Bad Week for Biometrics

Last week was a bad week for biometrics. Two separate incidences that demonstrated the vulnerability of biometrics authentication occurred.

The first occurred at The Defcon event, Las Vegas where researchers were able to demonstrate that they could bypass the FaceID user authentication and access the iPhone of the victim in less than 120 seconds.

In a separate incident, investigators exposed biometrics data of more than a million people (23 gigabytes of data) left unprotected on a database owned by Suprema, a biometric security company. The data exposed included facial recognition and fingerprint information collected by the UK authorities.

The amount and type of data leaked were overwhelming. Note the examples below:

Fingerprint data
Facial recognition information and images of users
Unencrypted usernames, passwords, and user IDs
Records of entry and exit to secure areas
Employee records including start dates
Employee security levels and clearances
Personal details, including employee home address and emails
Businesses’ employee structures and hierarchies
Mobile device and OS information

The two incidents shed light to the concern of biometric authentication and emphasize the need for tighter more secure biometric security.

And the concern is clearly justified – once biometric data is hacked, the information pilfered is for life. Biometric data in the form of facial recognition and fingerprint data is not reversible. Unless you go to a plastic surgeon 😊

With the recent leak, fraudsters could easily attain complete access to admin accounts which they can use to take over accounts including user permissions and security clearances. Not only can they change user permissions and lock people out of certain areas, but they can also generate new user accounts making account takeover simple and easy.

The use of biometric authentication is prevalent in eCommerce, financial and mobile wallet sectors. Its invariable ease of use and convenience factor is significant, but as demonstrated last week its lack of security can be hazardous and irreversible.

Perhaps a coincidence, but the two incidences reflect the need for mobile authentication that is contextual based, relying on multiple forms of identity verification. Paygilant’s CMA based authentication and fraud prevention solution utilizes a multi-layered approach that combines device fingerprinting, behavioral biometrics and transaction analysis to provide a robust fraud prevention/detection offering.

What makes Paygilant unique is that it does not rely on any single fraud indicator as to the sole criteria for authentication, rather incorporates a layered that multi-checkpoint solution that reviews and validates the user throughout the users-journey. At every junction, including app. download, registration, and transaction Paygilant confirms the legitimacy of a user.

Device Attributes

Various attributes observed on the device can contribute to the detection of fraudulent behavior and to the derivation of a device ID. Device model, screen, memory, UUID, OS, IP, geolocation, app permissions, and more are observed. Geolocation is probably the best example for a device attribute used for detecting fraud - if a transaction is attempted from Moscow a short while after the preceding transaction was carried out in New York, then that is a strong indicator of fraud. Restricted app permissions is another indicator that the user might be hiding something. Another example is app permissions that are restricted by the user – that, in combination with other things, night suggest that the user might be hiding something.

Transaction Data

Paygilant employs propriety transaction behavioral maps. The Behavioral Maps represent the purchasing patterns/behavior of a specific customer and her nearest neighbors and are created using Paygilant's proprietary machine learning algorithms. The behavioral maps typically comprise a large amount of information but must be compact 9 enough since they are securely transmitted to the mobile device. To achieve this Paygilant utilizes its depth of field (DOF) approach from digital photography to compress the information so that complex calculations that do not require work intensive CPU and memory. A Behavioral Map shows a clear, high resolution picture of the different risk zones and is a key factor in determining the risk of a specific transaction and has the following key characteristics: - User specific: each map is unique, calculated and maintained on a per user basis, therefore representing a transaction risk level for each customer’s transaction. - Lightweight: Resolution variations enable maintaining only the necessary data, reducing the map's weight to a bare minimum. - Dynamic: As the purchase behavior changes, the map will be modified.

Device DNA

Bio Markers

Paygilant observes bio markers to passively identify the user behind the transaction. Common bio markers Paygilant observes include touch time, time between touches, size of touch inputs, finger velocity, scrolling pace and drag length, typing biometrics, and more. Paygilant’s robust bio markers are just one of the several intelligence sets that make up the broader solution and is designed to augment the fraud/no-fraud decision that precedes any step-up authentication request.

App Interactions

Paygilant looks at how the user interacts with the mobile application to determine if the interactions are consistent with a legitimate user. For example, if a user navigates directly to a high-ticket item and immediately proceeds to check-out, then that suggests something fraudulent might be happening. If a user inputs his name and address on the payment form in a manner that is not consistent with how normal users would do it (i.e. slower than expected because typing-in unfamiliar strings), then that provides another clue that something fraudulent might be happening.

User Data

Intelligent, privacy preserving analysis of user data on the mobile device provides valuable insights into fraudulent activities. User data analysis is especially helpful in hard-to-analyze scenarios like new account origination, where there is no established history for the user/account. Some examples for how device data can be used include comparing user accounts on the device with the payment cardholder identity, or the identity disclosed on a new account registration form – a mismatch provides a strong indicator for fraud. No media on the device, empty contacts list, and sparse call logs are also examples of fraud indicators that can be collected from user data on the device.

[contact-form-7 id="1746" title="Contact+PDF_new"]

[contact-form-7 id="1390" title="Contact+PDF_copy"]

[contact-form-7 id="1397" title="Contact_copy"]

Bad Week for Biometrics

Recent Posts

2022 and Digital Banking

6 Ways COVID19 Has Impacted Payments

Reducing Friction Without Compromising Security, is This Possible?

Can Mobile Banking Finally Serve the Underbanked?

Sign-Up Bonus Abuse