5 reasons why passwords are no longer safe - What’s next?


Online platforms are using passwords to secure the privacy and data of their users – but are they secure?  

Passwords started with the Compatible Time-Sharing System (CTSS), an operating system introduced at MIT in 1961. It was the first computer system to implement a password login. We are now in 2020, and decades of password usage have made it the major security protocol. The increase in data breaches, social engineering attacks, and cyber crimes has tarnished the reputation of passwords, but the masses still use them to ensure customer privacy and data security on their platforms. Even banks use passwords to allow online access to their customers. However, research and increasing cyber crime hint that passwords are losing their value. Newer technologies such as two-factor authentication and AI-based biometric authentication are trends that are slowly building up.

A survey found that one out of five American consumers has experienced an online account compromise. And these frauds are possible due to a lack of efficiency in password security. 

Data breaches are a common way to get hold of someone else’s confidential data. 4.1 billion records were lost in the first half of 2019 (Forbes). The data stolen in these breaches is used to gain illegal access to online platforms that are protected with inefficient passwords. But why are passwords inefficient?

Why are passwords losing value?

Passwords have been in use for decades, but people are gradually losing faith in the security they provide. When it comes to actual impenetrable security, businesses prefer other security means such as biometrics and two-factor authentication along with passwords. Even cell phones now have a biometric unlock feature to secure the device. So passwords are no longer the favorite security tool.

  • The traditional authentication checks 

Passwords are still limited to traditional binary and alphanumeric figures. The typical input for password-protected access is still a username and a password. Guessing someone’s username is not difficult, and people use the same email address to sign up for several online platforms. Research found that in the U.S. the average email address is associated with 130 accounts. This makes it easy to get hold of someone’s email ID. Next comes the password, which is also the same in most cases. Google found that 52% of people use the same password for multiple accounts and 13% use the same password for all accounts.

  • Changing passwords frequently is not enough 

The supporters of passwords always say that frequently changed passwords are the key to security. But let’s see how this frequent password-changing mechanism works. The best practice is to change the password every month, and the password created must be complex enough to make it difficult to crack. But does it actually work this way? No, it doesn’t.

Users find changing passwords very tedious, and most of the time they don’t change their passwords frequently. Research on 1,000 U.S. Google users found that one-third of the users change their account passwords one to two times a year. 10.9% of respondents said that they never change their passwords. This shows that users generally don’t bother sticking to secure password policies.

As for the strength of passwords, people generally tend to create easy-to-remember passwords. Especially when they are directed to change passwords every month, they make easier passwords and save them somewhere (in written or digital form) or share them with a colleague. 69% of users still share their password with a colleague (National Cyber Security Centre, NCSC).

So user behavior is the key reason behind the inefficiency of password security. In the UK, 57% of the people who have fallen for a phishing attack still haven’t changed their password.

Hence the password security mechanism doesn’t have any concrete measures to make people develop a habit of changing their passwords or of creating strong passwords. A web portal can send reminders for password changes and security alerts, but cannot force users to act on them.

  • Complexity is not paying off

It is often considered that strong passwords are difficult to hack. But there is still a risk of the password being hacked or forgotten. People tend to forget difficult and complex passwords, so they frequently reset them. This affects the user experience on your online platform.

Hackers are well aware of the science of strong passwords, and brute force attacks are used to crack these passwords. A brute force attack is conducted by trying all the machine-generated combinations for a password until a match is found. So even strong passwords might fall to a brute force attack.

  • Hackers are becoming smarter 

Hackers are becoming smarter and they know well how to use the technology. Social engineering (phishing attacks) is the commonly used technique that helps them get the required information from people. 50% of internet users receive at least one phishing email a day and 97% of them can’t actually identify a phishing email. So it is very easy for a hacker to get into someone’s system and steal a user’s login credentials.

Also, hackers are aware of all the password protection techniques and know well how to bypass them.

  • Readily available password reset options  

Due to phishing attacks, it is not difficult for hackers to enter a person’s system. It is quite easy to enter someone’s mailbox and get access to that person’s confidential emails. Every login page allows the user to make several login attempts and offers an option to reset a password. Some take 24 hours to reset a password, others do it right away. If a hacker has access to someone’s mailbox, they can easily use the password reset link to invade an account. Given the practice of using the same password on all accounts, it becomes even easier to hack an account, because most online businesses use passwords to protect an account.

What does the future hold for user onboarding?

With the decrease in the value of passwords, businesses are looking for new ways to replace them. Biometric verification solutions and 2FA deliver the high security that passwords lack.

Biometric authentication

Biometric authentication is one of the fastest-rising technologies in use in the world. Biometric authentication solutions use face verification to allow access to an online account. It covers everything that password systems lack.

It is almost impossible to manipulate a biometric authentication system. It uses a liveness detection mechanism to identify paper-backed images used for verification. A real person must make the verification to get past the security checks. Minor facial movements are traced to check that a real person is behind the camera. Unique facial features and contour points are detected with a 3D depth perception technique to identify paper-backed and photoshopped images.

The picture of the real user is saved in the database in the form of a mathematical formula and compared against the facial image submitted for login. Artificial Intelligence is used in these solutions to perform verification of the user.

