For a great example of an attempt at security that does much more to annoy legitimate consumers than to actually fend off fraudsters, look no further than CAPTCHA. Though not quite as ubiquitous as it was a few years ago, the challenge-based verification tool asks users to prove their non-bot status by identifying every photograph with a crosswalk, or pinpointing a number drawn crudely in crayon, or completing any number of familiar visual puzzles that are theoretically easy for a human to solve, but that go beyond what a bot can be programmed to do.
Theoretically – but not actually. As any consumer who has ever cursed their way through a series of CAPTCHA tests can attest, they aren’t always that easy to solve. And, as DataVisor’s CEO and Co-founder Yinglian Xie told PYMNTS, they aren’t actually all that hard for computers to beat.
“When we put these detection mechanisms in the space, we have to take a holistic view of what is going to drive security, but also reduce friction,” Xie said. “So before we add another layer of authentication, we should ask, is this actually going to serve a purpose or solve our problem?”
And while CAPTCHA is a glaring example of a “security” step that mostly succeeds in locking out valid customers, the same logic applies to all of the little stutter steps a user must clear during an experience – making and maintaining a list of distinct but memorable passwords and usernames for their dozens of accounts, choosing their secondary authentication channel for two-factor authentication (2FA) or stopping to scan a fingerprint or their face. None of these things are necessarily deal-breakers on a digital journey, Xie noted, but they are certainly an annoyance – and in many cases, they don’t do nearly as much to protect commerce as they do to impede it.
What is necessary, said Xie, is a different, more holistic paradigm for fighting fraud – with a broad goal of not adding more authentication steps, but fewer.
“The dream, the vision we have for the long term, is zero-factor authentication from a user’s point of view,” she noted.
Learning to Spot the Good Customers
In the past, said Xie, authentication has been rooted in an idea that must change in order to build a more secure future. When we talk about fighting fraud, she said, we are talking about spotting the cybercriminal as they are trying to do something wrong – infiltrate a system or make a fraudulent purchase, for example – and bouncing them at that moment.
But ultimately, she said, this leads the industry to base most of its efforts on defining and identifying "bad customers," and then trying to consistently root them out while keeping false positives to an absolute minimum.
“We need to start taking specific measurements to detect what good users look like – which sounds counterintuitive, because we always think first about detecting the bad guys,” said Xie. “But I want to broaden the scope of real-time account monitoring and start understanding the customer over the course of their lifecycle.”
Because, Xie noted, the state of cybersecurity in 2020 seems to demand this more holistic approach. Though there is much that individual firms and the industry as a whole can do to stem the hemorrhage of sensitive data into the hands of cybercriminals – via better encryption, storage and anonymization of data – there is a staggering amount of data already out there from previous breaches that is useful to fraudsters. And there is no technological innovation coming down the pipeline that will put that information back in the box.
Between synthetic ID fraud and good old-fashioned identity theft, buttressed by the reams of available consumer data, said Xie, cybercriminals have gotten better at looking like real consumers – making it all the more imperative for the security industry to realign its paradigm with the lifecycle habits of legitimate users.
The Zero-Authentication Future
Transforming the idea of consumer authentication from something that happens at the moment of choice in a transaction to something that happens in real time, all the time, is a very tall order, Xie noted. "Fortunately, advances in big data computation now allow us to actually do more with less, by allowing us to draw inferences from relevant data in ways that mitigate concerns associated with privacy," she said.
But, she added, a heavy lift is not necessarily impossible.
“I do believe that technology, data analysis, AI and machine learning have evolved to a stage where most of our services can move toward evaluating customers constantly to mitigate risk and make their experiences better across the board,” said Xie.
Ultimately, she said, as that capability for content analysis and evaluation expands to the point that customers will be recognizable to merchants, the idea of stopping to authenticate will be a relic of the past. On the front end, the consumer will simply do what they want – while on the back end, the technology that has become so adept at recognizing their comings and goings will make sure they can shop where they want, and that no one can borrow their identity to shop where they don’t.