Account takeover (ATO) fraud attacks have doubled in the past two years. Fraudulent logins account for more than 65% of fraudulent activity in the Nigerian financial ecosystem (NIBSS, 2019). Credential stuffing attacks are at an all-time high, costing the banking industry well over N15.5 billion over the past four years (StearsBusiness, March 2022).
A majority of the financial services industry has fallen victim to these attacks in recent years. Between passwords, multi-factor authentication, security tokens, and biometrics, internet users have more ways than ever to secure their digital identity. And yet these statistics tell the story of a digital identity problem that worsens every year.
THE PAST;
Passwords are the oldest single-factor authentication system in computing. Fernando Corbató first presented the idea at MIT in 1960, with no idea of the societal and security impact it would have. At the time the Compatible Time-Sharing System (CTSS) had recently been developed and was available for research use, but it lacked a way to keep one user's private files from another. The problem the password solved was letting the system's multiple users, who shared one machine from different terminals, log on and reach only their own records.
For years the password was used only in research and academic circles, with no major real-world application, but as computers became more accessible, attackers targeting operating systems became more prolific, frequent, and focused. When computers made their way into homes and offices, the true weakness of passwords was exposed. Even Beyond Identity founder Jim Clark has acknowledged his role in making the password a commonplace form of authentication.
Fast forward to 2019 and much of the world still depends on a 50-year-old technology to secure access to online services and IT resources. In 2014 the inventor of the computer password, Fernando J. Corbató, went on record to say that his invention had become "kind of a nightmare." Stronger two-factor authentication (2FA) solutions are widely available but not widely adopted, and estimates of how widely differ sharply: some put deployment below 10 per cent of internet users, while the 2019 Internet Trends Report by Mary Meeker put global adoption in the low 50% range and stalled there. With so many authentication methods available you would expect account takeover statistics to be improving, not worsening.
THE PRESENT;
If you use today's financial institution applications, you have undoubtedly protected one or more accounts with multi-factor authentication (MFA). You enter your password; the site or app then requests a second form of authentication, such as a code sent to your phone by SMS, generated by an authenticator app, or displayed on a hand-held hardware token; you supply it, and the site or app grants access to your account.
MFA may appear new, yet it has been around for some time. It draws on three authentication factors: something you know (a password, a PIN, or other personal information), something you have (a smart card, a hardware token, or a registered phone), and something you are (a biometric such as a fingerprint or a voice pattern). The value of combining factors is that an attacker who has stolen a password still lacks the second factor.
MFA, and two-factor authentication (2FA) as its most common form, have existed in various versions for over two decades. Although the origins of 2FA are disputed (AT&T claims to have invented it in the 1990s), the technology did not take off until the mid-2000s. That was due in large part to users finding it inconvenient, which led them to stick with the familiar single form of authentication, the password, which they assumed would suffice to keep their accounts secure.
Adoption of multi-factor authentication picked up speed in the mid-2000s as mobile phones became ubiquitous. Businesses adopted smartphones quickly as well, since they were a great tool for corporate productivity, and some organizations introduced bring your own device (BYOD) programs that let employees use their own devices for work. Large numbers of consumers suddenly had access to easier 2FA methods for securing their internet accounts. With a phone in every pocket, users could readily receive authentication codes by SMS or email, which made two-factor authentication far more appealing. The convenience came with a caveat that is now well understood: SMS and email codes travel over channels an attacker can intercept or redirect (for instance through a SIM swap), so they are the weakest of the second factors in common use.
THE FUTURE;
A true passwordless authentication architecture eliminates shared secrets altogether: passwords, PINs, SMS codes, and OTPs are all replaced by public-key cryptography. The server holds nothing that would let an attacker impersonate the user, so a breach of its credential store yields nothing that can be replayed.
Private keys are generated by the user on their device and never leave it. Biometric sensors such as Apple's Touch ID and Face ID, and their Android and Windows counterparts, are typically used to unlock the private key locally; the authentication server stores only the matching public key and verifies a signature over a fresh challenge it issued. The biometric itself is never transmitted, and each challenge is single-use, so a captured response cannot be replayed. This is the model standardized as FIDO2/WebAuthn.
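The exchange described above, as an added example in Go that is not code from this page or from any vendor it names. It uses the standard library's Ed25519 for the key pair and signature; the relying-party name bank.example, the user ada, and the plain in-memory field standing in for a secure enclave are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models the user's phone. The private key is generated here and never
// leaves; in production it sits in a secure enclave and is unlocked by a local
// biometric check, which this example stands in for with a plain field (assumption).
type Device struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pub: pub}, nil
}

// PublicKey is the only thing the device ever sends to the server, at registration.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// Sign answers a challenge. The relying-party ID is bound into the signed
// message so a response obtained on a look-alike site cannot be forwarded.
func (d *Device) Sign(rpID string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, signedMessage(rpID, challenge))
}

func signedMessage(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"\x00"), challenge...)
}

// Server stores public keys only, plus one outstanding challenge per user.
type Server struct {
	rpID       string
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer(rpID string) *Server {
	return &Server{
		rpID:       rpID,
		users:      map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues 32 fresh random bytes that are valid for exactly one attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Verify consumes the outstanding challenge (on success or failure) and checks
// the signature with the registered public key. Nothing reusable is ever stored.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	pub, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	issued, ok := s.challenges[user]
	delete(s.challenges, user) // single use: a replayed response finds nothing to match
	if !ok || subtle.ConstantTimeCompare(issued, challenge) != 1 {
		return errors.New("unknown or already used challenge")
	}
	if !ed25519.Verify(pub, signedMessage(s.rpID, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	dev, _ := NewDevice()
	srv := NewServer("bank.example")
	srv.Register("ada", dev.PublicKey())

	c, _ := srv.Challenge("ada")
	fmt.Println("challenge:", hex.EncodeToString(c))
	fmt.Println("login:  ", srv.Verify("ada", c, dev.Sign("bank.example", c)))
	fmt.Println("replay: ", srv.Verify("ada", c, dev.Sign("bank.example", c)))
}
```

Three properties carry the security argument: the server's store contains only public keys, so it is worthless to a thief; the challenge is random and burned on first use, so a recorded response cannot be replayed; and the relying-party ID is part of the signed message, so a signature coaxed out of the device by a phishing site under a different name does not verify at the real one.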
User behavioural biometrics complements the passwordless concept rather than replacing it: it provides a new generation of user security solutions that identify individuals by the unique way they interact with smart devices such as smartphones, tablets, or notebooks. Unlike a cryptographic signature, its output is a probabilistic match score, so in practice it is used for continuous risk assessment across a session rather than as the sole proof of identity.
The technology builds a profile for each user by tracking metrics that are likely to be unique to the individual: the angle at which a smartphone is held, swipe and scroll patterns, use of keyboard and gesture shortcuts, walking style and speed, typing style (speed, keypad pressure, finger positioning), and other keystroke dynamics. Software models turn these measurements into a user profile, and later interactions are scored against that profile to confirm the user's identity.
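A minimal version of that profile-and-score loop, as an added example in Go; it is not code from this page or from any product it describes, and the vendors' actual models are not published. It keeps a mean and standard deviation per metric from enrollment sessions, scores a new session by its mean absolute z-score, and separately flags keystroke timing that is too regular to be human. The metric names, the five enrollment sessions, the 2.5 decision threshold and the 2% jitter cut-off are all constructed assumptions for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Metrics captured per session; names and units are assumptions for this example.
var metrics = []string{"hold_ms", "flight_ms", "swipe_px_per_ms", "pressure"}

// Sample is one session's measurements; Profile is the per-user model (mean and
// standard deviation of every metric over the enrollment sessions).
type Sample map[string]float64
type stat struct{ mean, std float64 }
type Profile map[string]stat

const (
	minEnrollment = 5   // refuse to build a profile from too little data
	riskThreshold = 2.5 // mean |z| at or above this is treated as a mismatch (assumed)
)

func meanStd(xs []float64) (mean, std float64) {
	for _, x := range xs {
		mean += x
	}
	mean /= float64(len(xs))
	var ss float64
	for _, x := range xs {
		ss += (x - mean) * (x - mean)
	}
	return mean, math.Sqrt(ss / float64(len(xs)))
}

// Enroll builds a profile from a user's enrollment sessions.
func Enroll(samples []Sample) (Profile, error) {
	if len(samples) < minEnrollment {
		return nil, fmt.Errorf("need at least %d sessions, got %d", minEnrollment, len(samples))
	}
	p := Profile{}
	for _, m := range metrics {
		vals := make([]float64, 0, len(samples))
		for _, s := range samples {
			v, ok := s[m]
			if !ok {
				return nil, errors.New("enrollment sample missing metric " + m)
			}
			vals = append(vals, v)
		}
		mean, std := meanStd(vals)
		if std < 1e-6 {
			std = 1e-6 // floor so a perfectly constant metric cannot divide by zero
		}
		p[m] = stat{mean, std}
	}
	return p, nil
}

// Score returns the mean absolute z-score of a session against the profile:
// 0 is the enrolled centre; larger values are further from the user's habits.
func (p Profile) Score(s Sample) (float64, error) {
	var total float64
	for _, m := range metrics {
		v, ok := s[m]
		if !ok {
			return 0, errors.New("session missing metric " + m)
		}
		total += math.Abs((v - p[m].mean) / p[m].std)
	}
	return total / float64(len(metrics)), nil
}

// Matches is the accept/reject decision; a session with missing data is rejected.
func (p Profile) Matches(s Sample) bool {
	z, err := p.Score(s)
	return err == nil && z < riskThreshold
}

// LooksAutomated flags inter-keystroke intervals with almost no jitter, the
// signature of scripted input rather than a human hand (coefficient of variation < 2%).
func LooksAutomated(intervalsMs []float64) bool {
	if len(intervalsMs) < 3 {
		return false
	}
	mean, std := meanStd(intervalsMs)
	return mean > 0 && std/mean < 0.02
}

// Five enrollment sessions of one user, constructed for the example.
var enrollment = []Sample{
	{"hold_ms": 95, "flight_ms": 180, "swipe_px_per_ms": 1.40, "pressure": 0.45},
	{"hold_ms": 100, "flight_ms": 200, "swipe_px_per_ms": 1.50, "pressure": 0.50},
	{"hold_ms": 105, "flight_ms": 220, "swipe_px_per_ms": 1.60, "pressure": 0.55},
	{"hold_ms": 98, "flight_ms": 190, "swipe_px_per_ms": 1.45, "pressure": 0.48},
	{"hold_ms": 102, "flight_ms": 210, "swipe_px_per_ms": 1.55, "pressure": 0.52},
}

func main() {
	p, _ := Enroll(enrollment)
	z, _ := p.Score(Sample{"hold_ms": 140, "flight_ms": 320, "swipe_px_per_ms": 2.40, "pressure": 0.80})
	fmt.Printf("attacker-like session: z=%.2f match=%v\n", z, z < riskThreshold)
}
```

Two details matter in deployment more than the arithmetic. The enrollment floor guards against building a profile from one or two sessions, which would make every later session look anomalous or, worse, make the attacker's first session the baseline. And the score is a risk input, not a verdict: a genuine user with a new phone or an injured hand will drift, so the usual pattern is to feed the z-score into the session risk engine alongside device and transaction signals rather than to block on it alone.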
A major pioneer of this approach in the financial fraud prevention space is Paygilant, which delivers what it describes as a fraudless, frictionless, and effortless security solution.
Paygilant is a frictionless enterprise fraud prevention solution for fintech, designed to protect neo/challenger/digital banks, e-wallets, crypto platforms, and more. It aims to eliminate the trade-off between fraud prevention, frictionless user experience, and user privacy.
Paygilant validates legitimate customers seamlessly and protects against the fraud types, including money laundering, that affect the fintech ecosystem: new account opening fraud, account takeover, transaction and card fraud, cross-bank fraud, coupon fraud, synthetic identity fraud, and more.
Paygilant delivers this fraudless, frictionless, and effortless security with a technology it calls Paygilant's Six Intelligence Sets.
The six intelligence sets are dynamic layers that analyze and correlate relevant information throughout the user's journey to determine whether a transaction is safe or risky. Throughout this process Paygilant observes attributes of the user, device, application, and transaction, and weaves them into an identity representation of the user that yields a risk score for each transaction. Paygilant's checkpoints monitor each action the user takes and assess risk at each stage (registration, login, adding a payment method, transacting, and more) to ensure that the genuine user is performing the transaction. The assessment runs continuously throughout the whole session, from login to logout.
Device DNA: the next generation of device fingerprinting, addressing the weaknesses of traditional device IDs brought about by the constant policy hardening applied by Google and Apple. Paygilant creates a unique ID for each device from a blend of device attributes and a proprietary algorithm. Using the Device DNA, a returning device is identified accurately whether it belongs to the legitimate customer or to a fraudster, and attempts to clone or replicate a device with emulators, bots, factory resets, and similar techniques become ineffective.
User Space: a unique representation of the user's operating environment, used to validate the user without friction while detecting fraudulent activity. Each user owns a unique set of information points that exist nowhere else; this is the "User Space". Paygilant derives a virtual signature from it and uses that signature to validate the user's authenticity when the app is used. Because the User Space is unique, Paygilant detects attempts to take over an account and distinguishes legitimate users' spaces from fraudsters', blocking a transaction from a fraudulent device before it is performed. The User Space also roams with the legitimate user when they switch devices, allowing them to connect and operate without friction (no OTP, SMS, or password).
Activity Map: because each user interacts with the app in a unique manner, the flow of the user's navigation is mapped and profiled. The activity map checks the consistency of the user's interaction with the app, to confirm that the actions taken align with those of the legitimate user rather than a fraudster.
Bio Markers: Paygilant's behavioural biometric layer observes physical interaction attributes that make each profile unique and easy to identify, while also distinguishing humans from machines (emulators, bots, malware). Such attributes include touch velocity, intervals between touches, finger size, scrolling pace, gestures, and more.
App Insights: by correlating internal and external information, Paygilant validates that the user's profile matches the connected device.
Transaction View: Paygilant's patented transaction-monitoring behavioural maps analyze each user's transaction behaviour and spending habits to detect possible fraud or illegal transfers and protect legitimate users. These maps are high-resolution representations of the steps in the transaction journey, showing the details of each habit, how it relates to the user's own patterns, and how it compares with their demographic group, giving a deep understanding of whether a given action is risky or safe.