Biometric login is quite easy for end-users to use due to the vast usage of selfie cameras in mobile phones. Also, these solutions deliver high accuracy (98.67%). Due to all these perks, biometric sign-in is the next big thing and businesses are using it to increase security on their platforms.

Two-factor authentication

It is often used in combination with passwords. 2FA sends a unique code to the user’s mobile phone, which is required to log in to their account.

To wrap up, passwords are losing value due to high risk. This lack of efficiency requires businesses to explore new user security techniques. Strong security measures that allow fast logins enhance user experience. As the ultimate goal is user satisfaction, businesses must think of giving up old security practices to gain higher customer value.

ProtonMail added an encrypted calendar to its encrypted Gmail competitor

Last year, Google faced a hefty fine of $170 million from the Federal Trade Commission following investigations into YouTube over alleged violations of children’s privacy law. Scrutiny of how Google collects and utilizes consumers’ data and information has potentially increased.

Many people are looking for an alternative to Gmail because of privacy concerns. ProtonMail is efficiently utilizing this opportunity to grab the attention of users who want to wean themselves off Google. It has recently launched an encrypted calendar, “ProtonCalendar”, through which paid users can privately manage their schedules.

ProtonMail is already renowned for its encrypted mail services. Currently, the encrypted calendar is only available with a paid ProtonMail plan, but the company is planning to launch this calendar for all users in the near future. The company wrote in its blog post:

“We believe everyone has the right to plan dinner with friends without announcing to Google who will attend,”

Google has faced allegations from its own employees that it was using some browser extensions to spy on them; however, these accusations were denied by the company. Although Google stopped scanning users’ emails for advertising in 2017, ProtonMail still claims that some parties use calendar data for targeted advertising.

Calendars are a lot more than just an organizing tool, as ProtonMail writes in its blog post:

“For the longest time, to easily organize these events, you had to let large corporations monitor these special moments. These companies snoop on your calendar and use that information to inform their advertising. A calendar is more than just a tool. It’s a record of the moments that make up your life.”

ProtonMail is still in its basic beta version. The company is expected to add more advanced features before launching it in the future. The new features will enable users to invite other users and share their calendars with other ProtonMail users.

 

4 Fraud Prevention Tips For Your E-commerce Business this Holiday Season

With the holiday shopping season in full swing, e-commerce fraud risk is a glaring reality that needs to be accounted for before it translates into large business losses. By 2019, there will be an estimated 1.92 billion global digital buyers that need to be served, as well as authenticated. While this opens up countless business opportunities for vendors, it also indicates the need to single out bad actors that commit high-value identity fraud every year. 

Cybercriminals and scammers are catching up with growing digital buying trends and breaking their way into legitimate online transactions. The holiday season is the ideal time for hackers and identity thieves to commit identity fraud due to the large volume of sales that are processed in a small amount of time.

According to data from ACI Worldwide, fraud attempts spiked by 30% over the previous holiday season across millions of online transactions, especially on Christmas Eve. Fraudsters are trying to get past busy sales representatives and burdened software that miss the smallest details required to spot a naughty holiday buyer.

Here are 4 tips for your business to defend itself from E-commerce Fraud this holiday season: 

1- Understand holiday e-commerce fraud types

With every passing day, we’re looking at innovative forms of online buying options, such as P2P payment gateways and social media buying solutions. While it’s not fair to say that the digital buying economy is a new concept, it is also true that firms are still struggling to understand the types of risk they are faced with. 

Digital ID theft and fraud is the most common and well-known type of online scam. It has affected millions of people across the world and caused consumers to lose up to $1.48 billion in 2018, according to the Insurance Information Institute. During the holiday season, the percentage of fraudulent transactions is expected to increase manifold, especially card-not-present fraud.

Other types of fraud include: 

  • Account Takeover Fraud – Legitimate accounts are hacked by imposters to make purchases 
  • Phishing Scams – Fraudulent attempts to gain personal user information
  • Credit Card Fraud – Fraud committed using a credit card as an illegal source of funds in a transaction
  • Card-not-present Fraud – Absence of actual card when carrying out a transaction
  • Friendly Fraud – Actual transactions made by cardholders, later disputed by themselves to claim chargebacks

2- Upgrade fraud prevention tools and identity verification services

To find out if your holiday season customers are actually who they claim to be, use authentic and reliable verification services. Security barriers in online environments are becoming easy to circumvent, as technology lands in the hands of both good and bad actors.

With the types of fraud listed above, hackers are learning to commit financial crimes without leaving a trace. This is where automated identity verification services with AI-based features need to be utilised as a strong risk prevention shield. Identifying users at source entails thorough KYC, AML and KYB checks with the following services:

Specialised features such as liveness detection and consent verification provide users and businesses with a level of trust that is otherwise impossible to achieve with manual verifications for large sales volumes. In this respect, biometric verification is also gaining popularity due to its convenience, especially for mobile users, and can be employed to verify users in a matter of seconds.

At the same time, it is important to note that automated fraud prevention and identity verification processes need to be used with caution due to the inevitable risk of accepting fraudulent orders, resulting in high chargebacks. Human intelligence is therefore an integral part of the verification process for complete accuracy. 

3- Monitor key e-commerce sales metrics

With fraud prevention software and human review of transactions, it is possible to identify red flags during peak season. Narrowing down geographical location through IP and browser information also helps prevent fraud well in time. Suspicious orders can be identified by looking at buying patterns and understanding how a sudden change in purchase activity can really be from a fraudulent source.

