Andrius Sutas, CEO and co-founder of AimBrain
In 2018, security is a more salient – and more challenging – issue than it’s ever been before.
For mobile banking alone, last year’s overall number of Trojan virus attacks was twice that of the year before, and a 17-fold increase on 2015’s. McAfee detected 16 million mobile malware infestations in Q3 2017 alone: double that of Q3 2016.
Mobile enables new products, superior segmentation, remote onboarding, and a host of other benefits, but unfortunately, these advances extract a price from banks and financial services institutions. With every new tool comes a number of new attack vectors for criminals to exploit: new opportunities to coerce, dupe, and violate in pursuit of data, money, or simple mischief.
To defend themselves and their customers against these malicious forces, banks have largely focused on verifying devices, rather than people – using passwords and biometric authentication. These approaches have, however, addressed the symptoms rather than the disease. Without verifying the person, authenticity is never fully assured: if credentials can be acquired with an educated guess, a dash of plausible-sounding charm, or even interception, those credentials are not secure. Enterprises that continue to rely on passwords will be at the mercy of their considerable weaknesses.
So how can banks and financial services organisations safeguard customer data – without risking noncompliance with the law, or compromising the freedom and flexibility provided by new technology?
Banking on biometrics
For today’s and tomorrow’s challenges, the best solution is to add additional layers of security. This is achieved most easily and effectively with biometrics, which assure the authenticity of the user, instead of the device used.
A person’s face, fingerprint, or voice is an effective means of verification because it is not easily duplicated and it is not a secret that can be teased out. Anyone can find out anyone’s mother’s maiden name; it’s somewhat harder to steal their face.
This isn’t to say that biometric authentication is flawless: some less sophisticated gateways can be beaten with a video, or a voice recording. But good security is about layers: it shouldn’t matter if it is theoretically possible for a hacker to beat one level of a KYC check, because they will ideally have to also beat layers two, three, and so forth. Passwords don’t work because if a hacker has it, then they have it – and they only had to overcome one challenge for the privilege.
But which challenges can banks add for those with malign intent?
Passive bot detection
Prevention, as they say, is the best cure. Passive bot detection allows banks to feed industry or institution-specific fraud data into a passive anomaly detection module – alerting organisations to the earliest signs of suspicious behaviours. Though it’s used largely for bots, it can also detect troubling behaviours from manual (i.e. human) users, and from as early as the onboarding stage.
Why create an obstacle for hackers when you can create an obstacle course? Multiple biometrics allows you to combine and layer challenges for hackers, including voice, face, bot detection, and behavioural analysis – creating unique systems comprised of ‘step-up/step-down’ security rules and weightings on particular outcomes. The yes/no dichotomy of passwords is replaced with a complex, evolving, in-session risk-based assessment that can discern user authenticity on an ongoing basis.
AimBrain’sAimFace/LipSync solution is one example of a multiple biometrics-based solution: it combines facial authentication with a voice challenge and lip synchronisation analysis. Customers can enrol or access their account by simply taking a selfie and reading a randomised number. If it sounds straightforward, it is – and it’s impossible to spoof using any method available as of this writing.
Simple, yet smart
Finally, simple and smart tests can be combined using the latest anti-spoof and liveliness detection tools – merging simple user challenges with time-sensitive outcomes built on a foundation of artificial intelligence. Facial authentication, for example, can be combined with in-session audio prompts. It’s secure, it’s straightforward, and it highlights the principal benefit of biometrics: they’re right there, in plain sight – and with technology, can be completely useless to cyber criminals.
Secrets are fragile and dangerous: they’re there to be guessed or stolen, and in 2018, are no means of protecting customers or institutions. A modern bank can’t fully contend with fraud until it learns to anticipate it. A true biometrics partner can help an institution do just that: moving beyond the password and toward a future where the customers themselves – instead of their devices – are the best defence against attacks on their data and assets.
AimBrain is a BIDaaS (Biometric Identity as-a-Service) platform for global B2C and B2B2C organisations that need to be sure that their users are who they say they are.