What have we learned from the Equifax hack?
Maybe nothing? Maybe everything? Maybe something in between?
The stats are alarming, of course. Equifax, which is one of the triumvirate of major consumer credit reporting agencies, said last week that hackers had been able to access data across 143 million consumer accounts, or more than half the country’s adult population. The data exposed included driver’s license and Social Security numbers.
The latest and not-so-greatest of hacking news spotlights the attention on what works and what doesn’t when it comes to stopping bad guys — or at least not giving them enough data grist to feed their nefarious mills.
Yet, this is the simply the latest headline across a slew of big entities that have been under siege in recent years, showing the risk (and lure) of sensitive information that greases the wheels of all manner of transactions and the machinations of daily life — from payments to medical records to credit card data and beyond.
Add this one to the Time Warner and four million customer account breach, the healthcare system hacks and the innumerable merchants and millions of accounts tied to them (Target, anyone?), and, of course, Yahoo.
To all this, it must be asked: If this is the new normal, what should enterprises and institutions do to protect digital identities?
In an interview with PYMNTS’ Karen Webster, ID.me CEO Blake Hall said that “secrets are useful when you are establishing trust. But once the secrets are public knowledge, you clearly cannot trust that information anymore — by definition, it is no longer a secret.”
No one, of course, can get a new Social Security number or date of birth. Those things are immutable and true facts and identifiers. With the Equifax data breach, he said, “the toothpaste is out of the tube.” Individuals’ most sensitive info is out there, publicly available, and the latest event should give food for thought to CEOs and other organizational leaders to think about identities in two different ways.
The first step to establishing trust with identities, said Hall, is to make sure that a digital identity has been established and, at the same time, that it is unique — namely, is the proffered information true about a real person? In satisfying that first step, Hall said, names, dates of birth and Social Security numbers still prove useful.
But that aforementioned data is no longer useful for making sure that the user who is claiming that identity is, in fact, the owner of that identity — and it is not actually a criminal working with that data for their own aims.
The future, then, lies in what the executive called “next generation techniques” and methods that rely on possession of devices and identity documents (like driver’s licenses) biometrics, all combined to work in sync to give additional layers of security.
The faster companies move to those relatively advanced techniques, said Blake Hall, the lower the risk of being the victim of fraud and breaches — and the risk to businesses.
Against that backdrop, ID.me seeks to help businesses assess whether a person who lays claim to an identity is, in fact, that individual. Matching the image of a user’s face to the image on a driver’s license can be a powerful tool, said Hall. If someone steals an identity but their face looks different than what is presented on the document, that is a control that stops further illicit use of that identity.
Other lines of defense include using mobile network operator data, said Hall. According to the executive, thieves are lazy, even though they are professionals. Thus, some behaviors can offer clues on bad actors working behind the scenes. By way of example, consider a SIM card that hasn’t been switched in a year, Hall noted. This is a piece of insight paired with “true” consumer history (such as timely bill payments and a lengthy tenure with Verizon or another mobile operator) that would make it just too hard for a criminal to mimic, at least profitably.
ID.me works to find patterns of behavior among the thieves themselves, where fraud algorithms make sure accounts are not taken over or detect new devices activated with accounts. “We can look at the velocity of a device as it is being used across the multiple sectors of the economy.” Three or four financial accounts being opened in a day signals activity that likely needs to be stopped.
Hall went on to say that his firm stitches those indicators together. As individuals go on to log-in across sites, transact and interact across financial services and government entities with no reports of fraud, the next organization to track that log-in “has a high level of confidence that you are you.”
The reputation of that log-in has been protected and has gained currency and trust.
Moving beyond reliance on static data, however, mandates change and transition. That’s no easy task, when so much of identity verification has relied on static data points and passwords.
In the battle to protect consumers, then, Hall offered an analogy: When a group of people are surprised by a bear … you don’t always have to be faster than the bear. You just should be faster than your slowest friend.
Put another way: Corporate laggards in the move to embrace change and technology in digital identity are going to wind up as bear snacks. Or hacked snacks.
There has been some initial movement from firms that are installing CIOs who report directly to CEOs, with an eye on faster breach response times, but more needs to be done.
“There’s no silver bullet, because there are so many ways to commit fraud,” said Hall. But the ultimate goal is to make what the bad guys take harder to use.