A lot of attention has been given to organisations’ use of biometrics: authentication based on a human characteristic unique to the individual that, in theory, cannot be copied. But is this the identity crime panacea we hope it is?
Examples of biometrics include voice patterns, face, fingerprints, and the veins in the finger. Some organisations are using voice pattern recognition to authenticate their clients when they ring, so that they can avoid going through tedious security questions. One bank has issued finger vein scanners to corporate clients, while others are taking advantage of the fingerprint readers on smartphones to allow customers to access their personal banking apps.
While this sounds like progress, biometrics is not without flaws. There are debates about the relative security of these options, but even if we assume they are completely secure, issues remain.
Most obviously, they currently only secure one access channel: voice recognition works over the phone; vein scanners only work online; fingerprint readers only work when a person is trying to access their account through the mobile banking app on a new(ish) mobile device.
These different methods of securing accounts make the experience of using certain channels more user-friendly. But as yet, they don’t completely secure the account. For that, there would need to be at least one method of biometric authentication on all channels for accessing an account, including in branch, on the phone and with all methods of online access.
New organisations can force their customers down particular access routes, should they so choose: for example, only allowing access via a smartphone app. This allows them to concentrate on securing only that route, but it does restrict their potential customer base to those that have the required technology and a willingness to submit to the organisation’s terms of access.
This approach provides another advantage: authentication takes place on both the individual and the device. This adds a further layer of security, particularly where a biometric alone may not be strong enough. For example, a person’s face shouldn’t be considered reliable enough on its own (particularly given the different conditions a picture might be taken in, affecting the accuracy of facial recognition software). A selfie taken on a device that is known to belong to the account holder, however, could provide that extra level of surety.
This, though, makes a major assumption – that the individual being biometrically authenticated has been correctly identified in the first place.
In 2016, Cifas member organisations identified seven and a half times as many cases of identity fraud as takeovers of existing accounts. This means that while any increases in security must be applauded, the increased implementation of biometric authentication cannot be taken as a reason for everyone to sit back, relax, and let the technology take the strain.
This leads us to the next question: what aspects of identity can be used effectively to accurately identify a person in the first place?
One of the most effective methods of preventing fraud and protecting identities is by sharing the details of previous frauds and compromised identities. Fraud prevention would be made easier if we could collect biometrics at account opening and match them against those known to be previously involved in fraud, or that are known to belong to an individual whose identity has been compromised.
Unfortunately, it’s not that simple. As we’ve previously seen, there is a range of biometrics which an organisation could choose to collect in different circumstances. If one organisation has recorded a voice print and another a fingerprint for the same individual, they will not be able to tell if they are dealing with the same person.
This is not to say it is without merit. Where legal and proportionate, any additional information that can augment fraud cases which feed into data sharing schemes and police systems can support future investigations.
We also have to consider the deterrent of capturing a biometric. One of the reasons for the explosion in identity fraud is the anonymity provided by online applications, but by supplying a biometric a fraudster could be quite literally leaving their fingerprint at the scene of the crime.