The Simility Blog
No Silver Bullet: Biometrics Alone Cannot Predict Identity Fraud
Jayan Tharayil, February 27, 2019
Europe’s new banking laws are set to profoundly change the way online businesses are required to authenticate their customers. This is good news in that it should help reduce headline fraud numbers, but retailers are rightly concerned that it may also increase user friction.
To many, biometric-based authentication represents an increasingly attractive option for reducing friction and fraud. But it’s no silver bullet. Merchants should be wary of relying on any single approach.
The Second Payment Services Directive (PSD2) officially came into force in early 2018. The overarching mission is to create a more competitive, open banking sector within the EU. But as part of these efforts, regulators have also been careful to focus on fraud prevention, with new provisions on Strong Customer Authentication (SCA) set to debut on September 14, 2019.
The SCA rules mean that for many transactions, online merchants will need to authenticate their customers with two-factor authentication, by selecting two of the following sources of identity validation:
* Something the customer knows (PIN)
* Something they have (smartphone/card)
* Something they are (biometrics, such as a fingerprint or face scan)
Starting mid-September, these rules will apply for most transactions over €30, and it will become increasingly important to get SCA right.
The Biometrics Difference
Many experts believe that PSD2 will drive uptake of biometric authentication in e-commerce. It’s seen as a neat way for merchants to conform to SCA rules while minimizing user friction and reducing cart abandonment. After all, it’s arguably easier to pay with a simple fingerprint swipe or “selfie” scan than to remember and type in a strong, unique password.
Another selling point is that biometrics is gaining increasing popularity among consumers thanks to the role of smartphone ecosystems like Apple and Android. There will be over 2.6 billion biometric payment users and 579 million biometric payment cards in use by 2023, as per the ‘Biometrics for Payments’ report published by Goode Intelligence in October 2018.
However, merchants should approach the technology with caution. For years, researchers have detailed ways that biometric authentication systems can be circumvented. These include techniques using machine learning to generate artificial fingerprints, while less high-tech alternatives include using glue to create fake fingerprints that are able to trick scanners.
Voice recordings and even impersonators could be used in a similar way to trick voice recognition systems. And high-quality photos remain a major threat to the security and reliability of facial recognition tools. Plus, there’s a risk that biometric data itself could be hacked, stolen and used to impersonate users.
The worry is that as biometrics become more popular, the cybercriminal underground will plough more resources into cracking current authentication methods. The stakes couldn’t be higher: unlike passwords and PINs, biometric data cannot be replaced or reset by the individual.
A Holistic Approach
There’s no doubt that biometrics have a part to play in helping merchants, banks and others identify and stop fraudulent behavior online. But it’s not the holy grail of fraud prevention.
A better approach would be to focus on adaptable, multi-layered solutions that can evolve to reveal changing patterns of fraud. The adaptive fraud prevention solution from Simility, a PayPal service, does exactly this, applying smart algorithms to the variety of structured and unstructured data in its data lake, which includes device, network intelligence, historical and third-party data, and session and behavioral information. Simility’s fraud prevention platform applies advanced analytics to analyze the identity data from multiple angles to provide a 360-degree view of each user.
These are the kinds of capabilities that will help to safeguard businesses from increasingly sophisticated fraud attempts. It amounts to enterprise-grade protection for every business. Plus, Simility’s detailed analysis and reporting on each transaction — including type and amount, location and behavior of the user, and device — enables merchants to minimize the number of transactions they need to apply SCA rules under PSD2. That’s the best way to maximize fraud prevention and minimize friction.
To find out how Simility can help you deliver frictionless fraud protection for your customers, please download our whitepaper on Adaptive Decisioning Platform, read our solution brief to fight new account fraud, or email us at firstname.lastname@example.org.