The newest report issued by the U.S. General Accounting Office (GAO), Federal Agencies Need to Strengthen Online Identity Verification Processes, calls for an overhaul and updated guidelines on identity proofing, highlighting that data stolen in various data breaches over the years is now available to attackers and fraudsters. The National Institute of Standards and Technology (NIST) already issued guidance in 2017 that effectively prohibits agencies from using Knowledge-Based Authentication (KBA) methods for sensitive applications. Now, the GAO is going one step further, recommending that all agencies discontinue the use of KBA and highlighting various alternatives for consideration. The outcome may have far-reaching implications not just for federal agencies but across the board for all private entities that conduct identity verification and authentication to provide digital products and services.
Identity is everything on the internet. Every authentication hurdle online users need to jump through, such as two-factor authentication and passwords, is aimed at one goal – verifying the identity of the user. Digital identity has never been as important as it is now and will only continue to grow in importance as digital transformation takes hold.
One-time passwords (OTP) remain one of the most widely used forms of two-factor authentication, despite their well-documented vulnerabilities. Earlier this year, a major UK bank was hit by an attack in which fraudsters diverted text messages from legitimate customers’ phones in order to bypass two-factor authentication and access accounts.
Vishing costs British banking customers millions of pounds every year and has become the fastest growing scam in the United Kingdom, but the risk is not limited to that country. In a typical vishing fraud case, the criminal dupes his/her victims into performing financial transactions. For example, a fraudster may call the victim disguised as a security official from his or her bank and, after establishing trust, coerce the victim into transferring funds from his or her account into the scammer’s account as a ‘security measure.’ This voice-based, social engineering crime is only growing in popularity and is set to cost banking customers even more money in the coming years.
The paradigm for identity risk management and authentication is changing. In the new paradigm, context and data available for a specific type of interaction must drive analytics. Instead of just looking for commonality, we need to make better use of data that is unique.
As account opening continues to transition from physical to digital channels, financial institutions, issuers, lenders, and other organizations must optimize the digital experience of applicants in order to compete. At the same time, fraud is on the rise as criminals have become more successful than ever, thanks to some of the same digital channel benefits enjoyed by consumers: convenience, speed, and ease of use.
With account fraud rising and large amounts of personal information already compromised, financial institutions realize the shortcomings of basic passwords and OTPs and the need for biometric authentication to bolster security and enable a seamless user experience. However, many biometric platforms still use knowledge-based information to enroll customers, which makes it easy for hackers to create new accounts using personal identifying information.
There are many faces of fraud in the insurance market: using stolen identities to obtain a new policy or, just as troubling, taking over an account to make a false claim or change payee information to receive claim funds. And when fraud hits, it hurts everyone in the pool. In fact, according to the Federal Bureau of Investigation (FBI), annual losses related to insurance fraud are approximately $40 billion, costing the average American family $400-$700 in increased premiums each year.
BioCatch works with leading banks around the world and monitors more than 2 billion transactions per month. Join us as we provide a summary of fraudulent activity gathered via our behavioral biometrics platform in 2016, review the latest trends in online fraud and share some insights as to what 2017 will bring.