Biometrics is a great ally in the fight against financial fraud. In the following article you will learn in depth how this technology works, its main classifications, as well as its usefulness in improving the customer experience, for example, when opening an account remotely.

What is biometric data?

Biometric data are physical or behavioral characteristics that are unique to each person and are used to authenticate an individual for access to applications and other network resources. Examples of biometric identifiers are fingerprints, facial patterns, unlocking patterns, handwriting dynamics or voice. Biometric authentication is a popular component of multi-factor authentication because it combines a strong authentication system with a low-friction user experience.

According to Wikipedia, “biometric identifiers are usually classified into physiological characteristics and behavioral characteristics. Physiological characteristics are related to body shape. Not being limited to fingerprint, some examples may include, but are not limited to, palm veins, facial recognition, DNA, palm print, hand geometry, iris recognition, retina and smell.” Behavioral biometrics is related to a pattern of behavior, such as a person’s typing rhythm or the way they hold the phone or slide their finger across the screen.

Biometrics are increasingly being used in mobile banking applications, helping customers log in easily and adding another layer of security. Biometric systems do not rely on biometric information, such as an image of your face, being a secret. Unlike passwords and PINs, biometric data cannot be forgotten or shared and are more difficult to copy or steal.

How does biometrics work?

A biometric system has three different components. There must be a sensor to record and read your biometric information, such as a fingerprint. When you use your biometric information to access your cell phone, there must also be a computer that securely stores the biometric information for comparison. The third component is software to connect the computer hardware to the sensor.

Static biometrics and behavioral biometrics: what is the difference?

Static biometrics

Static biometrics uses physical characteristics, such as fingerprint scanning or facial recognition, to unlock cell phones, log into bank accounts or perform transactions.

These are the main types of static biometric data used to verify your identity:

  • Facial recognition software analyzes the distance between your eyes and the distance between your chin and nose to create an encrypted digital model of your face. Upon authentication, the software scans your face in real time and compares it with the digital model stored securely in the system. Face recognition systems with “active liveness detection” require you to move your head, blink or make other movements. Liveness detection can also be passive: in the background, algorithms analyze the biometric sample for signs that it does not come from a living person, allowing the detection of paper, digital screens or cutouts in a 3D printed mask. Robust liveness detection ensures that it is the actual customer presenting their biometric sample to the system, and not an attacker attempting to impersonate the customer. In the latter case, it would be a spoofing attack.
  • Fingerprint recognition is one of the most popular forms, if not the most popular form, of biometric authentication used on mobile devices. It was originally popularized by Apple’s Touch ID. A fingerprint reader analyzes the ridges and patterns of your fingerprint and compares them with the stored digital model of your finger during authentication. Fingerprint recognition may be affected if your finger is wet or dirty. When a fingerprint recognition system has robust liveness detection to help prevent impersonation attacks, which could use a 3D model or a fake image, it is very difficult for an attacker to replicate an individual’s fingerprint.
  • Iris recognition: there are two methods of eye scanning to authenticate a person’s identity. In a retinal scan, a light is briefly shone into the eye to show the unique pattern of blood vessels in the eye. By mapping this pattern, the eye recognition tool can compare a user’s eyes with those of the original. In an iris scan, the colored rings found in the iris are scanned. In some uses, eye recognition can be as fast and accurate as facial recognition, but it can also be difficult to obtain a sample for comparison in sunlight when pupils are constricted. Iris recognition may also be less reliable when a customer wears glasses.
  • Speech recognition analyzes the unique sound of a person’s voice, which is determined by the length of their vocal tract and the shape of their nose, mouth and larynx. Analyzing a person’s voice is a strong method of authentication, but a cold, bronchitis, other illnesses or background noise can distort the voice and disrupt authentication.
  • Finger geometry recognition uses the 3D geometry of the finger to verify identity.

In general, static biometrics is considered a secure way to authenticate customers and should include liveness detection to combat fake fingerprints or photos in a spoofing attack.

Behavioral biometrics

Behavioral biometrics analyzes your unique habits and movements to create a pattern of behavior that can be recognized by the way you type or the way you hold your phone. Like static biometrics, behavioral biometrics adds another layer of security to verify your identity. FinancialIT.net says, “This cutting-edge technology uses motion sensors and artificial intelligence to identify unique gestures, such as the way you hold a phone. It is generally considered to be the last frontier in security.”

These are the main types of behavioral biometrics:

  • Handwriting dynamics analyzes the form and speed of handwriting to determine distinctive patterns. The amount of finger pressure used when typing can also form a recognizable pattern.
  • The way you hold your phone: this analyzes the angle at which you hold your phone and the dominant hand you use when using your phone. Behavioral biometrics also includes how you swipe your finger on your phone and with which hand.
  • Your gait, or how you walk, is also a behavioral trait that can be studied to determine a pattern. In addition, your usual time and location for logins and transactions can also be captured in a behavioral pattern.

Behavioral biometrics is a safe experience for customers, but challenging for fraudsters, as each individual has a specific profile of their habits and movements. With behavioral biometrics, a user’s session is continuously monitored, so that if it is ever interrupted or hijacked, the system can recognize it and take appropriate action to prevent fraud before it occurs.
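The continuous session monitoring described above can be sketched as follows. This is an added example, not code from the original article or any vendor: the feature names, the z-score scoring, the threshold and the `patience` setting are all illustrative assumptions, and the sample data is constructed.

```python
from statistics import mean, stdev

# Constructed enrollment samples for one user (hypothetical features):
# key hold time, gap between key presses, and phone tilt angle.
ENROLLMENT = [
    {"dwell_ms": 95, "flight_ms": 140, "tilt_deg": 32},
    {"dwell_ms": 102, "flight_ms": 150, "tilt_deg": 30},
    {"dwell_ms": 98, "flight_ms": 145, "tilt_deg": 35},
    {"dwell_ms": 105, "flight_ms": 155, "tilt_deg": 33},
    {"dwell_ms": 100, "flight_ms": 160, "tilt_deg": 30},
]

# Constructed session: windows 0-3 come from the owner (window 2 is a
# one-off outlier), windows 4-5 from a different person.
SESSION = [
    {"dwell_ms": 99, "flight_ms": 148, "tilt_deg": 31},
    {"dwell_ms": 104, "flight_ms": 158, "tilt_deg": 34},
    {"dwell_ms": 125, "flight_ms": 190, "tilt_deg": 33},
    {"dwell_ms": 101, "flight_ms": 152, "tilt_deg": 31},
    {"dwell_ms": 60, "flight_ms": 90, "tilt_deg": 50},
    {"dwell_ms": 62, "flight_ms": 95, "tilt_deg": 48},
]

def build_profile(samples):
    """Per-feature (mean, standard deviation) learned at enrollment."""
    return {f: (mean([s[f] for s in samples]), stdev([s[f] for s in samples]))
            for f in samples[0]}

def anomaly_score(profile, window):
    """Mean absolute z-score of one observation window against the profile."""
    zs = [abs(window[f] - mu) / max(sd, 1e-6) for f, (mu, sd) in profile.items()]
    return sum(zs) / len(zs)

def monitor_session(profile, windows, threshold=3.0, patience=2):
    """Return the index of the window where the session is flagged, or None.

    A single odd window (a stumble, typing one-handed) is tolerated; only
    `patience` consecutive anomalous windows trigger step-up or termination.
    """
    streak = 0
    for i, window in enumerate(windows):
        streak = streak + 1 if anomaly_score(profile, window) > threshold else 0
        if streak >= patience:
            return i
    return None

if __name__ == "__main__":
    profile = build_profile(ENROLLMENT)
    print("session flagged at window:", monitor_session(profile, SESSION))
```

Requiring consecutive anomalous windows trades a short detection delay for fewer false alarms on the legitimate customer.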

How biometrics protect against financial fraud

Financial institutions use biometrics for the following purposes:

  1. For digital identity verification when a customer opens a new account remotely
  2. For customer authentication (when logging in or for continuous authentication during the banking session)
  3. For transaction authentication (to ensure that the legitimate owner of the account is, in fact, the person initiating the transaction)

Consumers are becoming increasingly comfortable with biometrics and many are choosing to use a fingerprint or facial recognition, for example, as a means of authentication and identity verification with their financial institution. Biometrics adds another layer of security and helps raise the level of trust customers have in their financial institution. Apple’s Touch ID, introduced in 2013, has contributed to the rise of biometrics in mobile banking because it provides financial institutions with a device-based technology they can use to secure their mobile banking platform.

Similarly, Android Fingerprint ID allows users to verify their identity with a fingerprint on some Android devices. Javelin says consumers are demanding authentication options. For more than a third of users, the three authentication methods they most want their financial institutions to support are all biometric modalities. Javelin also notes that while consumers wanting a biometric option would be expected to be typically concentrated among younger customers, about 40% were over 55.

How biometrics provide strong customer authentication

Biometrics is part of a multi-factor authentication process, where multiple technologies can be used to authenticate someone’s identity when logging into a banking session or performing a financial transaction. To achieve multi-factor authentication, at least two different authentication factors must be used. Authentication factors include:

Something you know

It is usually a password, PIN, passphrase or questions with corresponding answers.

Something you have

This can be a one-time PIN, or an authentication application installed on your smartphone, which generates a one-time access code in the background.

Something you are

These can be anything from fingerprints, retina scans, facial recognition, voice recognition or a customer’s behavior (how hard or fast they type or swipe a screen), which can be used to verify a unique customer.

Therefore, using a PIN with facial recognition is multifactor authentication because it combines something you know and something you are, whereas using a PIN with a password would not be considered multifactor authentication because they are simply two things you know.

How biometrics help protect against financial fraud

The use of biometric data as part of strong customer authentication or multi-factor authentication can help mitigate different types of fraud attacks. When fraudsters digitally enter a bank account to monitor it, they often use tactics such as phishing to persuade people to unwittingly reveal their login credentials. The result is account takeover, which is a major threat to financial institutions and their customers due to the financial losses and mitigation efforts involved. Biometrics can help stop attackers at the point of access (login) by requesting a fingerprint scan or facial scan. The attacker will not be able to authenticate correctly and will not be able to access another person’s account. In addition, robust liveness detection and counterfeit detection make it more difficult for attackers. The attacker will not be able to mimic the biometric data of a legitimate customer or access the account.

How biometrics help prevent fraud during remote account opening

Biometrics also play a role in helping to prevent identity fraud during the process of opening an account remotely. Today, due to covid-19, many consumers are avoiding unnecessary visits to the bank branch. Even when a new applicant does not meet face-to-face with a bank representative, the bank must verify that the remote applicant is in fact the legitimate owner of an identity document, such as a passport or driver’s license. This is essential in the fight against application fraud.

Biometrics is part of this process. For example, facial matching is used to verify identity, to ensure that the remote applicant is who he or she claims to be. Once the authenticity of the applicant’s driver’s license, passport or other government-issued identification is verified, the applicant is asked to take a selfie with his or her mobile device. When a selfie is used for facial recognition, liveness detection can be applied to demonstrate a legitimate human presence.

There are two types of liveness detection to identify whether a biometric feature belongs to a real person or is a digital or fabricated representation. Active liveness detection requires a person to blink or turn their head, and passive liveness detection runs behind the scenes and uses algorithms to detect signs of potential impersonation. Facial matching technologies use advanced algorithms to look at biometric data of a person’s features. For example, the position and size of a person’s eyes in relation to each other can be used to determine whether the selfie and the government-issued ID represent the same person.

How biometrics improves customer experience

The use of biometrics makes it faster and easier for customers to interact with their financial institution. Biometrics is a more secure means of authentication than passwords, which are often stolen or forgotten. Biometrics can increase customer confidence in your financial institution because it is much more difficult for fraudsters to succeed with the use of a fake fingerprint or selfie. Positive experiences with biometrics for identity verification during remote account opening and customer authentication during login can also increase customer loyalty and trust in your financial institution.

It is worth noting that biometric models can learn over time so that changes in a person’s characteristics due to aging are taken into account and do not invalidate the match. When a user authenticates regularly, small changes in appearance will not be significant enough to invalidate the match. Instead, the mathematical model of a person will be updated as changes in their physical appearance are recognized.

What analysts say about biometrics

According to Gartner, “biometric authentication cannot and does not rely on the secrecy of biometric traits, but relies on the difficulty of impersonating a real person to image capture (“sensor”) devices, in other words, a spoofing attack.” Gartner adds that this aspect is not widely known, which has led to some misconceptions, reinforced by the detection of rare cases of phishing attacks on consumer devices and publicity about successful attacks against Apple Touch ID, Samsung swipe sensors, Android facial recognition, etc. The customer benefits of biometric authentication, says Gartner, have led to an increase in mobile banking applications in recent years.

Juniper Research has estimated that facial recognition hardware, such as Face ID on the latest iPhones, will be the fastest growing form of smartphone biometric hardware. It is expected to reach more than 800 million in 2024, up from an estimated 96 million in 2019. However, new research, Mobile Payment Authentication: biometrics, regulation and predictions 2019-2024, notes that the majority of facial recognition on smartphones will be software-based, with more than 1.3 billion devices with that capability by 2024.

MarketResearch.com notes that the fight against bank fraud in the digital world needs more foolproof technologies. “Biometrics is a powerful weapon to combat the growing threat of financial fraud. Therefore, the technology is grabbing the limelight, backed by benefits such as simple, foolproof authentication based on unique physical characters that are difficult to replicate or duplicate, i.e. voice recognition, iris scanning, fingerprint and facial recognition; elimination of the need to remember passwords and manage one-time passwords (OTP); enhanced security immune to cyber-attacks; unparalleled convenience; significantly reduced risk of identity theft; higher quality user experience; minimal or no user intervention; time savings and reduced authentication workloads from back office, among others.” MarketResearch.com says the global biometrics market for banking and financial services is forecast to reach $10.8 trillion by 2025.

Javelin claims that storing biometric templates locally on an individual’s device reduces the risks associated with data being compromised, either in transit or by attack against centralized biometric data stores. “When combined with authentication standards, such as those developed by the FIDO Alliance, phishing is almost impossible. or misuse the data intercepted in local biometric authentication.” Javelin also points out that, “If a malicious individual is able to successfully enroll their own characteristics into a biometric authenticator, even the most sophisticated authentication method will allow them to overcome security challenges. As a result, many vendors offer additional risk assessment tools integrated into their platform, such as fingerprinting and device geolocation. Other tools, such as document scanning, offer natural complements to biometric scanning, allowing a degree of comparison between the biometric input captured by the user and the image on an ID document.”

Regulatory and biometric compliance

Biometrics help organizations comply with the Strong Customer Authentication (SCA) requirements of the European Union’s Second Payment Services Directive (PSD2), which are regulations for electronic payment services. According to SCA requirements, authentication must be based on two or more of the following factors: knowledge (such as passwords or PINs), possession (such as tokens or mobile devices) or inherence (biometrics).

According to the EU’s General Data Protection Regulation (GDPR), two-factor authentication is required for compliance. This means that a simple username and password combination no longer provides sufficient security for data protection, as passwords can be easily stolen, shared or cracked. In contrast, two-factor authentication is used to identify a person when two of the three possible authentication factors combine to grant access to a website or application: something the person knows, something the person has, or something the person is, which involves the use of biometric data such as a fingerprint or facial scan.

In the U.S., the largest state regulator, the New York Department of Financial Services, issued a regulation titled Cybersecurity Requirements for Financial Services Companies. It requires the use of multi-factor authentication, including biometrics, “to protect against unauthorized access to non-public information or information systems”. Non-public information is the individual’s private information.