Biometric selfies and liveness detection value in stark relief in Jumio new account fraud report
Companies using selfie biometrics to verify new customer identities are five times more likely to catch new account fraud than those that rely only on an ID document, according to Jumio’s 2020 Holiday New Account Fraud Report.
In an analysis of onboarding attempts by its ID Verification and Identity Verification solutions, Jumio found that fraud was detected in 1.41 percent of ID-only verifications, but the use of selfie biometrics with an official ID document made the fraud detection rate much higher, at 7.15 percent. The despite an overall decrease in new account fraud based on ID verification of 23.2 percent worldwide in 2020.
Jumio VP of Global Marketing Dean Nicolls points out to Biometric Update in an interview that the company has seen roughly 80 percent less fraud experienced by customers that require a selfie for biometric matching and liveness detection, compared to customers that only require a government-issued ID. The report attributes the difference at least in part to the “chilling effect” that advanced biometric security techniques have on attempts to defraud onboarding systems, with fraudsters abandoning attempts that involve live selfies.
The report breaks out the month of November to consider holiday shopping trends, and looks back over the past four years to analyze onboarding fraud by industry, region, and channel. The latter analysis reveals that SDK-based implementations seem to face fewer fraud attempts, with nearly twice as much fraud found in the API and web channels. Nicolls explains this is likely due to the ability of customers using API or web-based implementations to upload images, which makes it easier for criminals to avoid sharing images of themselves. Within the API and web channels, Jumio customers demanding live selfies experienced three times less fraud than those allowing uploaded images for user biometric authentication.
While some customers implementing onboarding processes that allow images to be uploaded can apply a “light form of liveness,” such as having the customer write their name, the institution’s name, and the date on a piece of paper, those methods are also vulnerable to spoof attacks.
“We try to tell our customers, ‘if you’re going to use the web channel or leverage the API, make sure you’re capitalizing on the camera for a live capture of the person’ versus just letting them upload a document, or upload a picture of their selfie, because you’re going to have more fraud,” Nicolls warns.
On the other hand, “As soon as you’re validating for their real identity and you’re validating with a selfie with liveness detection, they have a lot more at stake by using their own likeness.”
Fraud levels associated with ID cards and passports have been higher over the past several years than those using driver’s licenses, which Nicolls thinks may be related to stronger security measures in many driver’s licenses. He also sees change coming, in that regard.
“With passports I think you’re going to see that number continue to go down because of NFC,” Nicolls says. “More and more passports are being chip-enabled, they have a little biometric chip in there, and I think that’s going to drive down passport fraud quite a bit.”
In the section of the report on fraud rates with selfies, Jumio suggests several reasons why selfies are considered invalid, beyond not matching the identity document image. Those include manipulated selfies and failed liveness checks based on using the ID document image itself or a picture of a picture to match against.
Nicolls also notes that with the proliferation of stolen data, cybercriminals can now acquire “fulls” which include selfies along with identity documents and other information, which he says shows why liveness detection is so critical.
In all, however, the results show significant progress in stopping new account fraud through biometrics and presentation attack detection (PAD) technologies.
“High numbers actually mean that we’re detecting and catching it,” Nicolls observes, but adds a cautionary note. “That’s a good thing, but the sheer number of attempts that are happening is remarkably high.”