Facial Recognition Authentication: Is It Good Enough to Fight Financial Fraud?by Fintechnews Singapore July 15, 2019
More than 2800 branches were closed in the UK between 2015 and the end of 2018, and a similar trajectory can be seen across the globe. This trend is driving traditional banks to switch to expand their businesses digital channels, thanks to changing customer demands, and to answer the growing threat from disruptive challenger banks.
With a more collaborative and open ecosystem brewing within the finance industry, concerns of security have risen in equal fervour.
In their mad dash towards digitisation, financial institutions today seem to have two opposing forces demanding equal attention when it comes to security.
These are some of the trade-offs covered in Jumio’s recent podcast, with Frederic Ho, vice president of Asia Pacific, located in Singapore. Founded in 2010, Jumio provides a variety of online identity verification, authentication and KYC/AML regulatory services for a variety of industries. The following is a summary of some of the points discussed by Frederic.
When it comes to security, one cannot undersell the concern for identity theft, account takeover and online fraud. The news cycles are inundated with data breaches , which invariably is leaked to the dark web. According to Frederic, there’s big concern that this data will be used to register and open fraudulent accounts for money laundering purposes, movement of illegally obtained funds, and other criminal activity.
Then, there is the concern of user experience. Customers want their data and identity safeguarded, but digital consumers are also expecting banking processes to take minutes, not hours or days completion times for onboarding processes. The days of expecting customers to visit a local brand office and wait days to open an account are over. Consumers expect everything to happen instantly, easily and securely.
“I have noticed that different regions have different perspectives. In Asia, there is a higher level of concern towards online identity fraud. We have encountered a larger percentage of such occurrences compared [to the] clients we have in the Americas and Europe. In these other markets, the Americas and Europe, the emphasis is really on user experience.”
“Financial institutions and other industries need the ability to handle account takeover situations. Today, technology used in this area are SMS passcodes and OTP. There are serious gaps in these approaches. [For example, let’s look at someone] in the middle of attacks. They may have limited usability to prevent the new types of fraud and fraudulent behaviors that we face.”
Frederic Thinks That AI and Biometrics Can Help
We believe as an industry, that the combination of biometrics, your selfie, your 3D profile is one of the most secure approaches to prevent identity fraud in the area of repeat transactions where authentication is necessary.”
For Frederic, “the use of technology and AI to deal with this space really is to have a platform that makes it very difficult for a fraudster to create a fraudulent identity when he opens an account with an organization.”
One method is via biometric technology, which allows for KYC checks to be done without the need for physical interaction. Instead, selfie-based authentication can be done during login to prevent account takeover. The technology will compare a users’ unique 3d face map (captured during the selfie-taking process) to the 3d face map captured during enrollment, or to any of their identity documents like ID cards and driver’s licenses.
Cybercriminals are increasingly using spoofing attacks by using a photo, video or a different substitute for an authorized person’s face to acquire someone else’s privileges or access rights. That’s why Frederic thinks that certified liveness detection is so vital for modern biometric-based authentication solutions.
Jumio’s upgraded liveness detection functionality provides a more seamless experience that helps convert more legitimate customers and better flags suspicious accounts who attempt to spoof the liveness detection process. These advanced liveness detection technologies provide Jumio a significant competitive advantage in terms of speed, accuracy, and anti-spoofing capabilities.
Behind the scenes, Jumio is leveraging AI to help automate processes that would otherwise depend on slower human efforts, and thus, allow for quicker processing, better fraud detection and higher scalability in services rendered.
“We rely mainly on the face biometrics,” Frederic said about Jumio. “Of course in the industry there could be a combination of voice and other aspects including fingerprints that complement each other.”
Then, there is merit in ensuring that eKYC (Know Your Customer) checks are conducted throughout a customer’s interactions with your brand, particularly with higher risk transactions. Asking for selfies before high-stakes transactions can help prevent “a lot of account takeover scenarios where accounts are already hacked with data that was perhaps gleaned from the dark web, but they would not be able to transact or perform some of these risky activities since we have a layer of authentication that would challenge them,” said Frederic.
