The financial services industry was one of the fastest to embrace biometric security over the last couple of decades, and particularly with respect to the mobile biometrics boom of recent years – which we detailed in last week’s feature for the Future of Finance special event at FindBiometrics. It’s fair to say that the use of biometric authentication – or at least the option to use it – is now pretty widespread across the financial services sector, at least as far as digital channels go.
That’s good news. By its very nature, biometric authentication offers greater security than authentication based on passwords. But with fraudsters playing catch-up at a rapid pace, there’s a growing awareness that it’s now time to turn to even more advanced security mechanisms beyond simple face and fingerprint scanning. The latter may be banks’ first line of defense, but there is a growing need for a second line of fortifications.
The Threat of Spoofing
A big part of the reason for this is the threat of presentation attacks, or ‘spoofing’. This refers to the use of artificial mimics of genuine biometric credentials in order to fool an authentication system into granting access to an unauthorized user.
In the case of fingerprints, some systems can be fooled by a synthetic print made using basic materials like glue and tinfoil. Meanwhile, some facial recognition systems can be tricked by mere printouts of an authorized user’s face; in one particularly notorious example, the OnePlus 6 smartphone of 2018 was fooled by a presentation attack using a black-and-white photo of an authorized user.
Calling in the Cavalry
Fortunately, most biometric authentication systems are more advanced, and a growing number are adopting “liveness detection” security to thwart the threat of presentation attacks.
Fingerprint authentication systems, for example, have begun to integrate technologies like infrared sensors that can look for signs of cardiovascular activity beneath a finger’s skin as they scan its fingerprint – a very difficult thing to spoof. Facial recognition systems, meanwhile, have seen a few different approaches emerge to combat presentation attacks. Onfido’s selfie-based authentication system, for instance, supports the addition of challenge-response prompts during the authentication process that can require the end user to read aloud a randomly generated number, thereby proving that a real user is present during a face scan. Artificial intelligence is also starting to play a huge role, with sophisticated new systems designed to look for subtle signals like the micromovements of hair in order to verify that it’s a real, live user at the other end of the interface.
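The server side of a spoken-number challenge like the one described above can be sketched as follows. This is an added example, not Onfido's or any vendor's code: the class name, the 30-second lifetime and the six-digit length are assumptions, and the transcript is assumed to come from a separate speech recognizer. It shows why the number must be random, short-lived and single-use, so that a recording of an earlier session is rejected.

```python
import hmac
import secrets
import time

DIGITS = "0123456789"

class LivenessChallenges:
    """Issues one-time spoken-number challenges and checks the response."""

    def __init__(self, ttl_seconds=30, digits=6, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.digits = digits
        self.clock = clock          # injectable so expiry can be tested
        self._pending = {}          # session_id -> (number, expires_at)

    def issue(self, session_id):
        # CSPRNG, so the next number cannot be predicted and pre-recorded.
        number = "".join(secrets.choice(DIGITS) for _ in range(self.digits))
        # Re-issuing for a session replaces any earlier outstanding challenge.
        self._pending[session_id] = (number, self.clock() + self.ttl)
        return number

    def verify(self, session_id, spoken_transcript):
        # pop(): the challenge is consumed whether the attempt passes or
        # fails, so a captured response cannot be replayed or brute-forced.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return "no_challenge"
        number, expires_at = entry
        if self.clock() > expires_at:
            return "expired"
        # Keep only ASCII digits from the recognizer output ("4 1 7 ...").
        heard = "".join(ch for ch in spoken_transcript if ch in DIGITS)
        if not hmac.compare_digest(heard, number):
            return "mismatch"
        return "ok"
```

A passing result here only shows that the audio was produced after the challenge was issued; the face and voice captured alongside it still have to be matched to the enrolled user.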
There is also an important new industry standard, in the form of the Presentation Attack Detection evaluation by the iBeta QA testing laboratory. iBeta is the only lab in the world accredited through the National Institute of Standards and Technology’s National Voluntary Laboratory Accreditation Program, and it runs a rigorous testing program to assess the effectiveness of anti-spoofing technology. So far, only a handful of industry leaders have succeeded – selfie authentication specialist FacePhi just announced PAD Level 1 compliance this month – but the more there are to follow, the greater our collective assurance that biometric authentication is getting a second line of defence against fraudsters, with both biometric matching and liveness detection keeping unauthorized users out of online accounts.
These developments are all good news in terms of the login process for end users, but what about security within an online session? This is an area of growing concern for financial services providers as new threats like social engineering attacks – in which fraudsters seek to manipulate genuine end users into divulging information or even transferring money to fraudulent ends – become even more prominent amid the shift to online banking and remote services.
Fortunately, behavioral biometrics technology has emerged as a compelling solution. These AI-driven systems are designed to look for patterns in the end user’s behavior, such as how they type or even how they hold their smartphone, in order to spot signs of both legitimate activity and potential fraud. This means that even if a fraudster manages to take advantage of a legitimately authenticated online session, the continuous, passive security of behavioral biometrics can still flag fraudulent activity as it’s underway.
It’s another example of the cutting-edge technologies that are emerging as a second line of defence for online financial services. And when combined with the strength of biometric authentication backed by liveness detection at the point of sign-in, it offers a whole other layer of security that doesn’t add any friction whatsoever to the user experience.
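The continuous in-session check described above can be illustrated with typing rhythm. This is an added example, not any vendor's product: it uses a simple per-key-pair statistical profile as a stand-in for the AI-driven models the article mentions, and the function names, the review threshold and the sample timings are all assumptions constructed for the illustration.

```python
from statistics import mean, stdev

def typed(text, gaps_ms):
    """Build (key, press_time_ms) events from per-key gaps."""
    t, events = 0, []
    for ch, gap in zip(text, gaps_ms):
        t += gap
        events.append((ch, t))
    return events

def digraph_intervals(events):
    """Map each consecutive key pair to its press-to-press intervals."""
    out = {}
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        out.setdefault((k1, k2), []).append(t2 - t1)
    return out

def build_profile(sessions, min_samples=3, sd_floor=5.0):
    """Per-pair (mean, stdev) from enrolment sessions. The stdev is floored
    so one unusually steady pair does not dominate the score."""
    pooled = {}
    for events in sessions:
        for pair, vals in digraph_intervals(events).items():
            pooled.setdefault(pair, []).extend(vals)
    return {p: (mean(v), max(stdev(v), sd_floor))
            for p, v in pooled.items() if len(v) >= min_samples}

def anomaly_score(profile, events, min_evidence=3):
    """Mean absolute z-score over known pairs, or None if too little data."""
    zs = [abs(x - profile[p][0]) / profile[p][1]
          for p, vals in digraph_intervals(events).items() if p in profile
          for x in vals]
    return mean(zs) if len(zs) >= min_evidence else None

def assess(profile, events, threshold=3.0):  # threshold is an assumed value
    score = anomaly_score(profile, events)
    if score is None:
        return "insufficient"   # do not flag on too little typing
    return "review" if score > threshold else "consistent"

# Constructed sample data: four enrolment sessions of the word "transfer".
OWNER_GAPS = [[0, 110, 95, 130, 120, 150, 100, 90],
              [0, 118, 101, 124, 128, 142, 108, 96],
              [0, 105, 90, 136, 115, 155, 95, 85],
              [0, 112, 98, 128, 122, 148, 102, 92]]
PROFILE = build_profile([typed("transfer", g) for g in OWNER_GAPS])
```

Calling `assess(PROFILE, events)` on each new burst of typing within a session yields "consistent", "review" or "insufficient"; a "review" result would feed a step-up check rather than block the user outright.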
These tools offer a whole new level of fortification for banks and other financial services providers, and point to a future in which every financial services provider will have multiple lines of defence against online fraud.
June 25, 2020 – by Alex Perala