Passive biometrics or active biometrics? People are spending more of their lives in the digital space than ever before. With the widespread adoption of mobile phones and computers, nearly everyone is able to surf the web, communicate with friends and family, and do a range of activities online.
Take digital commerce, for example. An estimated 96% of adults in the United States engage in online shopping, primarily using tablets, computers, and smartphones to do so. The draw is convenience; without leaving your house, you can order almost anything you want and have it delivered, in some cases that day.
However, as people begin to spend more of their lives in the digital space, so do fraudsters. Instead of stealing physical cards or merchandise, criminals are increasingly utilizing cyber channels to make fraudulent transactions, set up false accounts, and steal personal data.
Today’s environment forces organizations to confront a very difficult dilemma: how do you enhance security without compromising the user experience? The evolution of fraud attacks has made this issue increasingly difficult to solve for. With over 4 billion records stolen in the last decade, large scale data breaches have armed hackers with enough information to bypass security infrastructures.
For example, according to NuData, a Mastercard company, 28% of online interactions worldwide in 2018 were high risk of being attempted fraud.
Cyber fraud is, in part, driven by the vast amount of personal data that is compromised in data breaches and hacks. It’s also being fueled by the fact that interactions that were once physical are now done in the digital world, where verifying someone’s identity is harder.
As a result, authenticating a user is key to stopping cyber fraud. One company at the forefront of safeguarding the digital world through authentication is Mastercard Where does biometrics come in?.
In an approach termed connected intelligence, Mastercard leverages the data points consumers generate through their digital activity in conjunction with direct identity challenges to authenticate the user’s identity. The approach uses both active and passive biometric data, in addition to other information, such as location data, to determine whether a user is who they say they are.
In a previous PaymentsJournal article, we covered the passive biometric approach to fighting fraud. Today, we will cover the other side of the coin: active biometric authentication. However, before covering active biometric authentication and providing some use cases, a quick recap on the passive approach is needed.
Passive biometrics often precedes active biometric challenges
The passive biometric approach seeks to determine if the right person is interacting with a digital platform, be it an account creation, login attempt, or transaction initiation.
To do so, a product called NuDetect, by NuData, uses four layers of authentication where among others, it analyzes up to 300 distinct signals, ranging from how hard the screen is being pressed to how the person is navigating around their device. In addition to these biometric signals, other information such as device type or location are also assessed.
Based off of all these signals, Mastercard makes a probabilistic determination of whether the person is who they’re supposed to be. If there is a marked departure from established behavior, the merchant can decide to issue an identity challenge to the user.
That’s when active biometrics comes into the equation.
Actively challenging suspicious users
Once the user is deemed to be suspicious, Mastercard Identity Check Mobile will issue an active challenge, forcing the user to actually confirm whether they are legitimate or not. This can take different forms, including face, fingerprint, and voice recognition challenges.
Fingerprints tend to be the most common form of active biometric challenges, as many smartphones are now equipped with the requisite technology.
It’s important to note that these active challenges are not issued at random, nor at an unnecessary frequency. Since challenges introduce friction into the process, Mastercard works with the merchant to issue them only as much as necessary. Consumers want a seamless experience and if they encounter too much friction, they may abandon the order, quit trying to login, or stop whatever it is they’re doing, potentially costing the company business.
On the other hand, too little friction means that hackers can commit fraud unimpeded. Therefore, Mastercard’s connected intelligence approach utilizes AI, and hundreds of data points to introduce friction only when needed.
Passwords, the security of the past
Such high-tech biometric challenges are a significant upgrade from the previous bastion of online security: the static password.
The static password is inadequate for many reasons. For starters, it’s glaringly easy for sophisticated hackers to crack someone’s password. It only takes a hacker 31 minutes to crack an eight-character password that contains both letters and numbers, according to Thycotic.com.
Even if hackers don’t compromise a user’s password, there’s a good chance the user will simply forget what the password is. Data from the Identity Theft Resource Center reveals that 84% of consumers forget their password after two weeks. Resetting passwords can be tedious and lead customers to simply abandon the account.
For these reasons, active biometric challenges are clearly a better security solution.
Biometric security in action: Securing hospitals’ patient records:
One area where Mastercard’s biometric security approach can be brought to bear is in securing patient records at hospitals.
While this may seem like an obscure use case, it is actually of critical importance. Hackers are increasingly targeting hospital records. In 2018, 13.2 million records were compromised across 365 healthcare related data breaches, according to HIPAA Journal. And the problem is only getting worse; over 32 million patient records were compromised in the first half of 2019.
The reason why patient records are being stolen is that each record can fetch a high price on the dark web, with some estimates placing the value at $1,000 per record. And currently, many records are only being protected by static passwords, making easy for criminals to get in.
However, by utilizing Mastercard’s solutions, many of these breaches can be avoided. In a white paper, Mastercard points out that its biometric solutions could “mitigate data breaches from web applications and privilege misuse, which account for 49% of all healthcare data breaches.”
While Mastercard is primarily known as a financial services company, its cybersecurity capabilities are substantial. Beyond the healthcare industry, there are many use cases for Mastercard’s active biometrics technology. From securing e-commerce to making it easier to check-in at the airport via face scanning technology, Mastercard’s security solutions make the world a more seamlessly secure place.