
To say that identity theft and fraud are a major issue is an understatement. In fact, odds are you or someone you know is one of the record 16.7 million U.S. consumers who fell victim to identity theft last year—a group that grew by 8 percent and was cheated out of $16.8 billion by fraudsters in 2017 alone (according to Javelin Strategy & Research).
Why the increase? Over the past couple of decades, the fraudster persona has changed from the ski-masked bank robber to the person—or network of people—using technology to steal identities and money from consumers and organizations at alarming rates. What was once considered more of a targeted action is now a web of steadfast theft across multiple touch points—web, mobile apps, contact center, etc.—with costly, domino-style effects.
Given the magnitude of this issue, various organizations and governing bodies are proposing measures to combat fraud. In California, for instance, the Information Privacy: Connected Devices bill (SB-327) is set to go into effect on January 1, 2020, making it illegal for companies that manufacture an internet-connected device (such as a router or webcam) to set a weak default password on the device. Because consumers oftentimes do not change these passwords, leaving them the targets of fraud, manufacturers will now be required to set complex, unique admin passwords on their devices or have a start-up procedure that requires the user to create a strong password when setting up the device for the first time.
While this law signals a step in the right direction, it’s a small Band-Aid for a much larger problem: there are still so many vulnerable points of entry to fraud. Not to mention that using traditional alphanumeric passwords across these touch points is like leaving your door unlocked and inviting thieves inside to steal your belongings.
The bottom line is that anything that is knowledge-based—such as passwords, PINs and challenge questions—will always be susceptible to fraud, no matter how complex they are.
So what can consumers and organizations do to protect themselves? As consumers, we need to demand a multi-modal authentication approach from the organizations we do business with. And businesses should subscribe to it. Single authentication methods should not be used.
Second, we need to move from knowledge-based methods to inherent safeguards like biometrics. As the name implies, knowledge-based methods authenticate using something we know (and must remember) while biometrics authenticate using a unique biological key that we always have with us. It doesn’t require us to come up with a password, remember that password, write that password down or put it in a computer file.
Not only are knowledge-based passwords easily stolen or duplicated, but they are also frustrating when they are forgotten and need to be reset via email or text (which is also hackable). Biometric technologies, on the other hand, utilize a person’s unique inherent traits (our voice, behavior, fingerprint, face, etc.) and are the deciding factor as to whether we can access an account, make a transaction, or perform other tasks. These types of security mechanisms are extremely critical in today’s online and mobile commerce environment, where we may interact with an organization through a number of vehicles: for instance, starting an interaction by calling the contact center, then moving on to a mobile app or website to complete a transaction.
In the case of voice biometrics, a person's voice is compared to a voiceprint stored on file, and is analyzed for hundreds of physical and behavioral factors, making it secure and reliable. Unlike knowledge-based authentication, a person’s unique voice cannot be stolen, copied or re-used. The beauty of a technology like voice biometrics is that it can be active or passive, securing against a broader range of fraud. An example of active is when a consumer utters a passphrase like "my voice is my password" to gain access to their account and self-serve through a digital channel (like an app or website). An example of passive is when the technology "listens" in the background of a conversation with a call center agent and compares the caller’s voice to the voiceprint on file without any additional input from the customer, authenticating the caller in as little as 3-10 seconds.
Additionally, with behavior biometrics, our interaction patterns (such as how we type, swipe, hold a device, apply pressure, use a mouse, and even the surface area occupied by our finger) can be compared to an expected profile of that same user. It provides continuous authentication where a user is constantly compared to her profile to ensure that someone else has not hijacked the session.
In addition to improving customer experiences via easy and seamless authentication, biometrics can save organizations millions while keeping customers happy and their accounts safe. While password laws, in theory, are a good idea and certainly an indication that more must be done to combat fraud, they ultimately won’t fix the issue that the username and password paradigm is fundamentally broken. It was never designed for—and is inherently incapable of addressing—the use cases of the modern digital environment.
Current and future authentication and security challenges require a modern solution. And biometrics is it.
Edited by
Maurice Nagle