Americas

  • United States

Asia

Oceania

Contributor

N-dimensional behavioral biometrics: a viable solution for digital fraud?

Opinion
Jul 18, 20185 mins
Artificial IntelligenceBiometricsFraud

Artificial intelligence can be used to stop identity fraud from reaching record-breaking highs.

fingerprint scan biometric security system
Credit: Thinkstock

Identity fraud is expected to reach an all-time high in 2018. Javelin Research Center reported a record 16.7 million consumers fell victim last year, in large part due to the massive Equifax breach which left millions of consumers’ data exposed to would-be hackers. Now, hackers are using exposed credit and debit card numbers to steal from bank and loyalty accounts, shifting to digital attacks without ever needing a physical card in their hands. According to Javelin, card-not-present fraud (CNP) is 81 percent more likely than point-of-sale fraud (PoS). In 2017, more consumers had their cards misused in a CNP transaction than at the cash register.

The changing fraud landscape

Credit card fraud at the PoS has dramatically decreased thanks to the deployment of EMV chip cards, which makes it extremely difficult for fraudsters to create counterfeit cards. While physical fraud has gone down 28 percent over the last three years, hackers are getting more sophisticated and are constantly changing their attack vectors.

Through card skimming at ATMs and online data breaches caused by phishing and other types of attacks, hackers are illegally obtaining consumer card numbers to commit CNP fraud, or selling them on the dark web for others to use. CNP is one of the most prevalent types of fraud in countries that have adopted EMV cards. As the leading e-commerce country in the world, the percentage of CNP fraud in the U.S. is currently lower than in other countries, but the recent migration to EMV is expected to contribute to a surge in CNP fraud. From 2000 to 2014, the CNP growth rate was 16 percent per year. In Canada, CNP fraud increased by 205 percent from December 2010 to December 2015, and accounted for 76 percent of all fraud in 2015.

In addition to CNP fraud, cybercriminals can take over a consumer’s financial accounts to make extravagant purchases or drain their funds. Account takeover poses a significant threat to online merchants, and financial and mobile payments providers – total losses have reached $5.1 billion, a 120 percent increase from 2016. Another challenging threat is synthetic fraud, in which hackers cull together information they’ve obtained from various consumers’ accounts to create an entirely new identity and associated account. This makes it quite difficult for service providers to tell whether a transaction is fraudulent or not. The prevalence of these threats, in effect, have caused online fraud to skyrocket 106 percent.

New sweeping regulations cause concerns over privacy and security

Since May of last year, much attention was on the EU’s implementation of GDPR and how enterprises doing business in the EU needed to scramble to comply with stringent regulations in a tight timeframe. At the same time, however, the UK also set PSD2 into effect – the Second Payment Services Directive, otherwise known as Open Banking.

Under the directive, the UK’s nine largest banks are required to release their data securely, to be shared more easily between authorized parties online. This includes everything from branch locations and explicit details on product offerings, to transaction details on bill, loans and shopping payments, which is a cause for concern among consumers not comfortable sharing that data. In reality, PSD2 puts power into the account holder’s hands, as they control who can receive their data. 

Broad-sweeping laws like GDPR and PSD2 are expected to inspire similar regulations in the U.S., like the recent California privacy law which requires companies to reveal to state residents what information they are collecting and how it’s being used, and giving consumers the option to revoke permission to stop using that information. For now, most businesses are focused on compliance with overseas regulations. 

Are organizations offering sufficient protections?

Regulations, like PSD2, require strong customer authentication, incorporating knowledge-based elements such as passwords and PINS, a key material, inherent characteristics like biometrics, and a unique authentication code for remote transactions.

To adhere to these requirements, some businesses are embracing biometric authentication methods, like fingerprint sensors and iris scans, in tandem with two-factor authentication (2FA) solutions. However fixed biometrics and 2FA methods are not foolproof, and are still subject to hacking and copying.

An emerging alternative now being recognized by enterprises is behavioral biometrics. With this method, AI and machine learning (ML) algorithms can be trained to adapt to a consumer’s behavior and run on-device, continuously building behavioral models based on the way they interact with the device in their hand, including the way they type, tap and swipe, which is much more difficult for a fraudster to replicate. Behavioral biometrics also greatly reduces the risk of breaches of third-party vendors that do not follow the same set of security standards as the financial institutions they work with.

Some organizations utilize “black box” ML, in which the algorithm flags a potential incident of fraud without a reason why. This is counterintuitive, as transparency is key for any fraud detection application (and for open banking). An audit trail of a given transaction, coupled with the amount of cash held in an account and other account details, is needed in order to understand why something was considered fraudulent, which in turn fosters transparency and compliance. AI algorithms must analyze the consumer’s behavioral model for even the slightest deviation in activity, and then flag that anomaly for the user to determine whether it was a legitimate threat.

Continuous behavioral authentication that incorporates AI brings a new level of personalized defense that fixed biometrics and MFA alone cannot enforce when combating CNP and other types of online fraud. Without it, identity fraud will continue to reach new astronomical highs that will cause major headaches from a consumer and regulatory standpoint.

Contributor

Deepak Dutt brings over 18 years of technical and entrepreneurial expertise in bridging the technology and business worlds. He has a range of experience from small software companies to large worldwide software and telecommunication companies and a reputation for going after tough tasks, hard goals, and accomplishing what the business needs to thrive.

Prior to his latest venture, Deepak Dutt worked in various roles in new venture development, R&D, product management and cyber security at Nortel, Siemens Telecom Innovation Center, and Newbridge Networks. He was awarded the award of excellence by the Nortel CEO in 2003.

Deepak has a successful track record in his entrepreneurship path where he co-founded a software company in India, Intsyx, specializing in eLearning simulation which was subsequently acquired by an Ottawa based firm, bringing him to Ottawa at age 22. As the CEO of Zighra, an emerging leader in mobile security and fraud prevention solutions, he has expanded the business globally with operations in Canada, U.S., UK, Middle East and India.

The opinions expressed in this blog are those of Deepak Dutt and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.