Preventing Fraud with Facial ID Recognition
Identity theft is one of the most pernicious forms of fraud. Once a cybercriminal accumulates enough personally identifying information to impersonate their victim, they can potentially gain access to all of that person’s most private and valuable online accounts.
One way to protect accounts from attacks based on identity theft is through biometric authentication: using an individual’s unique physical characteristics to verify their identity. Right now, facial recognition is emerging as one of the most secure and reliable options for biometric authentication. How is facial ID technology being used to combat identity theft and fraud?
Identity theft can often have a domino effect, where taking control of one of the victim’s primary accounts can help the fraudster gain access to others.
For example, if a fraudster breaches a victim’s Gmail account, they may then be able to use the password reset function on other sites to gain access to other accounts belonging to the victim.
As consumers shift more and more of their vital information and assets to the safekeeping of online platforms, it becomes imperative that the companies entrusted with this data employ the strongest, most state-of-the-art defenses against cybercrime.
Passwords can be cracked and devices can be spoofed, but copying another person’s fingerprints or retinal patterns is another matter entirely. That’s why biometrics are now being widely used to bolster device and account security.
While any unique physical trait can be used as the basis for biometric identification, facial recognition has taken off because of its accuracy and ease of use.
Small merchants may not see themselves as the target market for facial ID technology, but businesses of all sizes stand to benefit from the shift away from low-security authentication methods like passwords and toward biometrics.
A successful account takeover can allow a fraudster to make multiple unauthorized credit card transactions that are extremely difficult to detect, each one resulting in a costly chargeback. Wouldn’t it be nice to shut them down simply by asking them to take a selfie?
How Does Facial ID Work?
Facial recognition technology works by using a camera to capture an image of a person’s face. The unique topography of the subject’s face—the angles, sizes, and distances between various features—is then converted into data. This data is used to create a unique digital profile of the subject’s face, which will match the data from future scans even if superficial details like the lighting or hairstyle are different.
There are many potential uses for facial ID, some more innocuous than others. Facebook uses facial ID to suggest who to tag in your uploaded photos; law enforcement agencies use it to identify suspects. In a cybersecurity context, facial ID profiles may be captured when a user first signs up for an account.
When the user needs to authenticate themselves in the future, they just show their face to the camera on their smartphone or laptop. The facial ID software will compare the newly captured image to the original profile and determine whether or not it’s the same person.
How Can Facial ID Be Used to Prevent Fraud?
Facial ID can be an effective way to prevent account takeover attacks. When an account is secured with a password, the fraudster simply needs to know the password in order to gain access.
There are various ways they can achieve this—through brute force attacks like credential stuffing, by buying already-compromised login credentials on the dark web, or by using phishing attacks to trick the victim into giving up their password voluntarily.
Faces, as it turns out, are much more difficult to steal or falsify. In fact, many fraudsters will give up on trying to attack an account as soon as the site asks them to provide a live photo—not just because they know they’re unlikely to pass authentication, but because they don’t want any images from their own device captured as evidence.
Requiring facial ID for every login might make sense if you’re talking about a locked smartphone or an online banking account. However, merchants may find that demanding authentication through a camera-equipped device causes too much friction for customers who simply want to make a quick purchase.
Finding the right balance between convenience and security is always a challenge, but don’t write off facial ID. Consider the example above of using a hacked Gmail account to take over associated accounts via password reset, a classic security weak point. Using facial ID to authenticate the reset request is much more secure than sending a message to the email address on file.
Does Facial ID Technology Have Any Vulnerabilities?
When Apple first started using facial ID to unlock the iPhone X back in 2017, it didn’t take long for users to find some clever workarounds. It turned out that a close relative’s face would often do the job, and if you didn’t have a close relative handy, you could always try making a creepy 3D mask of the user’s face.
The good news is that facial recognition technology has gotten much better at catching these deceptions.
Facial ID systems now routinely use liveness detection to tell whether or not the camera is pointed at an actual human face, greatly reducing the efficacy of 3D models and deepfakes.
Twins and close relatives may still be able to confuse facial ID systems at times, but this isn’t a solution the average fraudster can avail themselves of. As for two-dimensional trickery—using a still photograph to fool the camera—this isn’t possible on platforms like the iPhone where the camera is able to capture a detailed 3D image, but it may pose a risk on low-end systems designed to work with a variety of webcams.
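The flow described in the sections above, as an added Python example that is not from the original post or any vendor's product: a face profile is enrolled at signup, and a password reset is allowed only when a live capture matches it, while ordinary actions skip the camera. The four-number templates, the 0.80 threshold, the action names and the liveness_passed flag are constructed assumptions; a real deployment gets templates and liveness results from its face-recognition engine.

```python
import math

MATCH_THRESHOLD = 0.80  # assumed cutoff; real systems tune it per model
STEP_UP_ACTIONS = {"password_reset", "change_email"}  # assumed high-risk actions

# Constructed sample templates (real ones have hundreds of dimensions).
ENROLLED = [0.12, 0.85, 0.33, 0.40]      # captured at signup
SAME_PERSON = [0.15, 0.80, 0.36, 0.42]   # later scan, different lighting
OTHER_PERSON = [0.90, 0.10, 0.05, 0.40]  # someone else's face


def cosine_similarity(a, b):
    """Similarity of two templates: 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


class FaceStepUp:
    """Requires a face match only for high-risk actions, to limit friction."""

    def __init__(self):
        self._templates = {}  # user_id -> enrolled template

    def enroll(self, user_id, template):
        self._templates[user_id] = list(template)

    def authorize(self, user_id, action, probe=None, liveness_passed=False):
        if action not in STEP_UP_ACTIONS:
            return "allow"  # e.g. a quick purchase: no camera prompt
        enrolled = self._templates.get(user_id)
        if enrolled is None:
            return "deny:not_enrolled"  # fail closed, never skip the check
        if probe is None:
            return "challenge:face_required"
        if not liveness_passed:
            return "deny:liveness_failed"  # capture engine reported no live face
        if len(probe) != len(enrolled):
            return "deny:bad_template"
        score = cosine_similarity(enrolled, probe)
        return "allow" if score >= MATCH_THRESHOLD else "deny:no_match"


if __name__ == "__main__":
    gate = FaceStepUp()
    gate.enroll("alice", ENROLLED)
    print(gate.authorize("alice", "password_reset", SAME_PERSON, True))
    print(gate.authorize("alice", "password_reset", OTHER_PERSON, True))
    print(gate.authorize("alice", "password_reset", SAME_PERSON, False))
```

The liveness check runs before the match, so a perfect copy of the enrolled face is still refused when the capture is not from a live subject.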
Facial ID is a high-tech solution to a relatively simple problem: making sure a person is who they say they are. Deciding whether to adopt biometrics and other strong authentication methods is never an easy question for merchants, who have to determine whether the reduction in fraud will be worth the added friction and possible loss of sales.
Fortunately, consumers are getting more accustomed to taking a quick selfie to unlock a device or app, and we expect to see more affordable and friction-free biometric solutions becoming available to merchants in the near future.
Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: firstname.lastname@example.org.