GRC World Forums looks at some of the identification and verification technologies currently being used to ensure privacy and security in an increasingly complex banking landscape while ensuring user experience remains positive.
In the modern world we are more connected than ever before. We can shop, socialise and conduct business in a myriad of different ways.
And the world of banking and finance is changing beyond recognition. People can bank on the move, sending funds from one side of the world to another at the click of a mouse.
So-called digital-only ‘challenger banks’, aided by relaxed rules in the UK, have been on the march, using technology to provide a quicker, easier, more interactive service.
Demand for a better UX from the smartphone generation
Features such as faster sign-ups, real time push notifications, quicker mortgage applications, easier peer-to-peer transactions, personalisation of services and linking with other applications such as Apple Pay and accounting software are making the process of managing money much easier to do and all with only a few taps on a smartphone touch screen required.
An estimated 12 million people have made the switch to a challenger bank and an estimated 44% of people will have a digital-only bank within five years, according to a recent study. In just a couple of years names like Atom, Revolut, Starling Bank and Monzo have become well-known.
And traditional banks have responded by scrabbling to catch up with the fintechs, pouring resources into improving their own digital banking-by-smartphone offers. According to research by Deloitte, US banks are already spending 40% of their IT budget on new technology, while European banks are spending 29%. These figures are projected to rise to 48% and 33% respectively by 2022.
Not only are we seeing the rise of 24/7 digital banking platforms and virtual stores, we are also seeing the evolution of the Internet of Things and the rise of virtual assets and crypto-currencies, partly fuelled by a lingering distrust of traditional banking.
With all this connectivity also comes increased risks and new vulnerabilities, around data protection, cyber security and financial crime.
In the first half of last year alone, an estimated 4.1 billion records were exposed, with 71% of breaches financially motivated.
When it comes to identity fraud, around 10% of Americans have been victims, according to the Center for Victim Research, while the UK is in the grip of an “epidemic” of identity fraud, with an estimated 83% of frauds committed online.
In addition to this, jurisdictions across the globe are strengthening data protection legislation, along with anti-money laundering laws, with Know Your Customer requirements a key plank in efforts to combat money laundering and the financing of terrorism.
So banks have an unenviable challenge. They need to provide a great user experience through smartphone banking to a generation that expects swift and easy transactions and account sign-ups. Fail to do this adequately and they risk losing out on market share. But they also need to ensure they are doing all they can to prevent and monitor against identity fraud and money laundering risk.
How can banks be best placed to ensure they really know that customers and account users are actually who they say they are?
It is also arguably not enough to identify a customer at sign-up, or to verify their identity through documentation. In the modern world, institutions need to be constantly checking that the person using the service is the same person who registered the account, i.e. authenticating them.
It is to technology that banks are turning as customer identification, verification and authentication become of paramount importance, and regtech firms fall over themselves to offer the latest technological products.
PrivSec Report has a look at several of the technological methods and techniques being used by banks today. Most regtech providers use combinations of the below approaches.
Data-centric approaches rely on customers supplying personal details, such as name, address and date of birth, which are then checked against credit agency and other third-party data sources.
This approach alone is no longer (if it ever was) a sufficiently secure system as there is no guarantee that the person with the details is the person the bank thinks it is.
Criminals need only obtain the personally identifiable information to impersonate another individual. Philipp Pointner, chief product officer, Jumio, says: “The identity assurance achieved with this capability used in isolation is relatively low, relying only on ‘something you-but-not-only-you know’.”
Identity documentation has long been asked for by banks and this is still common practice, at least during onboarding.
The challenge is coping with the sheer number of different types of documentation across the world that can be used to prove identity.
Bryn Saunders, senior product marketing manager at OneSpan, says: “Identity verification providers typically face challenges in terms of coverage (e.g. types of identity documents supported, regions supported), pass rates, and accuracy.
“There are also numerous identity verification methods available in the market, all of which vary from provider-to-provider, making it difficult for financial institutions to select a solution that effectively balances the customer experience with their unique risk tolerance.”
OneSpan uses AI solutions, such as machine learning and deep learning algorithms, designed to detect fraudulent IDs, so that it can verify documents from across the globe.
Another regtech firm, Acuant, says it has a library of 600 different documents it can use for verification, which it claims is the largest anywhere, and also says it can verify 97% of the 1.128 billion e-Passports in the marketplace, aided by chip authentication.
Pointner of Jumio also points to the ability to verify a large number of documents as being important. He says: “Jumio supports ID cards, national ID cards and, just as importantly, supports all the possible versions and permutations of those ID documents.
“Most of the larger identity verification players can support multiple countries because they can read the MRZ on passports, but many of them cannot support other ID types (e.g. ID cards).” Jumio says it verifies over 3,500 variants of government-issued IDs issued by more than 200 countries and territories.
Facial biometrics and liveness detection
Using identity documentation during remote onboarding is all very well but how do you ensure that it is the genuine user continuing to use the account?
Angel Grant, director, digital risk solutions at RSA Security, says banks are now starting to realise they have to think about identity verification across all channels and over time if they are to successfully combat the fraudsters.
Grant says: “Just because you verified a new customer at account set-up, does not guarantee that transactions are actually coming from that person.”
Banks are increasingly looking to do this through the use of facial recognition algorithms and biometrics.
Pointner says: “The increasing focus on document-centric identity proofing in remote use cases is resulting in increased dependence on facial recognition algorithms to govern the identity-proofing process.”
The fact that manufacturers such as Apple and Samsung now offer facial recognition unlocking features on their smartphones means that people are getting used to using ‘selfies’ as a form of identification.
“This familiarity has helped lessen concerns of using a selfie as a biometric form of security to prove one’s identity,” says Pointner. “Requiring a selfie also serves as a strong means of deterrence for would-be fraudsters since they generally do not want to share their own likeness with the organisation that they’re looking to defraud.”
There are some challenges to overcome, however. Fraudsters may attempt to spoof someone’s identity by presenting a photo of the customer’s face (or a photo of a photo) to the camera.
For this reason, banks increasingly look to detect “liveness”, namely that it is the actual verified person in the moment looking to access their account from their smartphone.
Banks can do this using “active” methods, such as setting people a challenge to prove they are really there, for instance by asking them to blink or move their eyes. Sometimes multimodal methods are used, combining facial recognition with audio or other actions.
However this can have the drawback of reducing the quality of the user experience and customer satisfaction.
Some banks use “passive” methods which use anti-spoofing AI technology to detect liveness. In Jumio’s case, customers are asked to move closer to the camera while a 3D map of their face is created.
One problem with using algorithms to verify facial identity is that the technology may incorporate demographic biases. For instance, a 2018 study by the Massachusetts Institute of Technology showed higher error rates for darker-skinned people and for women in facial recognition software from major companies.
Pointner says Jumio combats this by using large datasets, verification expertise to check the AI models, and making sure its models are trained on real-world data rather than purchased datasets which may have been tagged in a way that leads to bias.
It is also worth noting that using facial biometrics every time somebody logs in to their account may prove expensive for a bank.
So some banks may take the view that selfies and facial recognition scanning are required during onboarding and when changes to account details are made, but that passwords, or two-factor authentication, will suffice for routine logins and transactions.
Behavioural biometrics and machine learning/AI
While banks can use physical biometrics such as facial or voice recognition or fingerprint scanning, a more dynamic method is behavioural biometrics.
Banks have traditionally used rules-based indicators to look for suspicious activity, for instance if somebody makes a larger than normal purchase or withdrawal it may trigger some investigation. But the sheer amount of data now available and advanced technology means this can be taken to the next level.
“By dynamically analysing each user’s interactions with the bank during an online banking session and using deep learning technology to compare it against their typical behaviour during their entire online history, banks can discover the smallest of anomalies that might point to fraud, such as the user not being who they say they are, or having been manipulated mid-session” wrote Tim Ayling, vice president, Europe, Middle East & Africa, at Buguroo in a piece last month for FinCrime Report.
The idea is that lots of different interactions are brought together to create a digital behavioural footprint, or what Ayling refers to as a “bionic ID”.
Grant agrees that banks are beginning to combine physical biometrics with this kind of behavioural biometric analysis to improve identity assurance. She says: “By collecting, correlating and monitoring multiple elements of an individual’s digital footprint, they can vastly improve their ability to understand whether that person or their account is involved in fraud.”
Machine learning tools can then be used to construct an evolving model that learns from a user’s behaviour, meaning more subtle signs that an account has been compromised can be detected.
And this, for Becky Marriott, vice president of risk and compliance at banking services provider Tide, is where the really innovative possibilities lie.
She said: “The stuff I think is very interesting is for instance, providers looking at the way I use my phone, where I put my weight on the buttons and seeing whether that is different to the way I would normally do it.”
Marriott suggests that an anomaly detected in this way can then be used to challenge the user to confirm they are who they say they are, for instance by requiring a fresh selfie before access to the account is granted. She even speculates that technology could be used to tell if somebody is under duress, if for example their heart is beating faster.
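The contrast drawn above, between a static rule on transaction size and a per-customer behavioural baseline that can trigger a step-up challenge, in working form. This is an added example, not code from any vendor or bank quoted on this page; the feature names, the ten historical sessions and the amounts are constructed, and the root-mean-square z-score is one simple distance measure standing in for the deep-learning models the article describes.

```python
import statistics

# Constructed history for one customer: ten past app sessions, each summarised by
# three behavioural features (made-up numbers chosen to be stable and realistic).
#   dwell_ms   : mean time a key is held down
#   flight_ms  : mean gap between consecutive keystrokes
#   swipe_px_s : mean swipe speed on the touch screen
HISTORY = [
    {"dwell_ms": 92, "flight_ms": 138, "swipe_px_s": 810},
    {"dwell_ms": 97, "flight_ms": 142, "swipe_px_s": 830},
    {"dwell_ms": 95, "flight_ms": 140, "swipe_px_s": 820},
    {"dwell_ms": 99, "flight_ms": 146, "swipe_px_s": 845},
    {"dwell_ms": 93, "flight_ms": 135, "swipe_px_s": 800},
    {"dwell_ms": 96, "flight_ms": 141, "swipe_px_s": 825},
    {"dwell_ms": 94, "flight_ms": 139, "swipe_px_s": 815},
    {"dwell_ms": 98, "flight_ms": 144, "swipe_px_s": 840},
    {"dwell_ms": 95, "flight_ms": 140, "swipe_px_s": 820},
    {"dwell_ms": 91, "flight_ms": 135, "swipe_px_s": 795},
]
PAST_AMOUNTS = [40, 25, 60, 35, 50, 45, 30, 55, 20, 40]  # past transfers (GBP), constructed

# Two constructed "current" sessions: the genuine customer, and someone else who
# has obtained the credentials but types and swipes quite differently.
LEGIT_SESSION = {"dwell_ms": 97, "flight_ms": 143, "swipe_px_s": 812}
ATTACKER_SESSION = {"dwell_ms": 60, "flight_ms": 95, "swipe_px_s": 1400}

def build_baseline(sessions):
    """Per-feature mean and standard deviation from the customer's own history."""
    baseline = {}
    for feature in sessions[0]:
        values = [s[feature] for s in sessions]
        std = statistics.pstdev(values) or 1e-9   # guard against a zero-variance feature
        baseline[feature] = (statistics.mean(values), std)
    return baseline

def behaviour_score(session, baseline):
    """Root-mean-square z-score across features: roughly how many standard
    deviations this session sits from the customer's usual behaviour."""
    squares = [((session[f] - mean) / std) ** 2 for f, (mean, std) in baseline.items()]
    return (sum(squares) / len(squares)) ** 0.5

def rule_based_alert(amount, past_amounts, factor=3.0):
    """The traditional static rule: flag an amount well above the customer's norm."""
    return amount > factor * statistics.mean(past_amounts)

def decide(amount, session, past_amounts=PAST_AMOUNTS, history=HISTORY, threshold=3.0):
    """Combine the static rule with the behavioural model. Either signal on its own
    is enough to demand a step-up (for example a fresh selfie) before the transfer
    goes through. Returns (decision, behaviour_score)."""
    score = behaviour_score(session, build_baseline(history))
    if rule_based_alert(amount, past_amounts) or score > threshold:
        return "step_up", score
    return "allow", score

if __name__ == "__main__":
    print(decide(45, LEGIT_SESSION))      # small amount, familiar behaviour -> allow
    print(decide(45, ATTACKER_SESSION))   # small amount, but alien behaviour -> step_up
    print(decide(5000, LEGIT_SESSION))    # familiar behaviour, but the rule fires -> step_up
```

The point the second call makes is the one Grant and Ayling raise: the attacker's transfer is deliberately small enough to pass every rules-based threshold, and only the comparison against the customer's own history catches it.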
As discussed, AI algorithms are used in many different ways to detect fraudulent activity and verify customers, but few banks rely on them completely.
Pointner of Jumio stresses that artificial intelligence must be used to enhance human intelligence, rather than replace it. Human beings need to review the findings from the AI and do their own checks.
He says Jumio “also relies on human review, augmented intelligence with its built-in feedback loop.”
Further verification and authentication options
While using facial biometrics every time a user logs in might be costly and cumbersome, banks do sometimes use further methods of authenticating customers.
Sometimes this takes the form of knowledge-based authentication, where questions are generated from information in a customer’s credit file. Other times multi-factor authentication is used, combining something the customer knows with something they possess and something they are (inherence), while one-time passcodes sent by SMS or email provide an additional factor. Two caveats apply. Knowledge-based questions drawn from a credit file share the weakness of the data-centric approach described above, because the answers are frequently in breached or purchasable data. And a passcode sent by SMS or email is only as strong as the channel that carries it: SIM-swap fraud and real-time phishing of the code are well-established attacks, which is why an authenticator app or hardware token is the stronger possession factor.
Blockchain
The ubiquitous blockchain is, in simple terms, a digital ledger of transactions distributed across an entire network of computer systems.
The key points are that recorded transactions are immutable, i.e. they cannot be changed after the fact, and that the network reaches consensus about the validity of transactions.
In Bitcoin and many other public blockchains, that consensus is achieved through a proof-of-work algorithm, in which “miners” compete to find a value that makes the hash of the next block of transactions fall below a target. This mining work is difficult and time-consuming to do but trivial for anyone to verify, and because each block includes the hash of the block before it, altering a past transaction would mean re-mining every block that follows. Blockchain relies heavily on cryptography, chiefly hash functions and digital signatures, to provide data security.
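The two properties just described, proof of work that is expensive to produce but cheap to check, and a hash chain that makes historic edits detectable, in a minimal working form. This is an added illustration, not code from Bitcoin or from any product on this page; the difficulty, the addresses and the transfers are constructed, and the difficulty is set low enough that mining completes in well under a second in pure Python.

```python
import hashlib
import json

# Toy difficulty: the block hash must start with this many zero bits. Chosen so
# that mining takes a fraction of a second here; Bitcoin's target is tens of bits harder.
DIFFICULTY = 14

def block_hash(block):
    """SHA-256 over a canonical JSON serialisation, so the hash commits to every
    field: the previous block's hash, the transactions and the nonce."""
    payload = json.dumps(block, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()

def meets_target(hash_hex, difficulty=DIFFICULTY):
    """Proof-of-work check: the top `difficulty` bits of the hash must be zero."""
    return int(hash_hex, 16) >> (256 - difficulty) == 0

def mine(prev_hash, transactions, difficulty=DIFFICULTY):
    """The expensive part: try nonces until the block hash meets the target.
    Expected work is about 2**difficulty hash evaluations."""
    block = {"prev_hash": prev_hash, "transactions": transactions, "nonce": 0}
    while not meets_target(block_hash(block), difficulty):
        block["nonce"] += 1
    return block

def verify_chain(chain, difficulty=DIFFICULTY):
    """The cheap part: one hash per block. A block is valid only if it meets the
    target and names the hash of the block before it."""
    prev = "0" * 64  # the genesis block has no predecessor
    for block in chain:
        h = block_hash(block)
        if block["prev_hash"] != prev or not meets_target(h, difficulty):
            return False
        prev = h
    return True

def build_demo_chain():
    """Three blocks of constructed, pseudonymous transfers (the addresses are made up)."""
    batches = [
        [{"from": "addr_a1", "to": "addr_b2", "amount": 5}],
        [{"from": "addr_b2", "to": "addr_c3", "amount": 2},
         {"from": "addr_a1", "to": "addr_c3", "amount": 1}],
        [{"from": "addr_c3", "to": "addr_d4", "amount": 3}],
    ]
    chain, prev = [], "0" * 64
    for batch in batches:
        block = mine(prev, batch)
        chain.append(block)
        prev = block_hash(block)
    return chain

def tampered_copy(chain, block_index, new_amount):
    """A copy of the chain with one historic amount edited and nothing re-mined."""
    copy = json.loads(json.dumps(chain))
    copy[block_index]["transactions"][0]["amount"] = new_amount
    return copy

if __name__ == "__main__":
    chain = build_demo_chain()
    print("valid chain:", verify_chain(chain))
    print("after editing block 1:", verify_chain(tampered_copy(chain, 1, 999)))
```

Editing the amount in block 1 changes that block's hash, so it no longer meets the target and, even if it did by chance, block 2 still names the old hash; the forger would have to redo the work for block 1 and every block after it, faster than the rest of the network extends the honest chain.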
Blockchain transactions are publicly recorded, but usually in a pseudonymous way.
So, for instance, owners of Bitcoin addresses are not explicitly identified, but all the transactions on the Bitcoin ledger are public. A wallet address is effectively a pseudonym, and if that address is ever linked to your personal information, a detailed record of your transactions can be traced.
As Bitcoin itself says: “Bitcoin is designed to allow its users to send and receive payments with an acceptable level of privacy as well as any other form of money. However, Bitcoin is not anonymous and cannot offer the same level of privacy as cash. The use of Bitcoin leaves extensive public records.”
Zero knowledge proof
But what if there is a data leak? Information that is stored about an individual, in whatever capacity, always has a chance of leaking, even if the probability of it doing so is very small.
Information that is obtained by fraudsters can be used to create parallel identities in order to conduct fraudulent transactions or make purchases.
But what if there is a way of proving your identity without sharing your information?
A zero-knowledge proof is a method by which one party (the prover) can convince another (the verifier) that a statement is true, for instance that the prover holds a particular secret, without revealing anything beyond the truth of that statement.
Zero-knowledge proof mechanisms vary, but the classical ones are interactive: the verifier issues unpredictable challenges, each answer on its own gives the verifier no usable information, and every round of correct answers makes the prover’s claim more overwhelmingly probable until the chance of a bluff is negligible. Because the underlying personal data never leaves its holder, a verifier that relies on such proofs has far less sensitive data to lose in a breach, which is positive for data protection compliance. It does not remove the data from the world, however: the issuer and the holder still have it to protect.
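The mechanism described above, as an added example that is not from the article or from Qredo: the Schnorr identification protocol, in which a prover shows it knows the private exponent behind a public value without ever sending that exponent. The group parameters are a constructed toy (a 2039-element group; real deployments use 2048-bit or elliptic-curve groups) and the function names are this example’s own. It also shows why each round is “zero-knowledge” (a transcript can be faked for a known challenge), why it is sound (answering two different challenges on the same commitment reveals the secret, which is also the nonce-reuse hazard) and the Fiat-Shamir trick that removes the live verifier.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and far too small for real use:
# P is a safe prime, Q = (P - 1) // 2 is prime, and G generates the order-Q subgroup
# of Z_P^*. Production parameters are ~2048-bit P or an elliptic-curve group.
P = 2039
Q = 1019
G = 4
assert pow(G, Q, P) == 1 and G != 1

def keygen(x=None):
    """Secret x (what the prover knows) and public y = G^x mod P (what the verifier holds)."""
    if x is None:
        x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def commit(r=None):
    """Prover, step 1: choose a fresh nonce r and send t = G^r mod P."""
    if r is None:
        r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def challenge():
    """Verifier, step 2: send a random challenge the prover could not have predicted."""
    return secrets.randbelow(Q)

def respond(x, r, c):
    """Prover, step 3: s = r + c*x mod Q. With r uniform and used once, s leaks nothing about x."""
    return (r + c * x) % Q

def verify(y, t, c, s):
    """Verifier, step 4: accept iff G^s == t * y^c mod P."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def prove_knowledge(x, y, rounds=20):
    """Full interactive run. A prover without x passes one round with probability
    about 1/Q, so the chance of fooling the verifier over all rounds is about Q**-rounds."""
    for _ in range(rounds):
        r, t = commit()
        c = challenge()
        if not verify(y, t, c, respond(x, r, c)):
            return False
    return True

def simulate_transcript(y, c):
    """Why it is zero-knowledge: for a challenge known in advance, anyone can produce
    an accepting (t, c, s) without x by picking s first and solving for t. A
    transcript therefore carries no information about x; only the unpredictability
    of c makes a live run convincing."""
    s = secrets.randbelow(Q)
    y_to_minus_c = pow(pow(y, c, P), P - 2, P)   # inverse of y^c (Fermat, P prime)
    return (pow(G, s, P) * y_to_minus_c) % P, c, s

def cheat_round(y, guessed_c, actual_c):
    """A prover without x that gambles on the challenge succeeds only if the guess was right."""
    t, _, s = simulate_transcript(y, guessed_c)
    return verify(y, t, actual_c, s)

def extract_secret(c1, s1, c2, s2):
    """Soundness, and the nonce-reuse hazard: two responses for the same commitment
    (same r) under different challenges reveal x = (s1 - s2) / (c1 - c2) mod Q."""
    return ((s1 - s2) * pow((c1 - c2) % Q, Q - 2, Q)) % Q

def _fiat_shamir_challenge(t, y):
    return int.from_bytes(hashlib.sha256(f"{t}|{y}".encode()).digest(), "big") % Q

def fiat_shamir_prove(x, y):
    """Non-interactive variant: the challenge is a hash of the commitment and the
    public value, so the prover cannot choose it and no live verifier is needed."""
    r, t = commit()
    return t, respond(x, r, _fiat_shamir_challenge(t, y))

def fiat_shamir_verify(y, t, s):
    return verify(y, t, _fiat_shamir_challenge(t, y), s)

if __name__ == "__main__":
    x, y = keygen()
    print("honest prover accepted:", prove_knowledge(x, y))
    t, s = fiat_shamir_prove(x, y)
    print("non-interactive proof accepted:", fiat_shamir_verify(y, t, s))
```

In the banking setting the analogue of `y` is an attribute or credential the institution has already verified, and the proof lets the customer demonstrate possession of it to a third party without handing over the data behind it. The `extract_secret` function is the caveat a practitioner should take from the example: the scheme’s guarantee depends on a fresh, unpredictable nonce per proof, and a reused nonce hands the secret to anyone who saw both transcripts.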
Benjamin Whitby, head of regulatory affairs at cross-chain liquidity protocol Qredo, says: “Use of zero knowledge proofs should be embraced by banks and financial institutions. We need our trusted partner to know about our business and provide evidence to others that the appropriate checks have proved clear, we don’t want our partners sharing data freely that can be used to apply for loans and credit in our name.
“Banks and financial institutions should embrace this technology with a hunger, it will protect everyone in the long run.”
Homomorphic encryption and other privacy enhancing computation methods
Gartner this week outlined privacy-enhancing computation as one of its top strategic technology trends for 2021.
Privacy-enhancing computation protects data while it is in use, maintaining secrecy and privacy, and includes zero-knowledge proofs (mentioned above).
Gartner predicts that within five years half of large organisations will implement privacy-enhancing computation methods for processing data, as privacy regulations become more widespread.
One such method is homomorphic encryption, which uses cryptography to enable third parties to process encrypted data and return an encrypted result to the data owner, while learning nothing about either the data or the result. Gartner notes this technology is maturing. It said: “In practice today, fully homomorphic encryption is not fast enough for most business implementations.” Partially homomorphic schemes, which support only a single operation on ciphertexts such as addition, have been practical for years and are enough for tasks like totalling encrypted values.
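What “processing encrypted data and returning an encrypted result” looks like in practice, as an added example that is not from Gartner or the article: the Paillier cryptosystem, an additively homomorphic scheme. A party holding only the public key and ciphertexts can add encrypted amounts together, or multiply one by a known constant, and only the key holder can read the result. The primes are a constructed toy (real keys use primes of about 1024 bits each) and the function and variable names are this example’s own.

```python
import math
import secrets

# Constructed toy primes for this example only; far too small to be secure.
P_PRIME = 1019
Q_PRIME = 1013

def keygen(p=P_PRIME, q=Q_PRIME):
    """Paillier key pair: n = p*q, g = n + 1, lambda = lcm(p-1, q-1),
    mu = L(g^lambda mod n^2)^-1 mod n, where L(u) = (u - 1) / n."""
    n = p * q
    assert math.gcd(n, (p - 1) * (q - 1)) == 1, "primes must be independent of n"
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    n2 = n * n
    g = n + 1
    l_value = (pow(g, lam, n2) - 1) // n
    mu = pow(l_value, -1, n)
    return {"n": n, "g": g}, {"n": n, "lam": lam, "mu": mu}

def encrypt(public, m):
    """c = g^m * r^n mod n^2 with a fresh random r, so the same plaintext
    encrypts differently every time (no pattern leaks across records)."""
    n, n2 = public["n"], public["n"] ** 2
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(public["g"], m, n2) * pow(r, n, n2)) % n2

def decrypt(private, c):
    """m = L(c^lambda mod n^2) * mu mod n; requires the private key."""
    n, n2 = private["n"], private["n"] ** 2
    l_value = (pow(c, private["lam"], n2) - 1) // n
    return (l_value * private["mu"]) % n

def add_encrypted(public, c1, c2):
    """Homomorphic addition: Dec(c1 * c2 mod n^2) == m1 + m2. No key needed."""
    return (c1 * c2) % (public["n"] ** 2)

def scale_encrypted(public, c, k):
    """Homomorphic multiplication by a known constant: Dec(c^k mod n^2) == k * m."""
    return pow(c, k, public["n"] ** 2)

def untrusted_total(public, ciphertexts):
    """Everything an outsourced processor can do with the public key alone:
    total up encrypted amounts without learning any of them or the sum."""
    total = encrypt(public, 0)
    for c in ciphertexts:
        total = add_encrypted(public, total, c)
    return total

if __name__ == "__main__":
    public, private = keygen()
    amounts = [250, 1200, 75]                      # constructed transaction amounts
    ciphertexts = [encrypt(public, a) for a in amounts]
    encrypted_sum = untrusted_total(public, ciphertexts)   # done without the private key
    print("decrypted total:", decrypt(private, encrypted_sum))          # 1525
    print("3 x second amount:", decrypt(private, scale_encrypted(public, ciphertexts[1], 3)))  # 3600
```

The limit of the scheme is the caveat Gartner is pointing at: Paillier gives addition and scaling by a constant, so a third party can compute sums and weighted sums, but multiplying two encrypted values together needs a fully homomorphic scheme, and that is where performance still falls short for most business workloads.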
Decentralised digital identities
According to Grant of RSA Security, some banks are looking towards using decentralised digital identities.
These replace identifiers such as usernames with digital IDs that are self-owned and independent and use blockchain and other distributed ledger technology to protect privacy and secure transactions.
Rather than handing personally identifiable data to each organisation separately, the user holds the digital ID in one place and controls what data makes up that identity, which has the added bonus of being more likely to be GDPR compliant.
Grant says: “As banks move towards a more modern, real-time account opening process, some have started to explore the concept of decentralised identities to improve omni-channel fraud detection capabilities.
“They are looking to combine physical and virtual identity attributes of the customer to help streamline the amount of time it takes to open a new account. This can improve customer experience, while still combatting ID theft and fraud.”
Centralised systems – bringing it all together
While there are many different technologies and techniques for identifying and verifying identity, most banks will use a combination of various techniques.
Grant, of RSA Security, says: “Banks are realising that customer verification must be an ongoing process.
“This often means building a centralised decisioning platform, connecting together internal and external anti-fraud and ID and verification tools, such as biometrics, machine learning-powered fraud detection and multi-factor authentication.
“By combining traditional identity proofing techniques with biometrics, behavioural analytics and anti-fraud technologies such as machine learning risk models, banks can continuously monitor for suspicious behaviour and continuously verify identities.”
For Fraud.net, a cloud-based fraud detection system, combining data from different sources into one view is the key to combating fraud.
A spokesperson for Fraud.net says: “Only a consolidated view that can be delivered in real-time is acceptable to counter ever-changing fraud vectors.”