Avoiding “Catphishing” and Similar Online Scams With Layered Identification
The relative anonymity of the internet has given rise to a slew of new types of fraud committed by consumers, including the deceptive practice of “catphishing”.
Catphishing (or catfishing) is the act of pretending online to be someone different from who you really are. Catphishing goes beyond simply giving a false name. It entails creating a completely fake or borrowed identity, often with a backstory, fake friends, stolen pictures, and anything else that might better help sell the lie.
Those who catphish do so to play cruel jokes or to carry on romantic relationships; the latter is the premise of the MTV program Catfish: The TV Show and appears in several storylines of TLC’s hit series 90 Day Fiancé.
Yet catphishing is not only used for social deception. It is often incorporated into financial scams for the purposes of protecting the scammer’s true identity and making the scam appear believable. As the purpose of catphishing is to avoid cursory investigation, this can make it a nightmare for online companies that rely on customer verification.
One of the most frustrating aspects of cybersecurity is that, given how connected the internet makes most facets of our everyday lives, there are so many ways for creative hackers to get what they need.
When a company must know that their customers are who they say they are, various options can be employed with varying levels of success. Examining the pros and cons of each option will help you decide which methods would best serve your online business and customers.
Even better, businesses should consider combining or “layering” several different verification methods. This can be done easily, and without compromising too much usability in the customer experience.
Two-Factor Authentication, or 2FA, is a popular method of customer verification that requires two forms of authentication: usually the standard username and password, plus something that ostensibly only the customer would have access to.
If you’ve ever tried to access banking information from a computer other than the one you normally use, you’ve probably been prompted to enter a numeric code sent by phone call, email, or text. That’s 2FA. The extra level of security comes from the fact that the secondary piece of authentication is sent to a device that only the customer is expected to have access to.
The problem is that more adept hackers can simply intercept the codes, as was the case with malware developed by a hacking group nicknamed Rampant Kitten. They can also make use of account-recovery systems to bypass the second factor altogether.
Some industrious hackers have even been known to alter their target’s phone carrier plan to transfer or port the number to a new account, thus gaining access to the customer’s authentication codes.
If you’ve ever been asked a security question, you’re familiar with Knowledge-Based Authentication, or KBA. The idea behind KBA is that if you can supply the answer to a question that only you would know, it theoretically proves you are indeed you. Examples of KBA questions include “What was your elementary school?” and “Where did you spend your honeymoon?”.
Unfortunately, on its own, this method is far from foolproof. For one thing, it may be a reasonable deterrent for strangers, but not for those who know your customer, such as a friend or family member.
Additionally, data breaches beyond a customer’s control have disseminated a deluge of private information ripe for fraudsters. Twenty years ago, Social Security numbers were closely guarded secrets, yet with numerous banking and lending institutions becoming the victims of cyberattacks, millions of Social Security numbers, credit card numbers, birthdays, addresses, etc. are on conveniently cataloged lists available for purchase in the seedier sections of the web.
Moreover, questions about your customers’ pets’ names or hometowns that may have been more secure before the advent of social media lose all security value when you can type a person’s name into Facebook and get what effectively amounts to an outline of someone’s life.
Credit Bureau-Based Options
The big three credit bureaus (TransUnion, Experian, and Equifax) maintain sensitive information on nearly everyone in America.
This makes them a prime point of reference for customer identity verification. If the information supplied by the customer matches the consumer credit data on file with the credit bureau, it serves as authentication.
The problem with this method of authentication is that, as previously discussed, just because someone has personal information about the customer, it doesn’t mean they are in fact the customer. It also has the major drawback of being useless for customers who have no credit history.
Additionally, the credit bureaus are targets of attacks themselves, the notable 2017 Equifax data breach having affected nearly 147 million people.
These significant drawbacks make credit bureau-based solutions better as a supplemental verification method and only for certain customer bases.
Data/Social Media Authentication
Data and social media authentication will ask customers to authenticate themselves by signing into another account (an account to which only the customer supposedly has access) as proof that the customer is who they say they are.
It works by linking the customer’s online identity to a matching profile on a website like Facebook or Twitter, a database of offline information, or even a set of behavioral patterns.
Where this method falls short is that it is much better at detecting bots than at detecting fraudsters. It is not difficult for fraudsters to fake a social media background, and on top of that, the method has no reliable way to verify that the person inputting the information is the person the information belongs to.
Additionally, customers without social media access (think Facebook in China) are cut off from this form of authentication, so you could end up abandoning a large segment of customers.
Digital Image and ID Verification
All of the methods above have elements of strong cybersecurity, but each is bogged down by exploitable flaws that can render it almost useless against dedicated hackers.
Online businesses need something more. They need ways to verify the person inputting the information is legitimately the customer to whom the information belongs.
This can be done using video ID selfies and selfie ID photos: verification protocols that require a prospective customer to take a photo of themselves holding their government-issued ID to prove that it is really they who are trying to access their information.
As most people are unlikely to have a photo of themselves holding their ID on a social media platform, it becomes that much harder for a fraudster to fake. These pictures can also be cross-referenced with photos in trusted databases to provide even further verification.
Combining or “Layering” Verification Methods
One of the best ways to account for the pros and cons of the various verification methods is to combine or “layer” two or more of them.
For example, you could combine Knowledge-Based Authentication (KBA) with Two-Factor Authentication (2FA).
With this combination, your business would be able to check multiple commercial data providers, each with well over a billion unique customer records, to verify information about almost anyone — including in various countries around the world. If the information provided by the customer matches the commercial database information, the customer would pass your KBA check.
As part of the KBA check, you would also verify the customer’s cell phone number or email address. Then, you would send a code by text/SMS or email to the same verified number or email address.
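The layered KBA-plus-2FA flow just described, written out as an added example (not Konfirmi’s product or code). A constructed record stands in for a commercial data provider, and an assumed deliver() callback stands in for the SMS/email gateway. The point to notice is that the one-time code is only ever sent to the phone number on record, never to a number the applicant typed in, so knowing the victim’s KBA answers is not enough on its own.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for a commercial data provider record; not real data.
PROVIDER_RECORDS = {
    "jane.doe@example.com": {"dob": "1984-03-09", "postal": "90210", "phone": "+15555550100"},
}

@dataclass
class Session:
    kba_passed: bool = False
    contact: Optional[str] = None     # copied from the provider record, never from the applicant
    otp_hash: Optional[bytes] = None  # only a hash of the code is kept server-side
    expires: float = 0.0
    attempts: int = 0

def _norm(value: str) -> str:
    return "".join(value.split()).lower()

def kba_check(session: Session, email: str, dob: str, postal: str, claimed_phone: str) -> bool:
    # Layer 1: the applicant's answers must match the provider record, phone number included.
    rec = PROVIDER_RECORDS.get(_norm(email))
    if rec is None:
        return False
    answers_ok = _norm(rec["dob"]) == _norm(dob) and _norm(rec["postal"]) == _norm(postal)
    # The code is later sent to the number on record, so a fraudster who knows the
    # victim's KBA answers cannot redirect it by typing in their own phone number.
    if answers_ok and _norm(rec["phone"]) == _norm(claimed_phone):
        session.kba_passed, session.contact = True, rec["phone"]
        return True
    return False

def issue_otp(session: Session, deliver: Callable[[str, str], None], ttl: int = 300) -> None:
    # Layer 2: send a one-time code to the verified contact; refuses if layer 1 was not passed.
    if not session.kba_passed or session.contact is None:
        raise PermissionError("KBA layer not passed; no code issued")
    code = f"{secrets.randbelow(10**6):06d}"
    session.otp_hash = hashlib.sha256(code.encode()).digest()
    session.expires, session.attempts = time.time() + ttl, 0
    deliver(session.contact, code)  # deliver() stands in for the SMS/email gateway (assumed interface)

def verify_otp(session: Session, submitted: str, max_attempts: int = 5) -> bool:
    # Constant-time, single-use, expiring, attempt-limited check of the submitted code.
    if session.otp_hash is None or time.time() > session.expires or session.attempts >= max_attempts:
        return False
    session.attempts += 1
    if hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), session.otp_hash):
        session.otp_hash = None
        return True
    return False
```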
Combining or “layering” verification methods would be easy and familiar for your customers to use, but very hard for fraudsters to spoof. Konfirmi provides exactly such a solution to quickly and easily add multiple “layered” verification methods to any website or app.
There will always be a balancing act between vigilant protection of your services against identity theft and fraud, and the ease of use for legitimate customers. Falling too far in either direction can be disastrous for a business.
You must choose the right customer verification methodology to maximize security and minimize obstacles in the onboarding process.
Making use of the latest technology is one of the best ways to provide customers with an experience they can feel secure about. These solutions exist right now.