Marketing and sales metrics such as click-through rates, conversion rates and chargebacks must be reported on an ongoing basis by business executives to stay on top of any irregular patterns in e-commerce sales. Sometimes, indicators as simple as unusual delivery addresses or inaccurate customer credentials can impact sales trends for a busy quarter. However, additional authentication methods must be in place to review such anomalies before taking stern action and blacklisting authentic customers erroneously.

4- Customise a fraud mitigation plan for the holidays

In 2018, holiday season retail e-commerce spending totalled almost $120 billion, and Cyber Monday in 2019 alone racked up close to $9.4 billion in online spending, the biggest ever recorded. This means greater handling of customers, sales and transactions by regular as well as temporary staff. A fool-proof plan to handle these both manually and digitally must be developed well in advance to ensure the security of successful deliveries. 

To process more orders than usual, sales reps will have to think about the numerous queries that new and returning customers will have. Moreover, the process to approve and decline orders also needs to be streamlined in order to check for inconsistent personal details such as delivery address and credit card details.

Well-coordinated marketing and sales teams are always able to maximise returns from promotions, deals, coupons and website traffic. Any miscommunication at this stage can lead to large financial losses as well as tangible damage to brand reputation. Examining historical patterns in consumer history is also helpful for discerning fraudulent transactions and saving both time and money.

All in all, e-commerce vendors must steer clear of impending online fraud schemes by employing strict safeguards, as well as becoming aware of newer types of threats that may hurt them, especially in the busy holiday season.

LifeLabs Hit By a Data Breach Affecting Personal Information of 15 Million People

Canadian laboratory testing company, LifeLabs, disclosed on Tuesday that it had been a victim of a cyberattack that may have compromised the personal information of approximately 15 million people, mainly in British Columbia and Ontario. 

LifeLabs is the country’s largest private provider of diagnostic testing for health care. It was hit by the attack in October and had to pay a ransom to retrieve the stolen data.

Charles Brown, CEO of LifeLabs, told Postmedia,

“This is still under police investigation. I just can’t talk about actual details of who did what, (or) how we got contacted (about the ransom demand).”

Privacy agents in Ontario and British Columbia said the company had notified them of the breach on Nov. 1.

According to LifeLabs, the compromised information could contain customers’ names, addresses, email, login, passwords, date of birth, health card number and lab test results. 

The company said it has fixed the system issues and added safeguards to protect customer information. The breach is being jointly investigated by privacy commissioners in British Columbia and Ontario. 

“LifeLabs advised our offices that cybercriminals penetrated the company’s systems, extracting data and demanding a ransom,” the joint statement by the commissioners said. 

The data breach of lab test results affected 85,000 customers from 2016 or earlier located in Ontario. 

The company and its security providers are confident that the information will not be further compromised. 

“I want to emphasize that at this time, our cybersecurity firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations,” Brown said in a letter to customers that the company released publicly.

 

New Jersey Hospital System Hit By a Ransomware Attack

One of the largest hospital systems of New Jersey has reported that it was hit by a ransomware attack this month. According to the hospital, the attack disrupted care across its clinics, nursing homes, outpatient centers, psychiatric facility, and 17 hospitals. 

Hackensack Meridian Health said on Friday that the attack began on December 2 and forced it to cancel some surgical and other procedures. It is to be noted that no patients were harmed and the emergency rooms kept treating patients. 

The attack stopped only after the hospital paid a ransom, but Hackensack Meridian Health didn’t say how much it paid to regain control over its systems. The system does hold insurance coverage for such emergencies.

In the statement, Hackensack Meridian Health said,

“Our network’s primary clinical systems are operational, and our IT teams continue working diligently to bring all applications back online safely. Based on our investigation to date, we have no indication that any patient or team member information has been subject to unauthorized access or disclosure.”

Due to the ransomware attack, the hospital rescheduled nonemergency surgeries, and doctors and nurses had to deliver care without access to electronic records. The system also said that it was advised by experts not to disclose the ransomware attack until Friday. The hospitals’ primary clinical systems are operational again and the information technology (IT) specialists are working to bring all of its applications back online.

Comparitech Report Ranks Biometric Data Use: China Tops the List

Comparitech, a pro-consumer technology website, conducted a study including 50 countries and their use of biometric data. The study ranks China at the top for its extensive and invasive use of biometric data. 

Malaysia and Pakistan came in second and third, while the countries rated best at protecting biometric data were Ireland and Portugal. Biometric data includes fingerprint scans, facial recognition, iris recognition, palm prints, DNA and other methods of identification or access control.

The Comparitech report, released last week, revolved around the collection, use, and storage of biometric data. The study used a 25-point system to score the prevalence of biometric usage in areas such as passports, banks, voting systems, identity cards, etc. The study also analyzed whether there were laws in place to protect the biometric data of citizens.

According to the method of the study, the higher a country’s score, the more comprehensive and invasive its use of biometric data is. China came out on top with 24 points, losing just one point for its absence of a biometric voting system.

Malaysia and Pakistan each scored 21, while the United States came in at 20 points. In contrast, Ireland and Portugal had the lowest scores of 11 points, followed by Britain, Romania, and Cyprus, which scored 12 points each.

