August 4, 2020
Your personal data is never safe—cybercriminals look for every possible opportunity to acquire it. Never-ending data breaches continue to expose usernames, passwords, payment information, health records, and other personal information on the dark web, enabling fraudsters to log into user accounts and commit account takeover (ATO) fraud. Banks have been facing a concerning rise in ATO attacks against customers, with losses due to such schemes rising 72% from 2018 to 2019.
Traditional authentication methods such as SMS-based 2FA and knowledge-based authentication can no longer be trusted to protect online accounts since passwords and security questions can be easily bypassed or guessed with readily available information.
The COVID-19 pandemic has amplified the need for digital transformation, as more and more interactions with customers now occur on a screen rather than in person. Increasingly, enterprises across all industries are moving toward biometric authentication to ensure a user’s digital identity matches their real-world identity—keeping data secure and out of the hands of fraudsters.
Here are five specific trends and predictions for identity verification:
With 50% of consumers using the same credentials across multiple accounts, automated account takeover attacks will continue to run rampant in 2020 and beyond. As organizations increasingly turn to more advanced, biometric-based authentication methods, the rise of deepfake technology will become a larger concern.
A deepfake superimposes existing video footage or photographs of a face onto someone else’s head and body using advanced neural network powered AI—and it’s relatively easy to create. We will see an increase in deepfake technology being weaponized for online fraud as biometric-based authentication solutions become more widely adopted. Even more concerning is that many digital identity verification solutions cannot detect and prevent deepfakes, bots, and sophisticated spoofing attacks.
To fight fraud, companies will need to implement an advanced biometric authentication solution equipped with certified liveness detection. As criminals use more sophisticated attack methods, the ability to detect the use of photos, videos, bots, and realistic 3D masks in place of actual selfies, and so verify that the user is physically present during a transaction, will be critical. It's becoming increasingly important to deploy certified 3D liveness detection methods. Uncertified methods rely on “tells,” such as blinks, nods, and other verification prompts, which can be spoofed by deepfakes. Instead, modern enterprises need to adopt certified liveness detection methods that have been approved as global biometric standards.
The regulatory environment will continue to address aspects of the growing fraud and data breach epidemic, specifically aiming at the ability to discern whether someone is real and/or who they say they are when operating online in a variety of use cases, from shopping to tweeting. But these laws have significant shortcomings for protecting online digital identity.
Last year, the State of California implemented the Bot Disclosure Law, making it illegal “for any person to use a bot to communicate or interact with another person in California online with the intent to mislead the other person with its artificial identity.” In June 2019, Rep. Yvette Clarke (D-NY) introduced the DEEP FAKES Accountability Act. If passed, it would require the creators of false videos to label them as such or face up to five years in prison.
While the Bot Disclosure Law and DEEP FAKES Accountability Act acknowledge that bots and deepfakes pose severe threats to democracy, they don’t acknowledge or penalize the other underlying fraud concerns. For example, the DEEP FAKES Accountability Act doesn’t address scenarios where a cybercriminal creates deepfakes to perpetrate identity theft or bypass traditional biometric authentication.
While regulations are continuing to move in the right direction, they are still behind the pace of innovation and aren’t properly capturing how these emerging technologies can be used for online fraud.
It has been widely reported that Social Security numbers are sold on the dark web for $1, but full medical records can command up to $1,000 since they're an identity thief's dream: date of birth, place of birth, credit card details, Social Security number, address, and emails. Because of this, fraudsters will start targeting more lucrative industries like healthcare, financial services, government agencies, higher education, and energy. Many of these industries lack the IT resources and skills to adequately defend their organizations against sophisticated attacks, and they represent ripe targets in terms of the type of data that can be compromised and ultimately weaponized by cybercriminals to impersonate just about anyone.
Biometric-based identity proofing and authentication have become a viable solution for the growing fraud epidemic. Previous identity verification methods, such as pinging credit bureaus, knowledge-based authentication, and even SMS-based two-factor authentication, are no longer viable, reliable, or secure means of authentication (and don’t provide a high level of identity assurance). On the other hand, biometric authentication is significantly more secure and reliable, and it delivers much higher levels of assurance because you are tethering the identity to a government-issued ID and a biometric instead of relying on someone’s supposed shared secret or information that can be found in a database.
There’s been a reasonable degree of confusion between facial recognition and facial authentication, but the underlying technologies and use cases are often very different. For consumers and businesses alike, facial authentication is a win-win. Unlike facial recognition systems, which often operate without the user’s consent, facial authentication is permission-based and provides high security and assurance to a user while letting them seamlessly access their accounts or devices. The elegance of facial authentication is that the user does not need to be subjected to the entire identity proofing process—they just need to take a new selfie when they log into their favorite app or perform a high-risk transaction like a wire transfer.
We anticipate that facial authentication will continue to grow in popularity and continue to be a trusted technology for identity verification.