Biometrics

Has fraud met its match?

28 February 2017

Zlockie said cognitive authentication is still in the research stages, but it collects multiple parameters to create a unique user profile. When a person is presented with a novel stimulus, like a familiar photograph or song, it measures his or her response using a variety of techniques like EEG, ECG, blood pressure volume, electrodermal response, eye trackers and pupillometry. Cognitive authentication would then validate the user by matching the response to pre-recorded metrics.

What’s next?
Looking further into the future, to truly devalue data the industry needs to consider a more comprehensive approach to identity authentication – a hub of identities, Breitenfeld said. This centralisation of information would combine dynamic factors with PII to create a centralised “consumer identity.” Companies would then request authentication of that specific identity, rather than requesting, sharing and ultimately storing consumer PII. “This removes the burden from a company collecting and being responsible for consumer PII that is unnecessary to the transaction, and having to risk the potential of being hacked and dealing with the consequences,” he said.

Don’t credit card companies already block irregular purchases though?

Breitenfeld admits that is the case, but what he espouses is the consistency of identity elements being used to open an account. “At Experian, we analyze more than 3 million identity transactions (not solely financial) a day, and over time we can start to see if elements like names, addresses, SSNs and dates of birth are being used consistently or not,” he said. “For example, if we see that one specific person’s information is used at a relatively normal velocity and consistency, and we can verify their identity, that’s a low risk of fraudulent activity. If, however, we begin to see that person’s name with five different addresses and SSNs, or we’re seeing high velocity of any one of these elements, that’s a bad sign. Overall, we’re looking for the consistent use of identities; deconstructing them down to the element-level enables us to see if they’re being used to perpetrate fraud.”

Experian also uses device risk assessments, a combination of specific device attributes, habits and associated identity elements, to verify the identity of the person making a purchase or logging into an account. For example, geolocation (a device attribute) helps ensure that the person is conducting a transaction (making a purchase or logging in) from an expected and/or regular location.

OS attributes
Another example of information that could be part of an identity hub is the attributes of operating systems. What if the language of the device’s operating system does not match what is expected for that specific identity? If one unique device is associated with different locations and languages, in addition to different personally identifiable information, there’s a clear problem, he said.

“So, this information, combined with their regular habits, creates a baseline of how people typically use their device and then compares that data to identify deviations. Everything from the resolution of the screen to the exact version of an operating system are device attributes that can help identify if an account is being used fraudulently,” Breitenfeld noted.
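The element-level consistency and velocity checks Breitenfeld describes, together with the device-attribute comparison in this section, can be sketched as one small detector. This is an added example, not Experian's code: the field names, thresholds, anchor list and sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def tx(ts, **elements):
    """Build one constructed transaction: (timestamp, {element: value})."""
    return datetime.fromisoformat(ts), elements

# Constructed sample data, not real records.
SAMPLE = [
    tx("2017-02-01T09:00", name="Ann Lee", ssn="SSN-A", address="1 Oak St", device="dev-1", os_lang="en"),
    tx("2017-02-08T18:30", name="Ann Lee", ssn="SSN-A", address="1 Oak St", device="dev-1", os_lang="en"),
    tx("2017-02-15T12:10", name="Ann Lee", ssn="SSN-A", address="1 Oak St", device="dev-1", os_lang="en"),
    tx("2017-02-20T10:00", name="Bob Ray", ssn="SSN-B1", address="5 Elm Rd", device="dev-9", os_lang="en"),
    tx("2017-02-20T10:05", name="Bob Ray", ssn="SSN-B2", address="7 Pine Ave", device="dev-9", os_lang="ru"),
    tx("2017-02-20T10:09", name="Bob Ray", ssn="SSN-B3", address="9 Ash Ln", device="dev-9", os_lang="fr"),
    tx("2017-02-20T10:12", name="Cy Dole", ssn="SSN-B1", address="5 Elm Rd", device="dev-9", os_lang="en"),
]

ANCHORS = ("name", "ssn", "device")  # elements whose usage is profiled (assumption)

def element_risk(transactions, max_linked=2, max_uses=3, window=timedelta(hours=1)):
    """Map (element, value) -> reasons it looks inconsistent or high-velocity."""
    linked = defaultdict(lambda: defaultdict(set))  # anchor -> other element -> values seen
    times = defaultdict(list)                       # anchor -> timestamps of use
    for ts, elems in transactions:
        for anchor in elems.items():
            if anchor[0] not in ANCHORS:
                continue
            times[anchor].append(ts)
            for other, value in elems.items():
                if other != anchor[0]:
                    linked[anchor][other].add(value)
    flags = defaultdict(list)
    # Consistency: one element tied to too many distinct values of another.
    for anchor, others in linked.items():
        for other, values in others.items():
            if len(values) > max_linked:
                flags[anchor].append(("inconsistent", other, len(values)))
    # Velocity: too many uses of one element inside a sliding time window.
    for anchor, stamps in times.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 > max_uses:
                flags[anchor].append(("velocity", hi - lo + 1))
                break
    return dict(flags)

if __name__ == "__main__":
    for anchor, reasons in element_risk(SAMPLE).items():
        print(anchor, reasons)
```

The consistently used identity produces no flags, while the name reused across several SSNs and addresses and the device seen with several OS languages are both surfaced for step-up verification.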

Multi-factor authentication is a common method of verification that uses step-up authentication treatments. These include knowledge-based authentication questions (such as security questions), one-time passwords and document verification such as selfies, e-signatures or application form fills to certify that a user is authorised to conduct a transaction.

While this method has been used for years, traditional multi-factor authentication is not as secure as some might think, Breitenfeld said. For example, when a code is sent via text, there is no way to know if the correct user is seeing the text. The phone may have been stolen or a criminal could be using a technique called mirroring to receive texts sent to a cell phone. This authentication method can be improved by adding more dynamic data, such as a selfie, to the process.

The selfie example would work such that when someone fills out an application for a product or service, he or she submits a picture of his or her driver’s license, displaying the driver’s name, date of birth and address. This information is scraped from the photo and used in the application form, and it is verified by capturing the static ID info. Later, if someone has trouble logging in and fails to answer security questions, the system could ask for a selfie to compare to the user’s photo already on file.

Patterns and verification
Experian also uses fraud models that enable verification processes to run a user through a variety of known fraud patterns and determine if there should be additional verification prior to confirming the person’s identity. For example, the model takes into account multiple factors that are common among cybercriminals to create profiles that help identify potential fraudsters. A consumer’s identity elements are compared to this model to determine risk for companies. A fraud model can also be adjusted to meet a company’s desired risk threshold; this frequently occurs during the holidays, when consumers are making more purchases and companies do not want to be a barrier to transactions, even though the purchase behaviour is abnormal for the individual.

Experian also uses consortium files that are shared records with verified and updated fraud lists. They are collected by various entities, including banks, credit card companies, telecommunications providers and other lenders, and used to support participating organisations in stopping regular fraud offenders. Information shared could include high-velocity SSNs, addresses that are established as fraud mail-drops or risky locations, recycled phone numbers, and repeat physical addresses and email addresses that are associated or connected to existing fraud records.

Generally, these files would be managed or housed by a trusted third party, such as a credit reporting agency. Data would be collected from multiple sources, such as banks, and the credit agency would allow access to these files in real-time.

 

Ryan Francis, managing editor, CSO magazine (IDGNS)
