{"id":761,"date":"2018-05-18T00:32:02","date_gmt":"2018-05-18T00:32:02","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/biometrics-better-than-your-mothers-maiden-name-good-luck-changing-your-body-if-your-info-is-stolen-2\/"},"modified":"2018-05-18T00:32:02","modified_gmt":"2018-05-18T00:32:02","slug":"biometrics-better-than-your-mothers-maiden-name-good-luck-changing-your-body-if-your-info-is-stolen-2","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/biometrics-better-than-your-mothers-maiden-name-good-luck-changing-your-body-if-your-info-is-stolen-2\/","title":{"rendered":"Biometrics: Better than your mother’s maiden name. Good luck changing your body if your info is stolen"},"content":{"rendered":"
<\/div>\n

Identity theft has hit record levels in the UK \u2013 the vast majority of incidents are online. The UK’s largest cross-sector fraud sharing databases, Cifas recently logged 174,523 incidents finding eight out of 10 took place online.<\/p>\n

Far from targeting the usual haunts of bank and credit card services, fraudsters have shifted to new targets \u2013 telecoms, online shopping and insurance. The thieves are harvesting information through phishing, malware attacks, social media, and other forms of social engineering.<\/p>\n

In the US, 145 million Americans saw their Social Security numbers, birthdates, credit history, and other staples of online verification were pinched from credit-rating agency Equifax.<\/p>\n

The primary driver behind financial fraud is impersonation and deception scams as well as online attacks to compromise data, according to Financial Fraud Action UK.<\/p>\n

For all the achievements of the internet’s builders, it would seem the issue of reliably proving identity has come to bedevil their extraordinary creation. This omission has left society juggling two incompatible worlds, that of the online and the offline, each with its own notion of human identity.<\/p>\n

It\u2019s put those providing online services in a seemingly impossible and irreconcilable position: to provide services while safeguarding entry, but using methodologies that employ techniques using credentials that are weak or compromised. There\u2019s every chance the person logging on is not who they claim to be, because that individual has access to somebody else\u2019s stolen details.<\/p>\n

The internet was about connectivity and communication, ignoring the idea that a successful digital world would one day need a reliable concept of identity that didn\u2019t rely on easily faked, lost, or stolen documents and information, or basic data such as your mother\u2019s maiden name.<\/p>\n

But here we are. Today\u2019s online world is forced to default to one of two unsatisfactory options to safeguard services and users: one is to ask people to prove their identity through paper documentation, and the other is to resort to some form of knowledge-based authentication (KBA). The former requires the person to first visit said institution with paper documents in hand \u2013 this is hardly the stuff of the digital world. From that moment onwards, KBA is used to check that the person who made that visit is still who they claim to be.<\/p>\n

KBA, however, has another problem: the problem of people\u2019s memory. Google in 2015 found most people \u2013 74 per cent \u2013 struggle to remember the answers to personal questions used in KBA systems, and in many cases, asking \u201cwhat\u2019s your favourite food,\u201d hackers have a good chance of guessing the answer anyway. In the case of what\u2019s your favourite food, pizza is the answer for 20 per cent of people.<\/p>\n

KBA and MFA: failed gods<\/span><\/h3>\n

The ultimate identity crime of all is ID theft, where someone\u2019s entire digital record is borrowed to commit not one illegal act of access but possibly multiple crimes over an extended period \u2013 hence the significance of that Equifax hack. KBA fails in the Equifax-hack world because the successful criminal has the fundamentals \u2013 financial credentials names, addresses, dates of birth, security questions and passwords \u2013 needed to pretend they are somebody else.<\/p>\n

Engineers, regulators, and governments have patched up this problem by enforcing either more checks (making it more difficult to open financial accounts, say), or by extending KBA in novel ways. In the long-term, they simply spurred the evolution and organisation of criminals to find ways around them.<\/p>\n

One perceived answer was two-factor or multi-factor authentication (2FA, MFA) \u2013 essentially a way of adding something the user has in their possession (a token or time-dependent code), to one or more things they know, usually a password and user name. Well-designed MFA can be effective \u2013 but brings with it trade-offs between complexity, expense, and effectiveness. MFA is annoying and confusing, too, if you\u2019re forced to authenticate across services in different ways. 2FA has been compromised as hackers have hijacked texts that are used to deliver a temporary code.<\/p>\n

To KBA\u2019s credit, users understand what to do and are not challenged unnecessarily.<\/p>\n

Biometric hope<\/span><\/h3>\n

What\u2019s the answer? What about the immutable aspects of identity \u2013 fingerprints, voice, iris, typing style, facial and selfie ID, and perhaps even DNA? Can these bear down on fraud in ways that are hard to bypass? Styled as advanced identity verification, many have now reached the mainstream thanks to the smartphone and mobile apps.<\/p>\n

Broadly speaking, these can be divided into simple verification (for example, logging into an account), and onboarding verification (the process a user goes through when they originally created that account) as a way of stopping criminals from setting up fake accounts. Some examples:<\/p>\n