As rigid, password-based systems lead to more security breaches, they are quickly being replaced by real-time biometrics, leading to a passwordless future.
That transition cannot happen fast enough as identity crimes are rising, Mitek’s vice president of product management Chris Briggs said.
Briggs has more than two decades of experience in the industry, including time in software and credit bureaus. Earlier this year, he said synthetic identity fraud was the fastest-growing type of fraud. It involves fabricating identities and creating fake identification. It is followed by account takeovers, where someone presents themselves as another person, tricks financial institutions and retailers into getting access to a target’s account, and then siphons money away or makes fraudulent purchases.
How password fatigue leads to fraud
One reason for the rise is fatigue. Society suffers from password fatigue, with people having to remember multiple passwords and, in many cases, having to change them every six or nine months. To prevent fraud, many sites require more and more complex passwords.
Many write them down to keep track of them, which defeats the purpose. We also use the same password across multiple sites. Scammers know this and exploit it often.
Those responsible for checking our identifications at banks and retailers are also fatigued. Do they check the signature? Does the photo on the identification (which is easily faked) match? Close enough?
And COVID-19 made it worse
Briggs said that the more activity you generate online, the more susceptible you are to being victimized by fraud. The COVID-19 pandemic was a goldmine for fraudsters, as Visa saw 40% more growth in online payments in its first six months than the previous year. Half of that growth was in people over 50, who tend to be less sophisticated.
Criminals are also blending in some old-school tactics with modern techniques. Check fraud has increased by multiples. It can be as simple as swiping the keys from a mail carrier and breaking into a set of apartment block mailboxes. Thieves go through half the mail, knowing roughly 10% contain checks. Those under $300 are acid washed and replaced with higher sums. New identification is created for those $300 and larger.
“I think it’s because everybody is moving from physical to digital that you’re seeing a larger digital footprint driving accessibility and data to fraudsters in the space overall,” Briggs said. “And it only has an upward trajectory at this point.”
The pandemic also forced banks and retailers to quickly up their online game. Many banks, in particular, struggled to replicate the physical process in the digital environment. Security protocols often did not adequately transition. Does that piece of identification they present correspond to an actual person? Is the identification real? How can companies integrate traditional documents with other authentication types?
Legal issues are part of the biometric puzzle
Briggs added that many Mitek clients need help with formal documents in the digital realm because they are legally required to request them.
“What they’re trying to do now is figure out ways that they can biometrically bind a verified identity to an actual person,” Briggs said. “And that’s where the systems aren’t adequately prepared to do that. While some of this technology has been around for a relatively long period, it’s only recently that it’s become affordable and easy to implement.”
Biometrics, immutable identities, and the blockchain – who leads the way?
Can immutable identities on the blockchain address these problems? A whole lot has to happen, Briggs said. States must agree on uniform standards; then, countries must do the same. Some jurisdictions are miles ahead of others.
“That is the future and being able to create a decentralized digital ID that allows the consumer to control the flow of data and how that is shared between various vendors,” Briggs said. “The problem is there’s no standard in that space. So each company right now has to do it themselves.”
The discussion is similar to central bank digital currencies (CBDC). Because businesses are well ahead of governments, those working with that technology will shape its outcome.
But how much influence should they have? How should governments respond? Look to history, Briggs suggested. Swift and clearing houses were privately created and accepted by governments. But on the other end, Estonia’s government directed the transition to a digital economy. India created the Aadhaar identification system.
It will be a combination of the two, he said. As much as the industry creates great solutions, governments must become involved at some point if global standards are to be established.
Briggs said that password fatigue leads to migration to real-time biometrics, but challenges remain. Real-time biometrics brings advantages such as strong predictive capabilities if two of three types can be combined. A multi-modal environment that combines a document with face and voice biometrics is highly secure and virtually friction-free.
Mass biometric adoption faces hurdles
One of the challenges is consumer adoption, Briggs said. There needs to be a mind shift away from the big brother mentality and toward acknowledging its utility in proving identity. The industry should adopt ethical standards that include obtaining consumer consent, limiting the time they can possess that information, and performing regular audits to ensure compliance. They must understand how biometrics are most effectively used and know the points in the customer journey where they are most helpful.
Biometrics are typically used for onboarding and re-verification, Briggs explained. Once someone is verified, they can be biometrically bound to a face and voice.
“You biometrically bind them together in such a way that they create a puzzle difficult for the fraudsters to unravel and get in the front door versus just decoding a password,” Briggs said. “It’s a way to combine those so that no one else can create the same pattern as we can. And it creates this singular serial capability that no one else can decode.”
Which biometrics are best?
Go to enough industry shows, and you’re pitched on various biometrics from face and voice to movement and heartbeat. While some are best in certain situations, Mitek is focused on face and voice because they are best aligned with the needs of clients whose customers often use their phones.
“The key is creating a combination of both the verification of the ID and the person,” Briggs said. “We like face and voice because we find it easier to detect liveness, which is a key component of what we have in our technology. On the back of liveness, you’re testing whether someone has taken a picture of it, if it’s authentic, if it’s a mask, those types of things.”
Progress is also being made on voice. Mitek can separate background noise from the main voice. It can also use that ambient noise to help detect liveness. The technology can be used across settings to detect documents, noise, and face liveness.
How the downturn could accelerate biometric adoption
Briggs constantly watches state, country, and global regulatory changes. How are identities created, managed, and stored? What rights does the consumer have to override decisions?
Credit Europe’s GDPR and the California Consumer Privacy Act for advancing the right to be forgotten and encouraging corporate compliance through hefty fines. Strangely, the economic downturn has also helped. Institutions are likely debating branch closures, which means a necessary digital migration. Systems are being assessed.
“Some of this technology that we’re talking about is not super-expensive, which could advance the purchase of biometrics because it becomes less intrinsic upon them having someone at the branch verify who you are,” Briggs said. “They might pre-verify you before you execute a transaction, or you’ll see organizations doing electronic signatures that they can verify and audit over time.
“The flip side is that we’ve seen some of the banks in the EU and even in the United States get huge fines because they’re not verified, making them flip back to going physical and hiring people checking for fraud.”
Short-term and long-term storage differences
Use cases dictate how and if a biometric is stored. For example, there are one-time use cases where someone opens a bank account. They must match their face to their passport photo and the one on their NFC chip. Those are stored until the transaction is confirmed.
Suppose biometrics need to be stored for more extended periods. In that case, they are stored as a hash string, a series of numbers and letters that allows Mitek to associate a future transaction with a past one that doesn’t require accessing the actual photo.
“In many cases, there’s no way even to go back and derive what that individual looks like,” Briggs said. “That’s because it’s stored in a non-biometric format, which we think is better, and you’re starting to see many organizations move to this non-PII.”
On Oct. 24, Mitek took another step toward that passwordless future with the release of MiPass. This passwordless identity authentication solution allows people to access digital accounts using their voice and face.
To access a digital account via MiPass, users access their smartphone, take a selfie and then record a phrase. Mitek said authenticating digital identities with MiPass reduces the risks associated with on-device stored biometrics, which can be easily compromised, shared between people, or overwritten with a passcode.