Online fraud is fluid. It is fast. It is dangerous and ever-evolving. And fighting that fraud must be fluid, too, ever-evolving, and preemptive when possible.
Easier said than done.
The goal for enterprises, from retail to health care, is to validate identities in real time, even as transactions are taking place. With the emergence of mobile and the continued push by payments as an activity into the digital realm, companies must balance customer service and security. At times, one might be served to the detriment of the other. Abandon security with an eye only on the consumer experience, and dangers increase to crucial data. Keep too stringent an eye on security, and vulnerabilities may prove all too tempting for hackers.
In a presentation before Innovation Project 2017, IDology CEO John Dancu delved into the need for multilayered identity verification as an effective front against fraudsters and in separate conversations with PYMNTS noted the ways that establishing a robust and persistent identity can create a better experience for consumers and merchants alike.
Dancu told PYMNTS that identity verification should be “invisible and dynamic,” which in turn helps the relationship between firms and the individuals they serve. And as commerce skews increasingly mobile, said Dancu (and thus transactions are not done in person, where he stated that “historically … all you had to do was show up with a driver’s license [or ID] to do a transaction”), there is a growing “need to prove that the customer is who they say they are, but you don’t want to do it in a way that causes friction” at the moment of interaction.
Should friction be in the offing, then consumers will abandon a purchase right at the very end, leaving the shopping cart, virtual or tangible, right at the point of checkout.
The executive stated that there is also the need for higher levels of authentication or additional levels of attributes that define that “this is a legitimate person who wants to do business with you” and that IDology “realized years ago that there are other factors that are needed to corroborate” identity.
Those factors, he said, can extend across activity gleaned from online sources, affirmation of location or even device-level attributes. In the case of the latter, Dancu stated that levels of trust for a person’s identity can be based on granular data that can be tied to, say, a cell phone. An example here would be the length of time a person has been with a carrier or even with a certain number or how much of a geographic range they may be away from a central location or address. Such data helps provide additional levels of assurance.
All of this, collected on IDology’s anti-fraud platform, helps in an age when the fraudsters are dynamic (and thus defenses must be dynamic). Dancu walked PYMNTS through the way people operating across the dark web have been able to create “synthetic identities” that go beyond the pieces of information that might be limited to piecemeal points such as Social Security numbers or names. The synthetic identity is one that is built off one piece of information, with others (that may not be for the same person) combined, to create a whole new persona. Thus a Social Security number can be combined with a different name or a different date of birth. The synthetic ID, Dancu explained, is then used to open up a credit file and, through weeks, months or years, acquires and expands a history of credit use (and fraud). It can take four to five months or longer to recover from such fraud. Children are especially at risk, as their Social Security numbers are 51 times more likely than adults’ to be co-opted and used in building a fraudulent synthetic identity.
That, Dancu told PYMNTS, means fraud can follow an individual for decades, Carnegie Mellon’s Cylab has estimated. And writ large, the Federal Trade Commission has said that synthetic identity theft makes up as much as 85 percent of the 16 million ID thefts that occur annually.
Thus the need for the multilayered examination of attributes, said Dancu, along with participation in networks that focus on fraud driven across mobile conduits, especially as malfeasance can get a boost with recycled mobile phone numbers, SIM card fraud and SMS intercepts. Robust mobile protection also is needed as millennials increasingly virtually live on their phones.
For IDology, and for the process of authentication at large, mobile network data gleaned from operators is a valuable resource as fraudsters step up their efforts to piggyback off digital devices. Dancu told PYMNTS that his firm will be announcing new efforts tied to mobile identity verification in a matter of weeks.