Hint: One is more reliable than the other

Identity fraud, including account takeover attacks, affects 15 million Americans each year. In response, companies are looking for fraud prevention solutions that are easy to deploy, frictionless, and unlikely to trigger false positives.

Two popular methods of detecting fraud are behavioral biometrics and identity intelligence. In simple terms, the former analyzes how a user acts while the latter analyzes who a user is. Most behavioral biometrics and identity-based solutions can be deployed without impeding the user experience—a key prerequisite in the digital age—but they share little else in common.

Before breaking down the key differences between behavioral biometrics and identity intelligence, let’s look closer at each approach and why an identity-centric model is more reliable.

Behavioral biometrics

Behavioral biometrics measures a user’s physical and cognitive traits to differentiate between fraudsters and real customers. Unlike physical biometrics, behavioral biometrics doesn’t scan fingerprints or eyes; instead, it looks for patterns in how a user interacts online. For example, it might invoke keystroke dynamics to determine if someone (or something) is copy-and-pasting into a text form or typing.

Here are some other ways in which behavioral biometrics can examine a user:

  • Signature analysis
  • Gait analysis
  • Voice recognition
  • Lip movement

While behavioral biometrics is easy to integrate and improves the accuracy of fraud identification systems, it has its drawbacks. Being a nascent technology, assimilating it into your existing technology stack can be expensive. Once it is activated, stockpiling enough personal data to successfully analyze a user’s behavior will take some time. The aforementioned accuracy can also take a hit if a user strays from their typical behavioral patterns—a drunk or sick user might speak or type differently, an injured user might suddenly walk with a limp. Even a user’s setup can elicit false positives: consider someone who gets flagged erroneously, via keystroke analysis, because they use different keyboards at home, at work, and on the go.

The increased likelihood of false positives outlined above makes behavioral biometrics more suitable as a complementary fraud defense rather than a core solution.

Another flaw of behavioral biometrics is bias. Some solutions rely upon training data that skews toward one demographic. For instance, a 2018 study from MIT and Stanford discovered that the facial data used in at least one system was more than 77% white and more than 83% male.

Identity intelligence

Sophisticated anti-fraud tactics such as behavioral biometrics can be effective. But, in the era of synthetic identities, it’s not enough.

Detecting fake identities consisting of stolen passwords and other personal info requires robust security checks at point of entry and post-authentication tools that can zero in on inconsistent behaviors and preempt fraudulent transactions. Identity intelligence achieves precisely this.

Identity intelligence leverages massive datasets rife with insights on how legitimate users interact online. This knowledge helps neutralize fraudsters even if they possess a user’s login details. Contrary to behavioral biometrics’ need to ramp up its behavioral data for a given user, identity intelligence pulls from data that is ready to go from day one and, thanks to machine learning, constantly growing and up to date.

Identity intelligence homes in on both the person and their device. If George logs in, it finds out if it’s really George, and if the device in question belongs to him. Device usage offers identity-based solutions a plethora of behavioral insights: the types of mobile apps George uses during his morning commute, the wifi network he uses at work, the VPN he accesses on his home computer. Identity intelligence is the actionable, real-time, dynamic fraud prevention approach that closes the gaps left behind by behavioral biometrics.

Identity intelligence that can’t be faked

If a company needs identity intelligence to overcome the blindspots of their existing behavioral biometrics solution, or to remove the need for behavioral biometrics altogether, they’ll need as much identity data as they can muster. No one has more of this data than Deduce.

Deduce boasts the largest real-time identity graph for online fraud in the US. The brain behind our identity intelligence, the Deduce Identity Network, comprises more than 500 million anonymized user profiles and over 1.4 billion daily activities. This sizable (and fully compliant) data stack prevents the false positives that would hinder a behavioral biometrics solution.

Furthermore, given fraudsters’ proclivity for learning to hack new technologies (like behavioral biometrics), businesses can be assured that Deduce’s identity intelligence cannot be bamboozled. Fraudsters are too cheap to outwit our network. Circumventing such a vast arsenal of user profiles, website and activity data—over an extended period of time—requires money, time and effort they can’t afford.

Want to give our identity intelligence a spin? Even if you’ve already implemented a behavioral biometrics tool, Deduce can be layered right on top. Contact us today and get started in just a few hours.

New device ID and its pesky false positive problem

Every day, supermarket and liquor store cashiers reject wannabe McLovins attempting to buy six-packs with a fake ID. Likewise, every hour—perhaps every minute—fraud prevention solutions reject online logins and transactions due to a new, unfamiliar device ID.

The problem? Only 2% of fraud is perpetrated by a new device. The new device ID risk signal, one of the most widely used by authentication platforms, is guaranteed to trigger a false positive fraud risk for the 98% of good customers—and trigger a deluge of rage along with it. Per PWC, one in three consumers ditches a brand following a negative user experience; it’s hard to get more negative than erroneous multi-factor authentication (MFA) or a wrongfully canceled purchase.

False positives cost US e-commerce merchants $2 billion per year. That’s nearly 3% of their revenue, not far behind fraud-related costs (7.6%)—a possible death knell for e-tailers with razor-thin margins. 

Part Two of our “Mixed Signals” series explores the flaws of the new device risk signal, and how to combine new device ID with real-time data to keep users (and bottom lines) intact.

False positives aren’t the only problem

Device-based authentication leads to a flurry of false positives, including a 30-50% false positive rate associated with geolocation sensitivity. But it doesn’t end there. To avoid flagging legitimate customers, solutions need to track a variety of real-time risk and trust signals.

Outside of false positives, here are other downsides of counting on the new device risk signal alone:

Device spoofing. Spoofing a user’s device is a cinch and ubiquitous enough to render device ID, by itself, unsuitable for verification.

Advanced attacks. Solutions reliant upon device ID won’t detect complex attacks involving social engineering and automation (man in the middle, remote access tool attacks, etc.).

Actionability. The number of users logging into new devices at new locations overwhelms device-based anti-fraud solutions. Consequently, good users on unfamiliar devices will be burdened with friction and deemed high-risk.

Why device ID causes false positives

The chief failing of device ID authentication is that it doesn’t account for one simple fact: consumers are constantly toggling between devices or buying new ones altogether.

Cell phones are only one of the devices that users swap, either because they dropped one in the toilet or because they desire the latest and greatest model. It’s also not uncommon for more than one person to use a device, such as a tablet or desktop computer, making the new device risk signal an inadequate means of verifying user identity.

The increasingly remote nature in which we work and interact presents new challenges for device ID authentication—even when paired with geolocation and behavioral biometric data (both can be spoofed). For instance, someone who’s temporarily telecommuting from a family member’s house might use that individual’s computer to buy goods. Or, someone might be in quarantine at a hotel and get flagged for using their mobile device at an unusual location. Sharing login credentials with friends and relatives across households and devices is another sure-fire way to set off the device authentication tripwires.

Silencing the false alarms

Similar to device fingerprinting—a way of positively identifying a device by recognizing its unique software and hardware characteristics—real-time data is the key piece missing from device-based authentication.

The Deduce Identity Network melds the new device risk signal with other data such as device, IP, geolocation, and activity (login, checkout, account creation, password reset, etc.) to generate comprehensive real-time behavioral intelligence that drives a calculated risk or trust signal. This prevents legitimate users from being flagged and the resultant friction that makes them jump ship. 

Deduce’s 500 million anonymized user profiles, 150 thousand websites and apps, and over 1.4 billion daily activities provide a rock-solid determination of user trust—or, conversely, flat-out fraud. Device spoofing is rampant, but the Deduce Identity Network won’t fall for the fakes. Fraudsters can’t afford to create a synthetic identity capable of fooling the largest real-time identity graph in the US.

The Cliff Notes: Don’t sink users in a quagmire of friction when they’re merely transacting from a new phone or shopping for clothes on their parents’ Macbook. Treat legitimate customers like distinguished guests, not criminals.

Ready to tap the collective intelligence of our Identity Network and experience the serenity of avoiding new device false positives? Click here to learn more.

Wipe location spoofers and false positives off the map

Geolocation, geolocation, geolocation. It’s one of the common risk signals tracked by anti-fraud solutions and often the reason legitimate customers are thrown into account verification purgatory.

Geolocation locates users via a GPS signal, IP address mapped to geography, wifi network locations, or web browser location information on their device. Geolocation is helpful in combating fraud, that is, if it’s used properly. However, many fraud prevention companies erroneously depend on IP address alone, and don’t possess the data at scale to differentiate between a fraudster and someone who’s simply transacting in an unfamiliar area. This makes businesses susceptible to location spoofing—when fraudsters falsify their location by using a virtual private network (VPN) or IP spoofing techniques.

Ineffective use of geolocation also contributes to online payment fraud, which is expected to cost businesses 200 billion by 2024. Additionally, verifying location without the right intelligence leads to the much-maligned false positive, and from there metastasizes into a user experience nightmare.

How geolocation impacts users

Account takeover by way of location spoofing isn’t fun for businesses—particularly merchants who bemoan chargebacks—and neither is a false positive credit card decline, which unnecessarily annoys users and causes a churn reaction.

Imagine traveling to another state on vacation and needing to gas up your rental car. Easy enough. But the gas pump declines your credit card transaction, requiring you to call your bank and verify your identity, or, heaven forbid, actually have to go and talk to the member of staff in the office, which in turn throws off the timing of your family’s tightly packed itinerary. Even worse, what if you can’t buy a plane ticket because the airline triggered multi-factor authentication (MFA) and seats filled up by the time you verified your identity?

A recent fraud surge on the Nike SNKRS app exemplified the impact of location spoofing across verticals. The app released a special pair of sneakers only made available to customers within a certain region. Predictably, fraudsters manipulated their IP addresses in order to buy the sneakers, leaving a slew of unhappy SNKRS users in their wake.

Whether users are falsely identified as bad actors or locked out of buying a rare pair of shoes, relying on IP addresses alone to stop fraud is damaging to a brand’s user base and reputation.

IP address isn’t spoof-proof

IP addresses are easily exploited by fraudsters. Tapping a VPN or other proxy to conceal their location requires minimal sophistication. As such, businesses need to supplement IP data with additional location intelligence to accurately identify trustworthy users (and keep bad ones out). Conversely, they need to be able to identify when a legitimate, privacy-concerned user accesses online services and apps via a VPN. 

The question remains, then: What is the best (read: only) way to successfully outwit location spoofers and avoid geolocation-triggered false positives?

Relieving geolocation irritation

If location-spoofing fraudsters have your compass spinning out of control, Deduce’s identity intelligence data can provide a sense of direction. Deduce combines real-time and historical data to eliminate false positives, discerning if a user is fraudulent or if they’re simply a good, tax-paying citizen who’s on the move. 

Powered by the Deduce Identity Network—500 million anonymized user profiles, 150 thousand websites and apps, over 1.4 billion daily activities—Deduce’s algorithms analyze multiple trust signals, in addition to IP, for a given user (device, network, time of day, and a lot more) to determine if a user is legitimate.

By tracking online activity related to time of day, day of week, and specific activities such as logins, account creation, checkout, forgotten password, etc. over time, Deduce is able to discern “normal” behavior from fraudulent behavior. (After all, you’d be suspicious if your neighbor started mowing his lawn at 10:00pm, right?) As an identity’s activity is tracked over the course of two weeks, a month, six months, and so on, a more accurate picture of an identity’s behavior is established and the confidence factor increases. In fact, Deduce is likely the first to know when an ATO has occurred, usually well before the victim themselves.

In rare cases in which Deduce is not able to determine fraud via geolocation, our Customer Alerts feature quickly notifies consumers to confirm their identity and location. This feedback only strengthens Deduce’s algorithms to ensure such verification measures aren’t necessary in the future.

User experience isn’t the only incentive for companies to fortify their geolocation authentication. In some industries, such as online gaming, Deduce’s intelligence layer could prevent enormous fines related to regional gambling laws and/or the collapse of a company altogether. All the more reason to ditch an IP-only approach.

Ready to jump-start geolocation in your fraud prevention efforts? Contact us today and try Deduce for free.

Synthetic fraudsters can’t fake it anymore

No one embraces the aphorism “fake it till you make it” more than a synthetic fraudster.

This burgeoning variety of bad actor combines stolen info, such as a phone number and address, with fake info to create an entirely new (and bogus) identity.

A recent study from Aite-Novarica Group predicted that synthetic identity fraud will jump from $1.8B in 2021 to $2.42B by 2023. It also surveyed a group of top fraud executives who pegged “synthetic identities resulting from application fraud” as one of their most worrisome threats. And, as if the alarm bells weren’t already loud enough, the Federal Reserve put out a video in February to raise awareness about synthetic identity fraud.

Let’s take a closer look at the synthetic fraud landscape thus far in 2022. Then, we’ll show you how Deduce is outflanking the fakers.

Chasing ghosts

Our initial primer on synthetic identity fraud in February cited experts who foresaw an uptick in synthetic attacks in 2022. Three months in, it seems these experts lived up to their reputation as synthetic identities continue to negatively impact myriad industries and the consumer victims they leave in shambles.

In 2020, financial institutions suffered $20 billion in losses due to synthetic identity fraud. The use cases keep piling up: suspicious auto loan applications (260% increase); Buy Now, Pay Later fraud (66% increase from 2020 to 2021); and synthetic refund fraud, to name a few.

Financial harm to businesses isn’t the only concern. Profits from synthetic identity fraud are also linked to terrorism and human trafficking. Parents even have to protect the financial futures of their young children who may not realize their identity was stolen until after applying for a credit card as an adult. Hacked school databases and social media accounts led to 1.25 million stolen child identities in 2020.

The most frustrating element of synthetic identity fraud for consumers, businesses, and law enforcement is the elusiveness of the perpetrator. Pinpointing the real human behind a “Frankenstein identity” is like chasing a ghost. A mishmash of, say, a random person’s address, another individual’s stolen social security number, and a made-up name, is more than enough to throw investigators off the scent. Complicating matters is the patience of synthetic fraudsters who often prefer playing the long game by taking out smaller loans, paying bills on time, and otherwise keeping a low profile.

Fraud prevention solutions are tasked with a different set of challenges, namely: how do you stop a synthetic fraudster early, before an attack can take place, and is that even possible?

You can’t fake it

Preemptively stopping synthetic fraudsters in their tracks is indeed possible—if the largest real-time identity graph in the US is at your disposal.

Deduce’s Identity Network is just that. We’re a relatively young company, but our data is clever beyond its years, powered by more than 450 million anonymized US user profiles (many US residents have more than one email) and 1.4 billion daily activities. 

Think of Deduce as the wise old owl who’s seen every fraudster scheme in the book. Our vast database of user profiles and activity successfully prevents synthetic identity fraud for one key reason: it’s too expensive for synthetic fraudsters to fake us out. The number of websites, diversity of activity, and length of time needed to circumvent our defenses—all using the same device and identity—would be too costly. (Fraudsters are a thrifty bunch.)

Given the patience of synthetic fraudsters and their efforts to legitimize fake identities by opening bank accounts, paying utility bills, etc., the static data traditionally used to prevent breaches isn’t sufficient. Real-time user activity, on the contrary, gives the Deduce intelligence layer the upper hand no matter how many real and fake details they’ve cobbled together.

And, because the Deduce Identity Network offers both risk and trust signals, you’ll combat synthetic bad actors while making sure legitimate users aren’t mistaken as false positives.
If you’re looking for a synthetic antiseptic, contact us today.

Auth0 adds Deduce to its partner integrations

Time flies when you’re fighting fraud. 

It’s already been a week since Fast Company named Deduce the most innovative security solution of 2022. Now, our intelligent MFA technology is available on the Auth0 Marketplace, delivering increased security and an outstanding user experience to a huge swath of customers.

A no-code collaboration for the ages

Teaming up with Auth0 isn’t peanuts. The leading identity platform, acquired by Okta in 2021, secures access for some of the world’s biggest companies, including 1-800 Flowers, Pfizer, Sharp, and Subaru. Thanks to Deduce’s no-code integration, Auth0 customers can deploy our Intelligent MFA solution without breaking a sweat. Simple drag and drop tools enable users to add Deduce to any Auth0 workflow and choose the appropriate risk signals for their needs.

Deduce’s Intelligent MFA is especially impactful for risk-averse, regulated industries such as banking, fintech, insurance, gaming, and others. E-commerce companies that don’t employ such a solution can also be negatively affected, stung by false positives that result in abandoned shopping carts and lost customers.

Deduce’s Intelligent MFA adds just that—intelligence—to create an exemplary user experience. Our real-time intelligence layer analyzes 75 risk and trust signals for each privacy-compliant identity so only real account takeover (ATO) threats are flagged.

Here are some of the risk signals Deduce accounts for:

  • New IP Found (Is this IP new to this identity?)
  • New Device Found (Is this a new device for this identity?)
  • Suspicious Activity—Time of Day (Is this time of day not normal or suspicious for this identity?)
  • Impossible Travel Detected (Would it be impossible for a user to travel to a new location from the last known location in the given timeframe?)
  • IP / Account Cycling Detected (Has this IP frequently cycled over many different accounts?)
  • Malicious IP Detected (What malicious activity was observed for this IP across our network?)
  • Network Proxy (Is this identity using a malicious proxy?)
  • Network Hosting (Is this identity using a hosted network?)

Powering these risk signals is the Deduce Identity Network: the largest real-time identity graph for online fraud in the US. With over 450 million anonymized user profiles and upwards of 1.4 billion daily activities at its disposal, the Deduce Identity Network and its Intelligent MFA application provide a critical layer of identity fraud defense to your Auth0 Identity Platform.
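The sketch below shows how several of the risk signals listed above can be combined so that a new device alone does not trigger a challenge, while a reused device ID arriving from an implausible location does. It is an added example, not Deduce's code or scoring; the weights, thresholds, field names and login records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner cruise speed
MIN_TRAVEL_KM = 50.0        # assumption: ignore IP-geolocation jitter below this
CHALLENGE_THRESHOLD = 50    # assumption: score at or above this triggers MFA
# Assumed weights; a real system would fit these to labelled outcomes.
WEIGHTS = {"new_device": 20, "new_ip": 20, "unusual_hour": 15, "impossible_travel": 60}


@dataclass(frozen=True)
class Login:
    when: datetime
    device_id: str
    ip: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def hour_gap(a, b):
    """Circular distance between two hours of the day (23 and 1 are 2 apart)."""
    return min((a - b) % 24, (b - a) % 24)


def risk_signals(history, event):
    """Return the names of the risk signals `event` raises against past logins."""
    if not history:
        return {"new_device", "new_ip"}  # no baseline yet: everything is new
    signals = set()
    if event.device_id not in {h.device_id for h in history}:
        signals.add("new_device")
    if event.ip not in {h.ip for h in history}:
        signals.add("new_ip")
    # Unusual hour: no earlier login within two hours of this time of day.
    if all(hour_gap(event.when.hour, h.when.hour) > 2 for h in history):
        signals.add("unusual_hour")
    # Impossible travel: speed needed since the most recent login is implausible.
    last = max(history, key=lambda h: h.when)
    hours = (event.when - last.when).total_seconds() / 3600
    km = haversine_km(last.lat, last.lon, event.lat, event.lon)
    if km > MIN_TRAVEL_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
        signals.add("impossible_travel")
    return signals


def decide(history, event):
    """Combine all signals into a score and a decision."""
    signals = risk_signals(history, event)
    score = sum(WEIGHTS[s] for s in signals)
    return ("challenge" if score >= CHALLENGE_THRESHOLD else "allow", score, signals)


def device_only(history, event):
    """Baseline the page criticises: challenge on any unfamiliar device ID."""
    known = {h.device_id for h in history}
    return "challenge" if event.device_id not in known else "allow"


def at(day, hour, minute):
    return datetime(2022, 3, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample data (documentation IP ranges, approximate coordinates).
HOME = ("198.51.100.10", 40.71, -74.01)
OFFICE = ("203.0.113.7", 40.75, -73.99)
FAR_AWAY = ("192.0.2.55", 1.35, 103.82)
HISTORY = [
    Login(at(1, 13, 5), "laptop-1", *HOME),
    Login(at(2, 13, 20), "phone-1", *HOME),
    Login(at(2, 22, 40), "laptop-1", *OFFICE),
    Login(at(3, 13, 10), "phone-1", *HOME),
]
NEW_PHONE = Login(at(4, 13, 30), "phone-2", *HOME)       # same user, new handset
SPOOFED = Login(at(3, 14, 0), "phone-1", *FAR_AWAY)      # known device ID, 50 min later
TAKEOVER = Login(at(3, 16, 10), "unknown-9", *FAR_AWAY)  # everything unfamiliar

if __name__ == "__main__":
    for name, ev in [("new phone", NEW_PHONE), ("spoofed id", SPOOFED), ("takeover", TAKEOVER)]:
        print(name, "| device-only:", device_only(HISTORY, ev), "| combined:", decide(HISTORY, ev))
```

The device-only baseline challenges the legitimate new handset and waves through the reused device ID; the combined score reverses both outcomes.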

A cooler way to MFA

At Deduce, we believe there’s a cooler way to MFA, which, let’s face it, can sometimes feel like “More Frustrating Authentication.”

Most MFA solutions trigger far too many false positives and burden legitimate users with circuitous verification processes. This often leads to churn, and potentially a costly hit to company reputation. A recent CMO Council report hammered this point home, indicating that 81 percent of users preferred companies that enabled easy and secure account verification, with more than 60 percent having canceled a transaction due to an inefficient authentication process.

Easy setup

Check out our solution brief to see how integrating Intelligent MFA into Auth0 can help you reduce friction, improve conversions, combat fraud, and keep customers happy. Additionally, this guide walks Auth0 users through the Intelligent MFA activation process (it’s a cinch!).

As for prerequisites, there aren’t many: an Auth0 account and tenant (sign up for free here); an API Key and a Site ID (reach out to [email protected]); and a tenant with MFA enabled.


To learn more about our partnership with Auth0, read the official press release.

Our software won some serious hardware

Deduce is closing out the winter season with a flurry of exciting announcements. First up: Fast Company included us on its list of The World’s (50) Most Innovative Companies, joining the likes of Microsoft, Stripe, and SpaceX. 

Even better (catches breath), Fast Company awarded us the number one spot in the security category.

We can’t think of a better way to punctuate the growth of our Deduce Identity Network, which recently surpassed 450 million anonymized profiles and 1.4 billion daily activities across 150,000+ websites and apps—all fully privacy-compliant. These big numbers spell big-time problems for fraudsters, and we’re humbled that Fast Company named us the top innovator alongside other impressive cybersecurity solutions.

In response to the Fast Company honor, our founder/CEO Ari Jacoby highlighted Deduce’s momentum over the past year, including 500% year-over-year growth. Jacoby emphasized how Deduce is “providing a critical yet previously unavailable capability” that prevents fraud while delivering a trusted user experience.

The trusted user experience piece is crucial. Deduce’s dynamic data adds an intelligence layer on top of friction-laden approaches like MFA, significantly curtailing account takeover, account creation fraud, and false positives. Less fraud and churn translates to happier customers, and mitigates reputational damage caused by data breaches.

The Fast Company news follows a momentous 2021 campaign in which we raised our Series A, moved the Deduce HQ from Philly to New York, bolstered our executive team, and received numerous accolades (AI Fintech 100, Stratus Awards, Fortress Cybersecurity Awards, and more). 2022 is shaping up to be our biggest year yet, and we still have more to celebrate before Q1 draws to a close—stay tuned!
For more on this announcement, check out Fast Company’s write-up on Deduce and the official press release.

Fraudsters are a virtual nightmare for metaverse users (and companies)

Skepticism aside, the metaverse is primed to be the next phase of the internet.

You may not enlist a metaverse real estate agent to buy virtual property next to Snoop Dogg, but there’s a fair chance you’ll have your own 3D avatar within the next few years. After all, the metaverse market could be worth $800 billion by 2024.

As with any new technology, the danger of fraud increases as more users and brands hop aboard the metaverse wagon. It behooves companies to hatch a plan of defense against bad actors in the metaverse while it’s still early.

More data, more problems

If you thought the flat-screen world collected an extreme amount of data from its users, the metaverse would like a word. Thanks to wearable NFTs, virtual avatars and headsets, an online AR/VR playground gathers behavioral data that goes beyond location and search engine queries. Even eye movement can be tracked and analyzed.

More data going in means more data going out — to marketers, and to fraudsters. Brands can tailor customer experiences like never before and perfect their go-to-market strategies; meanwhile, bad actors can attack the metaverse from an inordinate number of touchpoints.

The metaversal landscape and types of data extracted from users may be new (and subject to privacy and compliance concerns), but the fraudster schemes are all too familiar.

What does metaverse fraud look like?

Because the metaverse incorporates online gaming elements into its user experience — digital avatars, achievements, in-game currency — both share similar cybersecurity concerns.

Like other verticals, account takeover (ATO) remains the biggest threat. Hijacking an account allows fraudsters to drain crypto funds, but they can also assume that person’s identity — to the chagrin of the victim who may have spent countless hours building up their metaverse cachet — or sell the account on a third-party marketplace.

The trafficking of crypto in the metaverse opens it up to scams like rug pulls and innovative phishing attacks. There is also the danger of account creation fraud, which leads to money laundering and promotional abuse, as well as friendly fraud and chargebacks that can arise from metaverse transactions.

Bundle up!

Preventing fraud in the metaverse isn’t all that different from surviving a blizzard: both require layering up. This is especially true at the account creation and login stages, where credential stuffing is a breeze thanks to fleets of automated bots.

The essential part of any layered anti-fraud approach, reality or virtual reality, is dynamic data — real-time insights that plug the holes in account verification tactics such as 2FA, MFA, and device fingerprinting. The Deduce Identity Network does just that, tapping more than 500 million anonymized user profiles and 1.4 billion daily user activities to verify accounts faster and more securely. Device fingerprinting, for example, will produce false positives as the metaverse is accessible on multiple devices. Add the intelligence of a Deduce platform, and more legitimate users will get in, stress- and friction-free.

The metaverse may be a relatively new phenomenon, but fraudsters are already a step ahead. Last year, metaverse companies saw an 80% increase in bot attacks and 40% increase in human-driven attacks. The best way to catch up and preempt these attacks is to fortify defenses at registration and login, which significantly improves user experience and curbs churn and reputational damage. Neglect to install a real-time intelligence layer, though, and it could cause a virtual nightmare.

Decentralization doesn’t equal invulnerability

It seems like every day there’s a new kid on the blockchain, a new cryptocurrency, a new crop of crypto-curious consumers hankering for a taste.

Trafficking in crypto requires choosing from a plethora of crypto wallets — what consumers use to buy crypto and store their private keys — but those, even with the decentralization of Web3, have proven vulnerable to fraud.

We took a closer look at five crypto wallets to study these limitations ourselves, as well as their impact on the user experience. Here is what we found.

Seed phrase malaise

A common way in which users gain access to their wallets is the almighty seed phrase. This randomized combination of 12–24 words, automatically generated by the wallet, acts as a master password that unlocks the private keys used to buy and sell crypto.

We were assigned seed phrases of our own on wallets imToken and Trust (the latter offers the option to use a passcode instead and only utilize your seed phrase as a backup). Your seed phrase is sacred; if someone else knows it, they can steal all of your crypto. Screenshotting it or storing it in the cloud is a no-no. That only leaves one option: writing it down.

A seed phrase example from the Trust wallet

Some people go the extra mile to protect their seed phrase — storing it across multiple safety deposit boxes, engraving it in steel — and for good reason: if they lose it, or if it’s compromised, game over. Given the added friction of both storing and entering a seed phrase upon each transaction, and the potentially life-altering ramifications of losing it, it behooves wallets to find a safer and more secure alternative.

The problem with biometrics

Argent, MyCrypto, and MyEtherWallet all enabled us to log in via Touch ID. From a friction perspective, this is preferable to 2FA solutions texting users a one-time passcode that can be hacked through SIM-swapping. But, while the passwordless convenience is nice, Touch ID and similar biometric tools aren’t as secure as you think.

Per a 2021 report from Kraken, it costs bad actors no more than $5 to spoof a fingerprint. Sure, Touch ID will soon give way to Face ID, but facial recognition can be bypassed just as easily. Silicone masks, pulling pictures from social media, and other workarounds aren’t tall tasks for fraudsters eyeing hundreds, thousands, millions of dollars worth of crypto.

Creating a pin on MyEtherWallet

Argent and MyEtherWallet provide a six-digit passcode alternative to Touch ID. This is problematic as well. What if you forget your pin code and (gulp) the seed phrase needed to reset it? Not to mention the credential-stuffing risk posed by folks who reuse pin codes across different wallets and/or websites.

No time like the present

A recent survey from NordVPN found that 32% of respondents who were aware of cryptocurrency hardly knew about the dangers of crypto-related fraud. As the popularity of crypto and decentralized apps on Web3 continues to rise, this could lead to lots of friction-averse users and compromised wallets if the existing verification methods aren’t tweaked to create an experience that is both seamless and secure.

A new wave of phishing attacks hit the Web3 landscape just last week. If fraudsters aren’t stealing users’ pin codes by impersonating wallets or deploying malware, they’re typosquatting to attract users to dummy websites and seizing their tokens via misleading smart contracts.

If there’s one silver lining, it’s that the transparent nature of Web3 allows for measuring financial impact and identifying opportunities for improvement. Nevertheless, the time to beef up Web3’s security is now, while still early in its development.

Sunny, with a chance of ATO

New year, new resolutions. For some, that means a Planet Fitness membership or Dry January; for us, it means continuing to neutralize bad actors and innovate for a fraud prevention industry saddled by hindered data access and outmoded tactics.

What changes does the Deduce team want to see happen in 2022? Here are a few predictions from our resident soothsayers.

Ari Jacoby, Founder/CEO

Ari believes “coopetition” among cybersecurity firms will help close the data poverty gap in 2022.

From 2019 to 2020, we saw a 300 percent jump in account takeover (ATO) fraud alone. This year, unfortunately, that figure is likely to get worse. Most will attribute this to the uptick in online usage amid the pandemic, which is certainly valid, but data poverty plays a role as well.

Data is the new currency. Most of the valuable data — specifically real-time behavioral data — is confined within the walled gardens of the MANGA Gang. This makes ‘coopetition’ between cybersecurity firms imperative.

Competing companies in the financial, adtech, and healthcare industries often exchange actionable data without any problems. Until fraud prevention companies follow suit, predictive algorithms won’t reach their full potential and ATO will continue to keep execs up at night. I’d love to see the data poverty gap close in 2022, but I’m afraid the worst possible outcome from this issue — another massive data breach — could happen again this year if cybersecurity leaders don’t put their heads together.

Robert Panasiuk, CTO

Robert anticipates a growing, albeit insufficient, number of legacy software solutions changing the way in which they deploy their apps.

This year, we’ll see more companies shift to a devops deployment model that gets new customers up and running in hours instead of months. However, even with the devops model’s ability to fast-track go-to-market and deployment — an absolute must in today’s landscape — some enterprise businesses will stick to their legacy guns.

Other legacy holdouts will struggle to pass up the efficiency of the devops model, particularly those needing a fraud prevention solution that outraces fleet-footed fraudsters. Rapid deployment, unshackled by the months of development and testing required by legacy systems, delivers a first-class customer experience. The devops approach also enables best-of-breed solutions to be easily integrated. Case in point: the Deduce MFA Intelligence solution will be available in the Auth0 marketplace, which will reduce false positive MFA challenges by more than 50%.

A mass migration to the devops model? Probably not in 2022. But I’m guessing more execs at the C-suite level will finally part ways with unmaintained, outdated legacy technology and prioritize devops-style fraud tools that update seamlessly and can keep up with fraudsters and user demands. Similar to last year’s Okta-Auth0 acquisition, we may see another major legacy company buy a devops-based solution outright.

Adish Kasi, VP Sales

Adish expects to see a significant jump in passwordless adoption this year.

Passwordless login solutions are already on the rise. In 2022, I believe we’ll see a significant jump in passwordless adoption and user buy-in.

Modern app users are growing more and more tired of keying in username/password combos upon each visit, and companies loathe the friction — and subsequent churn — this causes. In 2021, Experian’s Global Identity & Fraud Report polled more than 2,700 businesses and 9,000 consumers about their preferred login approach. Passwords landed outside the top three, beat out by physical and behavioral biometrics and SMS PIN codes.

This year, I see a larger contingent of users (and companies) prioritizing a seamless customer journey accompanied by a transition to passwordless solutions. However, the barrier to entry, and the Achilles’ heel, for mass adoption in this space entails designing an intelligent solution for device enrollment and account recovery. What happens if your primary device is lost or stolen? How does an organization curtail risk at the moment of device enrollment?

Identity intelligence, as a new categorical solution, will emerge as a vehicle for helping organizations through the transition to passwordless solutions.

That concludes our resolutions. If your resolutions have fallen by the wayside, here’s a free one from Deduce: leverage real-time insights to protect your users (and user experience) from identity fraud.

The Deduce Identity Network is just the ticket. Learn how our coalition of 150,000 websites and apps and over 450 million anonymized profiles can mitigate account takeover, account creation fraud, and other cyberthreats.

Online gaming fraud is soaring. Here’s what to do about it.

The global gaming market is expected to reach $287 billion by 2026, a significant jump from $168 billion in 2020.

More gamers click-clacking their controllers and keyboards means more fraudsters champing at the bit, taking advantage of vulnerable online gaming platforms with exploitable security defenses. In fact, bad actors accounted for more than a third of gaming traffic in 2020.

Perhaps more than any other vertical, the schemes cooked up by fraudsters in the gaming sphere are both multitudinous and exceptionally cunning. The end result, however, is the same for gaming companies: defrauded users, lost revenue, and churn.

Here is a closer look at why online gaming fraud isn’t a game, and how video game publishers and services can hit the reset button and protect players from malicious (and costly) online attacks.

A formidable ATO arsenal

As we speak, gaming fraudsters are running a variety of account takeover (ATO) scams targeting naive players. Much of this is happening in the PC gaming world, specifically on gaming distribution service Steam, which controls about 75% of the PC market.

One scam that’s made the rounds as of late starts off like many others do: with a seemingly innocuous DM. “I accidentally reported your Steam account,” says the bad actor, intimating to the unsuspecting user that they should contact a Steam admin to avoid getting banned. The problem is that said “Steam admin” is in on the heist, so once the player sends screenshots and other sensitive information to the fake admin, it’s game over for their account.

Other common Steam schemes hack players through legitimate-looking third-party websites or item inventory pages. One fraudster, messaging from a compromised friend’s account, might ask a player to visit a website and vote for them to participate in an upcoming tournament. Another fraudster will share a link to a bogus marketplace selling skins (visual enhancements to a character’s appearance or weapon). Login credentials are entered and subsequently phished; accounts are taken over and drained, then used to bait the next batch of players.

When you factor in the classic forms of online fraud — transaction fraud, promotion abuse, friendly fraud — the bag of tricks for gaming fraudsters runs quite deep. And the in-game assets they’re stealing are more valuable than one might think.

No time to play around

For consumers, in this case video game players, having their accounts seized is costly and painful. Aside from losing the money in their digital wallets, players can be stripped of in-game assets (collectively valued at $50 billion) they either purchased or earned through hours and hours of gameplay. Imagine spending potentially weeks or months stacking achievements and stats only to lose it all in a few minutes.

For gaming companies, ATO fraud represents the worst possible version of Space Invaders: measly defense lasers outmanned by endless rows of fraudsters and fake accounts. Revenue is lost; in-game economies are thrown out of whack; users churn away due to a lack of trust; and don’t forget the possibility of a large-scale breach.

Beefing up security at the account creation and verification stages is the right idea, but more friction won’t help matters. Gaming companies must protect their players — and their revenue — but avoid scaring them away with sluggish MFA solutions.

Game on, fraudsters

Protecting online gamers from ATO is comparable to fighting fraud in any other vertical that requires account creation and logging in. Authentication methods like 2FA and MFA can help, but they add unnecessary friction and rely on flawed static data. The panacea lies in real-time insights, dynamic data that can effectively combat ATO schemes like credential stuffing and synthetic identity fraud.

Deduce realizes that ATO is not a game. Our real-time Identity Network taps more than 450 million anonymized user profiles and 1.4 billion daily user activities across 150,000 participating websites and apps to prevent account creation fraud that leads to ATO downstream. Faster and more accurate authentication makes for happier players and robust revenue.

Want to make your user experience seamless and secure? Give us a shout today and see how our Collective Intelligence Platform can keep the good people in and the bad people out.