Maintain a balance of data security and online user convenience — Jumio

The continued phishing attacks of recent years have prompted organizations to strengthen their security postures by adding layers of authentication to identify online users. Some companies or websites have also added age restriction features to ensure that content is age-appropriate, with the hope of mitigating cyberattacks.

People have gotten used to providing their data freely as a result of the rapid digitalization during the pandemic. The clueless may not be able to tell legitimate emails from phishing emails.

“While much of this data is intended to help businesses provide more accurate and personalized services, handing over personal information does have its risks,” said Frederic Ho, vice president of Asia Pacific at Jumio Corp., in an email interview with Back End News. “Increasingly, customers are becoming aware that their data can be stolen, misused, or sold to third parties.”

Ho said the Asia Pacific (APAC) region saw a 168% increase in cyberattacks in just a year, from May 2020 to May 2021.

Among the tools that companies resort to in order to ensure data security is the age check, or age verification.

Age checks are not just about compliance with government regulations; they also enable companies to protect children from harmful content.

Age checks

“Google, for instance, recently announced that it will be expanding age verification checks to users in Australia who want to access age-restricted content on YouTube and Google Play, in response to the government’s Online Safety (Restricted Access Systems) Declaration 2022,” Ho explained. “This may very well be just a start. Other service providers and online businesses may soon follow suit to ramp up their age checks to protect minors from age-sensitive content and to protect themselves from the legal consequences of non-compliance.”

However, the current age checks are unreliable because users only need to tick the “Over 18” box provided on websites. According to Ho, “it does not qualify as age verification and is no longer enough to prove due diligence.”

There are companies that require additional proof of identification (such as a driver’s license or tax identification ID) but this can discourage users because it could be tedious and inconvenient.

2FA, MFA

Financial services institutions (FSIs) have always been among the top targets of cyberattacks. This is also one of the primary reasons banks require multi-factor authentication (MFA) or two-factor authentication (2FA).

“While 2FA does improve the security of financial services, it is not entirely foolproof,” Ho said. “Many of the two-factor authentication (2FA) methods today require two distinct forms of identification — a password, personal identification number (PIN), One-Time Password (OTP), or biometric — before the user can access their account or authorize a transaction.

“2FA can help prevent unauthorized users from gaining access with nothing more than stolen credentials, such as passwords. But hackers can still acquire the authentication factors through other means, including phishing attacks, account recovery procedures, malware, and intercepting text messages used in 2FA to force their way in.”

Ho noted the recent phishing scams in Singapore that saw cybercriminals tricking victims into disclosing their banking credentials and PINs and stealing at least SGD $8.5 million out of their accounts.

“But that is not to say that we’re better off completely renouncing 2FA,” he said. “Rather, it’s important to look at how secure the authentication method is, and decide on the additional security layers required for higher-risk transactions — all while assessing its usability and convenience for users.”

Ho said there are steps that organizations can take so clients will be encouraged to use authentication methods.

  • Organizations must assess the level of security and convenience needed for the service — which may differ between industries. The good news is that these checks don’t have to complicate the online experience, nor be restrictive for the users. With the right strategy, organizations can design a workflow that benefits both the customer and the organization — while minimizing costs and security risks.
  • There are already identity verification technologies available that can verify that users are who they say they are, without any laborious steps. Banks are already implementing modern features such as facial recognition and liveness detection, on top of ID checks — which enables them to determine the user’s physical presence behind an app — to thwart impostors, reduce fraud levels, and ensure the highest levels of age verification.

Identity, age verification

With more data and the emergence of new technologies, cyberattacks are expected to become even more sophisticated. As e-commerce or online shopping becomes more and more normal, more online users will become vulnerable to hacking and data breaches.

“Businesses must look toward robust real-time identity and age verification solutions that don’t precede the real needs of users and businesses,” Ho said. “Jumio’s solution, for instance, requires a valid government-issued ID and a live selfie. This pairing serves as a powerful age-verification and fraud-prevention tool, especially as many minors and cybercriminals would not be able to use their own likeness in a real-time selfie, if they’re using another person’s ID.”

Ho further explained that the solution also deploys liveness detection — a feature that enables companies to determine the user’s physical presence behind an app. Jumio’s liveness detection goes through rigorous testing (for example, using live human testers wearing realistic 3D masks, lifelike dolls, digital and paper photos, and others) to ensure that it can thwart advanced spoofing attempts.

“It would therefore require an unimaginable amount of investment into bleeding-edge technologies for hackers to be able to sneak past these checks,” Ho said. “This ensures an airtight online age verification process that keeps harmful content out of reach of underage and thwarts hackers — while assuring simplicity for users. Ultimately, the best solution should not hinder the online experience, allowing online businesses and service providers alike to effectively balance security and convenience.”