However, Thoughtful AI Deployment is Key
When it comes to the biometrics industry, the conversation often goes to whether the AI correctly matched a face against a profile. However, the business around online identity extends beyond that, said Frederic. To him, the terms false reject rate (FRR) and false acceptance rate (FAR) have become common when companies measure if they are providing a good enough service during onboarding.
FRR is the measure of the likelihood that a system will incorrectly reject an attempt to access by a real user, while FAR is how likely the biometric security system will incorrectly allow access to an unauthorised user.
Yet, companies should also concern themselves with whether an identity document has been manipulated.
“When [thinking] about online identity verification, we think about the big companies in identity management, access management, cyber security. A big caveat is that these companies aren’t really front-facing solutions dealing with identity verification.”
Frederic warns that the result can be dangerous. Fraudsters could stick a different photo over a stolen ID, submit it during registration, and these facial matching software would return that this is a match with the photo in the document. There is no work behind it to prove that the document itself was not manipulated.
“Ultimately, it is a lot of work to be done. There is the need to check the ID, there’s data extraction to be done, there is comparison of the selfie and photo ID, there is a need to establish the person is present, and you need to perform all of these processes in a very small window of time. We’re talking about minutes, because the user is there waiting for his account to be opened.”
“So FRR and FAR are as good as the facial comparisons to establish identity but a lot of other processes are necessary to do the due diligence check that the document presented was indeed authentic.”
Meanwhile, regulators are also asking vendors and companies to prove that they have done due diligence in this area — which is when problems arise.
Companies start to look for different ways to achieve greater security and due diligence during onboarding. Some fintechs and financial institutions are looking to deploy optical character recognition (OCR) and facial recognition solutions and integrating them with their own manual processes, but that causes its own host of issues.
“Enterprises experimenting with providing these systems themselves struggle between pushing everything very quickly, which will cause a problem with their false reject rates, or they’re pulling things too tight, and then you have a terrible false acceptance rate. Drawing a balance between the two has been a nightmare and is no easy work.”
As they attempt to figure all of this out, financial institutions may find themselves bleeding customers. If a biometric security system is too complicated to use or too unreliable and incorrectly rejects legitimate users, then not only will they lose new users, but also be abandoned by existing ones to a more user-friendly service.
Then there’s the question of whether existing facial recognition technology is sufficient.
Facial recognition systems are one-to-many — they capture a photo of a person and then compare it to a database of online photos to make a definitive match. Face-based biometrics and authentication, on the other hand, are one-to-one and provide high levels of security to a user while letting them seamlessly access their own accounts or devices. These systems are designed to protect the business and the user by ensuring that only legitimate users are creating and accessing their online accounts — not some fraudster who has stolen the credentials or ID documents of identity theft victims off the dark web.
“We see a lot of technologies today that require a certain quality before it progresses to the next stage. This means the user has to repeat these steps until the expected picture quality is achieved. Now that kills a lot of conversion. After the second attempt, a user may not even want to complete the enrollment.”
This is when a level of expertise to complement the technology becomes critical.
In 5 Years, Identity As a Service Will be On The Cloud
Frederic predicts that in three to five years, identification as a service will finally be what companies expect.
“A lot of the effort today occurs when we first provide online onboarding, we think about options where customers would invest to set up an on-premise system and bring in teams to manage the verification work.”
“In three to five years, I believe everyone would expect that this is an API service, where I would just make a call to a provider and I would be able to deliver this within minutes or even faster. The future of identity verification services is really moving toward the cloud as an outsourced service.”
The approach is maturing, opines Frederic, and technology is advancing to secure the identity of users behind online applications. These will become learnt experiences for the fintech market as a whole, especially now that many nations are looking at virtual banking, and when telecommunications industries too are looking to launch fintech services.
Neo-Banks are Knocking On Our Doors
“I believe it would be the de facto mode of business. We want to reduce the number of branches and investment in physical offices and really move customer business over to digital channels for account opening. This is where we get scale and can better plan in terms of enrolments and to really grow the business.”
In fact, between neo-banks, digital banking services and Asia’s vast interest in the space, that future is already knocking on our doors. Asia is chock full of unbanked markets, and having a mobile-focused eKYC process has become crucial in offering better services at lower costs to these previously underserved markets. Now, it is up to financial institutions whether their security is ready to answer that knock.
Featured image via Eden, Janine and Jim on Flickr