FIDO & Mobile Fraud Detection
FIDO ID can boost customer retention for financial organizations using post-pandemic technology
Trust sits at the heart of modern society, especially with respect to banking and financial services. Without trust, we’d all still be sleeping with our life savings tucked under our mattresses.
Rising levels of fraud and cybercrime are pushing the entire financial sector towards an important decision. Organizations find themselves caught between two equally daunting pressures. The first is to meet high customer expectations for convenience and accessibility when it comes to digital and mobile banking. The second is to keep CIAM strong enough to minimize fraudulent activity. So, what will companies decide, and how can they inform their decision?
Staying competitive in this environment requires businesses to be especially aware of current tech so they can best implement strategic, trust-enhancing user experiences that put the privacy of their organization – and their customer – first. In fact, the financial sector reports balancing fraud detection efforts with resulting customer friction as one of the most difficult and ongoing challenges.
To best address these issues, business leaders in the financial sector must ask themselves three fundamental questions:
- How did we get here?
- What has it cost us?
- What can we do?
3 Catalysts Impacting Mobile Channel Fraud and Cybercrime
Mainstream usage of mobile phones completely changed the modern fintech landscape. Most people today can’t imagine how they ever lived without their mobile phones. This reliance has had many consequences – both positive and negative.
Fraud is, of course, one of the most negative effects of digitization. Whether it’s identity fraud, spoofing, or the creation of synthetic identities, cybercrime has been running rampant like never before. Understanding the intricacies of the types of fraud present in digital channels today requires the examination of three important catalysts.
1. The arrival of mobile banking access
The dawn of the digital world transformed the financial sector, boosting its efficiency in many ways. Information can now be verified instantaneously and from virtually anywhere in the world. While mobile phones have been around for several decades, mobile banking only became possible in the U.S. in 2007 with the introduction of “smartphones.” By 2012, more than 20% of mobile phone users reported using mobile banking services. In 2020, Americans alone used mobile devices to make purchases totaling $503 billion. Mobile banking activities were most often used for:
- Checking account balances
- Transferring money between accounts
- Paying bills
- Depositing checks
- Sending money to other accounts
- Paying for products using Apple Pay or Google Pay
2. The COVID-19 pandemic
Although mobile banking was already growing in popularity throughout the late 2010s, the COVID-19 pandemic served as a major catalyst for online banking activities, especially as in-person bank branches and retail stores were shuttered.
One survey in 2015 asked banking customers what their primary method was for accessing their accounts and found that the most popular option was online banking, representing 37% of consumers. Just less than 10% of survey respondents ranked mobile banking first. But by 2019, when the same survey was conducted once again, researchers found that the number of respondents naming mobile banking first had jumped to 34%, beating out online banking (22.8%), bank tellers (21%), ATMs (19.5%), and telephone banking (2.4%).
As users realized the enhanced convenience and functionality of mobile banking, an impressive 90% of respondents in one 2020 survey indicated intent to stick with their new digital banking methods, even as the pandemic effects subsided.
3. The rise in criminal sophistication
Cybercrime has been around as long as there’s been “cyber” anything. But when the pandemic revolutionized how we share and access information, it also led to revolutions in cybercriminal activity.
According to a recent survey, roughly three-quarters of Americans (76%) use their primary bank’s mobile app for “everyday” banking tasks. As more transactions are channeled through mobile devices, fraudsters have taken advantage – and we’re seeing growing levels of mobile-targeted fraud.
According to the FTC’s Consumer Sentinel Network Data Book 2021, of the 2.8 million fraud reports, 25% reported losses totaling $5.9 billion. This is a significant increase from the 2019 and 2020 total reported fraud losses ($1.9 billion and $3.3 billion, respectively). These losses are only expected to grow.
How Criminals Target Touch ID and Face ID Biometric Tools
Understanding current challenges with biometric authentication requires us to explore the status quo. Biometric data, such as the biometrics used for Face ID and Touch ID, are stored on mobile devices in security architectures known as “Secure Enclaves” for iOS devices and “Trusted Execution Environments” for Android devices.
Because these architectures are separate from mobile devices’ operating systems, breaches are more difficult – but still possible. These attacks have largely been made feasible by malicious bot transactions. According to experts, “it is difficult to identify such bots and other types of fraudulent transactions involving synthetic identities without support from digital identity and transaction fraud detection solutions.”
A LexisNexis Risk Solutions report published earlier this year found that more than half of U.S. banks and credit lenders surveyed documented a 10% or greater increase in mobile channel fraud in 2021.
Although we like to think of Touch ID and Face ID as being fool-proof, they simply aren’t. It’s especially challenging, given that banks have built mobile authentication tools into the design of their own applications. Before scrapping and replacing a current platform, it’s vital for business leaders to understand the underlying technologies, along with their strengths and weaknesses.
No two fingerprints are alike. The individual ridges and patterns on our fingers, as well as minute characteristics known as “Galton details,” make each person’s set of fingerprints entirely unique. But this knowledge has given rise to something commonly referred to as the “fingerprint examiner’s fallacy,” which describes the “mistaken idea that individual uniqueness of fingerprints could ever be taken as a guarantee of the accuracy of fingerprint identification.” While every fingerprint is unique, our methods of fingerprint identification are imperfect.
The sensors currently used in recording our fingerprints are affected not only by the unique physiological features of our fingers but also by how fingers are placed onto sensors, the location of finger placement, and a host of other factors, such as moisture, temperature, and dirt. These factors lead to variations in failure to enroll (FTE) and failure to acquire (FTA) rates.
