The newest report issued by the U.S. General Accounting Office (GAO), Federal Agencies Need to Strengthen Online Identity Verification Processes, calls for an overhaul and updated guidelines on identity proofing, highlighting that data stolen in various data breaches over the years is now readily available to attackers and fraudsters. Already, the National Institute of Standards and Technology (NIST) issued guidance in 2017 that effectively prohibits agencies from using Knowledge-Based Authentication (KBA) methods for sensitive applications. Now, the GAO is going one step further, recommending that all agencies discontinue the use of KBA and highlighting various alternatives for consideration. The outcome may have far-reaching implications not just for federal agencies but across the board for all private entities that conduct identity verification and authentication to provide digital products and services.
Identity is everything on the internet. Every authentication hurdle online users need to jump through, such as two-factor authentication and passwords, is aimed at one goal – verifying the identity of the user. Digital identity has never been as important as it is now and will only continue to grow in importance as digital transformation takes hold.
As banks evolve to compete in a digital-only world, their top priority is how to gain market share as fast as possible by offering special incentives and making the onboarding process as easy as possible. By definition, opening a bank account online is an intricate process, but streamlining it and making it as user-friendly as possible is the key to success.
This tier-one credit card issuer suffered from millions of dollars in fraud losses caused by the use of stolen personal information or synthetic IDs in the application process. Their existing fraud detection model was based on traditional means of verifying identity – personal data, device reputation, etc.
One-time passwords (OTP) remain one of the most widely used forms of two-factor authentication, despite their well-documented vulnerabilities. Earlier this year, a major UK bank was hit by an attack in which fraudsters diverted text messages from legitimate customers’ phones in order to bypass two-factor authentication and access accounts.
With 55 percent of millennials stating that difficulties in resolving problems with their bank are frustrating enough to make them leave, and traditional fraud detection measures yielding 30–50 percent false alarm rates, BioCatch knew they had to play squarely into next-generation banking approaches to improve business outcomes.
According to a recent UK Finance report, British banking customers lost £500m to fraudulent schemes in the first half of 2018 alone, the majority of which came from “unauthorised fraud” (i.e., hacking of user accounts). During these six months, there were 3,866 confirmed cases of vishing (“authorised fraud” or “impersonation”) in the UK, with the scams leading to £36.6m in losses, for an average loss in excess of £9,000 per person.
The problem is most acute in the UK but is not limited to that country. These types of scams are on the rise everywhere. The European Commission has revealed that it is looking into ways to address this vexing challenge. In the U.S., the Federal Trade Commission has reported that 77% of its fraud complaints involve contacts by telephone, of which vishing is a subset. Most recently, the Australian Taxation Office has issued a warning on the rise of this threat.
The paradigm for identity risk management and authentication is changing. In the new paradigm, context and data available for a specific type of interaction must drive analytics. Instead of just looking for commonality, we need to make better use of data that is unique.
Payroll systems are the lifeline of any company or organization. Typically, these systems handle critical financial functions such as salaries, tax deductions, benefits, business-to-business payments, supplier bills and tax returns.
In recent years, peer-to-peer (P2P) payments have shown a significant increase, passing the $120 billion mark (2017). Currently, one in three American consumers uses P2P apps to make instant payments to friends, relatives, service providers, or anyone they owe money. Since P2P account opening does not require identity verification, it is vulnerable to various types of fraud and threats, including malware, social engineering, remote access, SIM swapping, call forwarding and other techniques. Using these techniques, fraudsters are able to exploit two main points of failure:
Malware infections and Remote Access Trojan (RAT) attacks are on the rise, enabling cyber criminals to take over accounts from afar and automate fraud. Despite traditional fraud detection measures and cybersecurity safeguards, malware and RAT attacks remain prevalent. Undetected malware attacks can result in direct losses to account holders and have a long-term detrimental effect on business and customer confidence.
In recent years, a growing number of organizations have employed two-factor authentication (2FA) as a primary safeguard mechanism. They all share the notion that requiring a second security layer will be instrumental in reducing data breaches and identity theft. Two-factor authentication is based on the fundamental assumption that at least two out of three authentication factors are used in the process (“something you know, something you have, something you are”). 2FA is not a new security measure; nevertheless, it remains in extensive use despite the growing recognition that it is not so effective.
