Enterprises of any type providing digital engagement options operate in a world of constant and costly risk. Constant because efforts to defraud connected enterprises are organized, persistent and often effective. Costly, as exemplified most recently by Australian health insurance provider Medibank Private, where a ransomware attack gave rise to an estimated $640+ million in expenses and the loss of 30% of its market cap after a security breach compromised the highly sensitive personal data of some 10 million customers, including the medical information of half a million of those affected. Given the organized nature of the hacker community, such large-scale ransomware attacks are becoming more frequent.
Hackers are able to steal the credentials of super-admins (among others) and gain access to “absolutely everything.” In the case of Medibank, that included financial records, health records and other personal information that was held for ransom. When the company refused to pay the ransom, the fraudsters began to systematically release damaging information (what they called a “naughty list”), making public the records of individuals in drug and alcohol rehabilitation or those who had had abortions or had been diagnosed with HIV.
Yet, according to Pat Carroll, Co-Founder and Executive Chairman of ValidSoft, a long-standing provider of anti-fraud and authentication solutions, such incidents are avoidable. Stealing credentials often amounts to attacking known weaknesses in “knowledge-based” authentication. The most common forms are guessing or buying passwords, social engineering, collecting publicly available data in order to provide correct responses to so-called ‘challenge’ questions, or taking a man-in-the-middle approach to intercept the six-digit code provided in the SMS-based one-time-password (OTP) routine.
The problem is that current authentication methods don’t provide identity assurance. As Carroll explains, “only a biometric can provide strong, non-repudiable identity assertion.”
To that end, ValidSoft is introducing See-Say® Voice Identity, the latest offering in the company’s family of Guaranteed Identity products. It employs a combination of voice biometrics and speech recognition in conjunction with encrypted delivery of a cryptographically generated set of digits in order to provide a low-friction, speedy identity verification system. The advantages over alternative authentication systems are manifold. Speaking, rather than typing, digits provides the opportunity to employ voice biometrics-based authentication. Because the digits are uniquely generated for each transaction or access request, that transaction or access request is irrevocably tied to the individual, which enables non-repudiation. The speed at which authentication takes place makes “man-in-the-middle” tactics ineffective. No passwords or other credentials are used. Dynamic delivery of (seemingly) random digits thwarts replay attacks as well as much-publicized “Deep Fake” approaches to overcoming biometric-based authentication.
Filling a Void for Digital Banks, E-Commerce Providers and Enterprises
See-Say® Voice Identity’s introduction is very timely and has found many immediate use cases. For online banks it represents a pronounced improvement over SMS-delivered one-time passwords. For payment service platforms like Zelle, Venmo or PayPal, its support of non-repudiation will prove invaluable in reducing consumer fraud losses, as well as so-called ‘friendly-fraud’. It also strengthens the Identity & Access Management (IAM) and Privileged Access Management (PAM) offerings from players like Okta, Cisco Duo, Ping Identity, ForgeRock and others. Ultimately, See-Say® is destined to have a positive impact in fighting fraudulent transactions across all e-commerce platforms, as well as bulletproofing the growing number of “card not present” transactions offered through websites and mobile apps. Opus Research sees very strong potential for See-Say and its value in thwarting large-scale fraud.