Weak identity authentication and verification protocols can result in compromised online accounts and diminished information security.
By Dominic Forrest
Accelerated by the global pandemic, the number of digital banking users has increased exponentially in recent years. In fact, research shows that the number of users is expected to exceed 3.6 billion by 2024, representing a 54 percent increase from 2020. Much of this growth can be attributed to online banking adoption by those who were previously unbanked.
This shift to more remote financial services has created a hurdle in the form of identity verification that must be overcome. When a remote user applies for an account, product, or service, how can a financial institution verify the user is the real owner of a genuine identity? How can a bank ensure that a remote customer is the same person each time they return rather than an imposter or a synthetic identity? Coupled with the sharp global growth of cyber-related financial crime and the result is a huge challenge.
In the digital landscape, voice biometrics technology has become the most common method for verifying identity through voice analysis. The technology was initially embraced for its potential to expedite and secure customer authentication within the financial sector, the premise behind it being that an individual’s voice is both ever-present and uniquely their own. In addition, customer service calls have traditionally been the main form of communication and using voice biometrics has meant that customer authentication could take place over the same channel. However, malicious actors have employed generative AI voice clips, known as ‘vishing’ or voice deepfakes, to infiltrate financial accounts. This unsettling trend has ignited concerns about the diminishing reliability of voice biometrics, earning it a reputation as one of the most vulnerable forms of biometric authentication.
This proliferation and widespread availability of generative AI tools has led to a substantial upswing in the development and accessibility of voice cloning technology, which can convincingly replicate authentic voices and is one of the key factors contributing to the frailties of voice biometrics. Studies from MIT and Google have demonstrated that merely one minute of voice data suffices to generate persuasive, human-quality audio. The apprehension regarding voice biometrics’ efficacy is so pronounced that earlier this year Senators questioned leading financial institutions about their strategies and planned actions to counter deepfake voice fraud.
While synthesized voice technology has a range of wider user applications, here our focus centers on its role in organizational security, with specific reference to remote authentication and identity verification. As mentioned, voice biometrics predominantly serves to authenticate returning customers by passively analyzing speech patterns as they speak. It is also deployed in applications where users are prompted to tap a button or utter a passphrase such as for step-up authentication. Further critical shortcomings of voice biometrics include issues relating to identity assurance, performance and user accessibility leading to further doubt being cast on its suitability for safeguarding large-scale transactions and critical operations.
Looking at biometrics more broadly it certainly offers a far more dependable means of identity assurance versus traditional methods such as one-time passcodes. But it does still face the ongoing challenge of an evolving threat landscape. Failure to confirm an individual’s real-time presence (liveness) and authentication will leave the technology vulnerable to spoofing or “biometric attacks.” There are several different liveness detection solutions available on the market today and careful attention should be given to selecting the most effective approach.
Facial biometric technology provides a robust and considerably more secure alternative to voice biometrics. It’s versatile and can facilitate the verification of unknown customer identities at onboarding, ongoing user verification and transaction authentication. Additionally, it can be cross-referenced with government-issued ID documents, a capability not available to voice biometrics. Another significant drawback of voice biometrics is its ineffectiveness in securing the most vulnerable point in the user journey: onboarding. Consequently, it provides no defense against the most pervasive and damaging identity fraud, such as synthetic identity fraud, thus failing to furnish both users and organizations with the requisite identity assurance.
Liveness detection is a crucial feature embedded in facial biometric solutions, which distinguishes between a genuine live user and presented artifacts, like photographs or masks, as well as generative AI created deepfakes. The proliferation of digitally injected synthetic media such as deepfake videos and images, generated by sophisticated AI software, depicting individuals engaging in actions they never undertook, is burgeoning. It’s an attack vector that is being used to defraud banks and their customers. Identifying these attacks or even more recent phenomena such as face swaps has become exceptionally difficult. They are almost impossible to spot by the naked eye and that’s why relying solely on human judgement alone is woefully insufficient.
Such technology enables bad actors to move beyond presentation attacks, circumventing face verification technology by digitally injecting synthetic media into the authentication process. This so-called crime-as-a-service economy is growing fast across the globe. In 2022 injection attacks occurred five times more frequently than persistent presentation attacks across the web. Detection is only possible with advanced tools and expert analysis. Considerable responsibility rests with technology companies, which must implement rigorous measures to monitor and counter the potential exploitation of this technology by criminals.
The issue of online identity verification carries profound implications and is a significant task for financial organizations to overcome in today’s digital economy. Weak authentication and verification protocols can result in compromised online accounts, diminished information security, and weakened defenses at digital borders.
Regrettably, voice biometrics falls short in providing the essential identity assurance measures to withstand the ever-evolving threat landscape. Similarly face-to-face video calls are also an inadequate defense against synthetic imagery, as the human eye can be spoofed. Specialized technology is required. The deployment of passive one-time face biometrics during verification and authentication sequences have proven to be the most effective, usable and inclusive way to safeguard against the threat of digital injection attacks. And while facial biometrics is still viewed by many as science fiction, it undeniably offers the most secure means of safeguarding online identities. Financial organizations should recognize its imperative role in today’s digital landscape, where identity assurance is more crucial than ever.
Dominic Forrest is chief technology officer for iProov.
