Biometrics: Better than your mother's maiden name. Good luck changing your body if your info is stolen
The eyes have it
Identity theft has hit record levels in the UK, and the vast majority of incidents are online. Cifas, the UK's largest cross-sector fraud-sharing database, recently logged 174,523 incidents and found that eight out of 10 took place online.
Far from targeting the usual haunts of bank and credit card services, fraudsters have shifted to new targets – telecoms, online shopping and insurance. The thieves are harvesting information through phishing, malware attacks, social media, and other forms of social engineering.
In the US, 145 million Americans saw their Social Security numbers, birthdates, credit history, and other staples of online verification pinched from credit-rating agency Equifax.
The primary driver behind financial fraud is impersonation and deception scams as well as online attacks to compromise data, according to Financial Fraud Action UK.
For all the achievements of the internet's builders, it would seem the issue of reliably proving identity has come to bedevil their extraordinary creation. This omission has left society juggling two incompatible worlds, that of the online and the offline, each with its own notion of human identity.
It has put those providing online services in a seemingly impossible position: they must safeguard entry to their services, yet the methods available to them rely on credentials that are weak or already compromised. There is every chance the person logging on is not who they claim to be, because that individual is using somebody else's stolen details.
The internet was about connectivity and communication, ignoring the idea that a successful digital world would one day need a reliable concept of identity that didn’t rely on easily faked, lost, or stolen documents and information, or basic data such as your mother’s maiden name.
But here we are. Today's online world is forced to default to one of two unsatisfactory options to safeguard services and users: one is to ask people to prove their identity through paper documentation, and the other is to resort to some form of knowledge-based authentication (KBA). The former requires the person to first visit the institution in person with paper documents in hand, which is hardly the stuff of the digital world. From that moment onwards, KBA is used to check that the person who made that visit is still who they claim to be.
KBA, however, has another problem: people's memory. Google in 2015 found most people – 74 per cent – struggle to remember the answers to the personal questions used in KBA systems, and in many cases attackers have a good chance of guessing the answer anyway. Asked "what's your favourite food?", 20 per cent of people answer pizza.
KBA and MFA: failed gods
The ultimate identity crime of all is ID theft, where someone's entire digital record is borrowed to commit not one illegal act of access but possibly multiple crimes over an extended period – hence the significance of the Equifax hack. KBA fails in the Equifax-hack world because the successful criminal holds the fundamentals – financial credentials, names, addresses, dates of birth, security questions and passwords – needed to pretend they are somebody else.
Engineers, regulators, and governments have patched up this problem by enforcing either more checks (making it more difficult to open financial accounts, say), or by extending KBA in novel ways. In the long term, they simply spurred criminals to evolve and organise to find ways around them.
One perceived answer was two-factor or multi-factor authentication (2FA, MFA): adding something the user has in their possession (a hardware token or a time-dependent code) to one or more things they know, usually a username and password. Well-designed MFA can be effective, but it brings trade-offs between complexity, expense, and effectiveness, and it is annoying and confusing if you are forced to authenticate across services in different ways. 2FA has also been compromised: attackers have hijacked the text messages used to deliver a temporary code, so a one-time code is only as strong as the channel that carries it.
To KBA’s credit, users understand what to do and are not challenged unnecessarily.
What's the answer? What about the aspects of identity people carry with them and cannot easily change – fingerprints, voice, iris, typing style, facial and selfie ID, and perhaps even DNA? Can these bear down on fraud in ways that are hard to bypass? Styled as advanced identity verification, many have now reached the mainstream thanks to the smartphone and mobile apps.
Broadly speaking, these can be divided into simple verification (for example, logging into an account), and onboarding verification (the process a user goes through when they originally created that account) as a way of stopping criminals from setting up fake accounts. Some examples:
- HSBC Bank deployed sophisticated Voice ID for customers in 2016
- Several UK banks, including – again – HSBC, have adopted Apple's Face ID for verification, which debuted on the iPhone X. This turns the iPhone into a sort of token underwritten by Apple's security technology and its claim of a low false-match rate. The disadvantage is that it is tied to iPhones, an issue as facial recognition on Android lags.
- The UK Government's GOV.UK Verify, developed by GDS, tries to create a sort of digital passport for accessing a range of services including paying taxes, renewing driving licences, and claiming benefits. HM Land Registry this year claimed to have completed the UK's first digital mortgage, recording a transaction between a building society and conveyancing services and using the service to provide a digital signature. There is also a growing trend to validate identity by matching a government-issued document, such as a passport or driving licence, against a selfie, with the two faces compared. This approach is being used to verify and onboard people by Airbnb among others.
Outwardly, these are all upgrades that make life harder for attackers – but, no, they do not provide immunity. The biggest challenge is simply that biometric systems rely on data that are effectively in the public domain, such as faces, fingerprints, and even voices. Once an attacker has these, they cannot be changed the way a password can. The data can also be stolen directly and in bulk, as happened, disastrously, to the US Office of Personnel Management, which in 2015 admitted hackers had breached its servers and stolen the fingerprints of 5.6 million employees. The HSBC voice system, widely and lovingly reported at launch, proceeded to get gamed by someone's twin.
Users stuck in a web
It used to be that verification and authentication were just plain confusing. Now, as breaches like Equifax become commonplace, the technologies used to police fraud are being undermined one after another.
How to identify people is an eternal problem, so perhaps this was always destined to be so on the internet. Perhaps this is why internet engineers left identity off the list of things to do.
Perhaps that’s the reason why online fraud is not only growing but so, too, is theft of the elements and attributes that form the bedrock of many of the internet’s identity and verification systems. ®