Research Findings

Survey helps begin conversation on using biometrics to deter financial aid fraud

In May of 2016, the U.S. Department of Education (DOE) stated that it “seek[s] not only to protect Federal student aid funds from waste, fraud, and abuse, but also to protect the interests of the next generation of our nation’s leaders—America’s students.” The DOE also reported a “continuing commitment to promoting accountability, efficiency, and effectiveness” in the same report. (See pages 13 and 1 of the Semiannual Report to Congress, No. 72.)

U.S. DOE audits in 2015 revealed that organizations such as the Higher Learning Commission “did not establish a system of internal control that provided reasonable assurance.” (See page 1 of the Semiannual Report to Congress, No. 71.)

The DOE “disburses about $150 billion in student aid annually and manages an outstanding loan portfolio of $1.2 trillion … [making this] one of the largest financial institutions in the country,” according to the 2016 semiannual report to Congress, page 13. In both of these reports, the DOE reports example after example of lack of protection from fraud, waste and abuse. The need for auditors who are Certified Fraud Examiners and strong internal accounting leaders who are Certified Management Accountants is clear.

Biometric examples

Touch identification (ID) technology, as used on the iPhone and iPad, has made biometric ID an everyday reality for many. The advertisements for Touch ID illustrate purchases and protection of assets using a thumb and/or fingerprint. Apple says, “Touch ID can read multiple fingerprints, and it can read fingerprints in 360-degrees of orientation. It then creates a mathematical representation of your fingerprint and compares this to your enrolled fingerprint data to identify a match and unlock your device.” (See About Touch ID advanced security technology, Apple.)

New and different concepts can cause fear or hesitancy. However, biometric ID is no longer new and different; it's proved efficient, effective and secure. The technology is part of everyday life for those younger than the baby-boom generation and probably for most baby boomers. See sidebar.

Ethical concerns

The medical field is concerned that eventually medical information might be connected to biometric IDs, and if others can steal victims’ fingerprints they’d have access to medical records. (See the paper, How Do Violations of Privacy and Moral Autonomy Threaten the Basis of Our Democracy? by Katrin Laas-Mikko and Margit Sutrop, 2012, Trames: A Journal of the Humanities and Social Sciences, 16(4), 369-381.)

We must seriously consider ethical dilemmas that biometrics raise globally. However, along with the dubious effects, we might see encouraging benefits. Biometric technology might eliminate financial fraud altogether. A financial aid applicant might eventually have to give not only their fingerprints but also a voice authorization, a palm scan and a retinal scan, plus a password. We’ve yet to discover data on the use of biometrics with financial aid applications, but we anticipate eventually finding it.

Glenn Fleishman, a senior contributor for Macworld, reported that Touch ID “rules are in place ostensibly to prevent compelling or coercing someone to provide a fingerprint, raising the bar to demanding or cracking a passcode instead.” Touch ID can also be used for mortgage and credit card applications. (See New Touch ID rules: Why you have to enter your passcode when you wake up, by Glenn Fleishman, Macworld, May 18, 2016.)

Survey results

We administered our survey on biometrics for deterring education-related financial aid fraud in January 2017 with SurveyMonkey. We invited 1,194 U.S. college graduates from the SurveyMonkey.com database to complete the survey under the assumption that they might have a greater awareness of the financial aid application and distribution process.

None of the respondents were under the age of 18, 15.9 percent were between the ages of 18 and 29, 29.3 percent were between the ages of 30 and 44, and 27.9 percent were between the ages of 45 and 59. Respondents who were 60 or older were 26.8 percent. A total of 52.4 percent were female, and 47.6 percent were male. A total of 23.3 percent had a household income of less than $50,000, 31.7 percent had a household income of $50,000 to $99,999 and 45 percent earned $100,000 or more. The diverse respondents were distributed evenly in all U.S. regions.

A total of 67.7 percent of the respondents had experience using biometrics; only 32.5 percent had never used biometrics. Of the 87 people posting comments, several said they used biometrics to clock in for work.

Several said they used biometrics at Disney parks but didn’t specify how. Many had to use voice recognition at financial institutions. Several respondents said they had to use biometrics for medical and travel reasons. A total of 44.9 percent used biometrics with their smartphones, and 33.1 percent had to use biometrics during background checks. A total of 61.6 percent believed using biometrics to deter financial aid fraud was a good idea, 23 percent thought that it was a bad idea and 15.5 percent checked “other” without commenting. Thirty-one percent indicated that biometrics shouldn’t be used at all in the federal student aid process.

A total of 583 of the 1,194 respondents, or 48.8 percent, wrote comments in a reserved space on the survey. Forty-five percent showed strong support for biometrics use, 40 percent gave strong statements opposing the use of biometrics for any purpose because it would be an invasion of privacy and 15 percent gave neutral comments.

This preliminary survey helps begin the conversation on whether higher-education institutions and other organizations will use biometrics to deter financial aid fraud. More research is needed. In the meantime, fraud examiners, forensic accountants and forensic auditors can play a significant role in establishing and continuously developing strong internal control systems for effective and efficient asset and identity protection.

Dahli Gray, DBA, CFE, CPA, CGMA, is a professor with the graduate school of Keiser University. Her email address is: DGray@KeiserUniversity.edu.

John Tahlier is an accounting analyst at Verizon. His email address is: jptahlier1@msn.com.


When a user starts to interact with any information system, they’re required to provide an identifier (e.g., a username, employee number or account number), and the system must recognize the user attempting to access a resource. The user’s identifier should be unique, unlikely to change and need not be kept secret. Thus, employees shouldn’t have the same type of usernames because it makes it easier for an attacker to spoof or log in using an employee’s information.

In addition to being used during processing for authorization controls, the identifier can be used for variance detection and for other purposes, such as accounting and billing.

Authentication

Once a user is identified, they must be authenticated. Three primary considerations are associated with user authentication:

  • A user must be prevented from fooling the computer system into thinking they’re someone else. (False positive verification must be avoided.)
  • The computer system must accept an accurate user identity. (False negative verification must be avoided.)
  • Verification procedures must be easy for users to comply with.

Organizations use three primary methods of authentication:

  • Something the user knows (e.g., a secret password).
  • Something the user has (e.g., a magnetic stripe card or smart card).
  • Something the user is (e.g., biometrics information).

Ideally, the authentication process requires the user to comply with at least two of the three methods above — a strategy known as two-factor authentication — to gain access to the system. In reality, however, most organizations with medium-security requirements still depend solely on re-usable passwords.

Excerpted from the 2018 Fraud Examiners Manual, 1.1451, 1.1452
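
The sidebar's two false-verification considerations and its two-of-three-methods rule, worked through as an added example (not part of the article or the Fraud Examiners Manual). The similarity scores, thresholds and evidence labels are constructed assumptions, not values from any real biometric matcher.

```python
from dataclasses import dataclass

KNOWS, HAS, IS = "knows", "has", "is"  # the sidebar's three method categories

@dataclass(frozen=True)
class Evidence:
    kind: str        # hypothetical label, e.g. "password", "fingerprint"
    category: str    # KNOWS, HAS or IS
    verified: bool   # outcome of that method's own check

def error_rates(genuine, impostor, threshold):
    """(false-accept rate, false-reject rate) when scores >= threshold match."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def fingerprint(score, threshold):
    """Turn a matcher similarity score into evidence in the IS category."""
    return Evidence("fingerprint", IS, score >= threshold)

def is_two_factor(evidence):
    """True only if verified evidence spans at least two distinct categories."""
    return len({e.category for e in evidence if e.verified}) >= 2

# Constructed similarity scores (0..1), not measurements from any real matcher.
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.67, 0.84, 0.73, 0.90]   # rightful user
IMPOSTOR = [0.12, 0.35, 0.48, 0.71, 0.22, 0.55, 0.30, 0.64]  # someone else

if __name__ == "__main__":
    for t in (0.5, 0.7, 0.8):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t}: false accepts {far:.3f}, false rejects {frr:.3f}")
    password = Evidence("password", KNOWS, True)
    pin = Evidence("pin", KNOWS, True)
    # Two secrets are still one factor; a password plus a fingerprint is two.
    print(is_two_factor([password, pin]))
    print(is_two_factor([password, fingerprint(0.84, 0.8)]))
    # A strict threshold rejects this genuine 0.79 sample, so login falls short.
    print(is_two_factor([password, fingerprint(0.79, 0.8)]))
```

Raising the threshold trades false accepts for false rejects, which is the tension between the sidebar's first two considerations and its third, ease of compliance.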
