The identity fraud detection game is evolving. Fast.
Online fraud is now 81% more likely than fraud at the point of sale, and account takeover fraud (ATO) made up a significant and growing chunk of total online fraud in 2017, according to a new report. In its 2018 Identity Fraud Report, Javelin Strategy and Research revealed that 16.7 million people had their identities stolen and used fraudulently last year, the most since it began tracking the data in 2003.
The surge in stolen identities contributed to a 120% year-over-year increase in losses attributed to ATO fraud. Javelin reported that total ATO losses reached $5.1 billion last year. Account takeover fraud is being fueled by a change in the information that hackers are stealing and selling.
Translation: Trust in the online world is becoming a quickly vanishing commodity.
This new reality makes the onboarding of new customers a riskier affair. Sure, you want to convert as many users as you can, but it’s increasingly important to vet new users right at the outset — at the beginning of the relationship between the customer and the brand — with more reliable methods of authentication.
As we’ve explained in the blog post Are You Being Catfished by Your Customers?, traditional methods of identity verification, such as knowledge-based authentication and two-factor authentication are no longer reliable methods. Many KBA questions are based on information that criminals can easily find on social media sites or through other sources of publicly available information that they can then use to pass these security tests and access consumers’ accounts. Meanwhile, NIST (U.S. National Institute for Standards and Technology) is no longer recommending two-factor authentication systems that use SMS, because of their many insecurities — guidance they recommended dating back to July 2016.
That’s why many modern companies have adopted online identity verification solutions that require the user to capture a picture of their government-issued ID document (e.g., driver’s license or passport). But, if the ID was lost or stolen, then fraudsters can still create bogus accounts using perfectly legitimate IDs. This means companies must go further to definitely establish the identity of new users.
Enter Online Identity Verification
With identity verification, our approach is to start with ID verification to ensure the driver’s license, passport or ID card is authentic and has not been doctored. But, then we go further, requiring a selfie which enables us to compare the person in the selfie to the person pictured in the ID document.
This has proven to have a chilling effect on fraudsters who would prefer not to have their likeness captured by the company they’re attempting to defraud. But, fraudsters evolve. We soon discovered that fraudsters started using high-resolution printouts, close up pictures from the ID document and even pre-recorded videos (in lieu of taking a real selfie).
Enter Liveness Detection
In order to ensure that the user is physically present and that the selfie is legitimate, Jumio has created two flavors of liveness detection: Liveness Detection for Mobile and Liveness Detection for Web. This new functionality has helped online companies minimize fraud and the resulting costs associated with unauthorized transactions, without significantly impacting the customer experience.
Liveness Detection for Mobile: It is estimated that by 2020 more than half of the world’s population will use their smart mobile devices as their primary form of ID and method of accessing confidential information. With Jumio’s award-winning mobile SDK, new users are required to follow a small dot on the mobile device screen with their eyes as it moves in a random pattern. As the object is moving on a random basis, this allows us to disqualify photos, printouts and pre-recorded videos from being substituted for a live camera photo.
Liveness Detection for Web: if your business wants to also enable identity verification from desktops, enabling your users to take and upload pictures using their webcam, we’ve introduced Liveness Detection for Web. How do you know that they are same person pictured on the government-issued ID? This new functionality requires the user to take a picture of themself holding a handwritten note to ensure a real person is performing the transaction. End-users are asked to hold up a note with a custom phrase (e.g. company name) and the current date and then take a picture of themselves with the note during the selfie capturing process.
Jumio also offers Liveness Detection for API-based implementations. If an API is used, our business customers can control the capture of the handwritten notes and guide the end user through the entire user experience (including ensuring that the user has included the proper text and date on the note).
To learn more about Jumio’s Liveness Detection functionality that is baked into our Identity Verification solutions, download our Liveness Detection data sheet today.
In light of the emerging online fraud and account takeover landscape, businesses need to stay at the forefront of fraud detection and deterrence. Online identity verification that leverages biometrics and liveness detection significantly reduces fraud and cyber attacks and provides a powerful disincentive to fraudsters.
Remember, fraudster focus on soft targets. The more hurdles, the more risk, the greater the likelihood they will move on to other, less defended web properties.