GoDaddy breach: how can biometrics limit the impact of data breaches and prevent identity theft?

21 December 2021

The recent GoDaddy data breach was a timely reminder of the vulnerability of passwords and the importance of biometric authentication. The data of 1.2 million customers may have been exposed because an unauthorized person was able to access GoDaddy systems using a compromised password.

iProov has long warned that passwords are not a secure method of authentication: they can be borrowed, or stolen and then shared on the dark web.

This is why biometric face verification and authentication are so important to online security. Your face cannot be stolen – it can be copied (for example, with a photograph or mask) but it cannot be stolen. This means that:

  • Criminals are prevented from using stolen data to create new accounts online in a victim’s name (for example, opening a new credit card or applying for government benefits) because the criminal will not be able to verify themselves using face verification
  • Stolen credentials cannot be used by criminals to access existing user accounts online if those accounts are protected by the genuine owner’s face biometric
  • If systems and accounts are protected using highly secure biometric technology, criminals cannot break in to steal data in the first place

How can face verification help solve the problem of data breaches?

1. Face verification prevents stolen data from being used for identity theft and new account fraud

The problem: If personal data is stolen during a breach, it can be used by criminals to impersonate a victim for new account fraud. Criminals can build dossiers of data from breaches – one breach of 1.2m accounts could provide the e-mail addresses and home addresses of those victims, for example, while another breach might also provide their date of birth.

By combining this data, criminals can have enough information to steal someone’s identity and create accounts online in their name. This could involve setting up new bank accounts for the purposes of money laundering or applying for new credit cards or government benefits for financial gain.

How face verification helps: iProov’s face verification technology helps to prevent new account fraud by securely verifying a new customer’s identity during online onboarding. A new customer is asked to use their mobile device or computer to scan their trusted identity document (for example, a driver’s license or passport). They then complete a brief face scan using iProov technology. This face scan is matched against the photo in the document to confirm that the applicant is the right person (not someone pretending to be that person). The face scan also confirms that the applicant is a real person (not a photo, video or mask). What makes iProov’s Genuine Presence Assurance™ unique is that it also verifies that the applicant is interacting right now (not a digitally injected attack).

2. Face authentication prevents stolen credentials being used for account takeover

The problem: If a criminal group acquires the data of 1.2m people, they can theoretically use that data for account takeover on a huge scale. This can involve gaining access to those people’s bank accounts or social media accounts to steal money or demand ransoms.

If the criminals have been able to access email addresses and passwords, they can use those credentials to try to break into bank accounts, retail accounts and other sites where that email address and password combination may have been used.

Alternatively, they can access the email account and use that to convince the victim’s bank (or other organizations) to replace passwords, phone numbers and other details with their own, so that they have full control over a victim’s accounts.

How face authentication helps: iProov helps organizations to prevent online account takeover by authenticating users online with face biometrics. Because a customer’s face cannot be stolen, a criminal would not be able to gain access to their account, even if they had an email address or password. Face authentication can be used for primary authentication or as part of a multi-factor authentication strategy; if one factor, such as a password, is compromised, then the iProov biometric factor remains secure.

For example, suppose login details from the GoDaddy breach are leaked on the dark web. A bad actor takes these credentials and tries them on a number of websites. On the first few accounts, they’re in luck: the accounts are not secured with iProov, so the bad actor gains access. However, they then try the user’s bank account. They’re dismayed to find that the bank uses iProov to authenticate each login or every transaction. The bad actor is out of luck: they are not the right person, a real person, authenticating in real time, so they can’t gain access to the victim’s money.

3. Face authentication prevents criminals from breaching systems

The problem: Data breaches continue to be a global problem because any system is only as strong as its weakest link. If a password can be compromised, then any system that relies on passwords can be compromised.

How face authentication helps: If systems are protected using iProov’s face authentication technology, either as primary authentication or as part of a multi-factor strategy, then criminals cannot gain access.

GoDaddy, data breaches and biometric face verification: a summary

  • GoDaddy is the latest organization to experience a data breach. This was caused by a compromised password and has resulted in the data of over a million customers potentially being exposed.
  • Biometric face authentication can help to prevent criminals from breaching data by reducing an organization’s reliance on passwords for security
  • If data is breached, biometric face verification (where a face scan is combined with a trusted photo source to verify identity online) can prevent stolen data from being used for online identity theft and new account fraud
  • Biometric face authentication helps to prevent stolen data from being used for online account takeover

If you’d like to know more about how iProov biometric face verification and authentication can help protect your organization, please contact us or book your iProov demo today.