Securing Consumer Data Beyond The SSN

How do you build a real, resilient and robust standard of best practices in data security? And how do you do it when just about every piece of traditional identification has been compromised? In a wide-ranging interview with PYMNTS’ Karen Webster, Socure CEO Sunil Madhu offers an answer that, in part, might surprise you: through regulation.

The Social Security number (SSN) was never meant to get this much attention.

It was never meant to be shorthand for, well, you – proving that you are who you say you are, serving as a gateway to all manner of sensitive data and, of course, financial accounts.

Yet those nine digits have become the standard-bearer for identity verification and a gold mine for fraudsters, and the huge breaches at Equifax and other companies may have rendered them moot as anything resembling a secret.

Let’s not pick solely on the SSN. After all, your very name, address, telephone number, maiden name and so on are all ticking time bombs, putting you at risk for identity theft.

In a wide-ranging discussion, Socure CEO Sunil Madhu and PYMNTS’ Karen Webster explored the brave new world of identity security and verification, and what those terms mean when it should be assumed that all of your data has already been compromised.

The numbers are sobering, as always: The Federal Trade Commission (FTC) has found that account takeover fraud is on the rise. Synthetic identity fraud, in which an identity is stitched together from disparate pieces of information, often taken from several different real people, is a burgeoning field. FTC complaint data covering 2014 through 2016 shows that, in the most recent data, as many as 30 percent of identity theft complaints stemmed from new accounts opened with a victim’s identity, with another 26 percent centered on takeovers of existing accounts.

As Webster and Madhu noted, people often do not know their identities have been compromised until they go to a bank and find they are blocked from opening an account, or discover that accounts have been opened in their name without their knowledge or consent.

Biometrics May Not Be the Panacea

If the SSN and all manner of traditional identifiers have been compromised and are floating around the dark web, biometrics is the cure-all. Right?

Think again.

Some experts, regulators in particular, point out that a biometric is a static identifier: it is immutable for the individual, so it cannot be replaced if it leaks, and in combination with the aforementioned data points it can still be spoofed.

Madhu agreed, pointing to the higher-than-average fraud rates on credit cards provisioned into Apple Pay. Research from digital identity and payments executive Cherian Abraham has estimated Apple Pay fraud at roughly 6 percent of transactions at some banks, about 60 times the rate seen with conventional credit card transactions. In multi-pronged attacks, he said, fraudsters target bank call centers to get stolen cards provisioned into wallets they control; the biometric on the phone then only confirms that the fraudster is the person holding the phone, not that the card is theirs.

“If you have robust digital identity verification, you can solve for that problem,” Madhu told Webster. But to ensure that defenses are indeed up to snuff, one cannot rely on identity verification processes that merely compare names, email addresses and other data against offline sources, because that very data can, increasingly, be purchased on the dark web.

“If you take the synthetic ID – let’s say I stole your identity, altered the phone number or the email address – and then I went to register at a bank for an account opening and I passed that to a biometric on my phone,” posited Madhu … the chase down the rabbit hole becomes maddening.

But here’s the rub, Madhu said, and where the fraudsters often fail: The synthetic ID that has been created from these sources does not have social presence. And social presence makes a difference, offering up a layer, or layers, of defense in the battle for secure identities.

Static data does not have a cohort of people who are connected to you, and social presence is built over a length of time, he said, making it impossible for a fraudster to replicate with any real impact. The effort involved is daunting enough to stop them from trying.

Combining the online persona with the offline data traditionally tied to identification, said Madhu, “actually gives you the assurance not only that the data correlates well, but that the person is legitimate, with presence on the internet that can be [several] years old … and we use at least a dozen network apps,” he said, which allows for a smorgasbord of social behavior that can be used to triangulate someone’s behavior.
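To make the triangulation idea concrete, here is an added illustrative example in Python. It is not Socure’s code or model. It assumes a handful of hypothetical network sources, named netapp-a through netapp-d, that each report “shards” (name, email, phone and the date the source first saw them), and it checks an applicant record for the two telltales of a synthetic identity described above: contact attributes with little or no history, and attributes that another source ties to a different name. The sample shards, the applicants and the two-year / three-source thresholds are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Shard:
    """One observation of identity attributes by one network source.

    'source' names are hypothetical (netapp-a ...); they stand in for the
    network apps the article mentions and imply no real service.
    """
    source: str
    name: str
    email: Optional[str]
    phone: Optional[str]
    first_seen: date


@dataclass(frozen=True)
class Applicant:
    name: str
    email: str
    phone: str


def _norm(value: Optional[str]) -> Optional[str]:
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(value.lower().split()) if value else None


def triangulate(applicant: Applicant, shards: List[Shard], today: date,
                min_presence_years: float = 2.0, min_sources: int = 3) -> Dict:
    """Cross-check an applicant against presence shards from several sources.

    Evidence collected:
      conflicts             - attributes some source ties to a different name
                              (the 'altered phone number' telltale)
      presence_years        - age of the oldest sighting of each attribute
                              (0.0 when no source has ever seen it)
      corroborating_sources - sources where the name and a contact attribute
                              were observed together
    Verdict: 'reject' on any name conflict, 'review' when corroboration is
    thin or the presence is too young, otherwise 'pass'.
    """
    name = _norm(applicant.name)
    wanted = {"email": _norm(applicant.email), "phone": _norm(applicant.phone)}

    conflicts: Dict[str, List[str]] = {}
    presence_years: Dict[str, float] = {}
    corroborating: Set[str] = set()

    for attr, value in wanted.items():
        hits = [s for s in shards if _norm(getattr(s, attr)) == value]
        if not hits:
            presence_years[attr] = 0.0
            continue
        oldest = min(s.first_seen for s in hits)
        presence_years[attr] = (today - oldest).days / 365.25
        for s in hits:
            if _norm(s.name) == name:
                corroborating.add(s.source)
            else:
                conflicts.setdefault(attr, []).append(s.source)

    if conflicts:
        verdict = "reject"
    elif (len(corroborating) < min_sources
          or min(presence_years.values()) < min_presence_years):
        verdict = "review"
    else:
        verdict = "pass"

    return {
        "verdict": verdict,
        "conflicts": conflicts,
        "presence_years": {k: round(v, 1) for k, v in presence_years.items()},
        "corroborating_sources": sorted(corroborating),
    }


# Constructed sample data for the example: Jane Doe has years of consistent
# presence across four sources; the number +15550199 belongs to someone else.
TODAY = date(2018, 1, 15)
SHARDS = [
    Shard("netapp-a", "Jane Doe", "jane@example.com", "+15550100", date(2011, 3, 2)),
    Shard("netapp-b", "Jane Doe", "jane@example.com", None, date(2013, 7, 19)),
    Shard("netapp-c", "jane doe", None, "+15550100", date(2014, 1, 8)),
    Shard("netapp-d", "Jane Doe", "jane@example.com", "+15550100", date(2016, 11, 30)),
    Shard("netapp-b", "Mark Roe", "mark@example.org", "+15550199", date(2015, 5, 5)),
]

GENUINE = Applicant("Jane Doe", "jane@example.com", "+15550100")
# Madhu's scenario: stolen name and email, phone swapped to a number the
# fraudster controls (here, one already tied to a different person).
SYNTHETIC = Applicant("Jane Doe", "jane@example.com", "+15550199")
# A freshly acquired number that no source has ever seen.
FRESH_PHONE = Applicant("Jane Doe", "jane@example.com", "+15550177")

if __name__ == "__main__":
    for label, app in (("genuine", GENUINE), ("synthetic", SYNTHETIC),
                       ("fresh phone", FRESH_PHONE)):
        print(label, triangulate(app, SHARDS, TODAY))
```

The thresholds are placeholders; a production system would weight sources by reliability and treat a conflict as one signal among many rather than an automatic rejection. The point the example makes is structural: offline data alone (name, email, phone) matches all three applicants equally well, and it is only the cross-source history that separates the genuine account holder from the stitched-together ones.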

Phones Are a Vulnerable Target

Increasingly, the mobile device and its phone number are becoming the second factor in authentication, said Madhu, and fraudsters are redirecting their attention there.

They know that when a bank account password is reset, the bank sends an SMS code to the phone number linked to that account. A bad actor can use any of a number of free reverse-lookup services to identify the carrier, call the carrier directly, authenticate with the victim’s Social Security number or other stolen data, and have calls and messages forwarded to a number they control. That hands them the PINs and other one-time codes they need to get into bank accounts and take them over. This carrier-side class of attack, which also includes SIM swapping, is why NIST SP 800-63B treats one-time codes delivered over the public telephone network, whether by SMS or voice, as a restricted authenticator.

The social network angle, which collects information via “shards” gleaned from different sites, is facing a changing landscape, said Madhu, as social network operators have been battling to keep data under wraps.

As an example, he offered up a recent case, now on appeal, in which LinkedIn has been fighting to keep its data private. Should the social networking giant lose the case, he said, companies would not be able to refuse such requests in the future, so long as individuals have consented to that access.

“This is not going to be a gray area,” he told Webster, evidenced by the fact that Singapore has passed laws allowing the use of social information for modeling purposes. The traditional notion of credit models tied to SSNs and the like, said Madhu, is on its way to “dead duck” status. With so much traditional data stolen and out there, “the credit bureaus’ business model is monetizing stolen data,” said the executive.

Webster asked about customer data privacy as it stands in Europe, and how regulations like the General Data Protection Regulation (GDPR) might affect the United States. Regulations may seem to be made in isolation, but ripple effects abound: a problem solved in one area can cause unintended consequences elsewhere in the payments and data security arenas.

“That is what happens when politicians create rules,” Madhu said.

Two themes dominate the discussion and crafting of legislation, at least at present, and at least in Europe. Consumers must consent to the use of their data, and they have the right to be forgotten, meaning companies can be ordered to erase it. There are legitimate reasons, he cautioned, for data to be retained, such as anti-money laundering (AML) and know your customer (KYC) obligations.

Ultimately, said Madhu, data security will embrace a combination of behaviors, attributes and devices that will work in tandem with machine learning to ascertain that identities are, in fact, legitimate.

One thing that won’t be in the offing: A “one ring to bind them all” approach that Madhu said is part of the notion, for example, of blockchain ID. “That is going to be a disaster,” he said, because “already there are multiple blockchains.”

So, what does the future hold? Madhu said that real, robust and resilient data security will be a combination of features and devices, attributes, IoT and geolocation, and that machine learning will be the “guru that brings the bits of data together to be able to say, yes, this identity is legit.”

The upshot is that parties will wind up going to one or more service providers, which could be sourced from either the private sector or the government.

Regulation as Saving Grace?

What will break the logjam of innovation and disparate progress and allow real progress? Madhu’s answer might surprise you: regulation.

“Normally, you would just let evolution take over,” he said, and let startups do the inventing for which they are famous, “take the risk” and penetrate the market with some success.

Though conventional wisdom may say that legislation stifles innovation in the market, Madhu said one only has to look to China and India and their successful initiatives to create digital identities on a nationwide basis. What falls out of this process, and what becomes useful to the industry at large, said Madhu, is certification.

The framework is one where the government – domestically, the Federal Reserve, the Office of the Comptroller of the Currency (OCC) and the Financial Industry Regulatory Authority (FINRA), among others – can say, “‘Here is the risk-based approach we are recommending as a whole’ … If vendors come with a differentiated approach and can demonstrate why their approach fits within the framework … that can make all the difference,” Madhu said. The private sector, he explained, becomes more accepting of new technologies and services if they come with certifications attached.

And, consequently, “discombobulation among customers will disappear.”