China had maximum points across the categories except for the voting systems mainly because the voting system of China is already heavily controlled. The report focused on China’s extensive nationwide biometric database, which according to Comparitech was being extended to include DNA.

According to the study, China lacks a specific law to protect citizens’ biometric data. Biometric usage has expanded exponentially in China, which is affecting people’s daily lives. Fingerprint scans or facial recognition are employed to pay bills, apply for social security and even for loans. There is also limited protection against abusive use of data or privacy leaks.

Ukraine Passes Anti-Money Laundering Law based on FATF

The Government of Ukraine has passed the final version of a money laundering law based on the guidelines provided by the Financial Action Task Force (FATF). The law will handle virtual assets and virtual asset service providers (VASPs). 

The Rada, Ukraine’s legislative body, published the final version of the law on December 6. It counts virtual assets as a symbol of wealth while also considering their potential use in financial crimes like money laundering, fraud, terrorist financing, tax evasion, etc.

The new law contains guidelines on the ways the government intends to monitor and control the trading of cryptocurrencies. The guidelines center on unique crypto transactions worth less than 30,000 hryvni ($1300) from which the government will only collect the public key of the sender for the purpose of financial monitoring. 

If the transaction exceeds that amount, verification will be applied to both the sender and the receiver. The verification process will include identity verification as well as the verification of the nature and business of the relationship. 

For virtual asset service providers, the limit is 40,000 hryvni ($1600). In that case, VASPs should present information to the authorities whenever such traders are registered in jurisdictions that do not comply with anti-money laundering regulations.

Binance, a major global crypto exchange, is reportedly collaborating with Ukrainian officials to build cryptocurrency-related legislation in the country. The Ministry of Digital Transformation of Ukraine and Binance signed a memorandum of understanding to jointly work on the legal status of cryptocurrencies. The CEO of Binance, Changpeng Zhao (CZ), said in November that in order to bring positive growth in the economy and to attract additional investments, legalization of cryptocurrencies and the adoption of progressive legislation can play a key role. 

The Ministry and Binance intend to form a working group as part of the agreement which will be focused on the strategy of blockchain implementations as well as the production of “new virtual assets and virtual currencies market in Ukraine.”

EU to Investigate Google and Facebook’s Data Collection Practices

The European Union has begun preliminary investigations into the data collection practices of Google and Facebook. The investigations aim to evaluate whether the two US tech firms are complying with EU rules in the region.

A spokesperson for the European Commission, the EU’s executive arm, told CNBC via email on Monday that ‘The Commission has sent out questionnaires as part of a preliminary investigation into Google’s and Facebook’s data practices. These investigations concern the way data is gathered, processed, used and monetized, including for advertising purposes.’

According to the spokesperson, the preliminary investigations are ongoing. The EU has previously investigated Google, which has resulted in more than €8bn (£6.8bn) of fines. Google Shopping was investigated in 2017, which resulted in a fine of €2.4bn. In 2018, anticompetitive practices involving Google’s Android smartphone operating system resulted in a fine of €4.3bn. In 2019, Google was fined €1.5bn for advertising violations. These new investigations show that the EU isn’t done probing into Google.

A spokesperson for Google told CNBC, “We use data to make our services more useful and to show relevant advertising, and we give people controls to manage, delete or transfer their data. We will continue to engage with the Commission and others on this important discussion for our industry.”

A Facebook spokesperson told CNBC via email on Tuesday, “Data helps us tailor our apps and services so each person’s experience is unique and personalized.” The spokesperson also added that Facebook is fully cooperating with the EU and is happy to answer any questions it might have.

The EU has previously investigated Amazon to figure out whether the e-retailer was complying with European rules on handling data from independent retailers.

Margrethe Vestager, who is the EU’s competition chief, has led a wider crackdown on how tech giants operate across the 28 EU member states. She has urged Ireland to collect 13 billion euros ($14.34 billion) in unpaid taxes from Apple, fined Google in a number of cases and accused Facebook of misleading EU regulators over its takeover of WhatsApp. 

Bank of Ghana to Introduce Digital Currency in ‘Near Future’

The Governor of the West African nation’s central bank, Ernest Addison, announced Ghana’s plans for a digital currency at an annual banking conference last week. Addison said that the central bank is in discussion with ‘key stakeholders’ to explore a digital currency pilot project ‘with the possibility of issuing an e-cedi in the near future’.

The CBDC pilot initiative is in line with the country’s efforts to digitize the financial and banking sector. Through this effort, electronic payment systems in Ghana such as mobile banking can grow and improve. Mobile money transactions, for instance, increased to 1.4 billion last year compared to 982 million in 2017, according to Addison. He added,

“The digital age provides enormous potential for the financial sector to re-orient itself to satisfy the new consumer and business demands for financial services.”

Addison also announced that the country’s largest bank in terms of total operating assets, Ghana Commercial Bank (GCB Bank), has been authorized to issue e-money.

Africa is seeing a surge in cryptocurrency, with 64 blockchain and cryptocurrency firms available across the continent. These span 11 sub-categories, including exchanges and wallets, according to research from The Block Crypto.

Understanding Digital Identity

What is Digital Identity?

