Has fraud met its match?
28 February 2017
Many prognosticators have pronounced privacy a pipe dream. With the mountains of personal information on social networks and the lack of security awareness by many users, cybercriminals have more than a snowball’s chance to grab anyone’s identity.
However, there are new ideas for counteracting identity theft that would take into account a person’s physical attributes to add another layer of security. The idea of using a fingerprint reader to log on to a smartphone isn’t new, but the latest wrinkle is to incorporate the pressure with which that finger types on the phone.
More than 41 million people in the US have had their identities stolen, and millions more have had their personally identifiable information (PII) placed at risk through a data breach, according to a Bankrate.com survey of 1,000 adults conducted last month.
Keir Breitenfeld, senior business consultant at Experian, said that the continued use of “shared secrets” or static data points, such as Social Security numbers, usernames and passwords, to verify identities and authenticate consumers creates a clear problem for users and companies alike – the perpetuation of fraud. “These pieces of PII are highly valuable, making them a top target for cybercriminals. A solution to this problem is the use of dynamic data, either on its own, or in combination with static factors,” he said.
Currently, 1.9 million records containing PII are compromised every day, leaving millions of people vulnerable to fraud. Additionally, according to Javelin’s 2017 Identity Fraud Study, identity fraud impacted 15.4 million victims in the United States in 2016, with the incidence rate increasing by 16 percent from 2015.
Breitenfeld said many companies use a form of authentication called identity element verification and validation. This traditional approach to authenticating individuals uses identity elements (for example Social Security number, date of birth, name, address) provided by an applicant and then compares these data points to data from trusted sources, such as credit bureaus. “Problematically, most of this data has already been stolen, making this form of authentication unreliable,” he said.
Ryan Zlockie, global vice president of authentication at Entrust Datacard, noted that an example of continuous authentication is the amount of pressure applied when typing, scrolling and swiping, which could be matched against the user’s typical behaviour. Another authentication pattern could be the time spent on a session or transaction. For example, the timing of the session contrasted with the actions completed can indicate whether answers are quickly being cut and pasted or typed out by hand. Or the cadence of typing can be used as a behavioural authentication tool that collects timing information describing exactly when each key was pressed and released as a person is typing at a computer keyboard. This cadence can be captured continuously, not just when a user first logs into a system or service.
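The cadence check described above, worked through as an added example (not code from the article or from Entrust Datacard): each keystroke is recorded as press and release times, the user's enrolled sessions give a per-feature mean and spread for key dwell and inter-key flight times, and a new session is scored by how far its timings sit from that profile. The event data and the threshold of 3.0 are constructed assumptions.

```python
"""Keystroke-cadence check: compare a typing session's dwell and flight
timings against a user's enrolled profile. Added example; all event data
below is constructed and the threshold is an illustrative assumption."""
from statistics import mean, stdev

# Each event: (key, press_time_ms, release_time_ms) as a login-form
# collector would report them. Three constructed enrolment sessions.
ENROLMENT = [
    [("p", 0, 95), ("a", 180, 270), ("s", 340, 430), ("s", 520, 605)],
    [("p", 0, 100), ("a", 175, 265), ("s", 350, 445), ("s", 515, 600)],
    [("p", 0, 90), ("a", 185, 280), ("s", 345, 435), ("s", 525, 610)],
]
# Constructed: the same user typing again, and a value pasted in all at once
# (near-zero dwell and flight, as the article's cut-and-paste case).
GENUINE = [("p", 0, 92), ("a", 182, 272), ("s", 342, 432), ("s", 522, 607)]
PASTED = [("p", 0, 30), ("a", 35, 65), ("s", 70, 100), ("s", 105, 135)]


def features(events):
    """Dwell = how long each key is held; flight = gap between one key's
    release and the next key's press. Together they describe the cadence."""
    dwell = [rel - press for _, press, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(sessions):
    """Per-feature mean and standard deviation over the enrolment sessions.
    Sigma is floored at 1 ms so a perfectly steady feature cannot divide by 0."""
    cols = list(zip(*(features(s) for s in sessions)))
    return [(mean(c), max(stdev(c), 1.0)) for c in cols]


def cadence_score(profile, events):
    """Mean absolute z-score of the session's timings against the profile;
    lower means closer to the user's usual rhythm."""
    obs = features(events)
    return mean(abs(x - mu) / sd for x, (mu, sd) in zip(obs, profile))


def is_consistent(profile, events, threshold=3.0):
    """True when the session's cadence is within the assumed tolerance."""
    return cadence_score(profile, events) < threshold


if __name__ == "__main__":
    prof = enroll(ENROLMENT)
    for name, ev in (("genuine", GENUINE), ("pasted", PASTED)):
        print(name, round(cadence_score(prof, ev), 2), is_consistent(prof, ev))
```

The same scoring can run on every form a user types during a session, not only at login, which is the continuous aspect the article describes.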
By layering in additional dynamic data that has little to no monetary value for cybercriminals, as opposed to relying solely on static information, companies have the potential to stop fraud, Breitenfeld added. Some of the new dynamic factors include:
Biometrics – Authentication factors such as fingerprints and retina scans can be used to securely verify consumer identities, as these factors are more difficult for fraudsters to steal or replicate.
IP address – Detecting if an account is being accessed from a new/unrecognised IP address can help stop fraud by challenging the user with additional authentication factors. Additionally, users can be notified if someone attempts to access their account from a new device.
Location – Location is another way to verify users, and several companies already use this as an authentication factor for purchases. For example, if you live in Kentucky, but an item is purchased using your credentials in China, the transaction will either be blocked completely or flagged to the appropriate people.
Selfies – Facial recognition software can be used to authenticate someone making transactions on his or her mobile device.
Velocity checks – Checking the historical shopping patterns of an individual and matching that record against his or her current purchases flags irregularities.
Social media profiles – Analysing a person’s social media and online accounts helps identify whether they are real. For instance, someone whose Facebook profile has been established for years with a high number of friends and consistent profile information is more likely to be authentic than someone with a profile that lacks breadth and depth, which can signify a false or newly created identity.
Authorised user activity – Monitoring identities that are being added as “authorised users” to accounts is often predictive of fraud, specifically account takeover and the creation of synthetic identities. If the same “authorised user” is being added as a new authorised user to accounts for various different people, it is likely a fraudulent identity.
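The layered approach in the list above, worked through as an added example that is not vendor code: a login or purchase is checked against several of the dynamic factors (unrecognised IP, location mismatch, purchase velocity, reuse of the same “authorised user” across accounts) and the combined score decides whether to allow, step up with another factor, or block. Account data, the IP addresses, the weights and the score cut-offs are all constructed assumptions.

```python
"""Layered dynamic-factor check for a login or purchase. Added example;
all history, weights and thresholds below are constructed assumptions."""
from dataclasses import dataclass, field
from statistics import mean, stdev
from typing import Optional


@dataclass
class Account:
    home_country: str
    known_ips: set
    purchase_history: list                       # past purchase amounts
    authorised_users: list = field(default_factory=list)


@dataclass
class Event:
    ip: str
    country: str
    amount: float
    new_authorised_user: Optional[str] = None    # name being added, if any


# Constructed: which other accounts recently added the same "authorised user".
AUTHORISED_USER_SEEN_ON = {"J. Doe": {"acct-17", "acct-52", "acct-88"}}


def risk_signals(acct, ev, velocity_sigma=3.0, reuse_limit=2):
    """Return the factors that fired, each with an assumed weight."""
    signals = {}
    if ev.ip not in acct.known_ips:                        # IP address factor
        signals["new_ip"] = 1
    if ev.country != acct.home_country:                    # location factor
        signals["location_mismatch"] = 2
    if len(acct.purchase_history) >= 2:                    # velocity check
        mu = mean(acct.purchase_history)
        sd = max(stdev(acct.purchase_history), 1.0)        # floor at 1 unit
        if ev.amount > mu + velocity_sigma * sd:
            signals["velocity"] = 2
    if ev.new_authorised_user:                             # authorised-user reuse
        others = AUTHORISED_USER_SEEN_ON.get(ev.new_authorised_user, set())
        if len(others) >= reuse_limit:
            signals["authorised_user_reuse"] = 4
    return signals


def decide(acct, ev):
    """Map the combined score to allow / step_up (extra factor) / block."""
    score = sum(risk_signals(acct, ev).values())
    if score >= 4:
        return "block"
    return "step_up" if score >= 1 else "allow"
```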
Zlockie added that another factor to examine is hack attack pattern matching, which can reveal an account takeover attempt by monitoring whether a user is rushing through the process and comparing the speed of the attempt with that of similar attacks. He said mobile push and transaction signing are not new authentication tactics, but they are more secure than dated approaches that rely on passwords or static credit card CVV codes. They are more than just a way to authenticate to an application, as they can be positioned and applied to a variety of workflow automation use cases.
Besides facial biometrics, there are also voice and iris biometrics that can authenticate individuals based on their inherent physical traits. “Biometric authentication has expanded beyond the fingerprint for good reason thanks to the fact that biological traits are non-transferable and provide a high level of protection against fraud. Voice and facial biometrics are flexible in the fact that they can continually authenticate users throughout a session without alerting them that they’re being monitored,” Zlockie said.
He took the physical aspect a bit further in citing the use of an electrocardiogram (ECG), heartbeat or BioStamp that can turn a user’s heartbeat into a unique differentiator that authenticates his or her digital identity. Whichever system or service a person uses could gain real-time access to their vital signs in order to verify the user throughout the entirety of a session or transaction.