Identity theft or misappropriation is one of the cybercrimes that has most risen in recent years, causing not only considerable economic losses but also undermining one of the benefits that most major companies have been reaping from the Internet, to be a space for the commercial transactions of the future.
Cybercriminals no longer engage solely in accessing users’ identities to then commit fraud but, nowadays, trading with these stolen identities has in itself become a very profitable business for isolated cyberdelinquents as well as for perfectly organized groups.
Protecting and authenticating identities has become one of Cybersecurity’s hobby-horses and an enormous challenge in innovation terms for any companies that use digital identity to interact with their customers.
The most obvious case is online banking, the context that is most susceptible to these types of crimes, where obtaining users’ identities is relatively easy and where money is more accessible. Simplicity, opportunity, vulnerability and profit are characteristics that always define a prolific, crime-conducive context.
As suggested by one of thieves and fraudsters’ governing maxims, “One man’s loss is another man’s gain”.
At the outset, personal identification strategies were based on a simple rule: “Something the person knows”. That “something” was usually a password or a pin, which users entered to log in to their service.
For some time now, this element of security has received a good deal of criticism with respect to its effectiveness, since it is primarily related to several of human beings’ handicaps, such as their limited-capacity memory and a tendency to simplify and act in accordance with the Law of Least Effort.
Every year, several surveys are published revealing Internet users’ most common passwords and we are always astonished on seeing the now notorious “12345”, “qwerty”, “password” and the like.
Systems currently force users to improve security via stronger passwords, making them, as it happens, more difficult to remember and more complex to build, which is a bit like being forced to stay underwater for longer to overcome a penchant for breathing through your lungs!
As a way of conquering this shortcoming, digital identification strategies round out authentication with another rule: using “Something the person has”, something that might be a coordinates card or a message sent to the customer’s mobile containing data (usually numerical), which he or she must enter as the final step to access the service.
Without a shadow of a doubt, this two-factor authentication strengthens security, as it introduces elements of possession and proximity with the real user. Nevertheless, sabotaging this system does not represent much of a problem nowadays either; all you have to do is to control the possession element. Copying a coordinates card or obtaining a code sent by SMS are ways of “sharing” this possession with cyberdelinquents.
It is at this point where biometrics appears on the scene as a decisive element in authentication security, an identification strategy that entails adding a final rule: “Something the person is”. Biometrics consists of the study, identification and measurement of an individual’s physical and behavioral traits that allow them to be unequivocally recognized.
Do you want to know more? Download the full Whitepaper on behavioral biometrics and the cyberprofiling of attackers.