A Webinar Recap, Presented by Finopotamus Events and Nuance
By Finn O’Potamus
To watch the full interview, including a more in-depth discussion of voice, conversational and behavioral biometrics, click here.
On March 15, 2022, Finopotamus hosted a live video conversation between co-founder John San Filippo and Simon Marchand, CFE, C.Adm., the chief fraud prevention officer and director of the Gatekeeper product for Nuance. Nuance is a pioneer and leader in conversational artificial intelligence (AI) innovations for everyday work and life. The company delivers solutions that understand, analyze and respond to human language. With decades of domain and artificial intelligence expertise, Nuance works with organizations of all sizes in a wide range of industries, including, of course, financial services, to create stronger relationships and better experiences for their customers.
Challenges With Knowledge-Based Authentication
The conversation opened with a discussion of more traditional forms of member authentication, starting with knowledge-based authentication (KBA). San Filippo pointed out that knowledge-based authentication has two major deficiencies. First, fraudsters can gain access to that knowledge. Second, sometimes that “knowledge” can be forgotten by the actual user, leading to considerable user frustration.
“You're right to point out that there are two issues here,” responded Marchand, “the first being the availability of that information. Today more than ever, it's information you can obtain very easily.” He added that 10 years ago, fraudsters operated mostly independently of each other.
“Now we have groups of hackers that specialize only in breaching organizations and stealing personal information that they put up for sale in the dark web,” he noted. This puts a premium on the “knowledge” used for authentication.
“Every single consumer has their information leaked somewhere,” insisted Marchand. “All of these questions that we might ask, fraudsters can purchase the answers to them.”
Marchand further noted that as organizations seek to bolster knowledge-based authentication with more highly specific questions, the likelihood increases that a user will forget the answer. “What's your biweekly payment on your car loan? Whose bank do you have it with? Fraudsters will have the answers to these. Real customers might not have the answers. So, you're basically introducing more friction. The more questions you ask, the more friction you introduce for legitimate customers while not being a real deterrent to experienced, professional fraudsters.”
Challenges With Device-Based Authentication
The two then discussed various forms of device-based authentication.
“We’ve moved from knowledge-based and we added two-factor authentication, hoping that by sending a message to someone's device, we could make sure the person trying to log into an account or asking to make a specific change would receive that notification, approve it and confirm that our customers were making that transaction,” said Marchand, adding that this presents myriad issues.
“The text message might never come for all sorts of reasons,” he noted. “The second issue is fraudsters can intercept that information. The ones we hear about the most are SIM swaps and port-out schemes, where basically they take control of your phone number either by changing the SIM card that's associated with your phone number or literally porting it to a brand-new account that they have created.”
Beyond the shortcomings of device-based authentication, credit unions can’t ignore the fact that some members and prospective members simply don’t have access to the latest mobile devices. Among them are older members, as well as members from traditionally underserved segments.
“Even if you send your two-factor authentication to an email address,” said Marchand, “you always have to ask yourself the question, which segment of my population am I excluding from that security measure? It turns out it's usually the most vulnerable part.”
The Power of Biometrics
According to Marchand, there are three ways to authenticate a user: by what they know (knowledge-based authentication), what they own (a device), or by what/who they are (biometrics). While biometrics offer the most bullet-proof forms of authentication, traditional biometrics like fingerprints and facial recognition still require a device.
“Plus anyone can enroll their biometric factors with the device because it's kept on the device itself, which brings an additional level of risk,” said Marchand. “Ideally that validation is made against a server-side piece of information. When you decide that a person can use their biometric information, it's information you have verified and that you control and can reuse across multiple channels.”
Moving on to voice biometrics, Marchand said, “Voice biometrics are what makes you sound unique. And when I say sound unique, it's not the words that you use. It's really the unique sound of your voice regardless of the language, regardless of the device, regardless even of the channel that you use to communicate.” Marchand, a native French speaker, said he can switch between French and English and the biometric recognition of his voice won’t change.
“The question of deep voice fakes has been widely covered in the media for some very striking cases of fraud,” said Marchand. “But when you actually look into it, there isn't quite the evidence or substantial evidence that fake voices were used. But we're still always thinking, what can fraudsters do once they get the right technology to try to break into a system? We're always making that technology evolve.”