SMS authentication is broken — can newer tech protect payments?


Many companies no longer rely on static passwords alone, and use two-factor authentication to protect consumer accounts. The problem is they're using the same second factor: text messages sent to mobile devices.

The drawback of sending a single-use code via SMS is that phone numbers can be spoofed, and cellular accounts can be taken over by savvy scammers. In one recent example, a U.K. woman lost over £8,000, or about $10,600, from her bank account after fraudsters visited a branch of Three, her mobile provider, and persuaded it to transfer her number to a new SIM.

There are multiple ways to address this problem. One is to rely on the carriers themselves to shore up their defenses.

"SMS was primarily built as a communication tool, but it became de facto for second-factor authentication," said Pavan Challa, director of product management at Verizon.

Verizon is working with other carriers on Project Verify, which is designed to "not just use SMS but use your device, use the signals that have been sent to the network … customer information, AI, machine learning and blockchain technology," he said. "We want to build this multifactor authentication into the solution that's going to eliminate most of the fraud that's going to happen today."

Challa spoke during a panel discussion at SourceMedia's annual PayThink conference, taking place this week in Austin. Project Verify, which also includes AT&T, T-Mobile and Sprint, was announced earlier in the month and is expected to go live in March 2019 as an app that the carriers preload onto customers' phones.

On the banks' side, other options can complement what the carriers are doing. These methods will become increasingly important as more banks join real-time payment networks.

"Real-time payments comes with real-time fraud," said Eric Woodward, group president of risk solutions for Early Warning, which operates the Zelle payments network.

Since Zelle is meant to be used within a bank's app, it benefits from the security that's built into those apps, including biometric authentication, PIN codes and more. But Zelle's role doesn't stop there.

"We see our customers use everything from voice to fingerprint to facial [to] eyeprints," Woodward said. "We also think it's critically important to have passive authentication behind it. If you're on a cell phone, is this SIM card the one that I'm used to seeing … what Wi-Fi signal [are you] on, at home or at the gym?"

When all of these elements are taken together, "the active authentication of the biometric — the facial scan or fingerprint — is almost like ‘security theater’ because you've got so much beneath it," he said.
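The passive signals Woodward describes (is this the SIM I usually see, is this a known Wi-Fi network) can be combined into a risk score that sits beneath the active biometric check. The following is an added illustration, not code from Early Warning, Zelle or the article; the signal names, the history format, the weights and the step-up threshold are assumptions chosen for the example. It also shows the case the article's SIM-swap story implies: the biometric passes, but the SIM has never been seen before, so the attempt is pushed to a stronger confirmation rather than to another SMS code.

```python
"""Passive-signal scoring beneath an active biometric check (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class DeviceHistory:
    """What the service has observed for one customer on prior sessions (constructed)."""
    sim_ids: Set[str]        # opaque SIM identifiers seen before
    device_ids: Set[str]     # app/device installation identifiers seen before
    wifi_networks: Set[str]  # Wi-Fi networks (e.g. hashed BSSIDs) seen before


@dataclass
class Attempt:
    """Signals collected for one login or payment attempt (constructed)."""
    sim_id: str
    device_id: str
    wifi_network: Optional[str]  # None when the phone is on cellular data
    biometric_ok: bool           # result of the active check (face/fingerprint)


# Hypothetical weights: a changed SIM is treated as the strongest signal because it is
# what a SIM swap looks like from the bank's side.
SIM_WEIGHT, DEVICE_WEIGHT, WIFI_WEIGHT = 50, 30, 10
STEP_UP_THRESHOLD = 40


def passive_risk(attempt: Attempt, history: DeviceHistory) -> Tuple[int, List[str]]:
    """Score the passive signals against history. Higher score = more suspicious."""
    score, reasons = 0, []
    if attempt.sim_id not in history.sim_ids:
        score += SIM_WEIGHT
        reasons.append("unrecognized SIM")
    if attempt.device_id not in history.device_ids:
        score += DEVICE_WEIGHT
        reasons.append("unrecognized device")
    if attempt.wifi_network is not None and attempt.wifi_network not in history.wifi_networks:
        # An unknown network alone is weak evidence: people do use cafes and hotels.
        score += WIFI_WEIGHT
        reasons.append("unrecognized Wi-Fi network")
    return score, reasons


def decide(attempt: Attempt, history: DeviceHistory) -> Tuple[str, int, List[str]]:
    """Return (decision, score, reasons): 'deny', 'step_up' or 'allow'."""
    score, reasons = passive_risk(attempt, history)
    if not attempt.biometric_ok:
        return "deny", score, reasons
    if score >= STEP_UP_THRESHOLD:
        # Biometric passed but the passive layer disagrees: require a confirmation
        # channel that does not depend on the phone number (an SMS code would reach
        # the attacker's SIM in the swap scenario).
        return "step_up", score, reasons
    return "allow", score, reasons


def record_success(attempt: Attempt, history: DeviceHistory) -> None:
    """After an allowed session, fold the observed signals into the history."""
    history.sim_ids.add(attempt.sim_id)
    history.device_ids.add(attempt.device_id)
    if attempt.wifi_network is not None:
        history.wifi_networks.add(attempt.wifi_network)


if __name__ == "__main__":
    hist = DeviceHistory({"sim-A"}, {"dev-1"}, {"home-net", "gym-net"})
    print(decide(Attempt("sim-A", "dev-1", "home-net", True), hist))
    print(decide(Attempt("sim-B", "dev-1", None, True), hist))  # looks like a SIM swap
```

The history is only updated from sessions that were allowed outright, so a step-up that the customer later fails does not teach the model to trust the new SIM.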

That approach may work for newer payment methods that occur on a computer or mobile device, but conventional card payments don't have the benefit of built-in fingerprint readers or recognizable Wi-Fi signals.

To improve security for card transactions, Featurespace, a U.K.-based security company, focuses on good behavior instead of bad.

"It's a completely different approach to solving fraud," said Dave Excell, founder and CTO of Featurespace, in an interview at PayThink. "Rather than chasing around the fraudster, we're chasing around the good customers."

Featurespace began working with U.S.-based TSYS in 2016, and since their partnership began, the companies have seen a 35% decline in card-not-present fraud for clients on their product worldwide. Featurespace also works with Worldpay, one of its investors.

The system takes in a number of factors including passive habits, such as how a person holds a mobile device or which lane they prefer to shop in at a grocery store.

Featurespace places very little value on SMS passcodes.

"Text is completely broken; you can't rely on that," Excell said. "It's really easy for a fraudster to compromise your mobile number."

An EMV card being used at a magstripe terminal in a far-off city may be a sign the card has been cloned, but there are other factors to consider, such as whether the card was used at a chip-enabled terminal in the same city the same day. If that's the case, the card's owner is likely on a trip and still has possession of the card, Excell said.
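The reasoning Excell describes is a contextual rule rather than a single anomaly flag: a magstripe read of an EMV card far from home is suspicious on its own, but a chip read in the same city the same day argues that the cardholder is travelling with the card. The following is an added example, not Featurespace's or TSYS's code; the transaction fields, the city list with distances, the 500 km "far" threshold and the risk labels are all constructed for illustration. It goes one step beyond the text by also flagging the opposite case, a same-day chip read in a distant city, since the genuine card cannot be in two far-apart places at once.

```python
"""Contextual assessment of a magstripe read on an EMV card (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple


@dataclass(frozen=True)
class Txn:
    """One card transaction as a risk engine might see it (constructed fields)."""
    card: str
    ts: datetime
    city: str
    entry_mode: str  # "chip" or "magstripe"
    amount: float


# Constructed straight-line distances in km; a real system would geocode merchant data.
DISTANCE_KM = {
    frozenset({"Austin", "Houston"}): 235,
    frozenset({"Austin", "Seattle"}): 2850,
    frozenset({"Houston", "Seattle"}): 3050,
}
FAR_KM = 500  # assumed threshold for "far-off city"


def distance(a: str, b: str) -> float:
    """Distance between two cities; an unknown pair is treated as far."""
    if a == b:
        return 0.0
    return float(DISTANCE_KM.get(frozenset({a, b}), float("inf")))


def assess(txn: Txn, home_city: str, history: List[Txn]) -> Tuple[str, str]:
    """Return (risk, reason) where risk is 'low' or 'high'.

    history holds earlier transactions on any card; only the same card and
    same calendar day are consulted for corroboration.
    """
    if txn.entry_mode != "magstripe":
        return "low", "chip read"
    if distance(txn.city, home_city) < FAR_KM:
        return "low", "magstripe read near home"

    # Magstripe fallback far from home is consistent with a cloned stripe, so look
    # for evidence that the real card is present: same-day chip reads on this card.
    same_day_chip = [
        h for h in history
        if h.card == txn.card and h.entry_mode == "chip" and h.ts.date() == txn.ts.date()
    ]
    if any(h.city == txn.city for h in same_day_chip):
        return "low", "magstripe far from home, but chip used in the same city today"
    if any(distance(h.city, txn.city) >= FAR_KM for h in same_day_chip):
        # The genuine chip card was used far away today: two cards, one number.
        return "high", "chip used today in a city far from this magstripe read"
    return "high", "magstripe far from home with no chip corroboration"


if __name__ == "__main__":
    hist = [Txn("c1", datetime(2018, 9, 18, 9, 0), "Seattle", "chip", 42.0)]
    print(assess(Txn("c1", datetime(2018, 9, 18, 14, 0), "Seattle", "magstripe", 120.0), "Austin", hist))
    print(assess(Txn("c1", datetime(2018, 9, 19, 14, 0), "Seattle", "magstripe", 120.0), "Austin", hist))
```

Corroboration is restricted to the same card and the same calendar day, which keeps a chip read from last month's trip from vouching for a magstripe read today.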

This is useful insight for high-net-worth consumers, whose ordinary transactions — such as buying pricey jewelry — would look suspicious on the account of an average consumer.

A potential drawback of this approach is that the better it is at stopping fraud, the less fraud data the system can observe going forward.

"A fraud that you had there to learn from no longer exists because you actually stopped it, so you've actually got to be careful in terms of how you construct the system," Excell said.

Featurespace's model is designed to keep that in mind, and not let its guard down when fraud starts to disappear. "When you actually start deploying these machine learning solutions, you have to think about the practicalities of once they're live, do they start to bias your data?" Excell said.
