Banks are facing a stern challenge to their security credentials as account takeover fraud becomes commonplace. The time has come to move beyond security systems based on usernames and passwords towards more high-tech solutions such as face-based authentication and biometrics.
Account takeover fraud takes myriad forms, but the results are typically financial losses for the individuals and a loss of confidence in their bank.
Of course, it is not always easy for banks to spot when an account has been taken over because the nature of the fraud is such that the criminal is pretending, convincingly, to be someone they are not.
For banks, this creates a serious problem because their security systems have effectively been bypassed and from there a great deal of damage can be done. Indeed, US businesses were estimated to have lost more than $5 billion as a result of account takeovers during 2017, up three times in one year, according to Javelin Research.
Passwords and codes are no longer enough
The underlying problem is that hackers can use stolen information, often bought on the dark web, to access the bank accounts of specific individuals and then send funds to any number of different accounts as they wish. However, the issue is often compounded by the habits of consumers, who often use the same passwords on multiple sites, which then makes it easy for hackers to login to all those different accounts. Frictionless payment systems can also be part of the problem, given their objective of not excessively slowing or halting transactions.
Currently, account takeover fraud only looks set to grow and cause increasing problems for banks. Indeed, barely a week goes by without reports emerging of a high-profile international company having had its systems hacked and its users’ personal information stolen. In the past year alone, there have been incidents involving the theft of hundreds of millions of usernames and passwords at the social media giants Facebook and Instagram, online video game Fortnite, data collection company Exactis and hotel operator Marriott, to name just a few.
“What’s important for banks to realise is that just because their own systems might not have suffered a security breach and data theft incident, it doesn’t mean they won’t be impacted, as cybercriminals may have the login data at their fingertips,” says Dean Nicolls, vice president of marketing at identity verification firm Jumio.
“For banks, the big question that follows is how can they better protect their customers and deliver better user experiences? That’s where our technologies come in.”
The answer by many banks is two-factor authentication, in which a one-time code is sent to the genuine account holder’s phone when they log in with their password: a final access control. But these systems also have their vulnerabilities and among these are man-in-the-middle attacks in which people are tricked into divulging their codes by a pretend bank employee on
the phone. For hackers accessing stolen data on the dark web, the established forms of authentication are increasingly easy to overcome as their techniques and technologies become more sophisticated.
Jumio’s face-mapping biometric technology really comes into its own when there is a need for someone to prove their identity to their bank
Selfie-based security adds real protection
As more data breaches hit the headlines every week, interest among banks is growing in physical biometric solutions, which are generally much more difficult for any fraudsters to get beyond. Face-based biometrics, such as that provided by Jumio, are a particularly vibrant aspect of this still nascent market, with consumers responding well to the convenience of snapping a selfie as evidence of identity. The process of taking your own picture is of course very familiar to a great many of us and Experian research shows 74 per cent of consumers already think physical biometrics will protect their information more than passwords.
According to Mr Nicolls, there is already strong interest among digitally sophisticated banks in face-based biometric solutions and the use of selfies as a form of online identity authentication.
The process relies initially on capturing a 3D face map, during the selfie-taking process, along with a government-issued form of identification, when opening a new bank account. In and of itself, the process overcomes many of the obstacles that banks traditionally face as they aim to establish someone’s identity to open a new account in their name. The process does not, notably, require a bank customer to visit a physical branch location or to present a plethora of supporting documentation. All of which makes for a substantially streamlined process.
Jumio’s face-mapping biometric technology really comes into its own when there is a need for someone to prove their identity to their bank. This could be required for any number of reasons, but perhaps most importantly for unusual or large-scale transactions. In this situation, a bank can request authentication and within a matter of seconds a consumer can demonstrate conclusively whether or not they are the person in control of the account, and they can approve or reject any transaction almost as quickly.
In these cases, the customer only needs to take a new selfie, from which a fresh 3D face map is generated, and is then compared to the original captured at account enrolment for an immediate authentication decision. It is not only an effective block to cybercriminals, but also a strong deterrent in the first place as they will not want their faces captured.
Providing the security consumers want
Asked whether consumers might have concerns about having a 3D mapped image of their faces, Mr Nicolls points out that financial service providers already retain access to plenty of information on their customers. “Ten years ago, you would have had to prove who you were in-branch, so you would’ve had to take all your documents to the branch,” he says. “Face-mapping is really just a contemporary version of that process, except it’s much more secure and you can do it incredibly easily via your mobile phone.”
In the end, what consumers want in banking is the best chance of keeping their accounts safe and well protected. On that basis, solutions enabling the use of a selfie as a form of authentication look set to be popular among consumers, as well as among service providers that need to get better at protecting their customers to remain competitive, but also to avoid potential reputational damage.
To find out more about 3D selfie-based authentication please visit jumio.com