As digital e-commerce surges during COVID-19, criminals are using this disruption to scale up security attacks and steal information they can exploit for financial gain. Google says it is blocking more than 240 million COVID-themed spam messages each day, along with 18 million malware and phishing emails.
Financial fraud costs billions of dollars every year and could rise during the pandemic as more people make transactions online. Hackers can harvest passwords and PINs by the millions, using them to access personal data and run up big credit card bills, clean out bank accounts or apply for lines of credit.
In March, when social distancing kept many people at home, Mastercard’s biometrics and analytics arm NuData Security saw a 679% increase in the creation of suspicious accounts… for just one global retailer.
According to a recent Mastercard white paper produced with Purdue University researchers, “the advent of biometric solutions has prompted a shift from knowledge-based methods of verification to those that employ intelligent recognition—replacing the password with the person.”
That makes a person’s behavioural uniqueness the best defence against fraud: not only your fingerprints or your face but how you type and how you swipe on your mobile phone. Because these traits are nearly impossible to replicate and exploit, physical traits and behaviour, combined with the context of your usual activities, are the future of biometric authentication and protection.
And as online shopping and digital payments quickly become consumer habits that will last long after the pandemic, the outlook for biometrics is equally incredible. A study by Juniper Research predicted biometrics on mobile devices will authenticate US$2 trillion worth of remote and in-store payments in 2023, up from just US$124 billion in 2018. It expects more than 80% of smartphones—about 5 billion devices—will have some type of biometric hardware by 2023, and that 1.5 billion smartphones will feature software-based facial recognition.
The evolution of protection
We have come a long way since the ‘what we know’ verification of PINs and passwords. Even though many people still use them, the codes are notoriously easy to forget and often simple to hack. There is an even worse security risk in using the same password across multiple devices or accounts.
The second stage of authentication is ‘what we have’: most commonly one-time passwords sent via mobile messages or emails. While these methods offer increased protection due to automated expiry after a set time, the consumer experience is not always great, with high failure rates in the delivery of messages and also the hassle of flipping in and out of the shopping site to complete the entry of the passwords.
The next evolution has made verification more natural with the ‘who we are’ physical biometrics of fingerprint, iris and facial scans, which appeared in the early 2010s and are now standard on many mobile phones. These tools offer even greater security and are very convenient, but can be affected by outside factors, including moisture and placement (for fingerprint scanning), lighting and hats (for facial scans), and accents (for voice recognition). They also lack common standards and trust levels depending on the device.
Now we are moving into the fourth generation, with ‘how we are’ verification based on recognizing a pattern. Behaviour authentication includes day-to-day actions of how we hold the phone, how we type, whether we are left- or right-handed, the number of errors we make and numerous other ‘silent’ factors.
These passive behavioural patterns are not foolproof—people do not always do the same things exactly the same way—but they offer clues to identity that can be combined with other verification steps. Is your device in an unusual location? Are you using a different IP address or internet browser? Is your connection speed slower than normal? By identifying anomalies, this mix of content and context results in a powerful real-time authentication process that is extremely difficult for fraudsters to copy.
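The way passive behaviour and context combine into one decision can be shown with a typing-rhythm check plus context comparison. This is an added example, not code from the article or from any vendor product; the typing samples, context fields, thresholds and function names are constructed assumptions.

```python
from statistics import mean, stdev

# Constructed enrolment data: inter-key intervals (ms) from one user's past sessions.
BASELINE_SESSIONS = [
    [112, 98, 130, 105, 121],
    [108, 101, 126, 110, 118],
    [115, 95, 133, 102, 124],
    [110, 99, 128, 107, 120],
]
# Constructed "usual" context for the same user (documentation IP range).
KNOWN_CONTEXT = {"ip_prefix": "203.0.113", "browser": "Firefox", "country": "SG"}


def build_profile(sessions):
    """Per-position mean and standard deviation of inter-key timing."""
    return [(mean(col), stdev(col)) for col in zip(*sessions)]


def behaviour_score(profile, sample):
    """Mean absolute z-score of a new typing sample against the profile."""
    # Floor the deviation at 1 ms so a very consistent typist cannot cause
    # a division by zero or an exaggerated score.
    return mean(abs(x - m) / max(s, 1.0) for x, (m, s) in zip(sample, profile))


def context_anomalies(known, session):
    """Names of context attributes that differ from the user's usual values."""
    return sorted(k for k, v in known.items() if session.get(k) != v)


def decide(profile, known, sample, session, z_limit=3.0):
    """Return 'allow', 'step_up' or 'deny' from behaviour plus context."""
    odd_typing = behaviour_score(profile, sample) > z_limit
    odd_context = context_anomalies(known, session)
    if odd_typing and len(odd_context) >= 2:
        return "deny"        # behaviour and context both disagree
    if odd_typing or odd_context:
        return "step_up"     # one signal is off: ask for another factor
    return "allow"           # matches the usual pattern, no friction


if __name__ == "__main__":
    profile = build_profile(BASELINE_SESSIONS)
    usual = [111, 100, 127, 108, 119]
    print(decide(profile, KNOWN_CONTEXT, usual, dict(KNOWN_CONTEXT)))
```

Because behaviour alone is not foolproof, a single anomaly only triggers step-up verification; the request is refused only when typing rhythm and several context attributes disagree at once.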
Risk-based authentication
How does biometrics encroach on personal privacy? The critical thing to note about biometrics is that the artificial intelligence used for the verification process does not need to know much about you. All it needs is enough to recognize you and to confirm that your behaviour is relevant, expected and unique to you.
This does not negate the fact that trust is paramount. People must have confidence in the safety and security of the technology to want to use it. With biometrics growing more widespread in commerce, travel, healthcare and even offices, the Mastercard white paper noted that a key factor of authentication security is where and how the biometrics data is kept.
Storing the information on databases makes it vulnerable to hackers—by creating one large target for them. They can steal millions of fingerprints or facial scans just as they would scoop up PINs or passwords. That makes encryption on your device the preferred option. With the data stored in a secure part of the phone that cannot be accessed by the operating system or the apps, it is used only to check for a match between your fingerprint or face and the information in the encrypted template.
The rollout of EMV 3DS and risk-based authentication has been a major shift for the financial industry. We are now seeing significant engagement with many clients on physical and behavioural biometrics to combat account takeovers, coupon and loyalty fraud, account creation fraud and automated bot attacks—all without interrupting the customer experience.
We are also seeing a very positive response from governments and regulators. The Revised Payment Services Directive (PSD2) rules in Europe clearly identified the inherent safety in physical and behavioural biometrics compared to traditional tools such as one-time passwords. Many governments are exploring the use of biometrics in their public-facing apps and websites as an added layer of protection.
In our increasingly digital economy and society, the future of authentication is all about the most unobtrusive way to provide the best customer experience, without any trade-off between security and convenience. With the right approach to technology and protection, the benefits of biometrics follow on as fast as it takes to swipe right.
Karthik Ramanathan is senior vice president for cyber & intelligence solutions Asia Pacific at Mastercard