In the digital world, your identity is made up of your personal information as it exists on the web (in digital form). Your personal characteristics, such as your name, address, date of birth, bank details, email ID, biometrics and login credentials all make up your digital attributes. 

Similarly, digital activities such as likes, comments, buying patterns, search histories, forum posts, and cellphone apps make up your online preferences. These are stored and tracked to maintain a record of online activity related to your identity.  

In short, it is an amalgamation of all personal attributes and characteristics that link the physical existence of a person to his or her digital presence. In this respect, the term digital identity can refer to all types of online platforms and computer systems that contain information about individuals linked to their national or official identities. 

This is similar to the collection of data in the real world, based on which an individual is identified and allowed to take certain actions. Official identification documents, proof of address, driver’s licenses, and other personal documents are required for transactions such as account opening or buying a property. 

Verification of persons online entails matching these two forms of identities to onboard people for digital services and to confirm their presence online. Signing up for an online account, making a purchase in an e-store, accessing medical records and accepting remote jobs becomes possible with a single click and a verified digital identity. 

This is known as digital authentication and is linked to the act of validating one’s identity at the time of sign up. The use of biometric technologies such as fingerprint and retina scans, as well as facial recognition, are all part of the process of cross-checking identities to validate if an individual is really who they say they are.

Establishing Trust Online

As businesses and services make a move to the digital world, crimes related to identity have also shifted platforms. Cybercriminals are learning to intercept digital accounts and steal identities to make fraudulent transactions. In the recent past, businesses and individuals have suffered large losses as bad actors find innovative ways to stay ahead of tech experts and regulators at organisations and carry out online crimes.

Digital identity information is exposed through phishing attempts, irresponsible use of login details, location sharing, public wi-fi networks, and exposure to social media malpractices. Because it opens up access to accounts and online services, an online identity serves as a virtual currency that is exposed to data breaches. Additionally, digital identities are also sold and used against individuals on what is known as the ‘dark web’. A well-functioning online system, therefore, needs efficient processes for maintaining reliable digital identities and mitigating accompanying risks.

With impending threats of money laundering and terrorist financing, regulatory compliance in the form of KYC, AML and KYB requirements will help companies maintain trustworthy business ties online. Regulations such as GDPR, AMLD6 or CCPA make it mandatory for companies to opt for reliable means of verification. Strict identity checks and screening processes that verify who an individual is, and authenticate his/her access to an online portal, are therefore the cornerstones of good business practice.

Unlocking Access to Financial Services 

The advantage of establishing a digital identity network is perhaps most evident in the banking and financial institution sector. Lower in cost and higher in accuracy than traditional vetting processes, digital identities offer faster ways of complying with regulations and attributing trust to financial brokers.

KYC checks ensure that customers are genuine entities as far as their existence, personal characteristics and documentation are concerned. For AML and ongoing background checks, identities must be traceable and accessible by verification solutions. This is easily facilitated by digital identity frameworks that consolidate pieces of information based on their accuracy and validity. For banks, this saves huge amounts of money otherwise at risk of being lost due to compromised identities.

As observed, account takeover fraud is one of the most popular forms of fraud in the banking sector, with large corporate losses noted due to fraudulent transactions. Using traditional methods of identification, therefore, puts institutions at a higher risk of loss than digital identities, which can be consolidated and secured through advanced technologies such as blockchain. 

As a useful proof of verification, digital identities also open up new avenues for people who have limited or no access to traditional means of identification in the real world. Close to 1 billion people do not have an official identity. This has grave implications in the form of barriers to basic social services such as education, health and economic opportunities. In this respect, a consolidated digital identity has the potential to act as a safety cover for people with no access to formal financial services.

Modern organisations are upgrading to digital infrastructures and investing rapidly in safer technologies. Digital identity verification is one of the many important areas of security that require effective solutions for safer experiences online. The eventual goal is to tie the digital identity to a real person and to ensure that people are who they say they are. 

Digital KYC to Trace and Tackle High-Risk Customers

Customers are the assets and building blocks of any business. Customers can take a business to the next level or reduce it to rubble. That is why it is crucial to know who you are dealing with. Know Your Customer is the procedure to identify and verify customers, checking that they are real and not fraudsters or involved in any illicit activity that could threaten the business. It is a process to check the background of customers and analyze the risk factors associated with them.

The fundamental idea behind introducing KYC in organizations was to find a way to protect them from fraudsters and criminals without penalizing the innocent at the same time. The KYC process is a standard procedure to verify customers at the time of onboarding. However, with strict regulations coming into force, KYC is no longer limited to verifying customers; it now also means continuously analyzing customer behavior to look out for suspicious activities and illicit transactions. It is used for the following purposes:

  • To curb fraud schemes
  • To mitigate scam scandals
  • To put a halt on money laundering
  • To hinder illicit fraud transfer and
  • To identify high-risk customers by enhanced due diligence 

Need for KYC to Identify High-Risk Customers:

The KYC laws were introduced as a section of the Patriot Act, passed in 2001 after the 9/11 attacks to deter terrorist activities and criminal funding. The section of this act concerned with financial transactions added new policies to those of “The Bank Secrecy Act of 1970.” These requirements regulated banks and other financial institutions. Under the Patriot Act, organizations dealing with finance must meet three main requirements in order to comply with KYC regulations:

  • Customer Identification Program (CIP)
  • Customer Due Diligence (CDD)
  • Enhanced Due Diligence (EDD)

High-Risk Customer Identification Program (CIP)

The customer identification program is a significant component of the KYC process in which organizations are obliged to ask customers to provide their identification information. Its purpose is to verify the identity of a customer who wishes to carry out a financial transaction with a particular bank. The CIP requirement was made compulsory in 2003, obliging financial institutions to develop and incorporate customer identification programs into their secrecy policies to meet anti-money laundering (AML) compliance.

