Voice Biometrics is Revolutionizing Online Transaction Security and Preventing OTP Fraud
Fraud data just released by UK Finance for the first half of 2024 contains both positive and negative news. Authorised Push Payment (APP) fraud fell both in value and number of cases compared to H1 2023, as did other forms of social engineering scams such as romance fraud.
However, on the negative side, there was an increase in traditional attack vectors against payment cards, remote banking, and cheques. This equated to an increase of 5% in value and 19% in recorded cases, with a 26% increase in card-not-present (CNP) cases.
Rise of Card-Not-Present Fraud Despite Strong Customer Authentication (SCA)
This is somewhat surprising: the Revised Payment Services Directive (PSD2) introduced Strong Customer Authentication (SCA) for CNP transactions, so we would expect CNP fraud to decrease, not increase. But according to UK Finance, whilst SCA has helped to reduce fraud, “evidence has shown that criminals have been socially engineering victims to trick them into divulging one-time passcodes to authenticate online transactions”.
The Inherent Weakness of One-Time Passwords (OTPs)
How does this work? The criminals initiate the online transaction, which in turn triggers the issuing bank to send a one-time password (OTP), necessary to authorize the transaction, to the true cardholder’s mobile phone. The criminals then contact the cardholder, purporting to be from the bank, and trick them into providing the OTP, which the criminals then use to authorize the fraudulent transaction.
And therein lies the inherent weakness of OTPs. An OTP is just a piece of knowledge, albeit one supposedly secret to its recipient. Like any secret, if you tell someone else then they too have that knowledge, and anyone with that knowledge can use it.
Whilst an OTP includes a possession factor (the mobile phone it is sent to), if it is hijacked or provided to someone else it is as weak as a static password. The rule of thumb is that if something can be hijacked or stolen and then successfully used, it inevitably will be.
Enhancing Online Transaction Security: How Voice Biometrics Stops OTP Fraud
The key, therefore, is to use something that can’t be hijacked or stolen, or alternatively to use something that, if hijacked or stolen, can’t be used successfully by criminals. In the case of OTPs, it is the simple addition of voice biometrics that changes the game. Rather than typing the OTP into a browser, which is precisely what the criminals do with the OTPs they trick out of cardholders, the cardholder speaks the OTP into the browser. Now, not only is the OTP required to complete the transaction, but it must be spoken by the person it was intended for and no one else. Hijacked, stolen, and divulged OTPs now become useless to criminals.
Turning Exploitable Identity into True Identity Assurance With ValidSoft
ValidSoft can overlay its leading voice biometric authentication on any multi-factor authentication solution using text-based OTPs and transform exploitable identity into true identity assurance. So, whilst your customers may not be able to keep a secret, they can keep the secret from being used.