Written by: Philipp Pointner, Jumio
It was recently reported that new account fraud went up 28% in 2019 compared to 2018, according to global reports, and more than 100% over 2014 levels. As cybercriminals fine-tune their impersonation efforts, it’s getting more difficult for modern enterprises to distinguish between high-risk and low-risk users — and this will only continue thanks to large-scale data breaches, the evolution of the dark web and the looming threat of identity theft. Unfortunately, traditional authentication methods like passwords, knowledge-based authentication (KBA) and SMS-based two-factor authentication (2FA) can easily be spoofed as a result of the never-ending data breaches that we read about every day.
Just a couple of months ago, an unsecured database on the dark web left the personal information of more than 267 million Facebook users, mostly in the U.S., exposed. This type of breach is a nightmare not only for the consumers impacted but also for businesses. When over 190,000 websites are Facebook Login Button customers and almost 40,000 live websites use the Facebook Login Button, a hacker who gains access to a user’s Facebook profile can easily reach a multitude of connected accounts. This particular breach exposed Facebook profiles as well as email addresses, meaning all fraudsters need to do is look up a consumer’s exposed passwords from a separate breach to have a good chance of gaining access to their Facebook account and, from there, the connected accounts (since 50% of Americans recycle passwords across multiple websites).
Traditional methods like SMS-based 2FA and simple password authentication aren’t the only forms of authentication proving inadequate. Methods like fingerprint scanning have also come up short in recent months, proving hackable with little effort. Digital fingerprints are being sold in the Richlogs Marketplace (on the dark web), according to a recent report from IntSights. The report reveals that these digital fingerprints, which consist of a full fingerprint of a user’s web browser and computer characteristics, allow an attacker to almost flawlessly impersonate the victim.
It was recently reported that the fingerprint reader on Samsung’s flagship S10 and Note10 smartphones can be spoofed with a $3 screen protector. Unfortunately, this means anyone can unlock the device and access its data, along with any other apps protected by the fingerprint-based biometric security. Smartphone manufacturers have been implementing advanced features for users to secure their devices, using fingerprint readers, face mapping and even sensors that map out the veins in the palm of your hand, but device-centric approaches like fingerprint sensors are inherently problematic.
The biggest issue is that these fingerprint sensors are easily duped and cannot be relied on for commercial authentication use cases, but the approach also suffers from several other limitations. Multiple people can register their fingerprints on the same device, which means it’s unclear which family member was behind a given commercial transaction. Also, if the device is lost or stolen, recovering access to the user’s online accounts is challenging. Finally, device-centric unlocking functionality, such as the Samsung fingerprint scan, is also limited to the device itself when it comes to establishing someone's actual digital identity for purchases (i.e., users cannot use their fingerprint scans to make purchases from their desktop computer).
For any organization looking for enterprise-grade security, spoof-proof detection and cross-device support, sophisticated face-based authentication is inherently superior to fingerprint-based authentication, SMS-based 2FA and simple passwords. Certain cloud-based approaches can leverage a 3D map of the user's face to alleviate some of the shortcomings of fingerprint-only authentication methods. Features like certified liveness detection add another layer of protection, rendering the solution practically dupe-proof. These options create a digital chain of trust to a unique user and can be used across devices. This will prove increasingly valuable with the rise of advanced fraud strategies like account takeovers, identity theft and deepfake technologies.