Voice of the Industry

Passkeys, cookies, and the fight against fraud

Monday 14 November 2022 09:09 CET | Editor: Raluca Ochiana | Voice of the industry

New authentication technologies are emerging from industry giants. Callsign’s Joe Micara examines their roles – and their weaknesses – in the fight against fraud.


Tackling fraud and scams is an ongoing challenge, often hindered by a reliance on older authentication approaches. Major tech industry players have been evolving measures to lessen that reliance, with Google taking a solid stance in reducing third-party cookies and Apple's Passkey technology aiming to remove the dependency on passwords.

These are the latest advances in a decades-long battle, and for businesses seeking to protect their customers, they are welcome innovations. However, these advances need to be evaluated as part of a more comprehensive defensive strategy that needs to be adaptive, responsive, and proactive.

The evolving struggle against fraud

It's worth looking back at how fraud and threat actors' tactics have evolved and how responses to them have also evolved.

Fraud was first tackled with IP-level intelligence to block IP addresses associated with fraudsters. Businesses bought bad IP range lists, lists of proxies, and so on. As technology grew to use things like dynamic IP addresses and fraudsters adopted proxies and VPNs, it became clear that IP intelligence alone could no longer solve the problem.

That led to a move towards browser-based detection using cookies to tag returning devices to accounts. But unfortunately, the industry had to innovate further when fraudsters stole those cookies to replay them and sidestep those controls. 

Those innovations included the rise of browser intelligence tools that looked at cookies and generated value from the metadata within the browsers themselves. For example, those tools would compare time and language settings on the browser to the geolocation of the user's IP address. 

Fraudsters switch their focus

As fraudsters continued to remodel their attacks, they developed specific software to evade detection. Applications such as Antidetect and FraudFox were designed to steal entire user browser fingerprints and replay them to evade anti-fraud solutions. Once again, the industry was forced to modernise, triggering the rollout of strong authentication and technologies that could ensure that the returning device was the expected device and couldn't be spoofed.

The effect of closing down fraudsters' attack vectors was that they began targeting users directly. Using tools such as remote access trojans (RATs), criminals could take control of the end user's device and bypass any strong authentication detection. As a result, even though it was still the genuine user's device, it was not the genuine user who was on the other end.

This highlighted a clear need for mechanisms to verify beyond the device and validate the individual user operating it. And these mechanisms have materialised, designed to provide certainty that the individual is who they claim to be. 

Out of band… and out of the safety zone

But even with the latest and most secure technologies in place, there will always be times when additional authentication is needed. Therein lies the problem: any security technology is only as strong as its weakest link, and one of the most common approaches used to verify users is also vulnerable.

Businesses will often step up to an out-of-band authenticator. One of them is SMS OTPs, a technology that had its genesis in the early 1980s and was never designed with security in mind. Unfortunately, criminals can easily bypass out-of-band OTPs, meaning that all of the hard work that's been done by businesses to keep their customers secure can come undone by one simple text message.

For businesses looking to stay ahead of the fraudsters, SMS OTPs are not an ideal solution. Apart from the security concerns, they are also far from ideal in terms of customer experience. They flip customers out of what may be an otherwise-smooth user journey or, in the case of the user having poor or no signal, fail altogether. 

Strong Customer Authentication

The drive for more robust defences has led to the development of Strong Customer Authentication (SCA) in the UK and similar regulations and guidelines in other territories. These include Reg E in the US – where there have also been moves to deprecate SMS OTPs – and the Digital Payment Security Controls published by the Reserve Bank of India (RBI).

Strong authentication is underpinned by a variety of technologies, including Passkeys and device identification. These are powerful assets in the fight against fraud, but not enough on their own. They form an approach that’s binary and deterministic; it solely tells us whether a given device is the expected device. That's not a complete defence against ever-changing fraud vectors. 

There is a technology that does provide the assurance organisations need, and it's seen widespread adoption: behavioural biometrics. Solutions such as Callsign's Muscle Memory Technology analyse how users interact with their devices and the individual applications and websites they browse. Combining this with advanced machine learning, device and location intelligence, this layered approach creates a mechanism for independently identifying both good and bad users in real time.

As users' behaviours change, the machine learning models also learn alongside these changes to build a detailed digital fingerprint of who the user is – regardless of the device they're using.

Changing the game

This alone represents a firebreak from the stimuli-response approaches that have dominated previous approaches to counter fraud. Rather than wait to see what new methods fraudsters evolve and formulate a defence, this approach allows businesses to adapt intelligently and shut them down.

Solutions such as Callsign allow an organisation to integrate new technologies as they evolve and finally begin to deprecate the older, analogue methods such as cookies, passwords, and SMS OTPs – replacing the weak links in the chain with strong ones.

In other words, they can finally be on the front foot in the fight against fraud. In a long struggle, the chance to pull ahead of the bad actors for the first time is a welcome opportunity.

About Joe Micara   

Joe Micara is Vice President of Sales, North America for Callsign. As well as holding key roles across sales leadership, delivery, and product, Joe has also been instrumental in opening up new markets in the cyber security industry. A top contributor, he has received numerous performance awards for his achievements. 



About Callsign

Callsign makes digital life smoother and safer by helping organisations establish and preserve digital trust so people can get on with their digital lives. The first true representation of identity online, Callsign positively identifies users by their unique characteristics, replicating real-life recognition signals with AI models. The only solution to identify people across every journey, channel, and brand, Callsign makes digital identification seamless and secure, helping drive business growth. 

Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: fraud prevention, online authentication, behavioural biometrics
Categories: Fraud & Financial Crime
Companies: Callsign
Countries: World
This article is part of category

Fraud & Financial Crime


Discover all the Company news on Callsign and other articles related to Callsign in The Paypers News, Reports, and insights on the payments and fintech industry: