December 2, 2016 by Robert Capps, Vice President of Business Development, NuData Security
That the trend towards online shopping continues to grow is no surprise. Three-quarters of the respondents to a survey from payment service provider Computop – issued in November and involving 1,900 consumers in the United States and the United Kingdom – reported they planned to shop online this holiday season. This is reflective of the shift in society towards more convenience when it comes to the shopping experience.
In a world that has more mobile devices than people, as reported by GSMA Intelligence in 2014, it is inevitable that consumers are driving merchants into the online world. Retailers face stiff competition for their dollars, and shoppers want to shop for goods and services on their own schedule, wherever they are, and using whatever payment options they choose.
CUSTOMER FRICTION = CUSTOMER LOSS
As part of the demand for better online shopping experiences, customers are increasingly fickle. Any friction in that experience will send customers to a competitor site, so retailers and service providers are challenged to provide great user experiences in the context of security risks and fraud. And the risks are high.
In all, 74% of respondents agreed (and 45% strongly agreed) that they are concerned about security when disclosing their credit card and bank information online; 61% confirmed they have checked the liability policy of their preferred payment method provider or bank in the case of fraud, and 51% confirmed they did not have an insurance policy protecting them from liability in the case of credit card and/or banking fraud.
The survey found that when it comes to shopping at retailers that have recently experienced a data breach, 57% of respondents reported they would not shop with them, while 31% stated they strongly agree they would avoid that retailer.
Combine this with the cost of false declines (legitimate transactions rejected as suspected fraud): their value hit US$118 billion last year – more than 13 times the total amount lost annually to actual card fraud ($9 billion), notes research released in 2015 by Javelin.
Citing research from Javelin Advisory Services, MasterCard reported in early 2016 that “cardholders tend to change attitudes around the card and retailers; 39% abandon that card after a false decline, while a quarter decrease card usage. In addition, 32% say they plan to stop shopping at the retailer where they were declined.”
BALANCE RISK AND USER EXPERIENCE
The downside of online shopping is that where there is increased activity, there is also increased risk, as shown by NuData’s recently released Cyber Risk Intelligence Report. Analyzing data from 80 billion events, the report found high-risk transactions increased by 167% over the previous year, a statistic expected to continue to grow in the coming years.
All online organizations must balance the need to provide customers with good experiences that grow their bottom line against the need to manage fraud costs in a threat-dense ecosystem where perpetrators have the advantages of time, adaptability and choice of attack vector. Organizations are increasingly targeted for cyber crime and theft, and are left with the challenge of managing risk and resources simultaneously.
One of the ways organizations are seeking to strike this balance is to find more secure ways to determine the true identity of online users.
In the past, customers could present their identification to the insurance broker or bank in person, making identity verification relatively easy. Today's online world, however, is saddled with username and password authentication, a technology that was never designed to withstand determined attack. On top of that already shaky structure, a great deal of risk has since been layered: the same credentials now guard far more value than they did when the scheme was adopted.
Usernames and passwords unlock everything from Snapchat to online insurance accounts, bank accounts and other high-value sites. The vulnerability of these systems has been known for some time, because customers tend to use weak passwords (like "link" and "1234"), and to reuse them on low-value and high-value sites alike.
Once these credentials are compromised in a breach and sold across the underground (aka the Dark Web), anyone holding them can present this so-called "identity" as if it were genuine: to take over existing user accounts, to open new accounts under the victim's name, or worse.
On the other hand, one could argue that customers steadfastly refuse to take charge of their own online security. While security engineers bemoan this fact, customers are not totally to blame for a security infrastructure that was not designed for customer experience and that is, essentially, a bolt-on relic from the past.
BETTER AUTHENTICATION TESTS
When asked which security authentication features respondents would consider setting up for online purchases in the next 12 months, 35% said they would set up fingerprint IDs, 12% selected retina scans, 7% chose voice recognition and 2% opted for pay-by-selfie, Computop data shows. However, 41% of respondents pointed out they would not choose any of those options.
Many organizations are now considering adopting physical biometric approaches to identify customers by selfies, fingerprints and facial and retinal scans. While these technologies have a place in the authentication stream – and are definitely an improvement over the old username and password – they do have some drawbacks to consider.
Physical biometric authentication is not always situationally or culturally appropriate: consider using voice recognition while in a meeting, or a facial scan while at the theatre. In addition, some biometric data can be spoofed from publicly available material; for example, it was reported that a photo of German Chancellor Angela Merkel was used to defeat an iris biometric test at a security conference.
Fingerprints can be stolen from doorknobs or glass, and high-resolution photos of faces can be taken from great distances and from high-definition video.
Additionally, customers will not be able to change their fingerprints, facial or retinal information should this data be stolen – and it is only a matter of time before these things are.
Once the data is stolen and sold on the Dark Web, the risk will persist over the person’s lifetime. This adds even more risk to consumers who are already on the hook for many types of identity fraud.
Given that biometrics are being deployed for the most stringent of authentication tests, such as immigration and banking, it will make this biometric data very desirable to hackers. Aggressive attempts by hackers to capture this data should be anticipated.
ADVANCE OF BEHAVIOURAL BIOMETRICS
Advanced authentication models use behavioural biometrics in a layered approach to verify that the person accessing or applying for an account is who he or she purports to be. Solutions such as passive biometrics and behavioural analytics operate as a transparent layer: they are unseen by both the customer and fraudsters, require zero interaction from the customer, and can be built so that no personally identifiable data is stored.
For organizations seeking that balance between security and customer experience, these solutions open a new path for any organization wanting to win the battle of experience over risk.
How someone holds his or her device, the timing and pressure of key strokes and hundreds of other behavioural data points are used for verification. This is achieved by analyzing the behaviours observed in the session and asking two questions: whether they are consistent with the user's own profile, and whether they are consistent with how other well-intentioned humans behave in the same situation.
That means even if another person steals a device and tries to access an account with the valid credentials, or open a new one with a stolen identity, the technology will note that various biometric behaviours are not the same.
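One of the behavioural signals described above, keystroke dynamics, reduced to a runnable toy. This is an added example written for this page, not NuData's code or algorithm: the choice of features (dwell time, how long a key is held, and flight time, the gap between releasing one key and pressing the next), the profile of per-feature mean and standard deviation, the z-score threshold and every timing value are assumptions constructed for illustration.

```python
"""Keystroke-dynamics scoring (illustrative example, not a vendor's product).

A profile of the legitimate user's typing rhythm is built from enrolment
sessions; a new session is scored by how far its dwell and flight times
sit from that profile, and flagged when the mean absolute z-score is large.
All timing data is constructed in synth_session() for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple

# One keystroke event: (key, press_time_ms, release_time_ms)
Keystroke = Tuple[str, float, float]


def features(session: List[Keystroke]) -> Tuple[List[float], List[float]]:
    """Return (dwell_times, flight_times) in milliseconds for one session."""
    dwell = [up - down for _, down, up in session]
    flight = [session[i + 1][1] - session[i][2] for i in range(len(session) - 1)]
    return dwell, flight


@dataclass
class Profile:
    dwell_mean: float
    dwell_sd: float
    flight_mean: float
    flight_sd: float


def enrol(sessions: List[List[Keystroke]]) -> Profile:
    """Build a profile from several enrolment sessions of the legitimate user."""
    dwells: List[float] = []
    flights: List[float] = []
    for s in sessions:
        d, f = features(s)
        dwells += d
        flights += f
    # Floor the spread at 1 ms so identical timings cannot produce infinite z-scores.
    return Profile(mean(dwells), max(pstdev(dwells), 1.0),
                   mean(flights), max(pstdev(flights), 1.0))


def score(profile: Profile, session: List[Keystroke]) -> float:
    """Mean absolute z-score of the session against the profile.

    0 means 'exactly typical of the enrolled user'; larger means less like them.
    """
    d, f = features(session)
    zs = [abs(x - profile.dwell_mean) / profile.dwell_sd for x in d]
    zs += [abs(x - profile.flight_mean) / profile.flight_sd for x in f]
    return mean(zs)


def is_anomalous(profile: Profile, session: List[Keystroke], threshold: float = 2.0) -> bool:
    """Decision rule: flag the session when its score exceeds the (assumed) threshold."""
    return score(profile, session) > threshold


def synth_session(text: str, dwell_ms: float, flight_ms: float, seed: int = 0) -> List[Keystroke]:
    """Construct a session typing `text` with the given average rhythm.

    A deterministic jitter in {-2..2} ms is added so the enrolment data has
    some spread; this is constructed test data, not a recording.
    """
    t = 0.0
    events: List[Keystroke] = []
    for i, ch in enumerate(text):
        j = ((i + seed) * 7) % 5 - 2
        events.append((ch, t, t + dwell_ms + j))
        t += dwell_ms + j + flight_ms + j
    return events


if __name__ == "__main__":
    phrase = "correct horse battery"
    # Three enrolment sessions by the legitimate user: ~90 ms dwell, ~120 ms flight.
    profile = enrol([synth_session(phrase, 90, 120, seed=s) for s in range(3)])
    legit = synth_session(phrase, 91, 119, seed=5)   # same person, slightly different day
    bot = synth_session(phrase, 35, 15, seed=0)      # scripted replay of valid credentials
    thief = synth_session(phrase, 120, 60, seed=2)   # human with stolen credentials
    for name, s in (("legit", legit), ("bot", bot), ("thief", thief)):
        print(f"{name:6s} score={score(profile, s):6.2f} anomalous={is_anomalous(profile, s)}")
```

Two caveats a practitioner would want. First, the threshold is the knob that trades false declines against fraud caught: tighten it and the legitimate user who types slightly faster after coffee is declined, which is exactly the US$118 billion problem above; loosen it and the bot gets through. Second, a global mean and standard deviation over all keys is a deliberately crude profile; real deployments model timing per key pair and combine it with many other signals, precisely so that one off-day on one feature does not trigger a decline.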
Combining behavioural analytics and passive biometrics with traditional verification solutions goes a long way towards ensuring fast and safe online interactions for customers, while fighting fraud and lowering risk for insurance companies online.