Authenticating Consumers And Preventing Fraud In An Age Of Distraction
We’re living in the age of distraction.
Concerns over health, the pandemic, personal safety and the economy are all top of mind. And in the midst of it all, we’re tethered to our devices, scrolling and clicking through the news and emails that are part of everyday life.
The fraudsters are using our distracted natures to make off with ill-gotten gains. According to some estimates, U.S. losses from COVID-19 fraud and identity theft total nearly $100 million.
PYMNTS’ research shows that 22 percent of Americans have reported being targeted by COVID-19-related fraud.
In an interview with Karen Webster, Stephen Ritter, chief technology officer of Mitek, said that “it’s unfortunately very common that the fraudsters take advantage of moments of weakness. They try to achieve what they want to achieve when people are distracted. [Consumers] are more worried about their health than they are vigilant about the emails they read and the links they might click.”
It may seem puzzling that the methods and schemes have been the same before and during the pandemic — yet they have been devastatingly effective. As Ritter noted, the fraud attacks typically start with a traditional phishing foray, designed through emails, texts or social media messages to get someone to click on a link.
That clicked link will most often lead to malware being installed on a victim’s machine, or to them being fooled into entering private information in a subsequent screen or web app.
It’s an incredibly difficult situation when a consumer is presented with a web page or Twitter link that seems to come from a trusted source — promoting, say, high-quality protective gear or easier ways to get unemployment benefits. And no one has the time or expertise to hover over URLs to uncover lengthy email addresses or server names that look suspect.
At a high level, maintained Ritter, “it’s really important for our organizations, our governments, our banks and our other businesses to be very clear on how they will use these different forms of communication — and what they won’t do within those channels.”
For the banks and enterprises themselves, it’s the flipside of the coin: There’s so much floating around the dark web in terms of stolen credentials and IDs that firms must change tactics to separate good customers from fraudsters.
Dig a little deeper, and there are specific verticals being targeted more sharply than what was seen in the past, said Ritter. He pointed to gig economy firms, such as grocery delivery, where business is seeing a spike in COVID-related demand. The large-scale pivot toward contactless payments, avoidance of biometrics (where we touch things to enable identification) and card-not-present commerce has given the bad guys places to hide.
To gain some measure of protection, said Ritter, “we really should not be relying on those publicly available, easy-to-access factors of identity in order to verify people.” And at the same time, he added, “just because some information is private doesn’t mean it should be used as a ‘secret'” when establishing an ID.
You may be familiar with the classic tenets of identity: something you have, something you know, something you are.
“You always want to be able to select from at least two of those, and at least one of them should be secret,” maintained Ritter.
But he cautioned against assuming that private information such as a Social Security number is, in fact, secret. A password is vulnerable — especially when consumers are lured into sharing that private information through phishing scams that spur them to reset passwords (click this handy link, prompt the fraudsters).
“I’m a security guy,” said Ritter. “So, I just assume that stuff’s been compromised. The question is: How can we create a secure environment with the assumption that private information is actually public and that other things have been compromised?”
Moving Toward Low Friction
Against that backdrop, password resets, for example, should introduce a measure of “low friction” over and above clicking on links to verify identity. A user could be prompted to show proof of a government-issued identity document, for example.
“There’s a lot of technology we can use to make sure we’re applying just the right amount of force at just the right time,” said Ritter, who pointed to behavioral analysis of user accounts as one method to conduct robust, risk-based decisions on identity.
There’s no one-size-fits-all approach, but end users tend to appreciate those efforts to take verification to the next level, he added.
“If someone’s making a $1 payment, that’s one thing in terms of risk and the level of assurance that we need,” he said. “If someone’s making a $2,000 Zelle transfer, that’s something else. It’s all about the specific use case.”
With the coronavirus as background, the conversation touched on other use cases where data is private and precious — outside the realm of payments. Healthcare information, maintained Webster, has value and is in need of high-level security, particularly in the age of telemedicine.
“This is an incredibly important area — not just for us to be talking about here or as an industry, but as a society,” said Ritter.
There’s tremendous benefit in machine learning and neural networks being deployed in the bid to, say, battle cancer. But that means, too, that there are reams of data being created, accessed and stored in various locations.
“This is exactly where we need our governments to step in,” said Ritter. “I don’t believe our governments have provided enough guidance or given our industries, medical researchers, hospitals or machine learning scientists what they need to provide value in a safe way.”
Medical groups and providers have mountains of information that can be useful if shared but are perhaps leery of the legal liability. For healthcare verticals and for most other verticals, Ritter said that depersonalized data — stripped of names, addresses and other markers — can be useful in medical research.
Elsewhere, “distributed identities” (also known as sovereign identity) can be of value, using multifactor authentication that doesn’t require users to enter or create passwords.
“We all need to prove our identity in a digital channel, in a way that is low-friction, very convenient and very secure,” said Ritter.
The identity information typically stays on a mobile device (or in a digital wallet). There will also be a collective of companies that can “vouch” for a person’s ID through digital signatures and an established trust level.
“The architectures around distributed identity platforms can help us solve some of those problems,” Ritter told Webster. “It doesn’t have to be a single company, and it doesn’t have to be a government that delivers the solution.”