Every institution has its own CIP processes depending on its size and type. That’s why they may require different documents for verification. Generally, driving licenses and passports are the documents most commonly required by banks. Other documents may include:

  • Utility bills
  • Financial references or statements 
  • Information from a consumer reporting agency or public database

Whatever document or information is requested from individuals and businesses, the purpose is to check its authenticity and to confirm that the customer is not fake and does not appear on any prohibited list, so that fake and high-risk customers can be filtered out.

High-Risk Customers Due Diligence

Customer due diligence covers multiple aspects of customer verification and identification. For secure onboarding of clients, it is essential to identify the future risks that some customers may pose, which is why customer due diligence is conducted. The main goal of due diligence is to analyze customer behavior and predict the type of transaction pattern that the customer is most likely to follow. In an evolving regulatory climate, mobile identity verification can be of great help. It helps organizations identify suspicious behavior and assign each customer a risk rating, which determines which customers may threaten the organization and how often their accounts will be monitored.

The regulatory agencies have set no particular standards or methodologies for conducting customer due diligence, leaving institutions free to choose their own tools and methods. Many organizations demand a lot of information during the process, including banking references, previous financial statements, salary slips, occupation, source of funds, etc. The purpose of this information is to analyze the background and behavior of the customer to predict future risks that may be linked to the customer.

All this effort is needed because FinCEN strictly requires financial institutions to immediately report any threatening or suspicious activity. And you can’t do that efficiently unless you know your customer’s behavior and history.

Enhanced Due Diligence (EDD) for High-Risk Customers:

Enhanced due diligence (EDD) is an advanced and more comprehensive set of KYC procedures for high-risk customers who exhibit irregular transaction behavior or ambiguous sources of origin. Customers classified as high-risk after the Customer Due Diligence (CDD) process are more likely to be involved in money laundering and the illegal funding of terrorists and criminals. They need to be monitored continuously. Considering the trend of such illicit transactions, the USA Patriot Act strictly dictates that institutions

 “shall establish appropriate, specific, and, where necessary, enhanced due diligence policies, procedures, and controls that are reasonably designed to detect and report instances of money laundering through those accounts.”

The EDD process includes verifying ultimate beneficial ownership information (UBO) and identifying politically exposed persons (PEPs). Monitoring the transactions is also one of the fundamentals of the EDD process.

High-risk Customers-Venomous for the Business:

High-risk customers are identified from customer-provided information using digital identity verification solutions. Such customers are monitored continuously for potential suspicious activities in their accounts, so that offences such as money laundering, account takeover and identity theft cannot take place. Such customers remain a poisonous threat to the business as long as they exist in the system. Various AI-powered SaaS products offer inputs that are useful for a business’s monitoring systems to filter out the AML high-risk customers that pose a threat of money laundering. Such a risk management framework will help businesses in assessing customer risk.

Digital KYC Checks- From Weeks to Seconds:

It is a documented fact that customers are the assets of any organization. Digital KYC is what institutions need in this era of technology. Based on the principles of automation, the eKYC process can execute multiple steps simultaneously. It reduces keystroke time, cost and human effort. A process that could take an individual hours or days can be cut down to seconds with the help of AI-powered solutions and tools. With intelligent KYC verification, businesses can onboard a more secure clientele with real-time verification while coping with regulatory complexities at the same time.

With the world moving into the digital sphere, customer convenience is even more important for any business. The manual KYC process is time-consuming and costly. Clients get exhausted, as it takes weeks or even months to onboard a customer. This cumbersome procedure even ends up losing customers, who move to other platforms during the lengthy process. Digital KYC not only helps to identify a customer but also helps to filter out customers whose traits mark them as high-risk, so that businesses are vigilant while dealing with them. Also, due to the digital revolution, global onboarding is becoming common, which requires a faster and more convenient verification and onboarding process.

Perks of Using Digital KYC Solution:

To put an end to negative customer experiences, digital identity verification solutions have achieved a milestone. The following are some of the benefits of using digital identity verification solutions for KYC:

  • Reduce Frauds and Scams

Using digital KYC can decrease the risk of frauds like identity theft, credit card fraud, and onboarding high-risk clients. 

  • Increase Security

It’s more important than ever to verify the identities of customers due to an increased risk of terrorist funding and money laundering and other cybercrimes. 

  • Ensure Accuracy

Digital KYC solutions provide a seamless experience with fewer chances of errors and omissions.

  • Provide Better Customer Experience

Digital KYC provides a better customer experience as it takes no time for the whole authentication process. 

In a nutshell, digital KYC combined with artificial intelligence is crucial to identify and tackle high-risk customers that can bring various dangers for businesses. Businesses can end up paying hefty fines due to such customers, or owners can end up losing their businesses. Digital KYC simplifies identity verification for an online business, which plays a vital role in this area. In an evolving regulatory climate, mobile identity verification can be of great help. In the coming years, it will continue to morph with surprising speed.

