Embracing biometrics to tackle banking fraud
Neil Costigan, CEO BehavioSec
High profile hacking attacks on global corporations in the media serve as an unwelcome reminder of the increasingly sophisticated nature of cybercrime. Yet, beyond complex hacks on global enterprises, simple techniques to gain access to sensitive data continue to be a burden for both consumers and enterprises.
According to Financial Fraud Action UK, last year online fraud rose 48%, resulting in £60.4 million in losses. Far from the sophisticated cyber-attacks imposed on large corporations, one of the most common threats to consumer security is telephone scamming. The technique, which involves hackers posing as a bank or the police, is four times more likely to affect those over the age of 55 than the rest of the population, according to the Financial Ombudsman. This demographic is at most risk of being tricked into sharing their banking passwords security credentials via the phone, which the scammer can then use to gain access to their finances.
Alongside social engineering and phishing, this type of scam will always be a risk all the while people are the sole gatekeepers of their own security. Being forced to remember numerous password and log-in details, as well as who we can and cannot share them with, is a burden for us all, not least for those who grew up in a pre-digital era. The industry needs to embrace a layered approach to security – that reduces the burden on consumers.
New era of security
Biometric authentication has been introduced as a means to reduce this responsibility – and the subsequent risks involved. One of the most well-known forms of biometrics solutions is fingerprint scanning, thanks largely to the widespread adoption of this technology amongst smartphone providers including Apple. This form of authentication, known as physical biometrics, verifies users based on something they are, rather than something they know.
A less well known form of biometric authentication is behavioural biometrics. Relying on sophisticated machine learning algorithms, the technology builds up a unique profile of the user based on how they interact with the device. Keeping track of measurements such as typing speed, the angle at which the user holds the device or the pressure used to type, biometric checks verify that a person is who they say they are throughout their interaction with the device, rather than simply at point of log-in. Thanks to the numerous sensors available on smartphone technology, behavioural biometrics is particularly suited to mobile and tablet banking.
Such technology responds to the growing concern around phishing, social engineering scams or telephone scams. A hacker could enter the correct credentials for a customer’s online banking – but the technology would pick up that an intruder is simply posing as the valid user.
As we increasingly move our banking activities online, the risks associated are inevitably rising. Halifax recently revealed that over 50% of its interactions with customers are via mobile. However, simply putting tighter restrictions on digital banking will not solve the inherent security issues. Customers embrace online and mobile banking because of their convenience factor. Adding security hardware such as card readers for two-factor authentication provides a frustrating barrier to an otherwise smooth transaction process. Behavioural biometrics appeals to time-poor convenience-focused banking consumers, as it sits in the background of technology devices, rather than proactively asking the user to pass through any additional authentication processes.
Stopping the scammers
The increased vulnerability of over 55 year-olds to scams such as telephone heists does not suggest that the younger generation, or even enterprises, are immune to such risk. Earlier this month the financial director of London-based hedge fund Fortelus lost his job after being conned into giving financial details over to a phone scammer claiming to be the company’s bank – losing the company $1.2 million.
Falling for a scam is a relatively simple mistake to make – but the consequences can be costly. Simple security solutions such as passwords will always be undermined by simple hacking techniques. As such it’s important that industries – and in particular the financial industry – take a layer on top of solutions such as passwords with additional security solutions such as behavioural biometrics. By adding innovative security layers, banks reduce the responsibility on the customer to look after their own security data. Added security doesn’t have to mean added inconvenience. If we are to tackle the banking scammers and fraudsters, the industry needs to embrace solutions that find the right balance between sophisticated security and ease of use for the customer.
The technology is just providing the safety for smartphone users only, I think. However, the phone scammers are working on the ancient device, yes, the home phone. For now, there’s not many phone carriers that provide its customers with some safety devices. Home phone users still facing so many scam attempts until today. At least, I can find 2 or 3 cases regarding these phone scams at http://callercenter.com just today. I hope that home phone companies will soon give its customers more devices or services that can make them avoid those scammers.
Bruce, you are quite right. But here voice recognition is a very promising authentication technology.
A necessary development is to implement varying authentication methods that adapts to the device being used and sensitivity of the information, so that, for instance, a small transaction can be carried out with a simpler authentication mechanism and a large requires a mutli-factor authentication.
Yeah I know, I am totally agree with that. That’s why I said that it needs to be implemented to the landlines. Since most of those scammers are targeting people with access to their landlines. Just few scammers target mobile device users (if it is compared with home telephone).
Bruce, the problem is that the consumer has no way to authenticate the caller to prove they really are the bank or police. If the consumer was given a simple one time token immediately prior to the call, delivered through a trusted channel, that the caller has to recite back to them, then they have a means to verify the caller really is who they say they are….Sedicii has developed a technology that does this.