Why Most Modern Online Fraud Prevention Methods Are Falling Short


It was recently reported that new account fraud went up 28% in 2019 compared to 2018 global reports, and more than 100% over 2014 levels. As cybercriminals fine-tune their impersonation efforts, it’s getting more difficult for modern enterprises to distinguish between high-risk and low-risk users — and this will only continue thanks to large-scale data breaches, the evolution of the dark web and the looming threat of identity theft. Unfortunately, traditional authentication methods like passwords, knowledge-based authentication (KBA) and SMS-based two-factor authentication (2FA) can easily be spoofed as the result of the never-ending data breaches that we read about every day.

Just a couple months ago, an unsecured database on the dark web left the personal information of more than 267 million Facebook users, mostly in the U.S., exposed. This type of breach is not only a nightmare for the consumers impacted but also for businesses. When over 190,000 websites are Facebook Login Button customers and almost 40,000 live websites use the Facebook Login Button, a hacker can easily gain access to a multitude of connected accounts by simply having access to a user’s Facebook profile. This particular breach exposed Facebook profiles, as well as email addresses, meaning all fraudsters need to do is look for a consumer’s exposed passwords in a disconnected breach in order to have a good chance at gaining access to their Facebook account and subsequent connected accounts (since 50% of Americans recycle passwords across multiple websites).

Traditional methods like SMS-based 2FA and simple password authentication aren’t the only forms of authentication proving inadequate. Methods like fingerprint scanning have also come up short in recent months, proving hackable with little effort. Digital fingerprints are being sold in the Richlogs Marketplace (dark web), according to a recent report from IntSights. The report reveals that digital fingerprints, which include the full fingerprinting of a user’s web browser and computer characteristics, allow an attacker to almost flawlessly impersonate the victim.

It was recently reported that the fingerprint reader on Samsung’s flagship S10 and Note10 smartphones can be spoofed with a $3 screen protector. Unfortunately, this means any person can unlock the device and access its data and any apps unlocked by the fingerprint-based biometric security. Smartphone manufacturers have been implementing advanced features for users to secure their devices, using fingerprint readers, face mapping and even sensors that map out the veins in the palm of your hand, but device-centric approaches like fingerprint sensors are inherently problematic.

The biggest issue is that these fingerprint sensors are easily duped and cannot be relied on for commercial authentication use cases, but this approach also suffers from several other limitations. Multiple people can register their fingerprints on the same device, which means it’s unclear which family member was behind a given commercial transaction. Also, if the device is lost or stolen, recovering access to the user’s online accounts is challenging. Finally, device-centric unlocking functionality, such as the Samsung fingerprint scan, is also limited in terms of establishing someone’s actual digital identity for on-device purchases (i.e., users cannot use their fingerprint scans to make purchases from their desktop computer).

For any organization looking for enterprise-grade security, spoof-proof detection and cross-device support, sophisticated face-based authentication is inherently superior to fingerprint-based, SMS-based 2FA and simple password methodologies. Certain cloud-based approaches can leverage the 3D face map of a user’s face to alleviate some of the shortcomings of fingerprint-only authentication methods. Features like certified liveness detection add another layer of protection, rendering the solution practically dupe-proof. These options create a digital chain of trust to a unique user and can be used across devices. This will prove increasingly valuable with the rise of advanced fraud strategies like account takeovers, identity theft and deepfake technologies.

Philipp facilitates Jumio’s product strategy and, with his team, turns visions into products. Prior to Jumio, Philipp was responsible for paysafecard, Europe’s most popular prepaid solution for online purchases.

Source: https://forbes.com


The nature of payments fraud requires real-time solutions designed to detect and prevent fraud before it happens. Learn what is required to thwart fraud and how UP Payments Risk Management solutions can put you in control of managing risk. Learn more: http://www.aciworldwide/paymentsrisk

Commerce and banking channels are multiplying and providing consumers more ways to transact than ever before, from physical channels like credit, debit and pre-paid cards, checks, ATMs and point-of-sale terminals to digital channels like ACH, wire, internet, telephone, mobile devices and crypto-currencies. Consumers, businesses, merchants and financial institutions all benefit from anytime, anywhere commerce, but there’s a dark side. Sophisticated fraud threats are multiplying even faster: malware and Trojans; account takeover and identity theft; credit abuse and bust-out scams; ACH and wire fraud; data breaches; money laundering and employee fraud. In fact, a single data breach can compromise tens of millions of account holders in a matter of seconds.

