Confirm Co-founder on Confirming Identity, An Art And Science

Data breaches are so commonplace, might we have become immune to the news of more credentials hacked, more identities stolen? The latest salvo has been one fired by hackers at Amazon Marketplace, a marquee name if ever there was one. As noted, well, just about everywhere, sellers on the third-party marketplace lost tens of thousands of dollars each.

In an age where credentials are lifted and bartered and sold like the currencies hackers target themselves, the concept of anti-fraud efforts revolves around a simple idea: to make sure that the person being done business with is who they say they are in the first place.

Hence a very timely Data Drivers this past Monday, where PYMNTS’ Karen Webster discussed the thorny practice of digital identification, done speedily and well, with Confirm.io’s Co-Founder, Robert Geiman.

People can confuse, said Geiman, “what is a regulatory requirement and what are sound business practices. And I think a lot of that has come with how business has changed … moving more and more transactions,” which run the gamut from opening a bank account to transferring money, or even paying a babysitter through an online service.

The transactions go deeper than just the exchange of money and move toward meeting and inviting people into one’s life.

Initial enrollments may happen online, added the executive, where regulatory hurdles must be leapt, for identity verification, at the front end.

“But then you’ve got a problem, because in addition to that person being enrolled and meeting some sort of ‘know your customer’ regulation at the time of enrollment, that person is also likely to do all their transaction online going downstream … If you get the identity wrong at enrollment, you just created a problem downstream, and that is where identity authentication becomes more important.”

Data Point One: One Billion Plus.

Emphasis on the plus, as Webster noted. This is the reported number of accounts compromised just at Yahoo alone over the last several years. Of course, there have been many other breaches, spanning Anthem healthcare to government agencies. There are lots of credentials floating around the dark web, and “there were over four billion identities breached in 2016,” noted the executive.

The reason Yahoo was targeted, said Geiman, was because bad guys wanted to get the answer to knowledge-based questions. “Those same answers are the answers that most of the major banks use, most of the major credit cards use …” and so that initial discovery — of say, a mother’s maiden name gleaned from Yahoo — can be used to wreak real havoc.

Against the theft of that data, heads have rolled and high level executives have been fired, said Geiman.  Thus, security of data becomes top of mind within a firm.

“If you are not a technology person and you are running a large company,” he said, “it is an unknown thing to you. It is a scary thing to you.”

Data Point Two: 200 million. 

That’s the number of credentials — specifically identity credentials — in circulation in the United States alone. That’s a lot of data at risk for compromise, said Geiman.

There are two problems with digital identity credentials, said the executive, with the first centered on the fact that “it’s great that … you can transact so easily. You can get a lot of things accomplished in life online.  But there is a cost. You have to give information about yourself to get services. Hackers figure that, once getting in at that initial point, they are able to get into 150 different online services.”

Where does that traditional credential come from? Credentials can be issued, he said, “but they have to tie back to something that we trust.” He noted that Confirm’s credentials tie into government documents, where “for identity credentials to be really strong they need to be issued by lots of people, and they need to be, as much as possible, shared, without tying back to the individual.”

In other words, a single piece of information or credential, if tokenized (and this is an endeavor Confirm embraces), is useless unless it is combined with a ream of other data.

Data Point Three: 80 Percent. 

The third data point is the percent of social logins to third party sites — that is, a merchant or a content site — that Google and Facebook represent. This might, as Webster posited, “imply that consumers are done with passwords” and want to employ these social media sites as a springboard toward getting to their destinations or transactions.

With corporate clients, said Geiman, his firm is often “talking to the security group,” which focuses on technology and authentication, or they are talking to the product group, where the focus is on “protecting the consumer experience.”

“This is the challenge that the online world is going to face in perpetuity,” he stated. A lot of consumers hate two-factor authentications, he said, and a lot of people turn them off. There is also suspicion of just how secure some data might be, such as someone’s mother’s maiden name.

For Confirm, the company’s customers are various service purveyors. The identification process comes as an end user is asked to take a picture in front of, and with, a certain government-issued document, “and we will form-fill the data” with the rest of that application, “and behind the scenes we are authenticating that the document is real. One of the goals is to ascertain that the person who took the picture is the same person who is in the document, while also confirming, for example, that the information in the document matches the information on the phone. While you are finishing the application, we are doing the authentication,” he said.

And even so, he noted, as some industry watchers and participants would desire an industry-wide standard across authentication, “there is no silver bullet,” Geiman cautioned. Payments remains an ecosystem that demands multiple systems in place to guard against fraud.

“The system has to evolve,” he said, “because the adversary keeps evolving.”