Coronavirus-era fraud needs better biometrics than keystrokes
At the beginning of 2020, few could have imagined the world engulfed in a pandemic which would create such widespread disruptions of work and personal lives. Now, at midyear, many parts of the world have weathered enforced shutdowns of business and strains on our health care systems.
COVID-19 has created not only disruption but also an acceleration of digital transformation across many aspects of our lives. The use of online and mobile transactions and communications has taken a huge leap forward during the pandemic, creating new opportunities and new threats.
Everyone today is adjusting to the new normal, including remote work, social distancing and a widespread shift to online transactions and communications. The changes caused by COVID-19 have been so significant that Bain & Co. has raised its forecast of the percentage of transactions performed digitally by 2025 to 67%.
For consumers, new modes of online and mobile commerce, particularly contactless payment, are rapidly becoming the standard. Visa and Mastercard have raised their transaction limits for contactless payments in many markets, and other digital payment methods, such as Apple Pay, Samsung Pay, Google Pay and other wallet apps, are seeing increased rates of adoption as they have become the go-to alternative for safe, secure and risk-free transactions amidst this pandemic.
With the chaos created by COVID-19, fraudsters are seizing the opportunity to launch new attacks on people and companies distracted by the challenges of navigating the pandemic. Fraud is definitely on the increase during COVID-19, particularly mobile fraud. According to a new report by Aite Group, financial institutions that had previously expected an 8% decrease in fraud in 2020 are now projecting a 10% to 15% increase in 2020.
Fraudsters are taking advantage of people under stress, outside of their normal routines, to widen their attacks, and they are having success. Phishing and social engineering scams are on the increase, with COVID-19 stimulus payments offering a particularly fruitful target for fraud. According to the security firm Check Point, more than 4,000 malicious websites were set up to take advantage of people and businesses looking for government support.
Fraudsters are using synthetic and stolen identities to steal these subsidy payments. Also, with the implementation of social distancing measures and the shift to remote ordering, card-not-present fraud is increasing as fraudsters take advantage of this new behavior to mix fraudulent charges in with the increased transaction volume. Payment providers are seeing these trends, with companies such as Square increasing cash holdbacks from merchants to address increasing rates of fraud.
With the shift to mobile commerce, web-centric security defenses are not enough to keep mobile users secure. The static credentials used for identification and authentication have become too easy to steal or fake, and two-factor authentication methods using SMS codes or challenge questions are not secure and create significant friction for the mobile user.
Fraud detection for the mobile era requires new dynamic, adaptive approaches. It is no longer sufficient to use “something you know” as proof of identity for authentication. Too many pieces of user information are now available for sale on the dark web and are being used as the foundation of synthetic identities. Using “something you do” as a second factor for authentication offers much stronger defense against fraud and also the potential for frictionless security.
While the use of behavioral biometrics such as keystroke patterns has become commonplace for web-based security, this has less applicability to mobile commerce given the different form factor and interface of a smartphone. Location-based behavioral biometrics, however, harnesses a mobile device customer's unique behavior patterns, including the user's location behavior history, to create a dynamic location fingerprint that is extremely difficult to fake or forge. As an added benefit, this location-based fingerprint is not tied to personally identifiable information, making it the basis for a private identity that will keep fraudsters out of accounts.
COVID-19 has accelerated digital transformation and the move to mobile commerce. With fraudsters capitalizing on opportunities to launch new fraud attacks, mobile application providers need to look to dynamic, adaptive defenses provided by behavioral biometric solutions to stay ahead of the fraudsters.