Amazon Challenges Pentagon’s $10 Billion Contract To Microsoft

Amazon said on Thursday that it is going to challenge a $10 billion contract awarded to Microsoft last month by the Pentagon. Amazon called the decision-making process prejudiced and tainted by “political influence.”

The Department of Defense had been considering a number of bids for a cloud computing project, the “Joint Enterprise Defense Infrastructure” or JEDI initiative. The project, which has been delayed for a long period of time, is supposed to update the computing infrastructure of the Pentagon. Most of the agency’s technology relies on systems from the 1980s and 1990s.

A number of people had expected the contract would be awarded to Amazon Web Services, which commands about 48% of the cloud computing market share. Over the past year, President Donald Trump has increased his attacks on Jeff Bezos, CEO of Amazon. Weighing in on the contract, he said in July that he had considered intervening in the award process.

“Great companies are complaining about it,” Trump said at that time, mentioning that this contract was one of the “biggest” ever. “So we’re going to take a look at it. We’ll take a very strong look at it.”

Last Friday, November 8, Amazon officially filed a notice to protest the decision; it is being filed in the US Court of Federal Claims. A spokesperson for Amazon Web Services said in a statement to HuffPost,

“AWS is uniquely experienced and qualified to provide the critical technology the U.S. military needs and remains committed to supporting the DoD’s modernization efforts. We also believe it’s critical for our country that the government and its elected leaders administer procurements objectively and in a manner that is free from political influence. Numerous aspects of the JEDI evaluation process contained clear deficiencies, errors and unmistakable bias and it’s important that these matters be examined and rectified.”

The Pentagon has more than 500 separate cloud systems throughout the military, and JEDI is intended to unify all of them under one umbrella. This will help the Pentagon keep up with developments in the civilian computing industry.

FATF Plenary Outcomes

FATF October 2019 Plenary – Here is What You Need to Know

Financial Action Task Force (FATF) President Xiangmin Liu chaired the first meeting under the FATF Chinese Presidency from 16-18 October 2019. In this three-day meeting, 800 delegates represented 205 jurisdictions. International organizations, including the UN, IMF and World Bank, discussed the current issues that are giving rise to financial crimes and presented solutions that could contribute to global security.

FATF is an inter-governmental body that sets standards for the effective implementation of regulatory, legal and operational measures to combat money laundering and terrorist financing. FATF aims to eliminate any criminal activity that disrupts the flow of the financial system. In the recent meeting, FATF highlighted the important issues discussed below:

  • Associated Risks with Virtual Assets

Money laundering and terrorist financing risks associated with virtual currencies, “stablecoins” and similar assets are a matter of concern. FATF focuses on countries and their norms for facilitating the virtual currency industry. According to FATF, countries need to put requirements in place while recognizing the risks associated with virtual assets. This sector should be properly supervised to eliminate incidents that aid criminal activities. Countries that have already implemented measures should report back on the actions they took, for evaluation purposes.

It is the duty of FATF to monitor the standards the industry follows in its development processes and to make sure that they comply with the requirements defined by FATF. Emerging virtual assets such as “stablecoins” are expected to introduce a shift in the virtual currency ecosystem, which could become a means of facilitating criminal activities, most likely money laundering and terrorist financing. “Stablecoin” service providers are expected to adhere to FATF standards as strictly as traditional financial service providers do. FATF is continuously monitoring the characteristics of these virtual assets, is looking for further specifications, and expects to be kept informed of updates to these currencies.

  • Understanding Digital Identity Use

The swift shift towards the digital world, digital payments, and digital identity is notable. Every year, a large number of transactions take place through digital means, and they are growing by 12%. Digital identities used over the internet should be identified and verified. This is a vital step, as neglecting it gives rise to criminal activities. Fake identities on the internet participate in money laundering and terrorist financing. This can be eliminated through customer identification, which makes sure that each person has their own real identity.

FATF is going to release a draft for public consultation elaborating on the use of digital identity. The draft would give clear statements regarding the use, reliability, and standards of digital identification systems. FATF aims to eliminate the sources that are facilitating criminal activities.

  • Follow-up Assessments

Mutual Evaluation of the Russian Federation and Turkey

The FATF plenary conducted a mutual evaluation of the Russian Federation and Turkey. It evaluated the effectiveness of AML/CFT compliance in both countries, as well as their level of compliance with FATF requirements.

In Russia, the FATF-EAG-MONEYVAL assessment was conducted, which showed that Russia has an in-depth understanding of criminal activities and the risks associated with them. It follows robust policies to combat the risks of financial crimes like terrorist financing. However, it needs to work on its supervision standards for money laundering, especially for money that is laundered abroad.

In Turkey, the plenary concluded that the measures Turkey is putting in place to address money laundering and terrorist financing activities are stringent. However, it is in dire need of pursuing financial crimes in line with the risk profile of the country. Also, strict and immediate action should be taken to freeze criminal liabilities on the spot upon any detection of terrorist financing, money laundering, or even the proliferation of weapons of mass destruction.

The plenary discussed each country’s compliance with AML/CFT regulations. Following the evaluation of both countries’ compliance with FATF requirements, the mutual evaluation reports will be officially published in December 2019.

