Fraudulent transactions have grown step-for-step with legitimate economic activity – and are booming as a result of the pandemic.
The Internet Crime Complaint Center at America’s Federal Bureau of Investigation (FBI) reports that by June of this year, daily digital crime had risen by 75% since the start of stay-at-home restrictions, and that the number of complaints received in 2020 had already surpassed the total for 2019. In a new report, Interpol corroborated these findings, tracking the same trend across EU member countries.
This surge has been driven by a dramatic shift online of many forms of economic activity because of shelter-at-home restrictions and social distancing requirements. According to an index compiled by Adobe Analytics, online spending by American consumers was 76% higher in June than in the same month in 2019, and 55% up in July. Retail fraud has climbed similarly. By June 30th, the US Federal Trade Commission had received almost 140,000 reports since the start of the year, already nearly as many as in the whole of 2019. And it had had more than 570,000 reports of identity theft—also almost as many as in all of last year—as criminals took advantage of the unfolding economic downturn and people’s general anxiety about the pandemic to exploit them for their personal information, credit-card numbers and banking details.
The above trends demonstrate the realities of a world becoming digital faster than individuals and institutions can secure themselves against exploitation. Accenture, an IT consultancy group, estimates that prior to the pandemic, nearly four-fifths of organizations were introducing digitally fueled innovation “faster than their ability to secure it against cyber-attackers”. This is corroborated by Interpol, which says that cyber-criminals have exploited the abrupt global shift to teleworking at rates that more than match the growth in commerce in those channels.
Authenticating Bank Clients in the Remote Environment
Fraudsters are targeting remote banking channels more aggressively than ever before. According to Kaspersky Lab, the number of banking Trojans attacking online and mobile banking applications doubled in 2018. This clear shift in the focus of fraudsters and fraud schemes should be a wake-up call to the banking industry. Malicious actors are investing more time and money than ever in attacking remote banking channels.
The headaches caused by reliance on usernames and passwords impact business revenue. Research shows that almost one of every three users who have to go through the recovery process after forgetting their login credentials give up on the process. According to Gartner, up to 50% of all helpdesk inquiries are password resets - an unnecessary drain on company resources.
The case against using the dated username and password-based credential system is clear and has been for some time. So how can businesses move towards an alternative?
The technology already exists
The technological ability to obsolete the nearly sixty-year-old security protocol built around the username/password paradigm exists and is already in widespread use by hundreds of millions of people. Mobile device manufacturers, such as LG, Apple, and Nokia have pioneered the technology needed for “no-password” authentication and have been using it for at least a decade. These techniques include variants of facial recognition and ultrasonic fingerprint scanners.
Although the advancement of these technologies by the major mobile device manufacturers is important, far more vital is the remarkable ease with which they have converted hundreds of millions of consumers to adopt and accept biometric authentication. On a daily basis around the globe, mobile phone, PC and tablet users casually conduct verification of their identities by providing their fingerprint or facial image to log in to their devices and/or to access services and data.
Because this technology doesn’t rely on expensive sensors installed as specialty equipment on corporate-owned network systems, but instead makes use of the high-quality cameras and sensors in mobile devices, laptops and tablets, it can be used across platforms: users carry their authentication method with them and can use it across multiple accounts and applications.
Also helpful to the widespread acceptance has been the development and promotion of open standards that have taken alternative identity authentication methods to the next level.
The move towards covert authentication
As stated already, the technology and standards for identity authentication processes that do not rely on the user providing “something they know” (e.g. a password and username) already exist. The question, then, is - how can companies lead the migration of their users to this new standard? The answer may lie in enabling layers of verification, as opposed to demanding a “hard authentication” for every interaction.
Ultimately, this will be driven by the nature of the transaction and the amount of risk that it bears. For example, during an online retail purchase, the e-commerce company most likely is ONLY concerned that the method of payment presented by the user is valid and has been approved.
By contrast, the online transactional departments of financial institutions – both large and small – must be more concerned that not only is the person initiating the transaction authorized to do so, but also that they actually ARE the person they purport to be.
The ubiquitous spread of smart, connected mobile devices has made possible any number of potential “passive” methods to verify that a person is who they claim to be. These methods are sometimes called “covert” or “silent” since the user is unaware of the process occurring. Generic information, such as whether the person is using a familiar device in a familiar location can be sufficient to grant the appropriate level of assurance that they are the same person who has used the payment card in question in the past.
These methods can be made far more powerful when coupled with an adaptive, rules-based system that weighs just how critical it is that a user’s identity be authenticated to a higher degree of confidence.
For activities and transactions that are more serious, or expensive, an organization can introduce “intelligently adaptive authentication” to ensure that the transaction is being performed with appropriate authorization. Higher risk transactions can be authenticated using “higher confidence authentication” techniques, which may not be covert, but rather, may require the end user to interact with the device they are using – by, for example, speaking a password phrase, capturing a fingerprint, or allowing the camera to conduct a facial match against an enrolled image within a client authentication infrastructure.
This combination - ranking the importance of verification and using different levels of authentication interactions - will provide your customers with a smooth and secure online experience.
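The layered approach described in this section can be written down as a small policy engine. The sketch below is an added example, not code from any vendor or from this article's author; the transaction types, thresholds, assurance levels and the strength assigned to each step-up method are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Assurance(IntEnum):
    NONE = 0
    LOW = 1     # familiar device and familiar location only
    MEDIUM = 2  # plus a matching behavioral profile
    HIGH = 3    # reachable only through an interactive check

# Constructed policy values; a real deployment tunes these to its own risk appetite.
STEP_UP_METHODS = {"voice_passphrase": Assurance.MEDIUM,
                   "fingerprint": Assurance.HIGH,
                   "face_match": Assurance.HIGH}
BEHAVIOR_THRESHOLD = 0.8
HIGH_VALUE = 1000.0

@dataclass(frozen=True)
class Signals:
    known_device: bool
    known_location: bool
    behavior_score: Optional[float]  # 0..1 similarity, None if not collected

def required_assurance(kind: str, amount: float) -> Assurance:
    if kind in ("add_payee", "wire_transfer") or amount >= HIGH_VALUE:
        return Assurance.HIGH
    if kind == "card_purchase":
        return Assurance.MEDIUM if amount >= 100 else Assurance.LOW
    if kind == "view_balance":
        return Assurance.LOW
    return Assurance.HIGH  # unknown transaction types fail closed

def passive_assurance(s: Signals) -> Assurance:
    if not (s.known_device and s.known_location):
        return Assurance.NONE  # an unfamiliar context earns no silent trust
    if s.behavior_score is not None and s.behavior_score >= BEHAVIOR_THRESHOLD:
        return Assurance.MEDIUM
    return Assurance.LOW

def decide(kind, amount, signals, passed_step_up=None):
    need = required_assurance(kind, amount)
    have = passive_assurance(signals)
    if passed_step_up is not None:
        have = max(have, STEP_UP_METHODS.get(passed_step_up, Assurance.NONE))
    if have >= need:
        return ("allow", [])
    # Offer only the interactive methods strong enough to close the gap.
    return ("step_up", sorted(m for m, lvl in STEP_UP_METHODS.items() if lvl >= need))
```

Because passive signals top out at `MEDIUM` in this policy, a high-risk transaction always requires an interactive check, no matter how familiar the context looks.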
Behavioral biometrics: transforming authentication without passwords
In the coming years, the most exciting advances in end-user authentication will come from behavioral biometric authentication.
Behavioral biometric authentication uses the behavior of a user - e.g. scrolling speed and patterns, finger size, keyboard typing - to provide ongoing authentication that runs in the background. And when implemented correctly, the user won’t even be aware that their identity is being verified.
That data can be used to build a user profile for the personalization of services and products - another important benchmark of positive online experiences.
Behavioral biometrics should not replace the confirmation model and occasional authorization outlined in the previous section - contextual authentication should continue to be used to assess a user’s identity, only introducing appropriate friction when needed.
Forging ahead
It is absolutely possible for businesses to give customers secure online experiences without sacrificing convenience or speed. An added benefit for businesses taking this approach is the possibility of leveraging the technology to provide a more dynamic and personalized customer experience.
A first step for all username and password-reliant organizations should be to begin transitioning towards a confirmation mindset. This will bring immediate benefits and allow them to fully leverage behavioral biometric authentication as the technology is widely available.
When it comes to customer expectations about online experiences, the times are changing. It is the responsibility of businesses to make sure they are changing too.