What the “decade of the data breach” can teach us
We have witnessed the explosion of identity theft over the past decade. Thanks to a steady flow of high-profile data breaches, names, passwords, email addresses, healthcare records, and more are easily bought and sold by cybercriminals on the dark web.
This has led to massive growth in account takeover fraud (ATO), whereby a criminal uses legitimate but stolen personal data to seize control of an online account, change information such as the username or password, and then make unauthorised transactions with that account. In the UK alone, more than 11 million UK adults have had their credit card replaced or cancelled in 2019 because of attempted fraud. That equates to a fifth of the UK. And, according to KPMG’s recent fraud barometer report, the UK courts saw a 57% increase in account takeover cases in 2019.
What doesn’t help this already concerning situation is poor password hygiene. On average, we have 7.6 social media accounts, multiple online logins, a number of different email addresses and, unfortunately, typically only a couple of passwords protecting all of this personal and sensitive information. This bad practice has left consumers even more susceptible to ATOs. If a hacker has a username and password combination for one website, they can use bots to perform credential stuffing attacks, trying that same username/password combination against a large number of other websites. With poor password hygiene, they have a more than reasonable chance of accessing multiple accounts.
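The credential stuffing pattern described above has a recognisable footprint on the defending side: one source produces failed logins across many different accounts in a short time, whereas a genuine user mistyping their password fails repeatedly on a single account. The following Python is an added example, not code from the article or from Jumio; it assumes a constructed, simplified authentication log format of "timestamp source_ip username result" and flags sources that fail against several distinct accounts inside a sliding window, then lists any account that was successfully logged into from such a source (a candidate for forced password reset or step-up authentication).

```python
"""Credential-stuffing detection over constructed authentication log lines.

Added example (not from the original article). Log format is assumed:
    <ISO-8601 UTC timestamp> <source_ip> <username> <FAIL|SUCCESS>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real traffic. 203.0.113.7 sprays five
# accounts in six seconds (stuffing); 198.51.100.4 is one user retrying
# their own password; 192.0.2.9 fails three accounts spread over 35 minutes.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob FAIL
2024-03-01T10:00:03Z 203.0.113.7 carol FAIL
2024-03-01T10:00:04Z 203.0.113.7 dave FAIL
2024-03-01T10:00:05Z 203.0.113.7 erin SUCCESS
2024-03-01T10:00:06Z 203.0.113.7 frank FAIL
2024-03-01T10:00:07Z 198.51.100.4 alice FAIL
2024-03-01T10:00:09Z 198.51.100.4 alice FAIL
2024-03-01T10:00:15Z 198.51.100.4 alice SUCCESS
2024-03-01T10:05:00Z 192.0.2.9 grace FAIL
2024-03-01T10:20:00Z 192.0.2.9 heidi FAIL
2024-03-01T10:35:00Z 192.0.2.9 ivan FAIL
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=4):
    """Return {source_ip: set_of_usernames} for every source whose failed
    logins touched at least `min_distinct_users` distinct accounts within
    any `window`-long span. Distinct accounts, not raw failure count, is
    the discriminator: a legitimate user fails on one account only."""
    failures = defaultdict(list)  # ip -> [(timestamp, username)]
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until all attempts fit inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users_in_window = {u for _, u in attempts[start:end + 1]}
            if len(users_in_window) >= min_distinct_users:
                flagged.setdefault(ip, set()).update(users_in_window)
    return flagged


def compromised_accounts(log_text, **kwargs):
    """Usernames that logged in successfully from a source flagged by
    detect_stuffing(): likely reused credentials that the bot guessed right."""
    flagged = detect_stuffing(log_text, **kwargs)
    hits = set()
    for line in log_text.strip().splitlines():
        _, ip, user, result = parse_line(line)
        if result == "SUCCESS" and ip in flagged:
            hits.add(user)
    return hits


if __name__ == "__main__":
    for ip, users in detect_stuffing(SAMPLE_LOG).items():
        print(f"stuffing suspected from {ip}: {sorted(users)}")
    print("accounts to re-verify:", sorted(compromised_accounts(SAMPLE_LOG)))
```

Thresholds are deliberately simple; in production the window and account count would be tuned per service, and a slow-and-low spray such as the 192.0.2.9 lines (which this setting does not flag) needs a longer window or a per-account view rather than a per-source one.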
So, what has the decade of the data breach taught us? Well, organisations can simply no longer trust that an online user is who they claim to be. And when the stakes are so high in the financial space, with consumers’ financial livelihoods and credit ratings at risk, financial services organisations in particular need to look to new ways to fight back against cybercriminals to create a safe and secure ecosystem.
Acknowledging the need for change
When the internet was new and yet to be mastered, the password was king. Using a password-based login was an appropriate form of securing confidential information on a young platform. The problem, though, is that these types of passwords are inherently insecure and quickly forgotten.
The same issue is evident for knowledge-based authentication. If passwords and answers to supposed security questions haven’t already been compromised through a data breach, social media also has a role to play in their insecurity. Before a cybercriminal even attempts to use underhanded tactics to hack sensitive information, we are likely to have unwittingly provided them with enough insight such as names, telephone numbers, dates of birth and the like, to bypass passwords and knowledge-based authentication through our own social channels.
Even SMS-based two-factor authentication, whereby a user receives a text with a unique access code every time they try to log into a secured account, has its weaknesses. It is easily bypassed by hackers using ever more complex approaches to cyber theft, such as intercepting the 4- and 6-digit SMS codes (via malware on the phone itself), which allows the cybercriminal to access and unlock the user’s account.
These kinds of step-up authentication methods have typically been viewed as being more reliable. However, the increasing number of data breaches and evolving skills of hackers illustrate that despite their initial effectiveness, these traditional approaches to security are being compromised, and more often than not, fail to fully protect their users.
Embracing innovations in verification and authentication
No industry is exempt from the clutches of cybercrime, but the financial services sector is an obvious target for many criminals aiming to infiltrate and profit off of big business. Financial institutions are under immense pressure from regulators and customers to ensure that their security parameters are tight. One breach could prove fatal to their business model and their customers’ livelihoods. While large financial institutions are known for being fairly rigid and slow to adopt new innovations, failing to deploy the latest innovations could see them fail in the fight against cybercrime.
Face-based biometric authentication technology is an innovative, modern approach to combating online criminals. It goes far beyond having to remember ‘secret’ phrases, numbers or SMS codes, all of which are vulnerable. Biometric authentication is a more robust way of proving a user is who they claim to be, since it requires the user to unlock their account with a physical characteristic such as a fingerprint, retinal scan, face map or voiceprint.
That being said, cybercriminals are relentless, and even secure, face-based biometrics isn’t infallible. Fraudsters are already challenging the technology with spoofing techniques such as masks, and even deepfake technology, to circumvent the biometric feature. As such, further complexity is required to continue to keep fraudsters at bay, and financial services organisations must keep this in mind. Unfortunately, a number of liveness detection technologies are uncertified and still rely on “tells”, such as blinks, nods and other verification prompts, all of which can be spoofed by deepfakes.
This is where certified liveness detection comes in. By utilising AI and automation, these solutions are able to detect high-resolution paper and digital photos, digital deepfakes, paper masks, commercially available lifelike dolls and even latex and silicone 3D masks, all of which have been used by cybercriminals in attempts to bypass biometric-based authentication.
Face-based biometrics paired with certified liveness detection does more than protect modern enterprises and customers during the onboarding stage. It can also be used to re-authenticate users in more precarious instances, such as wire transfers or password reset attempts, where basic username and password authentication is not a reliable or sufficient defence.
Advancements in technology have enabled consumers to conduct financial activities in ways that could previously only be imagined, such as applying for a bank account from the comfort of your sofa. But for us to truly embrace and thrive in the online world, financial services organisations must ensure that their ecosystems are safe and secure against modern-day threats. In this way, the combination of facial biometrics, certified liveness detection and AI has become a saving grace. It is the only true way to know a user is who they claim to be. Let’s hope the decade of the data breach is followed by the decade of biometrics, ushering in a new age of data security and internet safety.
By Labhesh Patel, Jumio’s CTO and chief scientist