May 23 2022
Consider the online services you rely on each day, such as banking and online shopping.
Now imagine how you’d feel if you were suddenly locked out of those accounts. As the panic sets in, you quickly realize that a fraudster has gained access – and likely made unauthorized transactions. You rush to call a customer helpline, where you work to take back control of your account.
This is account takeover fraud (also known as account hijacking) – when a fraudster or criminal poses as a genuine customer to gain control of an account and then makes unauthorized transactions. Account takeover fraud can have a very personal impact, such as triggering immediate financial implications, preventing access to benefits or services, and causing poor credit scores until the matter is resolved.
Fortunately, there is a solution. Biometric face authentication helps organizations to prevent account takeover fraud. A criminal can steal knowledge-based security information, such as a password or mother’s maiden name. They can dupe people into revealing PINs and account recovery information with social engineering. Once they have that data, they can change the contact number and email address associated with the account, so that one-time passcodes (OTPs) and password reset links are redirected.
Genuine Presence Assurance® helps defend against account takeover fraud by ensuring that only the genuine account owner can gain access. iProov’s technology is empowering organizations to safeguard users’ online accounts and ensure that accounts don’t end up under someone else’s control. With iProov, organizations can verify that each online user is the right person, a real person, and that they are authenticating right now.
Account takeover fraud is when a fraudster gains access to a genuine user’s account in order to reap financial gains or launder money through identity theft. It works through a series of small steps:
Account takeover fraud is a huge problem; it’s one of the most common consequences of identity theft. It can also be scalable, as consumers tend to reuse passwords; iProov research found that 59% of respondents admitted to reusing the same passwords across multiple sites.
The problem is exacerbated by ‘credential stuffing’ attacks, where collections of login credentials from data breaches are inserted into a bot which then attempts to access other accounts to automate the account takeover process. The US consumer banking industry alone faces nearly $50m per day in potential losses due to credential stuffing.
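The bot-driven pattern described above is also what makes credential stuffing detectable on the defender's side: one source address cycling through many different usernames within seconds, unlike a genuine user retrying one account. The following detector, added here as an illustration and not part of the original post or of any iProov product, runs over a constructed sample log (the log format, the addresses and the thresholds are assumptions) and reports the source plus any accounts on which a reused credential actually worked.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the page): one source cycling through many
# distinct usernames in seconds (a stuffing bot), a user who mistypes once, and normal traffic.
SAMPLE_LOG = """\
2022-05-23T09:00:01Z src=198.51.100.7 user=alice result=FAIL
2022-05-23T09:00:02Z src=198.51.100.7 user=bob result=FAIL
2022-05-23T09:00:02Z src=198.51.100.7 user=carol result=FAIL
2022-05-23T09:00:03Z src=198.51.100.7 user=dave result=SUCCESS
2022-05-23T09:00:04Z src=198.51.100.7 user=erin result=FAIL
2022-05-23T09:00:05Z src=198.51.100.7 user=frank result=FAIL
2022-05-23T09:01:00Z src=203.0.113.9 user=alice result=FAIL
2022-05-23T09:01:30Z src=203.0.113.9 user=alice result=SUCCESS
2022-05-23T09:30:00Z src=192.0.2.44 user=grace result=SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse(log_text):
    """Return (timestamp, src, user, result) tuples; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag sources that try >= min_users distinct accounts inside any `window`.
    Repeated failures for ONE account are not stuffing (a forgotten password); many DIFFERENT
    accounts from one source is the breached-list pattern. Successes inside the run are takeovers."""
    by_src = defaultdict(list)
    for ts, src, user, result in sorted(events):
        by_src[src].append((ts, user, result))
    flagged = {}
    for src, attempts in by_src.items():
        start, best = 0, None
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1           # slide the window forward past old attempts
            users = {u for _, u, _ in attempts[start:end + 1]}
            if len(users) >= min_users and (best is None or len(users) > best[0]):
                hits = sorted({u for _, u, r in attempts[start:end + 1] if r == "SUCCESS"})
                best = (len(users), hits)
        if best:
            flagged[src] = {"distinct_users": best[0], "compromised": best[1]}
    return flagged
```

The genuine user at 203.0.113.9 who fails once and then succeeds on the same account is not flagged, while the source that tried six accounts gets reported with `dave` as the account to lock and re-verify.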
All industries can be targets of account takeover fraud. Financial service providers are common targets, such as banks and insurers. But other industries such as healthcare and higher education are targeted too – these accounts are often rich in sensitive data such as financial or medical records, which can then be used in further scams (such as new account fraud), or sold online.
Organizations face a series of challenges in detecting account takeover fraud:
Account takeover fraud can be devastating to victims:
To prevent fraud, many companies have implemented two-factor or multi-factor authentication (2FA or MFA). This is mandated for financial institutions in Europe under the PSD2 strong customer authentication (SCA) regulation. This means authentication needs to meet two or more of the following:
However, traditional knowledge-based methods like passwords are increasingly considered insecure. These are phishable – meaning they are ‘shareable secrets’ that attackers can acquire from data breaches or social engineering attacks. It’s easier than ever for attackers to acquire this information and, with so many accounts, consumers are increasingly deploying easy-to-remember passwords across multiple accounts.
Passwords are simply no longer fit for purpose. Similarly, pairing them with other 2FA methods like SMS OTPs (possession-based authentication) is inadequate, because phone numbers can easily be swapped on accounts and messages can be hijacked. The US is already issuing guidance, such as Executive Order 14028, recommending the discontinuation of authentication methods that fail to resist phishing, such as SMS OTPs.
Biometric credentials cannot be ‘shared’ in the same way other authenticators can be. Your genuine face cannot be lost or stolen, or used at scale in a credential stuffing attack. Biometric traits are unique to a person, making them considerably more secure as an authentication factor.
Face biometrics are a compelling inherence-based option, as organizations can cross-check users with government-issued ID (most of which include photos) to validate users during onboarding and enrollment.
Users can use their face for ongoing authentication. With the right biometric solution, this means that nobody other than the genuine owner can access that account or carry out any activity or transactions. Passive biometric solutions such as iProov’s Genuine Presence Assurance also offer a far better user experience. Rather than having to remember and enter a complicated password, a user can simply look at their device, making the security process effortless.
But remember, not all face biometric solutions are created equal…
Liveness detection uses biometric technology to verify that an online user is a real live person. Without liveness detection, a criminal could use a photo or a video of a victim and present it to the camera, spoofing the authentication process.
To prevent account takeover fraud with ultra-secure authentication security, you need to verify all three aspects of genuine presence: right person, real person, and authenticating in real-time. That’s where iProov Genuine Presence Assurance comes in.
iProov’s Genuine Presence Assurance (GPA) technology is an invaluable tool in preventing account takeover fraud, as it offers organizations the highest level of assurance that a user is genuine. iProov’s solution has been specifically designed to be easy to use while also highly secure, and it validates three vital things: that a user is the right person, a real person, and that they are authenticating in real time.
The most difficult aspect to validate is verifying a user is authenticating right now. This is done using iProov’s Flashmark technology, which illuminates the remote user’s face with a unique sequence of colors that cannot be replayed or manipulated synthetically, preventing spoofing.
What’s more, Genuine Presence Assurance is a cloud-based technology, meaning its defenses are hidden from attackers, making it far more challenging to reverse engineer. GPA is powered by iProov Security Operations Center (iSOC), which uses machine-learning technology to monitor day-to-day operations and identify new attacks, meaning GPA provides active threat management. Genuine Presence Assurance can offer additional value through its reassuring ‘ceremony’, as Flashmark assures users that additional security is taking place. When accessing a sensitive account, this ceremony is a great comfort – especially if you have experienced fraud in the past.
Example: a fraudster acquires a victim’s email and password that have been shared on the dark web following a data breach. They enter the credentials into a number of online accounts, such as banks and retailers. Some accounts have no step-up or two-factor authentication in place, so the fraudster can walk right in and cause a huge amount of damage. But in this example, the person’s bank uses iProov face authentication. When the fraudster tries to log in to the account secured by iProov, the authentication fails. Even if they had imagery of the defrauded person’s face, iProov’s Genuine Presence Assurance technology would detect that the genuine individual was not present and the access request would be rejected.
Account takeover fraud causes great emotional stress to its victims, as well as financial and data loss. Organizations face reputational damage and unhappy customers, as well as financial implications. By adding face authentication – either as a sole authenticator or part of a multi-factor authentication deployment – organizations can prevent account compromises.
If you’d like to see how iProov’s technology can bring effortless security to your onboarding and authentication processes – helping to combat account takeover fraud – book an iProov demo here.