Account takeover fraud growth signals wider need for biometrics
Identity fraud holds no prisoners when it comes to payments. If a fraudster gets hold of a consumer's credentials, everything from mobile wallets, to a checking account, savings account or P2P account is in jeopardy of takeover.
Total identity fraud reached $16.9 billion in 2019, according to research from Javelin Strategy & Research, which notes that fraudsters are targeting fewer victims but inflicting far more damage once personal information and passwords are in their possession.
Identity fraud increased 13% year over year from $14.9 billion in 2018, but biometrics technology, which is getting stronger with each passing year, could dramatically decrease account takeovers, said Norman Marraccini, senior vice president at FIS, a partner in the Javelin identity fraud study.
Something has to be done to halt account takeovers, which rose 72% in 2019, with the criminal taking over a full account in more than half of the instances, the report stated. When taking over an account, criminals assume an identity with multiple account updates such as changing e-mail addresses (30% of the time), updating online passwords (27%) or physical addresses (27%) and obtaining a new payment card (25%) and changing a PIN (21%).
Each one of those actions should call for a biometric authentication step to authorize it, Marraccini said.
"We have seen biometrics in the movies for years, like in 'Minority Report,' where the Tom Cruise character goes through iris scans all the time," Marraccini said. "That's a movie, but that sort of technology is available."
Organizations like Faster Identity Online Alliance have pushed for years to replace static passwords with biometrics and other dynamic authorization technology, but it continues to be a slow conversion for banks and businesses alike.
"We should be using biometrics everywhere we can when moving money," Marraccini said. "It's a bump in the road that many consumers don't like, but that bump helps them know it is safe to move their money and the extra few seconds to authorize with biometrics should be worth it."
Even though biometric steps stand in the way of faster payments and faster actions by customers, it provides a key self-defense layer. "It is probably the barbed wire on the top of the fence that you are not going to get over, but there are other layers of defense that you have to get through to get to that point," he added.
The logical place to start is with mobile devices, but the biometric protections can expand to other settings, said Krista Tedder, head of fraud at Javelin Strategy & Research and co-author of the report.
"The challenge with mobile payments is that less than half of Americans lock their phone, so anyone can steal that phone and then steal information," Tedder said. "Biometrics can prevent that type of fraud pretty much from the get-go."
Nearly 70% of those who do lock their mobile devices choose fingerprint or facial scans to unlock them.
"We are seeing more friendly fraud when it comes to P2P apps as well, with people sending money to themselves from other people's devices," Tedder said. "But when you protect with biometrics, it means the security is there with you because you take your phone everywhere."
In addition to being a fast authentication method for payments or a way to bypass filling out credentials each time when opening new accounts, biometrics also allow a bank or business to realize when someone else might be trying to hack into an account.
"My bank knows that I use biometrics to get into my mobile banking app, so if someone tries to get into my account using another method, my bank flags that and asks if it is really me," Tedder said. "So, it's not just about how you access accounts, it is having your financial institution also know how you access."
Most U.S. consumers, at 84%, say that static passwords are safe enough, even though 86% feel safer using biometrics, the report noted. Although 88% say they are willing to change, they also say static passwords are fine.
That creates complacency, Tedder said, because most people trust their bank sites to be secure. It means that banks and businesses will have to force consumers to convert to biometrics as the safer authentication process they want to implement, she added.
"We have to create so many passwords, and we use the same ones over and over again," Tedder said. "But it often turns out that we use a password on one site that is similar to what we use on our banking site."
Falling into that trap emphasizes how poor or weak passwords remain at the center of the fraud problem.
The study also recommends disabling static passwords because, overall, 88% of consumers say they are willing to change but just need to be pushed. The security focus that is on payment card transactions needs to spread across the entire consumer relationship and all accounts, which increasingly become targets of criminals.
If using biometrics came into play every time a consumer did any task related to moving money or changing account information, it would save institutions from significant fraud loss, FIS' Marraccini said. "Do it all of the time. You don't want to lose $1,000 or even $100 because you got tricked on a phishing scam and shared some information."
A thumbprint, a facial scan or voice biometrics could come into play in eliminating the staggering number of passwords that people currently deal with, Marraccini added.
"Just have people log in once with a thumbprint or facial scan, but even if you are going to keep using passwords, at least use biometrics that indicate how a person types," he said. "That tech may not be as good as it could be yet, but you have to turn it on and see how good it is."