Use liveness detection to cut stolen data’s value, and explain why: panel
![Use liveness detection to cut stolen data’s value, and explain why: panel](https://d1sr9z1pdl3mb7.cloudfront.net/wp-content/uploads/2022/07/27132556/data-privacy-1024x629.jpg)
The information that people present as evidence of their identity claims is widely available enough on the internet to undermine identity verification, but biometrics have an inherent security characteristic that separates them from all of the other data. This was the key point of emphasis in a panel discussion on “The Role Biometrics Can Play in Devaluing Stolen Data.”
The panel was part of a policy event on “Identity, Authentication and the Road Ahead” co-hosted by the Better Identity Coalition, FIDO Alliance, and the Identity Theft Resource Center. A recording is available from the Center for Cybersecurity Policy and Law.
FaceTec SVP for North America Jay Meier moderated the panel, and began by turning to CITeR Director Stephanie Schuckers to define what it means to reduce the value of stolen data.
“You’re adding additional layers of security that make it much more difficult for the attackers to use that data, even if they steal it.”
This is possible with liveness detection technology that can identify even advanced deepfakes made with generative AI and injected into video streams.
The panel also included Arun Vemury, speaking not in his role as an advisor to the ITRC and not representing the Department of Homeland Security; ITRC COO James Lee; and National Consumers League VP of Public Policy, Telecom and Fraud John Breyault.
The recent wave of data breaches is the “capture phase” of a crime wave, Meier said, and now we are entering a “harvest phase,” in which the data will be used for fraud.
Lee talked about the urgency of establishing defenses against this expected increase in online fraud. “We’re going to get more of it over time,” he warns. But biometrics provide a way to move beyond this vulnerable analysis of static data.
Vemury noted that the inherence factor (something you are) of biometrics allows a relying party to tie the identity back to the original identity binding process, unlike possession and knowledge factors. Without liveness, however, that biometric factor is no different than any other data point that can be typed into a data field.
With each scenario in which liveness negates an attacker’s ability to penetrate a system, the stolen data is devalued, Lee pointed out.
But the introduction of new and powerful technologies also makes some people nervous, with some justification, Meier said, while also presenting an opportunity for fear mongering.
Asked about the potential for harmful unintended consequences, Breyault cautioned that even a net win for society should not blind observers to potential costs to consumers. Marginalized, disabled and darker-skinned people may be suspicious of the use of biometric data, based on past uses of biometrics that have excluded some people, intentionally or not.
Biometrics should be reserved for certain types of transactions, Vemury suggested. Some online transactions can be carried out with at least some degree of anonymity, Vemury said, which could reduce the number of honey-pots of consumer data for hackers to steal.
When it comes to public perception, Schuckers noted that the term “biometrics” refers to a broad range of applications that covers use cases many people find acceptable, and others that even biometrics advocates consider unacceptable.
“The connection between the biological and the digital is the key piece,” she said, referring to liveness.
Meier noted that consumers and politicians do not seem to be clear on this distinction.
The identity fraud and theft statistics are staggering, however, and while Breyault says the consent-based model is generally broken, it should be embraced for biometrics, given a non-coercive implementation. Breyault and Lee both emphasized the value of data minimization for reducing risks to consumers.
The panelists were united in the belief that better explanations to consumers about what is happening and why could encourage the adoption of biometrics and liveness detection.
Meier noted the overlap of the above points with best practices like those identified by DIACC.
Those best practices are important in part because of the tension between the pace of technology adoption needed to stem the tide of fraud and the need for social dialogue, which takes time. Best practices discussed included the disclosures that should be made to consumers, and the need for an alternative pathway for identity verification and authentication.
Ultimately, the panelists agreed that robust tools are available to devalue stolen data today, but they should be selected based on a full range of considerations, including independent testing, and they must be layered properly to be effective.