Nowadays the world revolves around data and access to the data, especially the use of Personally Identifiable Information or PII. Once a PII record has been breached the door is open for identity theft and fraud. Fraudsters of all sorts can easily use this data and use valid user credentials to perform fraudulent transactions. Financial crimes such as fraud and money laundering are estimated to cost the world economy around $2.1 trillion per year.
The explosion in mobile transactions brings with it a significant increase in mobile fraud. In the U.S. in 2016 there was a 40% increase in PII breaches. Massive data breaches are hitting the headlines almost on a weekly basis. The recent Equifax breach saw 143 million Americans have their PII stolen.
Fraudsters continuously refine their techniques, and the measures to prevent fraud need to evolve as well. The question is, what methods can we use to allow the continued expansion of online business and banking, whilst mitigating the risk to both individuals and the world economy?
Strength in Behavior: A Deeper Dive Into the World of Biometric Authentication
The path of authentication development has taken us into the world of biometrics. But within this world lies both the right and the wrong way to use biometric information. Let’s take a look at how we use two types of biometrics to prevent fraud and protect PII and their effectiveness.
The Rise of Biometric Security
Biometrics as an application for recognition, is as old as ourselves - after all, we recognize friend and foe from facial features. However, the application of biometrics in the world of technology is a little more recent. From the 1960s onwards we have been using fingerprint/facial/speech recognition for entry systems - albeit in a more rudimentary fashion than the current use in mobile devices. Biometrics as a consumer method for device access, really crystallized as a concept in a 1998 book entitled “Biometrics, Personal Identification in Networked Society: Personal Identification in Networked Society” this book detailed how biometrics could be used in a modern technology context.
Static biometrics is now well-established in mobile devices with Apple bringing out the iPhone 5S in 2013 with integral fingerprint based unlocking. These types of biometrics are based on an unchanging parameter like a fingerprint or iris. Although static biometrics are very consumer friendly and have improved the user experience greatly, they have security flaws. One example of such a security flaw was when a group of German hackers demonstrated how they could easily, using high definition photos, successfully spoof the German defense minister’s biometric login. In another example, the Office of Personnel Management (OPM) breach of 2015, involved the theft of 5.6 million U.S. citizens fingerprints.
Biometric data can be stolen and used for fraud. For example, researchers at Tokyo’s National Institute of Informatics were able to reconstruct a fingerprint based off of a photo taken from nine feet away, and face recognition software can be fooled as well. Static biometric data stored in databases can be as easily stolen as the passwords. Indian media recently reported a "breach" of the biometric data-linked Aadhaar national identification scheme.
The fundamental problem with static biometric data is that it cannot be reset, like a password can, by consumers in case of a breach. Another shortcoming of static biometrics is that it only identifies a user at the login: once the session began it is impossible to effectively verify who is the real user. A static biometric is essentially a sitting duck for fraudsters to make use of.
The Rise of Dynamic Biometrics
This brings us to the next phase of biometrics, a much more dynamic one, which takes changes into account and makes for a ‘real-world’ implementation of the technology. Dynamic biometrics take a more behavioral view of a biometric, weaving in patterns of use and the way a user normally behaves when using their device. This can include variables such as walking gait, the way you type, and so on; instead of being built on a single variable, it uses multivariate analysis.
The old belief that the protection of personal data starts at the point of entry will no longer suffice. Dynamic biometrics is definitely a step in the right direction, but we can go even further in creating a more accurate and spoof-proof biometric authentication system by adding in dynamic behavior.
Upping the Game of Dynamic Biometrics with Behavioral Biometrics
Dynamic biometrics is the new wave of biometrics that is upping the game. By adding in a new dimension including dynamic behavior, it creates an even more applicable, and certainly more secure, method of continuous authentication. Behavioral biometrics adds the dynamism of a behavioral profile, unique to an individual. By adding complex patterns of behavior, such as the pressure a user places on the touchscreen, fingertip size, or their swipe speed, etc., behavioral biometrics creates a matrix of interwoven behaviors that pinpoint the user continuously throughout the entire session without the need for step-up authentication, and do it to a very high degree of accuracy.
Due to its sheer complexity and the fact that hundreds of behavioral traits are constantly being analyzed, behavioral biometric patterns are impossible to mimic even by a very adept fraudster.
Using Human Behavior For Good
Like everything else in the field of fraud prevention and authentication, behavioral biometrics is part of the evolution of improvement in technology. It is a promising technology that is used to maximize fraud detection, reduce false positives and offer strong authentication in line with new regulations such as PSD2 and Open Banking. We now have a much better chance, with advances in mobile computing, to implement these changes and create a human-centric, yet secure, offering, to enable the push of mobile into the world of banking and e-commerce. As business development manager, of Equiniti, Brian Fitzpatrick, said recently: “Offering biometrics to customers makes users view the corporation as overwhelmingly more innovative.”