Norway and Spain Follow-up Assessments

The plenary discussed the changes Norway and Spain have made regarding money laundering and terrorist financing activities since the mutual evaluations conducted in 2014.

Norway is strengthening its financial intelligence strategies to understand the flow of bad money through money laundering and terrorist financing, and it has developed effective strategies to combat the risks of dirty money flows. Its improvements in the ability to freeze suspicious criminal liabilities are also effective.

Similarly, Spain is also active in addressing the sources that facilitate criminal activities and in the measures it is taking to combat them. It has established an effective framework and mechanism to freeze the proliferation of weapons intended for mass destruction.

Denmark, Ireland and Singapore Mutual Evaluation

The FATF plenary re-rated these countries on the basis of mutual evaluation. As a result, Ireland moved from enhanced processes to regular follow-up procedures. FATF will soon publish the mutual evaluation report setting out the changes in technical compliance, along with the ratings for the measures taken to eliminate terrorist financing and money laundering and for the ability to freeze the proliferation of weapons of mass destruction.

Brazil’s Mutual Evaluation Report

In the report of 2016, FATF conveyed concerns about Brazil’s continued failure in technical compliance to deter the risks of money laundering and terrorist financing. FATF declared that this would be the primary concern in the October FATF plenary. Now, the evaluation has produced positive results, showing the effective adoption of regulatory compliance by Brazil. Its substantial progress addresses most of the compliance requirements for the betterment of the financial system.

However, serious concerns remain regarding the international compliance standards of Brazil. These emerged as a result of a limitation imposed by a provisional injunction issued by a Brazilian Supreme Court judge. The limitation was on the use of financial intelligence for criminal investigations. FATF is actively seeking timely updates regarding this matter.

  • Jurisdictions Identification

Identifying Jurisdictions w.r.t AML/CFT Deficiencies

FATF addressed the identification of jurisdictions with respect to the strategies they are putting in place to eliminate terrorist financing and money laundering. FATF maintains public documents from June 2019 containing lists of jurisdictions that might pose potential risks to the international financial system. These contain amendments regarding the call for action and an action plan with FATF.

Ethiopia, Sri Lanka, and Tunisia with no Jurisdiction monitoring

FATF is satisfied with the progress of Ethiopia, Sri Lanka, and Tunisia in addressing AML/CFT deficiencies. These jurisdictions are now off the FATF monitoring list.

The FATF praised Ethiopia, Sri Lanka and Tunisia for the significant progress made in addressing the strategic AML/CFT deficiencies identified earlier by the FATF and included in their respective action plans.

These jurisdictions will no longer be subject to the FATF’s monitoring under its on-going global AML/CFT compliance process and will work with the FATF-Style Regional Body of which they are a member and continue to encourage their AML/CFT regimes.

New Jurisdiction Monitoring over Iceland, Mongolia, and Zimbabwe

FATF identified serious deficiencies in AML/CFT compliance programs of Iceland, Mongolia, and Zimbabwe. Each jurisdiction now has developed an action plan to comply with FATF requirements and FATF is looking forward to their plan. 

Pakistan and AML/CFT System

Since Pakistan committed in June 2018 to making high-level progress on the requirements of FATF and APG, Pakistan has improved its AML/CFT regime’s compliance. However, the progress is still not up to the mark. Pakistan still lacks a proper understanding of terrorist financing risks. It has been able to complete five out of 27 action plans. FATF urges Pakistan to complete its full action plan by February 2020. In case of any discrepancy, FATF will take action. This action could be a serious call to all jurisdictions to give special attention to their relationships with Pakistan’s financial institutions.

Iran and AML/CFT System

In June 2018, Iran made a commitment to FATF regarding effective AML/CFT practices to overcome its current deficiencies and to implement the Action Plan. Iran significantly lacks proper identification of terrorist financing risks. In June 2019, FATF called upon its members to conduct supervisory examinations of the subsidiaries and branches of financial institutions based in Iran. If Iran does not act upon the Terrorist Financing and Palermo Conventions before the deadline, i.e. February 2020, FATF will call on its members to subject Iran to effective countermeasures.

Iran will remain in FATF public statements until it fully completes the Action Plan. Until Iran takes a serious approach towards implementing countermeasures to eliminate terrorist financing, FATF will remain highly concerned about the risks that can arise from Iran and threaten the international financial system.

  • Promoting more Effective Supervision

In the FATF plenary, one of the major discussions involved identifying improvements that can better help in the supervision of AML/CFT regimes. FATF discussed the program and aims to reach out to national supervisors with improved strategies. The objective behind this effort is to let entities regulate their processes and focus more on outcomes while putting a risk-based approach in place.

  • New Practices for Legal Professionals

FATF focuses on the transparency of beneficial owners in the legal sector. It is important to prevent terrorist financing and money laundering through companies. However, jurisdictions find it challenging to implement the requirements in this field, although mutual evaluations using a prolonged approach open the way for effective solutions. Collecting information through several sources contributes to an effective approach to preventing misuse of the legal sector, so that the facilitation of criminal activity through legal persons can be avoided. A large number of sources helps in better addressing problems and identifying their respective solutions. Using input from global databases can help in tackling criminal activities in a better way.