Harnessing new technologies to stop today’s modern account takeover threats
Massive data breaches over the last decade, including the likes of Yahoo and Equifax, have compromised the Personally Identifiable Information (PII) of billions of consumers. As a result, the dark web has emerged as a significant threat to financial services organisations: it gives cybercriminals a safe place to congregate, collaborate, and buy and sell this information.
Account takeover (ATO) is a method of fraud that financial services organisations need to be particularly vigilant about in light of this. With this form of identity theft, a criminal uses legitimate, but stolen, customer details and personal information to access an online account. According to UK Finance’s Fraud the Facts 2019 report, account takeover fraud resulted in just shy of £18 million being taken from consumers in 2018-2019, and unfortunately cases of ATO are continuing to rise. In fact, a recent report highlighted that the number of ATO cases going to court in the UK climbed 57% in the first half of 2019.
The numerous large-scale data breaches that have taken place in the past decade and the subsequent emergence of the dark web have undoubtedly fuelled the growth in ATO. However, due to financial organisations’ continued use of outdated, legacy methods of authentication, such as knowledge-based authentication and SMS-based two-factor authentication, the level of ATO shows little sign of abating. Supposedly secure information can now be purchased for next to nothing on the dark web, which is why these legacy forms of authentication are fast becoming obsolete.
Credential stuffing is also on the rise due to the ease with which cybercriminals can obtain personal information on the dark web. This is a type of cyberattack where stolen account credentials, consisting of lists of usernames or email addresses and corresponding passwords, are used to gain unauthorised access to users’ accounts through large-scale, automated login requests. Unlike a brute-force attack, which involves cybercriminals identifying valid login credentials by trying different values for usernames and passwords, credential stuffing attacks do not attempt to access an account with brute force or guess any passwords. The attacker simply automates the logins for thousands to millions of previously discovered credential pairs using standard web automation tools, therefore limiting the number of tries necessary to succeed.
To crack down on these kinds of online fraud, the financial services industry needs to look seriously at alternative identity verification solutions, namely face-based biometrics paired with certified liveness detection.
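The difference between the two attack shapes described above is visible in authentication logs. The following is an added example, not part of the original article: a detection sketch that labels each source by how many distinct accounts it touches per login attempt. The log format, thresholds, function names and sample events are all constructed assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed auth events: '<timestamp> <source_ip> <username> <OK|FAIL>'."""
    lines = []
    for i in range(12):  # stuffing shape: one source, 12 accounts, one try each
        outcome = "OK" if i == 7 else "FAIL"
        lines.append(f"2019-11-04T09:00:{i:02d}Z 198.51.100.7 user{i}@example.com {outcome}")
    for i in range(12):  # brute-force shape: one source, one account, 12 tries
        lines.append(f"2019-11-04T09:05:{i:02d}Z 203.0.113.9 bob@example.com FAIL")
    # ordinary customer: one mistyped password, then a successful login
    lines.append("2019-11-04T09:10:00Z 192.0.2.44 carol@example.com FAIL")
    lines.append("2019-11-04T09:10:20Z 192.0.2.44 carol@example.com OK")
    return lines

def classify_sources(lines, min_attempts=10, stuffing_ratio=0.8, brute_ratio=0.2):
    """Label each source by distinct accounts per attempt (thresholds are assumptions)."""
    by_source = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines rather than guessing fields
        _ts, ip, user, outcome = parts
        by_source[ip].append((user.lower(), outcome))
    verdicts = {}
    for ip, events in by_source.items():
        accounts = {user for user, _ in events}
        ratio = len(accounts) / len(events)
        if len(events) < min_attempts:
            kind = "normal"
        elif ratio >= stuffing_ratio:
            kind = "credential_stuffing"  # many accounts, about one try each
        elif ratio <= brute_ratio:
            kind = "brute_force"          # few accounts, many guesses each
        else:
            kind = "suspicious"
        # A success inside a flagged burst means the account is likely
        # compromised: queue it for a forced reset and session review.
        hits = sorted({u for u, o in events if o == "OK"}) if kind != "normal" else []
        verdicts[ip] = {"kind": kind, "attempts": len(events),
                        "accounts": len(accounts), "review": hits}
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_sources(build_sample()).items():
        print(ip, verdict)
```

Counting per source address alone misses campaigns spread across many addresses, so in practice the same ratio is also worth computing per device fingerprint or network range.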
Giving the power back to financial services
The majority of the security C-suite (86%) would be happy to abandon traditional password authentication if possible, according to recent research by IDG and MobileIron. What’s more, an IBM study found that two-thirds (67%) of consumers are already comfortable using biometric authentication today. This trend has been accelerated by the broad adoption and familiarity of facial recognition integrated within the most popular smartphones, such as Apple Face ID. However, it is important to understand that Apple’s Face ID, and similar technology installed on industry-leading smartphones, is not the answer to preventing the increasing levels of fraud, because it lacks a government-approved trust anchor.
Nor should organisations be opting for the most basic biometric-based authentication solution. Due to the sophistication of cybercriminals, some face-based biometric authentication solutions can easily be tricked by the use of deepfake technology or high-quality masks. Financial organisations therefore need to adopt solutions with certified liveness detection if they want to be assured of security. These solutions are able to detect high-resolution paper and digital photos, digital deepfakes, paper masks, commercially available lifelike dolls and even latex and silicone 3D masks, all of which have been used by cybercriminals to bypass biometric-based authentication.
These solutions capture a 3D face map using a standard 2D camera. Then, when future authentication is required, either for day-to-day account access or to authorise a high-risk transaction, the user captures a fresh selfie, and a fresh 3D face map is created and compared to the original 3D face map and trust anchor for instant authentication. It’s this ability to constantly re-authenticate a user that makes face-based biometric solutions with certified liveness detection so secure. Sadly, the vast majority of financial institutions still rely on legacy authentication processes due to cost, familiarity and an unwillingness to adopt newer technologies, but because of this, their security is compromised.
Creating a customer-centric, secure solution
Over half of online customers, according to research by Signicat, abandon their attempts to sign up to new financial services, despite huge investments in digital technology. The online identity verification process can be hindered by a multitude of factors. For instance, the user may have a low-quality camera, take an image in bad light, move the ID during the shot or accidentally cover the lens when taking the photo. When any of these scenarios happen, the verification cannot take place and must be rejected.
However, the latest face-based biometric verification solutions can notify a user in real time of the environmental factors that make an image capture (of an ID document or selfie) unusable and would result in a rejected identity verification transaction, and advise how to correct course and retake the image. Beyond this, thanks to artificial intelligence and the significant data set being created each time a user verifies an ID, the technology is able to mitigate certain imperfections without reducing the level of security. This ensures users have a more streamlined experience and, ultimately, the financial services organisation isn’t missing out on potential customers.
As more of our important financial interactions move online, financial services organisations must look to biometric-based identity verification and authentication solutions that protect them from the many forms of fraud, including ATO and credential stuffing. However, this cannot come at the expense of customer experience, because it will lead to a drop in conversion rates. By harnessing the power of sophisticated new technologies, financial services companies can rest assured that they have the strongest security measures in place, while maintaining a first-class customer experience.
About the author
Philipp facilitates Jumio’s product strategy and, with his team, turns visions into products. Prior to Jumio, Philipp was responsible for paysafecard, Europe’s most popular prepaid solution for online purchases.
Sponsored insights by Jumio