From data and devices, to behavior analysis and technology, there’s a growing number of ways digital identities are being authenticated in the payments ecosystem today.
But identity assurance is still a hard nut to crack.
Though there are many tools and technologies out there, knowing when to use what and where can be a complex decision. Fraud prevention is top of mind, but so is ensuring that authentication doesn’t add friction for the consumer or strain on a merchant.
As new approaches to authentication continue to emerge, the definition of what it means to validate a person’s digital identity is also blurring.
New Customers vs. Existing Customers
In the digital identity landscape, all of the tools, technologies and payment schemes address one of two parts of the financial services lifecycle: authenticating new users and authenticating existing users.
Sunil Madhu, CEO of Socure, explained that there are unique challenges for each.
For new users, the lack of historical information available means that authentication tools and methods such as passive biometrics, device fingerprinting, payment behavior analysis, etc., just don’t work – there’s no baseline.
For existing users, the difficulty lies in verifying that the transactions coming from an account that’s established with a financial institution or merchant are being performed by the person authorized as the owner of the account.
“There’s two things: making sure the person coming in the doorway is good, and making sure that the account that the person is using to perform transactions now and in the future has not been hacked or taken over,” Madhu said.
In situations in which users are creating new accounts, the traditional validation process involves passing personally identifiable information (PII) data to credit bureaus or identity broker companies that collect public data about consumers to perform an equality check. If the data provided by the consumer matches the bureau data, then there is some identity assurance that the person is who they say they are.
But the rising number of data breaches has drastically changed the effectiveness of this traditional validation process in the industry, Madhu pointed out.
He makes the point that, if one were to add up the total number of accounts that have been compromised as a result of data breaches in 2015 alone, it’s four times the U.S. population.
“We can assume pretty safely that most of the people in this country have had their identities stolen,” he continued, “so the availability of that data in the dark web and the cheapness of it poses a new challenge for relying parties.”
Fraudsters can use this stolen data to create new accounts or even set up synthetic IDs, enabling them to open lines of credit, apply for a loan, create a new bank account – whatever they think will give them the most bang for their (stolen) buck.
A synthetic ID is generally created by fraudsters by combining real and fake data: there is some basis in a real identity (perhaps a name and Social Security number match), but other data is changed to aid the fraudster, such as the email and/or phone information, so that out-of-band validations come to them instead of the true identity owner.
This increase in breaches of PII data also poses a significant threat to existing accounts.
With access to information that can be sourced publicly, such as trolling a user’s Facebook profile to find out their dog’s name, Madhu explained fraudsters can essentially use brute force to gain their way into an existing account.
Similarly, data associated with an individual’s credit history – such as prior addresses, cars owned, and lienholders on vehicles or homes – has also been compromised. This is the type of data used in “knowledge-based authentication” which, Madhu also noted, given these shortcomings, may not be as solid as it once was in validating identity.
For example, they can go to an institution where they believe a consumer has an account set up and attack that existing account by using the forgotten password link. This allows them to be prompted with personal questions, such as “What’s your favorite pet’s name?” – a question that they already know the answer to after surfing the public web for that information.
In this way, the fraudster is able to “prove” to the system that they are “legitimate” and can then perform authorized transactions on that account.
When it comes to authenticating existing users, Madhu said that there are a myriad of tools and technologies to choose from: device fingerprinting, payment behavior analytics, passive biometrics and active biometrics.
While there are different levels of accuracy and challenges for each, one thing is clear, Madhu said: “Regardless of all these technologies and these approaches – if you don’t start with a foundation of a trusted identity, nothing else matters.”
Combating The Threat
Madhu emphasized that these vulnerabilities make it clear that PII comparisons alone just aren’t enough to authenticate a consumer’s digital identity.
“We need a better way of not only going beyond PII comparison, but putting a hurdle in the path of the fraudster so that they just can’t steal PII and submit it,” he emphasized.
A hurdle that Madhu says is 100 percent essential given the sheer volume of “digital exhaust” created from consumers’ interactions online. From the friends consumers have on a social media platform to the email addresses they’ve created and used over the years, every person has an identifying digital trail that Madhu said goes above and beyond their offline PII data.
One of the hurdles that Socure has built into its digital identity solution is to leverage the rich and robust detail in the online presence that surrounds a person’s identity – starting with social media profiles and adding email, phone and address intelligence – to authenticate that a person is who they say they are.
So far, it seems to be a method fraudsters don’t have the time and energy to replicate. Most fraudsters aren’t going to steal an identity and then create an entire online and social network around it – it’s just inefficient, particularly when there are many other paths of least resistance for them to follow.
“It’s much harder to synthetically create a network of hundreds of people on multiple types of platforms just to vouch for one digital identity,” Madhu noted.
Madhu says he has the data to support the fact that using online and social data is a good predictor of whether that new account is being opened by a real person or someone who has stolen a person’s identity and synthesized it.
Drawing A Line In The (Tokenization) Sand
The rise of mobile payments has led to the development of a new set of standards and technologies to authenticate a consumer to an account and then authorize that transaction when that token is passed to the merchant at the point of sale.
Payment tokens that networks generate are starting to blur the once-distinct line between authentication and authorization, Madhu said, and can make it harder to detect whether the token that is being passed is from a legitimate accountholder. Madhu cited the account takeover fraud that plagued Apple Pay in its early days. Stolen card credentials were tokenized, and then passed very securely to the merchant and back to the issuer for authorization. The weak link was the inability to authenticate that the user was legitimate.
Though we’re not there yet, the industry is moving in a direction that could potentially separate the payment account credential from the identity credential, creating a secure digitized consumer credential capable of being managed and mapped across different connected endpoints, not just to the merchant point of sale online and in-store.
“The notion that you can have a variety of step-up authentication mechanisms and identity verification mechanisms to give you identity assurance, and therefore the assurance that the identity token is trustworthy and that it can be bound to or associated with the transaction token is the ultimate desired outcome,” Madhu said.