When it comes to fraud, consumers will likely think of common threats like identity theft, credit card fraud, fraudulent bank transactions — the list goes on. However, cybercriminals are constantly evolving, and now online dating sites and applications are in the crosshairs. To be clear, fraud in online dating isn’t new — the term “catfishing” became mainstream following the 2010 documentary “Catfish.” However, recent data breaches have given fraudsters an excessive amount of personal identifiable information (PII) to be used in online dating scams. Furthermore, a 2016 study in Psychology Today found at least half of dating website users have lied about themselves in their profiles. Most are mild lies like weight and wealth, but some users are what would be called more severe “catfishers” and pretend to be someone they are not. Beyond catfishing, thousands of reports of stalking, rape, abductions, murders and physical attacks have emerged from dating sites. A study by Statistic Brain found that 10% of sex offenders use online dating to meet new people.
There is virtually no digital identity verification process when creating an online dating account to ensure the digital identity of the account holder matches the physical identity, nor an ongoing authentication process to ensure an online account is still being operated by the same person. Most dating apps verify through other apps such as Facebook, and it’s easy to create a fake Facebook profile. The hands of these companies are tied – the consumer expectation of a frictionless user experience is higher than ever, but companies must also be able to provide the best security available when creating the ideal user experience.
Data Breaches Have Made Impersonations Easier to Achieve
Roughly 7,500 dating websites exist globally, encompassing 35 million U.S. users. Following a year full of high-profile data breaches, a user’s PII is now more readily available for use by cybercriminals to conduct fraudulent attacks. A 2015 Ashley Madison breach exposed the data of some 37 million users. Last year, a scam took place in South Carolina in which prison inmates set up an extortion ring blackmailing members of the military by posing as underage women online and collected more than half a million dollars. It’s clear that the fraud-related risks of online dating are becoming more apparent and companies must adopt higher levels of security to protect their own ecosystem and customers.
The Cost of Online Dating Scams
Romance scams and similar scams cost consumers more than any other type of internet fraud, with consumers losing more than $230 million in 2016, according to the FBI. Businesses can expect this number to be much higher. Furthermore, online dating sites often facilitate in-person meetings between two people, and it’s an organization’s responsibility to make sure the people are who they claim to be online. As the consequences of online dating fraud escalate, businesses need to implement stronger means of user authentication for online dating sites in 2019. Companies must confidently ensure that people using an online dating app or service are who they claim to be — even after initial account creation. Online sites are trying to recruit as many accounts as possible to boost their numbers and aren’t willing to take the necessary precautions to verify that an account holder’s digital identity continues to match their physical identity. By establishing these standards of identity verification, site users will also benefit. If a user’s profile is 100% verified confirming they are who they claim to be, other users can feel safe interacting with the individual without fear of fraud. As more users become 100% verified, the site becomes safer for everyone to connect and interact. Users are also likely to spend more money on dating sites that have identity verification standards in place.
Leverage Biometrics to Deliver a Secure, Frictionless User Experience
Modern identity verification providers are now providing emerging methods of verification and face-based authentication with seamless user experience, and online dating sites need to follow suit. Consumers demand a frictionless experience when online. However, if companies continue to allow users to create accounts with only an email address or Facebook account, these scams will continue to happen. Because of the proliferation of data breaches taking place over recent years, traditional authentication methods such as knowledge-based authentication and SMS-based two-factor authentication are no longer approved by the National Institute of Standards and Technology — they are much easier for cybercriminals to bypass today.
Face-based biometric authentication with a strong liveness detection allows users to access their account through a selfie. Each time a user logs in a new selfie is compared with the original selfie created upon enrollment to ensure only the true user is accessing the account. Liveness detection is also applied to ensure the user is physically present when creating the account and logging in. This is not only more convenient for consumers than traditional methods, but it is also much more secure. The biometric data combined with liveness detection cannot be hacked or duplicated. Even if a device is stolen, the data on the device will remain secure. Just as important, facial biometrics offer a simple one-step solution to the problem of remembering a vast array of PIN codes and passwords. Online dating companies that don’t consider adopting this technology in the future may experience significant losses in both active users, revenue and reputation.
Biometric authentication and identity verification are changing the way consumers interact in the digital world – whether it’s to unlock a smartphone, check-in for a flight or verify a highly sensitive financial transaction is being made by the real user. As this technology continues to evolve and gain momentum, it is critical for online dating companies to do the same to protect consumers with the security they demand, while also providing the convenience they expect.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.