Why Traditional Identity Verification Methods Are On Their Way Out


When was the last time you provided your mother’s maiden name, or perhaps the name of your first pet, to prove your identity to access an online account? Probably not that long ago. This type of online identity verification, known as knowledge-based authentication, is little more than a speed bump to the modern fraudster. More modern methods, such as SMS-based two-factor authentication, also have their own set of vulnerabilities that today’s cybercriminals can exploit.

Simple social media searches can reveal the answers to supposed secret questions used by KBA solutions, and the 4- and 6-digit codes from SMS-based 2FA can be intercepted. Because cybercrime and the dark web have evolved and become far more sophisticated, traditional forms of authentication that were once effective can no longer reliably ensure that the person logging into their online account is the actual account owner.

Hitting the headlines

In many cases fraudsters don’t even need to comb your Facebook account or intercept your text verification code for your personal information — they often already have it. This is because of massive data breaches that have sent millions of sets of personal data spilling into the ether. Names, usernames, passwords, telephone numbers, dates of birth and security answers — cyberspace is awash with it.

Data breaches happen on a near-daily basis and include global names like Yahoo!, Facebook, Quora, and Marriott/Starwood. One recent example is a December 2019 Microsoft data breach that exposed 250 million customer records — that’s a quarter of a billion people impacted by just one data breach alone.

Even in the GDPR era, these breaches are coming at a rapid-fire pace, and it’s therefore vital that we move away from traditional identity verification methods. This is where facial biometrics need to be considered as a safe and secure alternative for accessing accounts and verifying certain transactions or activities online.

Out with the old

None of the traditional methods of identity verification come without weakness and the risks are far more widespread than you think — including methods you might have considered sophisticated not so long ago. This is indicative of the speed of tech innovation and the evolving nature of online fraud, which underlines the current lack of innovative security methods.

Password-based logins are problematic because passwords are easily forgotten and inherently insecure. Out-of-Band or SMS-based 2FA also continues to be a common form of authentication, but hackers are able to easily intercept the 4- and 6-digit SMS codes via the SS7 telecommunication protocol network, or through phishing attacks.

Token-based authentication is also failing to meet the mark as a modern form of verification. An obvious drawback is that tokens must be carried at all times and are non-transferable — a characteristic that’s outdated in today’s user experience-focused world. There is also the simple weak point that tokens or fobs can be lost or stolen, presenting a further argument for more secure methods, such as biometric authentication.

Despite this, biometrics are not necessarily a silver bullet solution. Innovative fraudsters are now capable of deploying spoofing techniques sophisticated enough to beat many kinds of biometric security once deemed robust. However, liveness detection in tandem with facial biometrics is presenting a very real solution to the problem, and with the help of Apple’s Face ID, millions of people are more familiar and comfortable with the process of using their face as a security measure.

The new dawn

The sun may be setting on the wide range of traditional verification methods that no longer cut it, but this doesn’t leave us alone in the dark. Providers of innovative identity proofing and authentication are bringing about a step change for businesses across the industrial spectrum. Using cutting-edge AI and video selfie technology, the identity of the user accessing the associated account can be linked — this is a glimpse into the future of online identity verification.

This powerful technology is available today, and it’s reliable and fast enough to eliminate variables that would once have skewed results and enabled hackers to gain access. For example, weight loss and weight gain, wearing glasses or the loss or growth of facial hair have previously been changing factors that have disrupted less sophisticated tools.

The technology’s power to restore confidence and safety and to successfully analyse variables is not its only trailblazing characteristic. It will also clear a path for innovation across a range of industries. To bring this to life, it could allow you to confirm your identity in a range of situations where necessary, from checking into a hotel room you’d booked to unlocking the keys to a car you had rented, using just your selfie. It even unlocks the possibility of doing away with passwords altogether. In terms of evolution, the process will take a few mere seconds to complete and will require nothing more than a smartphone, relegating the need to remember tens or hundreds of passwords to a thing of the past.

The vital need for this security enhancement is being realised by leading companies, from industries like financial services, healthcare, travel, entertainment and gaming. Modern businesses are understanding that in light of cybercrime, the dark web and the global nature of online fraud, they need to dispense with traditional, insecure and unreliable methods of authentication, and adopt modern biometric-based methods.

Philipp facilitates Jumio’s product strategy and, with his team, turns visions into products. Prior to Jumio, Philipp was responsible for paysafecard, Europe’s most popular prepaid solution for online purchases.

Source: https://forbes.com

