In the last six months, practically everything has gone digital, creating a mountain of new digital data for fraudsters to mine. Sujata Dasgupta discusses the rise in dynamic-biometrics-based identity verification, the next step in fraud prevention for the financial services industry.
The world today is powered by digital technologies, from financial services to health, entertainment, education, travel and e-commerce – every service is available online! With the growth of online activity, there has been a proliferation of digital profiles created by consumers of varied services. Increased online activity creates an increasing amount of digital data about customers: their credentials, devices, locations, activity behaviors, payment methods and so on.
As more data circulates in the cyber world, the risk of this data falling into the hands of fraudsters rises, with the data possibly being sold on the dark web to a larger network for various kinds of fraud. Identity theft enables fraudsters to commit a wide variety of fraud across the entire customer life cycle. Examples include:
- New account onboarding fraud, where fraudsters use stolen identity documents and data to open new accounts in a bank, with malicious intent.
- Account takeover, where fraudsters use stolen ID and credentials of legitimate bank customers to take control of their online banking facilities and wipe away their funds and credits.
- Payment fraud, where fraudsters use stolen ID and cards data of legitimate bank customers to make purchases for themselves online, thereby making the bank customer liable to fund such purchases.
- Synthetic ID fraud, where fraudsters use the stolen identities of legitimate customers and augment them with fake information to create synthetic customer profiles. Bank accounts are then opened using the synthetic profiles and credit is obtained and never repaid. No real person gets caught for such fraud, as nobody with the profile exists in real life.
- Loan fraud, where fraudsters use stolen identities of legitimate customers with high creditworthiness to obtain loans from banks (e.g., auto loan, home mortgage or business loan) with the intention to never repay and make the legitimate customer liable.
Emergence of Biometrics in Fraud Prevention
In the traditional model of financial and other services, there was always a face-to-face interaction between customers and service providers. Authentication of legitimate customers was done by verifying signatures and photographs. With the emergence of online services, the absence of physical interaction necessitated customer authentication using credentials that could identify the online user as the legitimate customer. Such authentication used a combination of the two factors: what we know (user ID, password, secret question) and what we have (dynamic PIN token/card, phone for OTP).
However, with the growth of online payments and other services, cybercrime also started growing. Using methods ranging from phishing attacks and malware injection on individual customer devices to hacking data centers for a much higher volume of personally identifiable information, cybercriminals have gained access to data on both authentication factors. Our online credentials no longer safe – possibly they are all available on the dark web already, making our bank accounts highly vulnerable to fraud!
Thus, the first generation of biometric authentication was born, and online identity verification moved from two-factor to multifactor authentication, the new factor being who we are (static biometrics like face scan, fingerprint, voice and iris scan). Facial image recognition and fingerprint scans were steadily accepted as the biometrics of choice and were quickly adopted by various financial service providers for digital identity verification.
From Static to Dynamic: Next-Generation Biometrics for Advanced Authentication
While financial institutions have been adopting advanced technology for fraud prevention, the same advanced technology is being exploited by fraudsters to fool the systems by using various techniques to spoof, mask and tamper with authentication requirements.
Static biometrics also could not provide secure authentication for long, as fraudsters designed high-resolution images and masks of legitimate customers to get through facial recognition. Fingerprints were also stolen and reconstructed on imitation devices shaped like fingers, thus committing fraud despite multifactor authentication checks being in place. The ease with which such biometrics were spoofed called for more complex biometrics to be designed for a stronger authentication mechanism!
The second generation of biometrics was conceived to address this challenge – dynamic biometrics involving real-time movement of face (for facial recognition) and fingers (for behavioral biometrics). This includes several layers of verification in a complex authentication process without adding friction to the customer experience. Digital identity verification reached a new level with higher security, as the early adopters have been witnessing reduced identity-theft-related fraud after implementing dynamic-biometrics-based authentication.
Dynamic Biometrics: The AI Edge
Dynamic-biometrics-based identity verification aims to ensure that the legitimate customer whose biometrics are being used is present and authenticating for himself, as face and finger movements cannot be spoofed using photos, masks and artificial fingers. Face recognition works through selfie videos, with customers turning their head in a certain direction, or facial expressions, like eye blinking as instructed on the screen, speaking the digits displayed on screen and so on. Finger-movement-based behavioral biometrics consider the specific finger used, pressure applied on screen, area of finger touching the screen, keystroke dynamics, typing speed and so on.
Artificial intelligence (AI) has been the technology backbone of dynamic-biometrics-based authentication. Facial recognition uses the creation of 3D face maps, leveraging convolutional deep neural networks. Liveness detection is used to determine movements, ensuring presence of the customer live. Voice recognition and voice-to-text analysis verifies the spoken words as per screen-based instructions. Finger-movement-specific attributes are detected using sensor and behavioral biometrics.
With technology making rapid strides, there is a lot of research and development ongoing in this space. Dynamic biometrics is being recognized as indispensable for digital identity verification, and a combination of facial recognition with behavioral biometrics could be the next-gen fraud prevention mechanism against identity theft.
Adoption of Dynamic Biometrics for Fraud Prevention: The Way Forward
The banking and financial services sector has been undergoing a huge shift in the operating model, which gained momentum with the rise of challenger banks, also called digital banks, as they do not have any physical infrastructure and operate on digital channels only. This prompted the legacy banks to also compete by turning to digital, as the current generation of customers seem to prefer this channel over visits to the brick-and-mortar one! And more recently, COVID-19 triggered an acceleration of this digitization process, as lockdowns and social distancing discouraged physical interactions.
The consequence of increased online activity was an increase in identity fraud, as trends from the last five years suggest. This made it imperative for financial institutions to turn to dynamic-biometrics-based enhanced authentication solutions. Adoption of such solutions has been on the rise in the following areas:
- New account onboarding, to ensure that only prospects with legitimate identification are onboarded, filtering out the fraudulent ones. Even with stolen ID documents, fraudsters are most likely to fail the dynamic biometric checks!
- Online banking, to enable only the rightful customer to access his account and conduct transactions, both financial and nonfinancial, through online channels. Selfie-video-based or behavioral-biometrics-based login is a step toward password-less account logins.
- Payments. Whether digital or at point-of-sales, dynamic-biometrics-based approval of card payments, replacing the PIN/OTP method, is also gaining acceptance.
Dynamic-biometrics-based authentication may slowly make password-less online identity verification a reality across all services. As matching accuracy of such solutions increase and identity-theft-based fraud plummets, adoption will see a sharp rise. It may not be too long to witness such success stories – the journey has already begun!