As account opening continues to transition from physical to digital channels, financial institutions, issuers, lenders, and other organizations must optimize the digital experience of applicants in order to compete. At the same time, fraud is on the rise as criminals have become more successful than ever, thanks to some of the same digital channel benefits enjoyed by consumers: convenience, speed, and ease of use. To achieve the necessary balance between preventing fraud and providing a delightful experience for consumers, an approach to identity proofing that accounts for the channel, product, customer, and threat environment is absolutely critical. But regardless of the approach, inconspicuous solutions — like those based on applicant behavior — have a distinct role to play in how institutions manage the risk of application fraud.
With account fraud rising and large amounts of personal information already compromised, financial institutions realize the shortcomings of basic passwords and OTPs and the need for biometric authentication to bolster security and enable a seamless user experience. However, many biometric platforms still use knowledge-based information to enroll customers, which makes it easy for hackers to create new accounts using personally identifiable information.
Behavioral biometrics is a breakthrough cybersecurity technology that identifies people by how they do what they do, rather than by what they are (e.g., fingerprint, face), what they know (e.g., secret question, password) or what they have (e.g., token, SMS one-time code). Behavioral biometrics measures and analyzes patterns in human activities. Historically, these included keystroke patterns, gait, signature and the like. Today’s advanced behavioral biometric techniques capture an array of human interactions between a device and an application, such as hand-eye coordination, pressure, hand tremors, navigation, scrolling and other finger movements.
The widespread digitization of financial services is causing large-scale and sweeping transformations across various facets of the business, creating new growth opportunities but also new challenges and inherent risk. In the insurance sector, particularly, digital transformation is driven by new competitive threats, ongoing cost pressures, aging technology and increasing regulatory requirements. Taken together, there is a huge opportunity to modernize, to create new business models, acquire customers on new channels and create competitive and compelling customer experiences.
The global insurance market is a multi-trillion-dollar market worth more than $4.5 trillion in gross insurance premiums (2015). In 2016, gross insurance premiums in the U.S. reached $2.67 trillion, with $1.5 trillion in paid claims.
Digital transformation in banking and retail is rapidly evolving. In this fast-moving environment, where finance and fraud intersect, there are several ramifications for financial institutions and the user experience.
The equation is quite simple: where there is money, there is fraud. As the use of mobile banking grows, so do the threats of hacks, malware and other remote attacks. Traditional means of detecting fraud can take considerable time and resources, sometimes taking weeks to detect or to confirm an incident.
In the digital world – whether mobile payments, e-commerce or online banking – this is much too long. Transactions happen quickly, and any delay can have significant repercussions, both from a consumer confidence perspective and a cost perspective. In the digital world, it seems there is always a choice to make between security and the user experience.
With cyber-attackers becoming much more sophisticated, security measures must get smarter too. The key is to implement security measures that continuously monitor and test the authenticity of users in ways that are difficult to replicate. Many experts and market leaders agree: behavioral biometric profiling is the only effective way to achieve this level of security.
BioCatch is a cybersecurity company that delivers behavioral biometrics, analyzing human device interactions, to protect users and data. Banks and other enterprises use BioCatch to significantly reduce online fraud and protect against a variety of cyber threats, without compromising the user experience.
According to multiple threat index reports issued at the end of 2018, the threat of Remote Access Trojans (RATs) is at an all-time high. One RAT made Check Point’s Global Threat Index Top 10 list, while Proofpoint reports that the number of RATs doubled each quarter of 2018, accounting for more than 5% of all malicious payloads for the year, marking a significant change from the past.
As mobile devices eclipse computers and laptops as the preferred method of going online, fraudsters have followed users, porting their modus operandi – account takeover, social engineering, and malware-based remote control attacks – to the mobile arena. Mobile has opened up many new ways for users to communicate and connect without being tied to a desk or a power outlet – and at the same time, it has presented hackers with many more opportunities to perpetrate fraud and carry out attacks that cannot be detected with the traditional tools used to detect attacks on websites. As a result, companies need to apply new fraud controls to protect mobile users and enable them to carry out transactions, check bank accounts, make purchases, and more.