3 Seismic Fraud Shifts in 2024: Takeaways from Identity Week
Last month, the NeuroID team and I were in Washington, D.C. for Identity Week. It was great to catch up with others in the industry, meet some new faces, and, most of all, learn what’s on the minds of leaders and strategists in the fraud space as we march toward the end of 2024.
This wasn’t our first Identity Week rodeo, and one of the most interesting things to see was how trends and talking points have shifted since last year. While 2023’s conference focused on expanding the U.S.’s digital identity infrastructure, Identity Week 2024 was all about fortifying the gaps that exist within it and adapting to new threats. Fraudsters’ quick evolution has created new challenges for fraud and identity professionals, and experts kept returning to these three big shifts when discussing how the identity landscape has changed in 2024:
Shift #1: Fraudsters are Winning in More Ways
Historically, fraudsters attacking businesses had one clear goal: break through a business’s onboarding defenses and take as much money as possible before being shut out. Success was binary—either they succeeded or they didn’t. Those straightforward attacks are still a priority, but Identity Week’s discussions underscored that fraudsters are now diversifying their strategies—and winning in more ways than one.
First, fraudsters aren’t relying as much on immediate-value, in-and-out attacks. With next-generation bots and advanced synthetic identities, today’s fraudsters have the tools to fly under the radar when opening fraudulent accounts. Those accounts can be used to test a target’s defenses ahead of a larger attack, or lie undetected for months before striking at the most opportune time. These strategies can take weeks or months to fully play out, but the potential for larger, more productive attacks makes them well worth the wait.
But it’s not just about direct attacks anymore. Experts at Identity Week highlighted how fraudsters are deploying their bot armies for large-scale data scraping, validating email addresses and other account information, then listing the verified data for sale on the dark web. With a single verified email account selling for well over $100 on digital black markets, it’s a lucrative business for fraudsters. In these attacks, there’s no immediate loss for businesses, but the reputational repercussions of a data breach are enough to raise red flags when an attack may be underway.
Shift #2: The Growth of Passkeys (and a Big Problem Still to Solve)
Passkeys were one of the hottest topics at the conference. Because they rely on connecting a private, device-based key to a server-housed public key, passkeys are a great way to protect accounts. It’s a major reason why companies like Apple and Google have prioritized getting passkeys in front of consumers over the past few months.
Identity Week experts agreed that passkeys are more secure and convenient than traditional passwords and OTPs, but one big question remained: what happens when the key-holding device is compromised? If a device is stolen or sold without being properly reset, the private key remains intact, meaning the device’s new holder can access accounts that don’t belong to them.
Right now, passkey providers rely on physical biometrics to verify that the person holding a device is truly the one who was granted a passkey, requiring a fingerprint or face scan to “unlock” the device-based key. It’s an effective but privacy-intensive approach that requires the storage of loads of personal data, and it also poses a major hurdle for less tech-savvy users who aren’t familiar with digital biometrics.
The alternative is behavioral analytics recognition, which compares data entry patterns across sessions associated with a user ID. If a login attempt doesn’t align with how a user historically types, swipes, and interacts with the login form, it could be a sign that another person is accessing the device. That information can prevent a login attempt, even if the device-side passkey is verified.
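As an added illustration of the layered check described above (not NeuroID's method or code), the sketch below compares one login's typing rhythm with earlier sessions for the same user ID and can refuse the login even though the passkey verified. The feature choice (inter-key intervals in milliseconds), the threshold, the "step_up" outcome and all sample values are assumptions constructed for this example.

```python
from statistics import mean, stdev

# Constructed sample data: inter-key intervals (ms) recorded on the login
# form in earlier sessions for one user ID. Names and values are hypothetical.
HISTORY = [
    [112, 98, 130, 105, 121, 99, 117],
    [108, 101, 126, 110, 118, 95, 122],
    [115, 94, 133, 102, 125, 103, 114],
]
Z_THRESHOLD = 3.0   # assumed cut-off; a real system would tune this
MIN_SESSIONS = 3    # with less history there is no behavioral verdict


def session_features(intervals):
    """Summarise one session as (mean interval, spread of intervals)."""
    return mean(intervals), stdev(intervals)


def behavior_score(history, current):
    """Largest z-score of the current session's features against history."""
    if len(history) < MIN_SESSIONS or len(current) < 2:
        return None  # not enough data to compare
    past = [session_features(s) for s in history]
    now = session_features(current)
    score = 0.0
    for i, value in enumerate(now):
        column = [p[i] for p in past]
        spread = stdev(column) or 1.0  # identical history: avoid dividing by 0
        score = max(score, abs(value - mean(column)) / spread)
    return score


def login_decision(passkey_verified, history, current):
    """Layer the behavioral comparison on top of the passkey result."""
    if not passkey_verified:
        return "deny"
    score = behavior_score(history, current)
    if score is None:
        return "step_up"  # no baseline yet: ask for another factor
    return "allow" if score <= Z_THRESHOLD else "deny"
```

With only a handful of sessions the baseline is tight, so a deployed system would need far more history and more features before acting on a single score.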
Shift #3: The End of Single-Layered Point Solutions
This one is nothing new. Modern fraudsters can easily bypass single-layer defenses, necessitating a comprehensive, multi-layered strategy that can triangulate multiple sources of information to determine risk. After over a year of headlines about the challenge of stopping genAI-powered fraud, you’d be hard-pressed to find a fraud and identity expert who doesn’t agree on the importance of multi-layered fraud detection.
The challenge? Many businesses, especially larger ones with more complicated implementation processes, can’t upgrade their stack fast enough to keep up with the rapidly accelerating fraud arms race. Some that we heard from at Identity Week are still relying on community reporting, CAPTCHAs, and knowledge-based authentication (KBA) to keep fraudsters at bay. Fraudsters are only going to become more active as we approach the high-risk winter months, so, for those businesses, now is the time to get the ball rolling on implementing new solutions.
There’s a major opportunity for smaller, more agile businesses, too: while larger businesses work through their maze of implementation requirements and reviews, smaller businesses can move quickly to implement more secure, seamless security solutions that can set them apart from the competition in 2025.
Identity Week was a great way to recap many of the trends we’ve been discussing throughout 2024. If you didn’t get a chance to see us at the show, I’d still love to chat—set up a call with us to talk more about how behavioral analytics can protect your business from today’s fraud threats.