Companies Lean on Biometrics, Machine Learning to Stay ‘One Step Ahead’ of Fraudsters

Wessel Matthee, information security compliance manager at Entersekt, told PYMNTS that through the past few years, there’s been a shift in the ways in which fraudsters try to steal personally identifiable information (PII).

Phishing scams were the lure of choice before the pandemic, he said. “But fraudsters are always going to try to stay one step ahead” of efforts to keep PII safe.



The best way to defend against malevolent forces is to think about how a hacker might target an individual or company — and take an approach driven by advanced technologies that keeps us all one step ahead of the fraudsters. Over the past two years, as so much activity has shifted online, the attacks have become more targeted in nature. The data that bad actors obtain can be used to eventually lead them to card- and account-specific information.

Right now, many of those attacks are focused on the healthcare industry, given all the sensitive data collected in this vertical.

“Many of those healthcare companies are storing that information because they need it in order to assist with vaccinations” and other public health initiatives, Matthee said. Once the cyber thieves have winnowed their way into the healthcare providers’ data troves, they’re able to pick and choose information that, in turn, can be used in a lateral way to eventually get to card-level info. There’s also the ability to sell that data on the dark web.

Fraud constantly evolves with the aid of social engineering and data scraping. Criminals have advanced tech at their disposal in the quest for PII.

“Instead of doing it manually, they can just run a tool, run a script, find the information, put that into the tool, and then find out what would be the best method and highest ‘risk location’ to access,” he said.

Matthee contended that fraudsters also are likely to pivot increasingly to targeting mobile network operators so that authentication processes themselves wind up being compromised. One-time passwords (OTPs) can be compromised, and if the network operator is breached, those passwords can be redirected. And because consumers have an inherent trust in their mobile providers and OTP as a method of authentication, the vulnerabilities are significant.

To mount the best defense, he said, there’s some education that’s needed at the consumer level — with explicit consent in the mix — to make sure that the data that companies do collect isn’t just used to craft marketing campaigns.

“Customers need to know that the information is only being used to provide a service and the data is being monitored and is secured and encrypted,” he said.

Such reassurance is reinforced when providers, enterprises and processors work together to protect that data and convey that collaboration to individuals.

Consumers “want a seamless process in order to make a payment quickly, and they don’t want to go through a login process every time they want to make a transaction,” Matthee said.

Authentication methods driven by advanced analytics can leverage biometrics or other personalized ways in which users can feel secure as they transact, he said.

On the provider side of the equation, machine learning and artificial intelligence (AI) via platforms such as Entersekt’s can help track — in real time — denial of service attacks and other fraud schemes, he said.

“You can see the patterns” that can help guard against attacks in the future, he told PYMNTS, “as the hackers are always going to try to find new ways to ‘get through.’”