As John Dancu, President and CEO of IDology, recently discussed with MPD CEO Karen Webster, it’s not as easy to maintain a consistent user identity on a mobile device as it is on a laptop, because elements of mobile phone ownership — the carrier, the SIM card, the device itself — are regularly in flux.
IDology has launched a security and identity verification solution — ExpectID Mobile — to address the inherently transitional nature of mobile device ownership and use while keeping consumers and merchants alike safe from fraud.
KW: You describe ExpectID Mobile as being a very reliable way of establishing a persistent mobile identity that is really resistant to fraud, helping consumers and merchants streamline transactions in a safer and more secure environment. How do you do it?
JD: Although mobile commerce is accelerating, security on mobile devices is different than it is on a laptop. With some of our customers, there’s a hesitancy to move to mobile because of concerns about that.
On a laptop, it’s easy to monitor transaction activity; there are multiple ways of doing it. One way is device fingerprinting, and you can keep your laptop for a long period of time — probably three or four years.
The challenge with mobile is that there’s lots of frequent change events involved: maybe you’re changing your carrier, upgrading your phone, swapping your SIM card … there are all these events that basically eliminate fingerprints relative to activity. So you need to have the ability to establish persistence, and move that persistent identity through those lifecycle change events. That’s, in essence, what ExpectID Mobile does.
We look at several factors in order to pull together what we call a “persistent identity.”
It takes information from the carriers, combines it with device and identity data and access to our collaborative network, in order to establish a persistent mobile identity attached to a consumer. When a user makes a change event — maybe switches carriers — that persistent identity moves with it. You don’t lose that activity relative to the customer, and the neat thing about it is, neither does the customer himself.
It essentially establishes a second-factor authentication on the phone. There’s nothing put on the phone — there are no tokens; it’s all done on a real-time basis with those three components that we look at. And, when the consumer returns to the mobile application, they no longer have to input a user name or password, making the entire experience more user-friendly.
It’s going to catch fraud, but it also makes ease of use a whole lot better for the end user.
KW: Is this something that you have to monitor on an ongoing basis? How do you keep up with the changes that consumers make with relation to their mobile identity?
JD: That’s a good question.
We have access to those change events. In fact, the beauty of our relationship with Payfone — who is a key partner of ours — is that they have historical data going back to 2009. We can actually track a relationship for a very long period of time. It helps us, again, with stopping fraud, but also with giving access to legitimate users.
If we know they’ve had a relationship over five years through this series of change events, it’s going to make us a lot more confident with respect to their legitimacy.
KW: How does the addition of biometrics on devices help increase that confidence level, and how does it factor into your ExpectID Mobile solution?
JD: Another good question. What we want to do is minimize any type of friction that’s occurring in a transaction, whether that’s opening a new mobile-based account, accessing an existing account or performing high value or high-risk transactions on a mobile device.
When you add friction — whether it’s taking a picture of your face, swiping on your phone — those are additional events that the end user has to perform. The beauty of the ExpectID Mobile solution is that the end user doesn’t have to do anything; it all happens within the coordination of the device, the network, and the carrier, and the persistence emerges.
I think biometrics are good; from the standpoint of fraud protection, the more layers, the better. But still the best thing to do is be able to validate people without any friction at all. And, then have the ability to escalate to higher levels of verification based on an individual’s risk profile as well as an organization’s own business rules.
KW: You mention layers, and I know that this is one piece of a portfolio of solutions that you have in creating a fraud-free environment for consumers and merchants. How does this fit with everything else that you’re doing?
JD: Let’s say a customer is signing up for a prepaid card on a mobile device. They put in their information and Step 1, validating that customer — determining that they are who they say they are, and that there are no fraud flags — is a pretty normal transaction for IDology.
Step 2 is we bind the phone, to establish the mobile identity for that consumer. And doing that expands the platform. Now, every time that person comes back to complete a mobile transaction within that application, that’s a transaction that IDology can assist with. And, as we mentioned before, this mobile identity is persistent and travels with the consumer from device to device and carrier to carrier, and more.
What we’ve done is combine ID verification or authentication for account opening with being able to establish this persistence on the phone or mobile device, and then transaction monitoring moving forward.
It really moves us into a new segment beyond identity authentication.
KW: That’s interesting because, when you bind the phone to the funding source, you are in fact authenticating not only the person but also the source. So it’s sort of a double security layer.
JD: It is. And the beauty of this tool is, again, the ease of use that it gives legitimate customers, but it also stops a whole lot of fraud.
If a customer is doing a transaction on a phone that’s high risk — say they’re changing their ACH account or they’re going to send a large amount of money — through ExpectID Mobile, we have the opportunity on a real-time basis to check those change events. If the customer’s activity is out of band from what they’ve historically done, we can immediately take a look to see if the device has been reported stolen, or the SIM card has recently been switched out, or if the number has been changed.
We can flag any behavior that gives us pause, and possibly move the customer to a higher level of authentication so the transaction can be approved.
Account takeover on the mobile side has grown dramatically, and there are very sophisticated maneuvers in which fraudsters engage in that regard.
KW: There’s a double-edge in enabling a real-time transfer, because that’s irrevocable. Having the kind of safeguards in place that you just described may give everyone involved — issuers, consumers, and other third parties — a little more assurance.
JD: You’ve pretty much just described why we did this.
The fact that we can check a relationship and determine that a customer has had a mobile identity that’s gone through change events over the last four years, that gives you a higher confidence level in being able to complete that real-time transaction.
If we check a transaction and we realize that the phone is prepaid and was opened within the last seven days, that could give a company pause.
KW: Regarding the data elements that you have available in creating these persistent identities, are there other uses for it that you’re either completing or currently doing?
JD: Carrier data tends to be very current data, and there are other things that we can do with it.
For one, with the new interpretation of the TCPA regulations about phone solicitations, we’re able to help in that regard by verifying that a phone number is still tied to a specific individual. It’s become a big regulatory issue, ensuring that when you dial someone or send them a one-time pass code you’re not spamming them.
It’s a different product, but the ability of the ExpectID Mobile solution to establish persistence on the phone and check that persistence can replace one-time pass codes.
John Dancu, President & CEO, IDology
John has served as President and CEO of IDology since 2005. During this time, IDology has grown to be a leading provider of identity verification and fraud prevention solutions in the financial services, merchant processing, payments, retail, healthcare and other markets. Through John’s leadership, IDology is recognized for its leading edge innovation in the identity space and provides its customers, including numerous Fortune 500 companies, with unparalleled service and domain expertise. John is a serial entrepreneur having previously guided Synchrologic (mobile enterprise infrastructure software), NetZip (consumer compression and downloading technology) and K&G Men’s Center (superstore retailer of men’s apparel) in their rapid growth and successful sale, including the public offering of K&G.