
Behavioral biometrics is the perfect example of how powerful, advanced technologies can be leveraged to recognize consumers, he adds. A user can now be identified from the way they use a mobile phone to navigate through an app. There are methods to capture and analyze that data to detect whether it is a genuine user, a bot or a scripted attack. Based on the genuine user’s interaction with the device, there will be specific characteristics of thumb pressure and finger gestures that a bot cannot replicate, for example.
What is important to remember, Britton insists, is that fraudsters are very intelligent, creative individuals that will likely not go down the same path twice. Because we’re dealing with a dynamic market, it’s critical for companies to roll out systems that will instantly adapt to new threats and vulnerabilities if they want to successfully stop fraudulent attacks.
“A business may spend a tremendous amount of money deploying a single solution that solves the problem today, but it may have a shelf life that doesn’t solve the threat attack that comes tomorrow,” Britton says.
“So one of the big things that we’ve realized, and it all goes back to the idea of layering, is if you can invest in a platform that has dynamic capabilities to take in more data, leveraging new capabilities as new technologies come about, and not have to rip and replace your systems every time, that’s going to be a tremendous value for businesses in their fight against fraud and the challenges that come online.”
Some companies already hold a good amount of data that they are not even leveraging for risk or fraud mitigation. That data can tell which networks users are coming from and where they log in from. By deploying device recognition from vendors like Experian, Britton says, companies can piece the data together to gain insights and decide, for example, whether they are dealing with a legitimate user or an imposter coming from a suspicious network or from a computer configured in a language different from the one the user normally uses, along with many other signals that can paint a clear picture of the person behind the online interaction.
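To make the layering concrete, here is an added Python sketch (not Experian’s product and not code from the article) that scores a login from two independent layers: a device-intelligence layer (locale, network, country, and whether the IP belongs to a hosting provider) and a behavioral layer (touch pressure and the timing between UI events, where a scripted session tends to look machine-regular). The user profile, the weights and thresholds, the ASNs and the three sample sessions are all constructed assumptions for illustration; the point is that either layer alone would miss cases the combination catches.

```python
"""Layered login risk scoring: device intelligence plus behavioral telemetry.

Added example. Weights, thresholds, ASNs and sample sessions are constructed
assumptions, not a vendor's scoring model.
"""
from dataclasses import dataclass
from statistics import pstdev


@dataclass
class UserProfile:
    """What has been learned about the genuine account holder from past logins."""
    usual_locale: str
    usual_asns: frozenset[int]
    usual_countries: frozenset[str]


@dataclass
class DeviceSignals:
    """Device-intelligence layer: how the device is configured and where it connects from."""
    locale: str
    asn: int
    country: str
    hosting_asn: bool  # assumed IP-intelligence flag: datacenter / VPN provider


@dataclass
class BehaviorSignals:
    """Behavioral layer: raw telemetry captured during the session."""
    touch_pressures: list[float]  # normalised 0..1 per tap
    event_gap_ms: list[float]     # milliseconds between consecutive UI events


ALLOW, STEP_UP, BLOCK = "allow", "step-up", "block"


def device_risk(profile: UserProfile, dev: DeviceSignals) -> tuple[int, list[str]]:
    """Score mismatches between the connecting device and the user's history."""
    score, reasons = 0, []
    if dev.locale != profile.usual_locale:
        score += 20
        reasons.append("locale-mismatch")
    if dev.asn not in profile.usual_asns:
        score += 15
        reasons.append("new-network")
    if dev.country not in profile.usual_countries:
        score += 25
        reasons.append("new-country")
    if dev.hosting_asn:
        score += 30
        reasons.append("hosting-asn")
    return score, reasons


def behavior_risk(beh: BehaviorSignals) -> tuple[int, list[str]]:
    """Scripted sessions show near-constant timing and flat or missing touch data."""
    score, reasons = 0, []
    if len(beh.event_gap_ms) < 2:
        score += 25
        reasons.append("no-timing-telemetry")
    elif pstdev(beh.event_gap_ms) < 5.0:  # humans are never this regular
        score += 40
        reasons.append("machine-like-timing")
    if len(beh.touch_pressures) < 2:
        score += 20
        reasons.append("no-touch-telemetry")
    elif pstdev(beh.touch_pressures) < 0.01:
        score += 30
        reasons.append("constant-pressure")
    return score, reasons


def decide(profile: UserProfile, dev: DeviceSignals, beh: BehaviorSignals) -> dict:
    """Combine both layers into one decision with the reasons that drove it."""
    d_score, d_reasons = device_risk(profile, dev)
    b_score, b_reasons = behavior_risk(beh)
    total = d_score + b_score
    if total >= 70:
        action = BLOCK
    elif total >= 35:
        action = STEP_UP  # e.g. ask for an additional factor
    else:
        action = ALLOW
    return {"score": total, "action": action, "reasons": d_reasons + b_reasons}


# Constructed sample data: one known user and three sessions claiming to be them.
PROFILE = UserProfile("en-US", frozenset({7922}), frozenset({"US"}))
HUMAN_TOUCH = BehaviorSignals([0.41, 0.55, 0.48, 0.60, 0.52, 0.45],
                              [180, 240, 310, 200, 275, 190])
GENUINE = (DeviceSignals("en-US", 7922, "US", False), HUMAN_TOUCH)
# Human behaviour, but from a new network in a new country: device layer alone flags it.
IMPOSTER = (DeviceSignals("en-US", 16509, "NL", False), HUMAN_TOUCH)
# Scripted session from a hosting ASN with a foreign locale and no touch data.
BOT = (DeviceSignals("ru-RU", 16509, "NL", True), BehaviorSignals([], [100.0] * 6))

if __name__ == "__main__":
    for name, (dev, beh) in (("genuine", GENUINE), ("imposter", IMPOSTER), ("bot", BOT)):
        print(name, decide(PROFILE, dev, beh))
```

Running it, the genuine session scores 0 and is allowed, the human imposter on an unfamiliar network and country scores 40 and is stepped up, and the scripted session scores 150 and is blocked. In a real deployment the weights would be learned from labelled traffic rather than hand-picked, and the step-up factor chosen should itself not be one the attacker can intercept.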
A big risk, however, is that advanced technologies could become another security and privacy nightmare. There are already a large number of mobile and IoT devices on the market, but the real issue is that product managers often lack a security or risk background, so their focus is rarely security.
If a device is network-enabled, Britton says, it should not be released with default usernames and passwords, because users will almost never bother to change default credentials, and the device will connect to the nearest network anyway without any extra configuration or technical knowledge from the user. Attackers exploit this weakness to access the device and then move laterally to take over the rest of the network.
“We absolutely believe that this is going to be the new battleground and the place where a lot of new attacks may emerge from,” Britton warns. “This is also why for businesses observing incoming consumer traffic, whether it’s through the browser channel, mobile apps, or from connected devices, understanding data such as where the devices are plugged in and then deploying systems that detect when anomalous traffic is coming in is huge.”
Consumer behavior in relation to security and digital engagement is intriguing. In the last couple of years, he says, research has shown that security ranks first on consumers’ lists of priorities, followed by convenience. Consumers are concerned about how their data is used and want “visible signs of security online.” However, while on paper consumers say security is critical, their behavior often disagrees.
Biometric authentication wins consumer trust
When asked about trustworthy methods of authentication, biometrics score high. Britton says Experian’s latest figures show some 65 percent of consumers feel safer if a biometric capability is involved, confirming consumers are embracing traditional biometrics such as Touch ID and Face ID and use them with confidence. Behavioral biometrics, on the other hand, might be new territory and chances are consumers are not fully aware of the interaction.
There will always be a challenge from the fraudster community, which will work hard at coming up with countermeasures for each standard the industry puts in place. Although consumers are comfortable with biometrics, that does not mean biometrics should be the only authentication or security method, Britton said.
“The fact that someone’s been authenticated with a biometric on its own shouldn’t necessarily be everything that the business is doing to secure that engagement. If the institution is only using the biometric portion, it’s going to miss out on intelligence,” Britton explained.
By bringing together layers, customers can benefit from enhanced security because “I do believe that at a certain point biometrics will have some vulnerabilities that every other method has had,” he warned. “Biometrics raises the game significantly. But having the layers behind it, rather than just relying on one modality, is going to be critical.”
Is there a silver bullet in ID security and fraud prevention?
One thing to understand is that there is no silver bullet in identity security and fraud prevention, however some would like to sell it. As a long-time practitioner in the fraud and identity space, especially online, Britton does not believe in a silver bullet for anything, but does believe it is about risk management rather than risk elimination. Risk elimination is very hard to achieve in the digital world, so by layering together data, technologies such as biometrics, capability sets and insights, fraudsters will have a much harder time attacking or taking over an account.
Hardware-based approaches could prove a distribution and convenience challenge, Britton believes. A good number of hardware-based tokens have already made the shift to software. While “hardware solutions could work for highly secure transactional work in the enterprise, for the general consumer the last thing they want to do is have to carry something around and use it as a plug in,” he explains. Consumer attitudes play a key role in how solutions play out. “All of the best security in the world is undone by consumer attitude,” Britton says.
Experian found that it all adds up to consumer recognition. As many as 74 percent of businesses are confident that if they can recognize the consumer and identify them upfront, then all fraud is prevented. How can human-to-human interactions be replicated in a digital channel where users are represented by proxies? By understanding how the consumer operates and how they interact with their services, companies believe they can tell a legitimate user from a fraudster in advance.
Life beyond the password
But users have displayed some poor cyber hygiene over the years, which has encouraged the security industry to look into different methodologies and advanced authentication techniques for a passwordless future. Britton says we should expect an evolution in the use of passwords over time, but “it’s not going to be a big bang approach.” Passwords will at some point clear the way for better approaches, but it will take a while, as many industries are still “entrenched” with them.
Some would argue that one-time passcodes (OTPs) reduce the attack surface and are less vulnerable than traditional passwords. Fraudsters use stolen passwords to infiltrate environments, which is why the industry’s immediate reaction is to come up with a solution that requires “out-of-band authentication.” That often means the user has to use their phone to authenticate, and trust in the relationship between the phone and the user would have to be very strong. Britton feels this only moves the problem around. If a bank uses a one-time passcode, for example, the information does not go through the bank’s channel but through a cellular carrier in the case of SMS texts.
“With One-Time-Passcode we have gone to a weaker channel and it’s actually very easy and possible for someone to intercept a One-Time-Passcode by either spoofing the phone or by launching social engineering attacks against the wireless carrier,” he explains. “None of these on their own are going to be the single solution to solving the problem. However, I do think that if you layer it in with things like behavioral biometrics, which is observing how someone interacts with the devices they are engaging, device intelligence, which means how the device is configured, and other layers, it would be possible to achieve a high degree of certainty” that the organization is dealing with a fraudster or a legitimate user.
What to expect from fraud in the near future?
When asked how fraud might evolve in the digital space in the next couple of years, Britton said phishing attacks will likely not go away and will remain one of the biggest types of attack. While back in 2004 and 2005 fraudsters were still guessing and sending hundreds of thousands of emails, they are evolving towards spear phishing. The target is a specific individual, anybody from a CFO to someone who has signing authority for moving money. Fraudsters are leveraging social engineering: after thoroughly researching the person, they send a very specific email designed to make the target feel comfortable enough to divulge information, Britton explains.
Criminals then use the stolen identity data to open a new bank account or steal the credentials of an existing one. They can compromise the cellular carrier relationship and mount a cross-channel attack, or intercept the one-time passcode and break in, but malware is usually what they use to steal data.
In its upcoming 2020 Global Identity & Fraud Report, Experian will discuss why businesses are prioritizing personalization and will be very customer centric in their business approach. To win over consumers, enterprises will have to convince them their organization can be trusted with security and data privacy. But businesses, in turn, don’t trust consumers, Britton says, which is why everyone has to go through security measures and a decision is made based more likely on suspicion than on trust.
Experian’s 2020 Global Identity & Fraud Report will be released in February 2020.