How can scammers use biometric data?


We provide more and more data online with each passing day. Most of it is lost, but the most important data should be stored. Biometric data is one of the most sensitive types of PII (Personally Identifiable Information), as its misuse causes serious problems on many levels. At the same time, biometric data like face imagery, voice stanzas, iris scans, or fingerprints are among the most secure user verification methods possible.

While more exotic methods of customer authentication like voice checks or iris scans are not so widespread in eCommerce and Fintech, many companies use face recognition during user validation and onboarding. An antifraud system helps minimize the risks related to online fraud and prevents scammers from using forged or stolen biometric data. As more and more companies from the USA, the EU at large, and Germany in particular start using biometric data, it’s good to be prepared. Here is how Covery can help.

What are 4 examples of biometrics currently being used?

The most popular biometric data types are as follows:

  • Facial recognition. When customers provide photo-quality scans of their government-issued IDs, they are also asked to undergo live video verification to check if their facial details match the ones on the documents. They can be asked to tilt their heads, blink, open and close their mouths, etc. The facial recognition algorithm then compares the movements of different facial points and ensures there are no glasses, hats, fake mustaches on the face, and no Photoshop signs on the IDs.

    Covery enables this through the integration with Ondato and ShuftiPro, which ensures reliable real-time user verification by face for our customers.
  • Iris scans. While not so widespread yet, this technology is gaining popularity on par with facial recognition. Iris scans are unique and serve as great personal verification details, but the equipment for such scans is currently expensive and can’t be expected to be available to every customer, unlike a smartphone selfie.
  • Voice stanzas. A user can be requested to pronounce a certain code phrase, and the stanzas will be recorded. In the future, reciting this phrase will be verification enough for user authentication. However, even a simple flu or cold can alter our voice parameters significantly, which makes this biometric validation method less reliable than the previous ones.
  • Fingerprints. Many smartphones and laptops already have fingerprint scanners, making fingerprint verification quite viable. While used widely in various security systems, this method is not as ubiquitous in the digital business domain.

There is yet another method — biometric behavior, which involves analyzing the way a person scrolls their touchscreen, but it is not very popular as of yet. The aforementioned 4 are quite widespread, however — they are actively collected, stored… and can be stolen.

What happens if biometric data is stolen?

While biometric data is any individual’s most valuable digital asset, the measures used to ensure its security are not yet sufficient. Biometric hackers and scammers are regularly breaching various data stores in search of this highly valuable information. For example, back in 2019, Suprema, a global powerhouse in biometric scanning, was breached.

Aside from removing their own fingerprints from international databases, the criminals gained illicit access to a database of 2+ billion biometric records to be sold on the Dark web. 

Some sources even stated that this exposure of fingerprints spelled the end of biometric security efforts, as once your biometric data is stolen, your identity is compromised forever and your PII can be used in synthetic identity fraud. While passwords can be reset quite easily, you can’t change your fingerprints, iris scans, or vocal cords — costly surgery left aside.

How can biometric data be misused?

From leaving bogus evidence at crime scenes to fooling biometric scanners in high-value locations, to creating fake identities for online platforms — this data breach went a long way. While gaining theoretical access to high-security installations was one of the most perilous threat vectors, selling credentials to scammers to create fake identities was the most widespread one. This data can be used for account takeover and compromising your operations.

As an online merchant relying on biometric data for user verification, you must now take an extra step to secure your business and enable 2-Factor Authentication as a part of Strong Customer Authentication under PSD2 requirements. Most importantly, you should combine biometric verification with other user validation methods to ensure reliable fraud prevention on your platform.

What can Covery do to help?

As Covery is an enterprise-grade risk mitigation, fraud prevention, and chargeback management platform, it provides a wide range of capabilities for detecting online fraud (even fraud committed using biometric data). To enable this, we combine device fingerprinting, Trustchain user reputation checks, behavioral analysis, and an AI-empowered rule-based risk logic engine.

  • Device fingerprinting is a complex device intelligence technology that forms digital profiles of all devices used to access your site, formed of a wide range of hardware and software markers. Those markers are always publicly transmitted by every device to enable crash handling, so capturing them does not violate GDPR and other legislation. By tracking those markers, Covery can easily identify every device and alert you when an account takeover is in progress — or launch an automated response scenario configured in the risk logic engine.
  • Trustchain is a global database of reputation records maintained by Covery, which contains information about every user session that ever happened within the Covery community. Trustchain tracks 13 unique identifiers of every user account across your website, one of 23+ industries or globally. Through it, you can look up the history of logins from every device and make informed decisions regarding every customer based on their trust record.
  • AI-empowered risk logic rule engine. Covery uses a Supervised Machine Learning algorithm to apply a myriad of risk response scenarios configured through a flexible editor. The platform comes with 15 preconfigured scenarios, users can form their own unique rules, and Covery can lend risk analysts to help you ensure watertight fraud detection and prevention.

By combining this wide selection of anti-fraud tools, Covery can provide reliable fraud mitigation measures for every step of the customer journey, from registration to payouts, including account takeover committed using stolen biometric data. Through our partners, we ensure reliable face recognition and closely monitor advances in other areas to add them to our portfolio.

To learn the full extent of how Covery can help your business — schedule a free demo and see the full functionality of our antifraud system firsthand.