Losing face

Access & Identity Management Handbook 2021 Information Security

The risk of identity theft and related fraud is a significant concern for consumers who have been embracing online services to overcome lockdown restrictions during 2020. Even prior to this, there has been a reported 33% increase in identity fraud last year from 2018 figures.

While the pandemic has been a boon to adoption of biometrics – particularly face biometrics in this contactless era – for digital identification, authentication, and authorisation services, this has also amplified the necessity of two-factor authentication (2FA) for users to better protect themselves.

Biometrics can either be biological measurements or physical characteristics that can be used to identify an individual. Some of the more popular modalities that are becoming mainstream today include fingerprint scans and facial recognition. The use cases for such solutions are vast, from identification and verification services to security and restricted access control – including at airports, stadiums, businesses, and various other settings. Additionally, many of the latest smartphones even feature biometrics as security options, used to unlock the device, sign into mobile apps and in payment verification.

According to Vic Esterhuizen, executive: Biometrics at Xpert Decision Systems (XDS), the largest locally owned credit information bureau in South Africa, biometrics can fulfil a critical fraud prevention function in the identification, authentication and authorisation sequence of events, including digital on-boarding services, and identification/account verification at the point of sale.

The value of biometrics

“Much about how we live, work and play changed due to the impacts of the COVID-19 pandemic, where lockdown restrictions coupled with social distancing protocols have pressed upon people to avoid use of shared surfaces and close, in-person interactions as much as possible. This is accelerating adoption trends in contactless identification including face biometrics systems – particularly as a complement to, and in support of, digital transactions,” says Esterhuizen.

Market research indicates that the global face biometrics market size was valued at $3,4 billion in 2019 and is projected to grow at a CAGR of 14,5% from 2020 to 2027.

Esterhuizen suggests that in a digitally driven world, the traditional username and password method can be enhanced with additional security factors. “Biometrics presents a massive opportunity to promote market inclusion through digital and remote access to products and services. And, by using something unique to an individual to confirm the person’s identity before any financial and other transactions can be done, this can support in significantly reducing the potential for identity theft and associated risks of third-party fraud.

“It should be noted, however, that not all technology is the same and products and service providers who are looking to capitalise on the digital and remote opportunities must undertake market research and consult with experts on solutions that offer built-in risk mitigation and high anti-spoof rates in identity verification,” says Esterhuizen.

Identification, authentication and authorisation

To realise the effectiveness of biometrics, Kaspersky believes that consumers first need to understand the difference between identification, authentication and authorisation.

“While it might not seem important at first to understand the role biometrics can play in these processes, given how everything from shopping to banking to entertainment and more of our daily activities are increasingly connected to the Internet and performed online, consumers need to better understand that collectively these online accounts form an imprint of their digital lives – and that their biometrics can be used to unlock this imprint if not used appropriately and safely,” says Lehan van den Heever, enterprise cybersecurity advisor for Kaspersky in Africa.

For instance, a banking app will request the user’s login details before the user may perform any transactions. The username will be the identification step, i.e., confirming identity of the user. The password or PIN will then be used to authenticate the login. The final step is that of authorisation. Once the identification and authentication have been done and confirmed, the app will give the user the right, i.e., authorise the user, to view their account balances, pay beneficiaries, etc.

“There are current services and use cases where biometrics have been integrated into these processes, for example a fingerprint or face scan may be used to supplement, or in addition to, any of these three steps. To do this, the provider is taking biometric data and storing it in the cloud, which is correlated with the user’s account and payment data. And while such data may well be encrypted, the potential risk is that should the data ever be stolen – and decrypted – from the cloud, the user’s identity could be spoofed, leading to financial losses and potential third-party fraud,” indicates Van Den Heever.

Two-factor authentication

This stresses the necessity of two-factor authentication. As is the case with the aforementioned example, many local banks continue to use two-factor authentication, which requires entering a password/PIN as well as confirming a one-time password (OTP) at the point of transaction, which is sent to a secondary device, for example.

“With the pandemic expected to be a part of our lives for some time to come, biometrics has an important role to play in the new normal. And the key to integrating biometrics safely, particularly where a user’s financial data is concerned, lies in how the data is being encrypted and stored. For example, where biometrics is used to identify the user and a PIN is used to verify that identity, anyone stealing the biometrics data wouldn’t have a complete set of information or enough to steal people’s money, or spoof their identity. It is much safer to keep the two things separate and integrate 2FA as a critical step to securing accounts and the data they hold,” concludes Van Den Heever.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

All aspects of data protection
Technews Publishing Editor's Choice Information Security Infrastructure AI & Data Analytics
SMART Security Solutions spoke to Kate Mollett, Senior Director, Commvault Africa, about the company and its evolution from a backup specialist to a full data protection specialist, as well as the latest announcements from the company.

The song remains the same
Sophos Information Security
Sophos report found that telemetry logs were missing in nearly 42% of the attack cases studied. In 82% of these cases, cybercriminals disabled or wiped out the telemetry to hide their tracks.

How hackers exploit our vulnerabilities
Information Security Risk Management & Resilience
Distractions, multi-tasking, and emotional responses increase individuals’ vulnerability to social engineering, manipulation, and various forms of digital attacks; 74% of all data breaches included a human element.

Projections for 2024’s Advanced Threats Landscape
News & Events Information Security
Kaspersky Global Research and Analysis Team (GReAT) experts offer insights and projections for 2024 in the Kaspersky Security Bulletin, with a focus on the evolution of Advanced Persistent Threats (APT).

Veeam and Sophos in strategic partnership
Information Security
Veeam and Sophos unite with a strategic partnership to advance the security of business-critical backups with managed detection and response for cyber resiliency, and to quickly recover impacted data by exchanging critical information.

Unmasking insider risks
Information Security
In today’s business landscape, insider risks can manifest in various forms, including data theft, fraud, sabotage, insider trading, espionage, whistleblowing, negligence, truck hijacking, goods robbery from warehouses, and more.

When technology is not enough
Information Security
[Sponsored] Garith Peck, Executive Head of Department for Security at Vodacom Business, writes about the importance of creating a cybersecurity strategy in a world where threats never sleep.

Identity verification and management trends
Technews Publishing Information Security
Insights into what we can expect from identity fraudsters and the industry next year, ranging from criminal exploitation of AI and digital IDs to multi-layer fraud protection and the need for more control over personal information sharing.

Reinforcing cyber defences in a world of evolving threats
Sophos Information Security
[Sponsored Content] In South Africa, the urgency to amplify cybersecurity measures is underscored by alarming statistics revealing the continued vulnerability of organisations to ransomware and other sophisticated cyberattacks.

Trellix detects collaboration by cybercriminals and nation states
News & Events Information Security
Trellix has released The CyberThreat Report: November 2023 from its Advanced Research Centre, highlighting new programming languages in malware development, adoption of malicious GenAI, and acceleration of geopolitical threat activity.