Asia: Despite spiraling online fraud, behavioral biometrics is yet to gain ground
By Frank Tan, Commercial Director, APAC, Callsign
In a region of 4.6 billion people, about half of whom have mobile internet access, Asia’s uptake of behavioral biometrics is surprisingly low. Surprising, both because payments make up the lion’s share of online financial transactions and because there is intense competition among banks, insurers, online retailers, new entrants, and others all vying for a slice of revenue.
The smartphone is now the communications, work, life and information center for hundreds of millions across Asia. Yet, the approach to verification, authentication and authorization remains reliant on outdated technologies to determine proof of identity.
Outdated approaches coupled with growing smartphone usage have meant the level of online fraud has gone through the roof, with scammers leveraging old technologies and various techniques to trick victims into giving up sensitive information for illegal financial gain.
Take, for example, Hong Kong, where banks reported a 145 percent increase in phishing frauds involving suspicious websites, mobile applications, SMS and emails in the first six months of 2021. Phone scams are an ongoing issue; last January, an elderly Hong Kong resident was scammed to the tune of US$32 million in an impersonation case. Despite world attention, the following month, an almost identical scam netted $2.5 million from another Hong Kong individual.
As an indication of just how bad the scamming situation has become in the Asia region, according to Callsign’s own research, consumers receive an average of three scams a day with a quarter saying they receive more messages from fraudsters than genuine messages from family and friends.
Some countries are more prone to specific scam types.
In Hong Kong, phone scams are common, while over in Singapore, there is a surge in vaccination scams. In the Philippines, Thailand and Indonesia consumers most commonly fall victim to SIM card swap fraud and account takeovers.
According to research conducted by Callsign this year, 83 percent of respondents said they have received a scam or fraud message, with nearly half (44 percent) saying they are a scam victim. Supporting the theory that fraudsters use the same channels companies use to communicate with legitimate account holders, most messages received purport to be from a bank, followed by retailers, delivery companies, and mobile network operators.
The knock-on effect of a low barrier of entry for criminals and the seemingly endless trail of victims is having an ongoing – and devastating – impact on brands. Almost a third of consumers who have been a victim of fraud say they stopped using the company the fraudster used to execute the scam. Given that most scams are underreported, this means brands are suffering reputational loss and losing hard-earned trust.
Yet, despite the scamdemic, providers continue to use 20th Century thinking to combat a 21st Century problem, thus further eroding customer confidence, damaging brands, and allowing fraudsters to strike almost with impunity.
Fraudsters mimic legitimate platforms
The constant barrage of online fraud and cyberattacks, and the ease with which criminals can mimic legitimate platforms for financial gain, prove that digital identity, and consequently digital trust, is broken. This situation is exacerbated because banks, for example, expect their customers to continually navigate ever more security procedures – sometimes due to compliance requirements – even though verification, authentication, and authorization processes, techniques and technologies have been vulnerable for so long.
In the last couple of years, there has been a pivot to facial recognition, but relying on one photo as a single form of authentication is again risky: it is open to fraud, with fraudsters presenting spoof images, and, if the hardware used is low end, facial recognition technology can exclude large parts of the population.
What is required is a 21st Century solution to a 21st Century problem.
Moving forward with biometrics
The solution harks back to 1961 when the password to access computer systems first made an appearance. All that was required then was for a string of characters to be entered, confirmed by the computer, and the digital journey began. The user did not need to answer security questions or provide sensitive personal information. The whole experience was straightforward and secure compared with today.
By layering behavioral biometrics in multifactor solutions, digital journeys may begin again with the same level of ease as sixty years ago. As it was then, everything needed to verify, authenticate, and authorize is unseen by the consumer although the level of sophistication is 21st Century.
Through the combination of inherence-based attributes, in the form of keystroke dynamics such as how you type, on top of traditional PINs and passwords, behavioral biometrics crunch away in the background, whether on a high- or low-end web or mobile device.
The natural swipe of a phone screen is unique to the individual; any attempt to replicate it easily fails, and so would any would-be scammer.
This ‘under the hood’ solution removes friction in one fell swoop and, combined with threat detection for any malware or unusual behavior, shuts out bad actors. By combining behavioral biometrics with artificial intelligence and machine learning, customer digital journeys are checked at key points along the way, meaning they are event-based rather than cookie-based.
Callsign’s biometric behavioral technology is focused on the authentication of a consumer from the very beginning of their digital journey. During this interaction, data is gathered from an array of inputs, such as the pressure applied by the user in touching the screen, the speed at which they trail their fingers across the display, their typing cadence, and the angle at which the device is held.
This is unique to the customer and virtually impossible to crack. If any abnormality is detected, a security layer is added, for example asking the customer whether they want to make the transaction or warning that a scam may be in operation.
Behavioral information is fused with other capabilities including device binding, location analysis, and threat detection to give organizations an easy-to-use, strong customer authentication capability that is both secure and compliant with legislation such as the EU’s Payment Services Directive 2 (PSD2).
Authentication shake up required
A radical shake-up of how public and private organizations perform authentication is needed, one that does not rely on housing sensitive customer information. There is a firm belief that the introduction of behavioral biometrics to verify, authenticate, and authorize online journeys will result in a dramatic fall in fraud.
It is hard to imagine the scamdemic getting worse than it is now. Even though there is a notable lag in behavioral biometric infiltration in Asia, there are some positive signs that this is about to change.
In July 2021, the Merchant Risk Council (MRC) – a global community united in combatting online fraud – formed the MRC Asia Pacific Advisory Board. Callsign along with Razer, Microsoft, Google, Facebook, Netflix, Air Asia, Lazada, Gojek, Accertify, Payoneer, Adyen, 2C2P, Visa, Riskified, and Ethoca (Mastercard) are all board members.
Of course, it would be wrong to put biometrics at the front and center of ending the scamdemic, but by taking a unified front involving consumers, vendors, governments, and associations, there is a great opportunity to catapult biometrics to the forefront of fraud prevention.
About the author
Frank Tan is Commercial Director, APAC at Callsign.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.