Behavioral biometrics can effectively fight digital fraud, security experts say
Last year, American consumers lost nearly $16.9 billion because of identity fraud, John Buzzard, lead fraud and security analyst at Javelin Strategy & Research, told Suparna Goswami, Associate Editor at ISMG Asia, in a video interview.
Scammers and cybercriminals can easily infiltrate financial institutions and use account takeover and social engineering tactics to steal money. According to Buzzard, 72 percent of the fraud activity was related to account takeover, often involving a credential stuffing attack. When physical documents are used for identification, they are often counterfeited in Photoshop. However, Buzzard believes continuous authentication could be the solution in fraud prevention.
“If you’re a banker, and I have signed up for your online banking, your mobile application, it’s important to not only authenticate my credentials when I use my username, or when I signed on, but throughout the process of any interaction that I’m doing with your application,” Buzzard explains. “A lot of folks in this industry really put a lot of value reasonably on trusted devices, as well. So, we’re trying to holistically not only just say you’re with us online, but it’s your device, and it’s your activity.”
Too many users submit fake identity proof or documentation, and the problem often is that to prove identity, most companies require some form of plastic combined with a utility bill. But behavioral biometrics mixed with machine learning and a skilled workforce could be a great method to confirm a user is showing legitimate documents, and to ensure continuous authentication.
“If you are authenticating some physical documents that are being presented to you and then you are benchmarking and analyzing the customer’s digital behavior when they are with you in a digital banking transaction, that is pretty powerful in understanding some fascinating aspects of their profile,” Buzzard said.
Buzzard has worked in fraud, security and risk management for over twenty years, and has contributed greatly to the field of card fraud, risk and security services through research and consulting.
Uri Rivner, Chief Cyber Officer at BioCatch, shares Buzzard’s belief that behavioral biometrics could be the solution to identity and authentication challenges. Rivner warns that the gig economy and COVID-19 are changing digital identity, as trust and safety are becoming an issue. Now that people are working from home, it is easy for digital accounts to be abused.
“When digital accounts are misused and shared, there are far reaching implications. Lack of accountability. Lack of attribution. Impact on reputation when foul play is discovered. And, quite often, trust and safety concerns,” Rivner writes.
Password authentication is part of the past, and has repeatedly proven ineffective. While the trend in the last twenty years has been to use a trusted device and a one-time passcode, these methods are no longer appropriate for establishing identity. Not only is it easy for criminals to bypass device checks, but the fact that a user logs into an account with a trusted device and passcode doesn’t mean that user is the genuine owner of the account.
Once these methods proved ineffective, selfies and fingerprints grew in popularity, but the truth is they are “convenience factors” and a user can add as many fingerprints and facial images as desired to unlock the device.
“Unless the face image or fingerprint are matched against a central database or a separate document that can be independently validated, all they really mean is that the device recognizes the person who has set it up,” Rivner explains.
However, passive and behavioral biometrics are the new trend because they are less intrusive, can provide continuous monitoring and verify the user by behavior. They don’t necessarily replace passwords, but simply match current and previous behavior to confirm the user is legitimate. When someone working from home shares an account with friends and family to make some extra money, behavioral biometrics prevent account breaches or misuse, and alert the organization that there is a case of split digital identity.