The discussion around my dinner table the other night centered around a recent fraud incident that affected a good friend. A $34,000 invoice came in with instructions to make a payment on an expected business transaction. Within a few seconds, the email disappeared, and several minutes later, another email appeared. It came from the same sender and all details appeared to be the same. The payment was made.
Several weeks later, the person received a very angry phone call saying the payment was not received. Totally confused, they called the bank to verify that the payment had left the account and that the wire was received on the other side. Turns out, the first email was real and the second was a fraudulent intercept that mimicked the first one exactly except for different wire instructions. Now, their bank will not return the funds since they, as the legitimate account holder, authorized the payment.
The Latest Stats on Cybercrime and Digital Identity
According to the FBI’s latest Internet Crime Report, this type of incident occurs with alarming frequency now. Last year, the number of cyber-related complaints rose 14.3%, but the associated losses went up by 90%, almost all of it related to business e-mail compromise scams.
Most victims wonder what they could have done to avoid the situation. They feel ashamed and often times don’t come forward. But in examining fraudulent incidents, the level of sophistication is extremely high, often boiling down to the human element – humans clicking on phish bait, humans authorizing fraudulent transfers, humans convinced that a caller is a legitimate authority and giving a fraudster access to their computer.
Last week we were reminded yet again how fraudsters get their hands on personal data and how valuable that personal data is. With a stolen record that includes a credit card number, address and email going for $25, and nearly 15 billion personal records stolen in the last 5 years, it is easy to calculate just how lucrative the black market for identity is.
Meanwhile, account takeover attacks have left consumers and victims with more than $4 billion in losses in 2018, with 3 times as many with unreimbursed expenses. New account fraud losses increased to $3.4 billion in 2018, and this doesn’t include the impact on victims that need to contend with rebuilding and reproving their identities and credit files for the next untold number of years.
Developing a New Standard for How Identity Is Defined
The answer to all this is to change the way identity is constructed and recognized. There are many organizations building solutions for passwordless authentication, relying on biometrics, the only real link between a physical identity and a digital representation of that identity to ensure that a person is who they claim to be. There are a number of flaws however with almost of the emerging approaches:
- They are not continuous
- They may introduce more friction into the user journey (in the case of authenticator apps)
- They cannot be used in the enrollment phase
- Almost all of them rely on traditional KBA or PINs and passwords as the fallback mechanism
Behavioral biometrics is unique in this respect. By analyzing more than 2,000 parameters of a user’s interaction with a device or online application, it is possible to extract powerful insights that can be used to address different use cases across the digital lifecycle. Behavioral biometrics is passive and works in the background of an online application without disrupting the user journey, a crucial component in engaging and retaining consumers today.
For example, with deep domain expertise and a vast understanding of what different behaviors mean in context, it is possible to distinguish between a legitimate applicant and someone applying for a credit card or government benefit using stolen or synthetic identities even if they have not been identified before. This added layer of visibility surpasses device identification layers, geolocation providers and KBA, all techniques that fraudsters have figured out how to circumvent, yielding a 10-15x return on investment for credit card issuers, insurance companies, digital-only banks and others who have deployed the technology into their stack.
It is high-time to implement a new standard for how identity is defined. If static, personal data and KBA are no longer the central part of how we establish who someone is, we can change the rules of the game and get past this crisis of how to protect digital identity. Behavioral biometrics can help fill in the gap.
To learn more, schedule a demo.