To take a line from the Queen of Soul, Aretha Franklin: Every chain has got a weak link. When it comes to the bond between consumer and financial services, no doubt the relationship is a bit, well, frayed in the age of data breaches and the Dark Web. How, then, to build a “chain of trust” — one that endures, aided by technology, and one that helps financial institutions (FIs) ensure that the people on the end of the transactions are who they claim to be?
In the latest Data Drivers, Karen Webster and Philipp Pointner, chief product officer at Jumio, delved into some scary data points surrounding those aforementioned breaches. The numbers are sobering in scale and scope, enough to make one wonder if anyone is truly safe from the bad guys. Then again, according to the executive, there’s hope — if one looks past the scary numbers and faces them head on.
Data Point One: 1.4 Billion
This is the number of consumer records exposed on the black market, a tally from the past year. This data is not merely exposed: Now, that billion-plus number is floating around on the digital black markets, ripe for the plucking. Beyond the static number, said Pointner, a trend is afoot, one where large institutions are hacked, time and again, and where the data leaks out.
He said, “As an individual, you have to assume your data is already compromised,” so much so that all identity proofing solutions that rely on static knowledge about a person have been rendered invalid.
Data Point Two: 90 Percent
However, complacency seems to reign, as Webster and Pointner discussed, and as rendered by this second data point, which is the percentage of consumers comfortable with simply answering knowledge-based questions when it comes to proving their identity.
With only a bit of tongue-in-cheek, the question becomes: With all the data bobbing on the Dark Web’s waves (and with most of us stretching our memories to remember, say, just what the make and model of our first car was 20 years ago), might the bad guys be more comfortable with those questions than we might be? Amid the complacency, said Pointner, the consumers expect the banks and FIs themselves to be the guardians of the aforementioned data.
“They trust that the institution has done their homework and is applying state-of-the-art security,” he told Webster.
Yet, it is the financial services industry, he remarked, that knows there must be new and robust alternatives to knowledge-based authentication (KBA) in the offing.
“I have not had a single conversation where there was an advocacy for keeping KBA in place,” he told Webster, noting that “the pace at which we are moving away from those solutions is disappointing. But I think that the industry agrees that that has no future.”
This comes against the backdrop where people are knowledgeable about the records being taken — and may be surprised at the sheer number of data points that are out there for the taking. But there’s a difference between the recognition that something has happened to someone else … and how it might affect one personally.
As Pointner said, “There is not enough understanding yet about how tough it can get when, really, someone compromises your data.”
Data Point Three: 68 Percent
To get a sense of how lax some corners of the financial realm might be when it comes to protecting data and knowing who is on the other end of a transaction (i.e., that someone is who they say they are), that 68 percent is the share of cryptocurrency exchanges that have little to nothing in the way of Know Your Customer (KYC) protocols in place. A sobering stat, perhaps, but Pointner cautioned: Don’t be misled.
“I think it’s maybe a bit of the long tail,” he said. “The big institutions that are here to stay, and have been here for a long time, absolutely know what they are doing.”
He predicted that the gold rush — and the frenzy that is and has been the hallmark of crypto land — will shake out, leading more established players to keep their stakes in the ground.
Data Point Four: 12 Percent
Against the larger backdrop (against the data breaches, the lax cryptos and the questioned-based authentication efforts), what remains is a bit of a surprise. Shall we assume that this 12 percent growth rate, as noted above, is the annual pace of the overall digital security market through the next few years to 2020?
Nope — Pointner said the pace will likely be quickened quite a bit from that low, double-digit compound annual growth rate (CAGR), which was noted in Digital Journal. That’s because, he stated, the digital transformation of financial services is one of the biggest opportunities of the next 10 years.
Where We Are Now
If FIs and banks know that the old ways of authentication are not enough, he noted, a shift in thinking is needed, one that focuses on how these firms can maintain the security of the consumer — not just transaction by transaction, but through the entire lifecycle of the relationship.
In other words, it’s not just about onboarding. Real security and authentication lie with vigilance when consumers close accounts or shift money, all while creating a seamless experience throughout that aforementioned lifecycle.
The holistic approach, said Pointner, is one born from the two groups that dominate FIs today.
There are the challenger banks, he said, which “are born digital and tie [security and authentication] into the entire concept of the services they provide, indeed, where security is a starting point.” Then there are the traditional FIs, which have been obsessed (a tad too much, perhaps) with the onboarding process. These firms have difficulties in transitioning in-branch processes of consistently reverifying consumers down the line into their digital operations.
There is reason to be sanguine, however, as Pointner told Webster. Both types of firms, challenger and stalwart alike, have been able to create what he called “a successful ‘wow’ experience for consumers that also fulfil the security requirements. As you see the first banks doing this successfully, the others are going to follow.”
Where We Are Headed
Writ large, from the consumer point of view, FI authentication efforts have to be easy to understand, and can be directives that people can satisfy conveniently sitting at home on their sofas. The consumer has to trust the method and be happy to engage with it. Biometrics will play a role, as Apple ID has brought many consumers face to face with Face ID.
Work still needs to be done, the CPO noted. There is no continuous chain of trust from the account opening, the establishment of the identity, the enrollment of the biometric and the firm’s attempts at authentication down the line.
Thus, the salve, Pointner offered: A combination of biometrics and government-issued IDs.
“With ID proofing and biometrics in combination, a lot of these problems could be solved,” he told Webster, speaking of the efforts to thwart the bad guys and build that chain of trust, link by link. “Our approach [at Jumio] is that there is really only one route certificate of identity, and that is a possible identity card that the government has issued … those cards and little books were designed to be checked and they can be visually inspected.”
The levels of authentication can be adjusted, depending on the products that consumers are signing up for, whether transactions are being done across currencies or borders. Of course, there are telltale signs that come with, say, different devices being used for mobile transactions on different continents.
The FIs, aided by machine learning in their verification efforts, have potent weapons in the arsenal. As the risk engines become smarter, the banks can uncover constellations of activities that humans wouldn’t notice, ultimately ferreting out fraud before it is too late.
In the end, yes, the data is out there, numbering in billions of records. However, as Pointner noted, more sobering stats are likely to come our way. Maybe, just maybe, those scary numbers need not be so frightful. The best approach is one that moves forward, he told Webster, seeking the right level of identity proofing.
He said, “We need to work with this, embrace it and not have [our] heads in the sand.”