Online fraud has grown significantly since the pandemic of the early 2020s accelerated the digital transformation of businesses and citizens. This is evidenced by the latest report from the Spanish Anti-Fraud Association, in which 71% of respondents say that in recent months there have been more fraud attempts than last year, with customer identity fraud being the most recurrent in companies according to 58% of respondents.
What is customer identity fraud?
It is the type of fraud in which fraudsters use legitimate customer data to impersonate a customer, either when opening an account or registering for a service (Onboarding) or when accessing the account or previously contracted services (Authentication).
Account Opening Fraud
Attackers try to circumvent the identity and fraud prevention controls in the onboarding process by using stolen real identities, or synthetic/simulated identities that do not belong to any real citizen and are created by Artificial Intelligence.
Account Takeover Fraud
Attackers attempt to bypass identity and fraud prevention controls in the authentication process by stealing user credentials, essentially passwords exposed on the dark web as a result of the countless data breaches in recent years.
How can companies prevent customer identity fraud?
By incorporating Digital Onboarding (account opening) and Biometric Authentication (passwordless access) processes into their business and operational flows.
- Digital Onboarding mechanisms verify the real identity of a citizen who has no previous relationship with the company, by comparing their biometric facial features against the photograph of their national identity card (issued by an authorised or trusted source).
- Biometric Authentication mechanisms corroborate that the person trying to access a digital service corresponds to a previously registered user or customer whose real identity has been verified. To do so, they validate the identity of the user by comparing the biometric features presented at the time of access against the biometric pattern registered and stored at the time of registration/onboarding.
Phases in the Digital Onboarding process
Onboarding can be broken down into two main blocks: Identity Proofing techniques and Identity Affirmation techniques.
The Identity Proofing process has the following phases or stages:
- Verification of the validity of the national identity document presented
  - Through OCR (Optical Character Recognition) technology
  - Through NFC (Near-Field Communication) technology, if the presented document and the device on which the Onboarding is performed support this technology
- Selfie capture and proof of life.
  - Proof of life is about validating that the person who is Onboarding is a real person and not an impostor using a stolen or synthetic identity. It is currently the most critical factor in the whole process. There are ISO/IEC 30107 industry certifications that accredit that a supplier complies with the necessary standards to carry out this process with guarantees.
- Biometric verification between the selfie and the photograph of the national identity card presented.
  - NIST (National Institute of Standards and Technology) scores the effectiveness of biometric algorithms through its “Face Recognition Vendor Test”.
- “Manual” checking of the process by specialised agents (only for use cases where compliance with anti-money laundering regulations is required)
In addition to the Identity Proofing process, there are processes aimed at detecting fraud in Onboarding, which, as opposed to focusing on checking or validating the national identity document, carry out checks against other user data or parameters.
These techniques are known as “Identity Affirmation Tools”. Examples include:
- Checking the user’s identity data (name, postal address, telephone number, date of birth) against official databases: census/electoral data, credit bureau or financial registers or databases. It is also possible to connect directly to state databases with the prior authorisation of the authorities (in Spain, the national police owns and is responsible for the custody of the DNI databases).
- Checking the user’s digital attributes: email, IP address, or social networks. For example, comparing the geolocation of the IP address against the postal address that appears on the ID card provided.
- Checking parameters of the user’s device. The information collected about the operating system, the browser and its plug-ins, and about the hardware and its characteristics, is used to create what is known as a “Device Fingerprint”.
- Behaviour analytics. Analysis of typing cadence, mouse movements, or the speed at which forms are filled in can indicate that the person behind the screen is not a real person but a robot trying to automate the process.
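The affirmation checks listed above, combined into one signal function, as an added example that is not part of the original article. Field names, thresholds and the sample applications are constructed assumptions; flagging one fingerprint that presents several identities is one common use of a device fingerprint, assumed here.

```python
import hashlib
import statistics

def device_fingerprint(attrs):
    """Hash the device attributes in a canonical (sorted) order."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def typing_looks_scripted(intervals_ms, min_stdev_ms=15.0):
    """Human typing jitters; near-constant key gaps suggest automation."""
    return len(intervals_ms) >= 5 and statistics.pstdev(intervals_ms) < min_stdev_ms

def affirmation_signals(app, seen_devices, max_ids_per_device=2):
    """Return the fraud signals raised by one onboarding application."""
    signals = []
    # Digital attribute: IP geolocation vs. address on the ID card.
    if app["ip_geo_region"] != app["id_card_region"]:
        signals.append("ip_geo_mismatch")
    # Device parameters: one fingerprint presenting many identities.
    owners = seen_devices.setdefault(device_fingerprint(app["device"]), set())
    owners.add(app["id_number"])
    if len(owners) > max_ids_per_device:
        signals.append("device_reused")
    # Behaviour analytics: typing cadence and form-fill speed.
    if typing_looks_scripted(app["key_intervals_ms"]):
        signals.append("scripted_input")
    if app["form_fill_seconds"] < 5:
        signals.append("form_too_fast")
    return signals

# Constructed sample data (assumed field names, not real applicants).
PHONE = {"os": "Android 14", "browser": "Chrome", "plugins": "", "screen": "1080x2400"}
HEADLESS = {"os": "Linux", "browser": "HeadlessChrome", "plugins": "", "screen": "800x600"}
APPLICATIONS = [
    {"id_number": "ID-0001", "id_card_region": "Madrid", "ip_geo_region": "Madrid",
     "device": PHONE, "key_intervals_ms": [120, 95, 210, 160, 88, 143],
     "form_fill_seconds": 48},
] + [
    {"id_number": f"ID-100{n}", "id_card_region": "Sevilla", "ip_geo_region": "Other",
     "device": HEADLESS, "key_intervals_ms": [50, 50, 51, 50, 50, 50],
     "form_fill_seconds": 3}
    for n in range(3)
]

def run_demo():
    """Score the sample applications in arrival order with a fresh device store."""
    seen = {}
    return [affirmation_signals(app, seen) for app in APPLICATIONS]
```

Calling `run_demo()` returns one signal list per application; the third identity submitted from the same headless device is the first to raise `device_reused`, which shows why the fingerprint store must persist across applications.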
Onboarding and Biometric Authentication Challenges
Onboarding and Biometric Authentication mechanisms help prevent online fraud while improving the user/customer experience in their interaction with the identity and access management systems of digital platforms. Among the main challenges faced by the industry are issues related to privacy management and compliance with various data protection regulations. Biometric data are highly sensitive: unlike passwords, which can be reset and changed as many times as you want, they refer to physiological traits that are impossible to change.