Biometrics and fraud in the COVID era—what’s changing?

1-07-2020 by Sanjay Gupta

Markets and usage for biometrics are up, down and all over the place since the pandemic hit. Meanwhile, even when people understand the importance of authenticationthe precipitous changes in consumer behavior and business priorities driving these shifts are also opening up new opportunities for fraud.

What’s keeping me awake at night (besides news headlines and cranky stuck-at-home-all-summer kids): Fraud growth trends that were already a source of business upheaval, may now be gathering even more force. And I think it’s likely biometrics will play a central role in both new problems and solutions.

 Download and read my paper Fraud Trends and Tectonics to learn more 

Biometrics markets in turmoil, far-reaching changes underway

Understandably, interest has suddenly plummeted in biometric-based account access requiring touch by more than one user. Examples: an ATM machine at a local bank branch or a point of sale machine at a grocery store. At the same time, there’s a resurgence of interest in no-touch physical biometrics like voice biometrics and face recognition; using the ATM example I just cited, one bank in Spain is planning to roll out facial recognition technology for their ATMs. 

Vendors are racing to enhance their solutions to work accurately even when people are masked. As governments and public agencies promote contact tracing, new markets have appeared overnight for solutions combining this type of biometric authentication with the ability to capture other data, such as body temperature and geolocation. Also on the upswing are behavioral biometrics, since these don’t involve physical data capture.

“The findings show people who haven’t been as comfortable with eCommerce and other digital technology have been pushed to overcome their hesitancy—and this shift is huge.” Jill Standish, Head of Accenture Global Retail Practice, quoted in CIO & Leader, May 2020

This is all very interesting and challenging for everyone involved—but I think there are even bigger changes underway. Here are three trends combining in ways that could be far-reaching:

1. Consumers going all-in for digital. Adoption and usage rates for digital services and communication channels are soaring.

Current users are spending more time online and on mobile apps. People who’ve never used them before are trying them out, especially for online banking, grocery shopping and payment of utility bills. In fact, Accenture research shows that one in five consumers ordering groceries are first-timers; one in three for those aged 56 and above.

2. Businesses fast-forwarding security. The surge in consumer demand and competitive pressures among companies scrambling to meet it are forcing businesses to accelerate their digital transformation roadmaps. In many cases, what looked two or three years out is now happening in months or even weeks.

Identity verification and authentication is an important part of these initiatives, since businesses are concerned about fraud vulnerabilities and recent research reports show how intertwined digital identity and fraud are becoming. One of these is Experian’s 2020 Global Identity & Fraud Report, which found that 84% of businesses believe that if they can better identify customers, they will more easily spot fraud. Another finding from that report is that 88% of consumers say their perception of a business improves when there is investment in customer experience, including security. Also, 55% of consumers said they didn’t feel confident their providers were accurately recognizing them, a concern that reduced trust.

Trying to expand digital services quickly while paying attention to customer experience and security, many companies are now experimenting with biometrics. It’s tricky because, as Mitek’s own research shows, consumers were wary of biometrics prior to the pandemic. But attitudes may be changing, and many businesses are betting on that.

For instance, in the hospitality industry, some resorts plan to use contactless identity verification and other no-touch technologies for self-check-in, granting access to properties, rooms, elevators and sports facilities, and auto-payments for dining, spa services and entertainment. But overall, biometric authentication solutions vary in the level of security they provide and how well they balance security with ease and convenience for users. There’s the risk of AI demographic bias, inaccuracy and false positives (legitimate customers flagged as suspicious). It’s important to take great care choosing what to deploy. Also capturing and storing highly personal and irreplaceable biometric data brings with it a substantial obligation to protect the data and ensure user privacy.

3. Fraudsters in the kitchen. With the explosion of new online accounts and digital services, it’s fat city for fraudsters—and, believe me, they’re taking advantage of the opportunity.

While people all over the world have taken to baking bread, fraudsters have been in their kitchens too. They’ve been cooking up new schemes for fraudulently opening accounts and taking over existing ones. With many more businesses capturing and storing consumers’ personally identifiable information (PII), there is an increasing number of targets for data theft.

Especially worrisome is the potential for a breach of biometric data. Also, there’s the danger that biometric data—whether from breaches or scraped off of social media video and photos—could be used to create deepfakes good enough to fool fraud defenses.

“…commerce has taken a dramatic left turn from digital-first to digital-only practically overnight—and fraudsters are finding themselves in a uniquely target-rich environment for all kinds of cybercrimes.” “Fighting fraud in the new normal,” PYMTS.com, April 2020

The more immediate future

Clearly we are leaping ahead along the vectors our CTO Steve Ritter wrote about in The Future of Identity. I read the paper again last weekend because Steve’s optimism as well as his concerns and guidance seem so pertinent—and immediate—now.

One of these is the need for consumer awareness and control over the use of biometric data. There’s a big difference, for instance, between an application that captures and stores biometrics from social media or third-parties without explicit consumer consent vs. an application where the consumer submits their own image from a government-issued ID along with a selfie for biometric comparison and verification. Consumers need to know biometric data is being captured, they need to be informed about how it will be used, and they need to have some say over whether it can be stored and for how long.

Consumers also need to be aware of when biometric data is being used for other than IDV purposes. For instance, if a resort is using facial recognition technology to track every where I go on the property, I might like the way that enables them to tailor services to my needs and provide me with place- and time-appropriate information. But I might also start to feel it’s intrusive, especially if they’re using these insights for too much in-my-face marketing or sharing data with partners. The creepiness factor could quickly outweigh convenience.

Similarly, we all need to think about how biometric data is being combined with other types of data, such as passive biometrics (data captured on how we type, hold and swipe our mobiles, etc.) and behavioral biometrics (data captured on sites we frequent, browsing behavior, purchasing behavior, etc.). Amalgamations of all this data are being used not only to identify us, but to characterize us. Such characterizations, in the form of dynamically updated profiles, may follow us across any number and variety of online and mobile interactions. They might be used not only to target marketing offers and ads, but also to determine the types of services we’re offered and the information we’re given.

Mitek Fraud series: Biometrics and Fraud in the COVID era. What's changing? | Identity Verification through the customer journey The Pandemic blindsided us; will surging digital fraud do the same? | How to fight fraud with data | What is a Deepfake and how does it impact fraud? | Financial services and online marketplaces face shifting fraud landscapes What is synthetic identity fraud? | What is Account Takeover Fraud