Cybercriminals have found ways to employ sensor-level machine learning algorithms that are able to generate artificial fingerprints with the potential to unlock one in three fingerprint-protected smartphones.
Researchers realized that the probability of a random person unlocking your phone through touch ID on the first try is roughly one in 50,000. However, security researchers have discovered that well-funded and technologically sophisticated attackers can “fairly easily” bypass these technologies using methods like 3D printing, achieving a success rate of approximately 80%.
Face ID is sometimes perceived as a “new” technology because Apple unveiled the capability with the introduction of the iPhone X in 2017 as an alternative to fingerprint authentication. But facial recognition has been around for more than half a century, and as computers have improved, so has their ability to recognize and distinguish faces.
Face ID is a mobile authentication measure that utilizes facial features to confirm the user’s identity, which is stored locally on devices. While Face ID can be duped, doing so is much more difficult than spoofing Touch ID sensors.
Although our facial features are considered highly unique, Face ID technology can still be fooled, as is made clear by identical twins – and even siblings born years apart – who can unlock one another’s phones. Face ID algorithms also have difficulties identifying those under the age of 13.
Face ID can be fooled by something as simple as contact lenses or a photo of the user. As more smartphones and apps make use of Face ID as a security identifier, its failure rate proves concerning.
What is FIDO ID?
As the weaknesses of Touch ID and Face ID come into focus, we can see opportunities for other authentication methods, like FIDO ID.
FIDO is an acronym for “Fast IDentity Online,” and the technology utilizes a pair of cryptographic keys to verify a user’s identity. The private key of the pair is stored on the mobile user’s physical device (not online), and the matching public key is stored by the online service. Because the mobile user’s private key stays on the device, FIDO ID is more resistant to the types of security issues experienced by users with password-only authentication. It also means that not all information is stored and accessible server-side.
Understanding FIDO’s biometric keys
The biometric “keys” used by FIDO refer to the biometric data used to verify the user’s identity on the device. Because that biometric data is stored only on the user’s device, the service or online entity cannot access it.
As a result of this distinctive, two-part key system, accounts using FIDO are more secure, especially in a world where individuals, for the sake of convenience, are far more tempted to reuse passwords – like their pet’s name or a hometown – thus making them easily phishable. This makes it more difficult for accounts to be linked by password authorization information while maintaining the convenient account access capabilities that financial customers want.
As more businesses embrace FIDO identification, it’s critical to select a company that has been certified by the FIDO Alliance.
Certification verifies that the provider’s FIDO technology won’t be attacked by bad actors. This is paramount for financial institutions when selecting mobile and online application verification systems.
The FIDO Alliance validates vendors using a certification process and at proctored events where other companies can experiment with compatibility and security functionality.
FIDO certification is important, because in addition to making sure that the FIDO ID functions correctly and can’t be hacked by fraudulent actors, interoperability is verified so that the technology fits seamlessly into existing platforms.
FIDO has three certification levels: 1, 2, and 3. These Certified Authenticator Levels matter because of what each level protects against, and because each level builds on the previous one: to meet Level 2 requirements, a system must already have passed Level 1, and the requirements are stringent.
- Level 1 covers hardware and software authenticators that protect against phishing and other scalable attacks.
- Level 2 authenticators must support a Restricted Operating Environment (ROE) with a hardware-protected boundary (AROE) and defend against remote software attacks.
- Level 3 authenticators resist physical attack and protect against all attacks covered by Levels 1 and 2 as well as remote and local hardware attacks.
FIDO ID Advantages
FIDO ID has four primary advantages over authorization systems, like Touch ID and Face ID, that directly integrate with mobile device operating systems:
- Strong security: FIDO ID’s strong security stands out against its Touch ID and Face ID counterparts because of the requirement of the key pair.
- Futureproofing: FIDO ID-certified technologies are independent of the platforms they live on, so they can easily be upgraded as institutions advance.
- Easy implementation: Since passkeys are safer than passwords, only a single implementation is required for a user to access accounts system-wide.
- Lower cost: Besides the money saved by fewer data breaches system-wide, FIDO ID solutions incur lower IT costs associated with password handling. Deployment is a cost-saving solution that doesn’t require in-house platforms or new devices.
While FIDO has proven to be the best solution to handle quick and easy authentication, true solutions are needed for institutions that require ID verification.
FIDO-Certified Solutions From Daon
Daon® has been a founding member of FIDO since its inception in 2014. Our solutions combine the security and privacy of FIDO with the increased accuracy, auditability, and expanded capabilities of server-side biometrics.
Historically, the biggest challenge for financial institutions has been the burden of redesigning and rebuilding a platform to integrate with the latest, ever-changing technologies. FIDO solutions from Daon are scalable and futureproofed, with automatic compatibility whenever new devices and upgrades come to market (which saves time and money every time a new OS is developed). Customers enjoy the benefits of FIDO ID because options like Liveness Detection can prevent spoofing and ATO (account takeover).
Daon offers FIDO identity solutions to organizations that have already implemented Touch ID and Face ID. By using Daon’s IdentityX® platform, which includes face & voice biometrics and liveness detection, businesses can save time and money with easy integration and scalability.
Solutions like FIDO+ build from FIDO authentication by boosting it with server-side identity proofing, authentication, and recovery.