MFA: How to Eliminate Profile Fraud and Win the Fight for Consumer Trust

Social media sites are fraught with fake accounts and imposter profiles aimed at scamming money from innocent users or promoting fake products in support of illegal businesses. These fake accounts, on Facebook and various dating sites, have defrauded tens of millions of dollars from consumers around the world.

Malicious actors using these methods don’t discriminate. There have been highly publicized reports of fake profiles targeted at single women. And in another example, former U.S. Army Colonel Bryan Denny found thousands of spoofed accounts using pictures of him over the course of two years.

Denny’s story is not unique. An analysis from the International Journal of Engineering Technology Science and Research estimates a significant portion of online dating profiles are fake accounts. The report noted, “It has been estimated that in every 10 online dating profiles at least one is accounted as fake, and per year more than $50 million is lost to romance scams.”

Trust is an important pillar in the foundation of any business’s relationship with its customers, especially among online businesses that are common targets of malicious threat actors (such as retailers and financial services institutions). It’s also fragile, dependent upon the security and responsibility with which the business interacts with its customers and the safety of the environment it provides. Successful scams carried out via false profiles can do significant harm to a business’s brand reputation and potentially irreparable damage to its trust relationship with consumers.

Maintaining trust with customers is one area where brick-and-mortar businesses have a leg up over online-only ones. Meeting a customer face-to-face provides an opportunity to confirm identity, and employees can ask for numerous forms of identification to eliminate suspicion. Online brands must find another way to establish the same proof of identity with every user. This is why multifactor authentication (MFA) is so important. MFA enables a safer, transparent customer and user experience. It allows a company to know who its customers are and reduce the incidence and risks of fake identities.

Fighting Fakes Online

All too often, sites fail to adequately verify user identities, leading to the commonly known and damaging practice of catfishing. Many find it surprising that more effort isn’t put into authenticating individuals when they are creating a user account, especially when so many controls are built into applications to protect against data entry errors. Most sites use CAPTCHA tests to distinguish humans from bots, but these steps don’t offer much protection when humans are entering deceptive information.

Some tools for fighting online deception have emerged, such as plagiarism-checking sites that can identify unusually similar text and reverse image-search services that check if a purported picture of a user is found elsewhere on the web. These are a step in the right direction, but do not sufficiently address the problem—especially for social sites designed to scale.

Proving Identity and Blocking Fake Accounts with MFA

MFA is the one solution that has consistently proven effective in proving user identity at scale. In many use cases, MFA adds an additional security control that a fraudulent user would have to bypass. It’s possible to guess someone’s password and it’s possible to steal someone’s phone (and know their device passcode) but it is much more difficult to do both. When one of the factors used to authenticate identities on social sites is a software token, a piece of data generated using a shared secret or one-time passcode sent to a mobile device, then an identity can be linked to a specific device with a unique identifier (e.g. a phone number).

Now consider how a scammer could be blocked from creating false identities. A catfisher creates an account on a dating site, using photos and personal details found on the web. The fake identity has a compelling story and the catfisher is ready to finish creating the account. He is then prompted to provide a second factor, such as a series of numbers sent to an SMS device. The first time the catfisher uses that number, he can fool the system. But once that identity is associated with that number, he won’t be able to use it for additional identities. Unless he has a cache of active mobile phones, it will be highly improbable to create additional fake identities. In this way, MFA blocks the threat actor’s ability to scale up this type of fraudulent operation. So, why don’t more sites use MFA to stop fraud before it starts?
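The registration flow described above can be sketched as follows. This is an added example, not code from the article or from any MFA provider; the `Registrar` class, the `PEPPER` key, the time limits and the phone numbers are constructed assumptions.

```python
import hashlib, hmac, secrets, time

# Constructed server-side key for keyed hashing of phone numbers (assumption).
PEPPER = secrets.token_bytes(32)
CODE_TTL = 300      # seconds a one-time code stays valid
MAX_ATTEMPTS = 3    # wrong guesses allowed per code

def phone_key(number: str) -> str:
    """Normalize to digits so '+1 (555) 010-0001' and '15550100001' collide,
    then keep only a keyed hash rather than the raw number."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return hmac.new(PEPPER, digits.encode(), hashlib.sha256).hexdigest()

class Registrar:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.bound = {}      # phone_key -> username (one number, one identity)
        self.pending = {}    # username -> [phone_key, code, expires, attempts]

    def start(self, username: str, number: str) -> str:
        key = phone_key(number)
        if key in self.bound:
            raise ValueError("phone number already bound to an account")
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = [key, code, self.clock() + CODE_TTL, 0]
        return code  # a real site hands this to its SMS provider instead

    def confirm(self, username: str, submitted: str) -> bool:
        entry = self.pending.get(username)
        if entry is None:
            return False
        key, code, expires, attempts = entry
        # Expired, locked out, or number claimed by another signup meanwhile.
        if self.clock() > expires or attempts >= MAX_ATTEMPTS or key in self.bound:
            del self.pending[username]
            return False
        # Constant-time comparison of the expected and submitted codes.
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            entry[3] += 1
            return False
        del self.pending[username]
        self.bound[key] = username
        return True
```

The second check in `confirm` matters when two signups are started with the same number before either is confirmed: only the first to confirm is bound.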

Some sites have been reluctant to implement MFA out of concern that it creates a barrier to entry for legitimate users, or because it can be difficult to implement. MFA services help with the latter concern, as they do the heavy lifting and eliminate the need for sites to set up and maintain their own MFA infrastructure. Still, consumer adoption is a valid consideration. If there are too many steps to create an account, users may give up on registering. But new approaches and best practices have streamlined the process and made it more user-friendly. Social sites can let users choose how to receive their one-time passcode, and today’s tools allow for that to happen in a variety of ways, such as via SMS or through an app. This provides user choice, so every customer can have an option that works best for their preferences.

Online brands can distinguish themselves from competitors by proving and maintaining consumer trust with MFA. With fewer false profiles and incidents of fraud, users can engage more authentically and more frequently, which in turn will reinforce a strong, vibrant online community.

Jean Shin

Jean Shin is tyntec’s Strategic Marketing Director. As a seasoned tech marketing strategist and editor, Jean excels in connecting key business insights with tech innovations to create greater value for all stakeholders. A transplant from New York, Jean now lives in Munich. Building on her 10 years of experience with Samsung’s DigitAll publication, she continues to cover the mobile industry.
