“On the internet, nobody knows you’re a dog.”
It was the original internet meme, more than two decades before the term “meme” would even be coined. It appeared in a 1993 comic in The New Yorker by Peter Steiner, and it made an early statement about anonymity on the World Wide Web that still rings true today.
Like the dog in the cartoon, fraudsters use the same technologies as regular people when moving about in the virtual sphere. Their goal is to trick businesses into thinking they are legitimate customers so they can leverage credentials and money that aren’t truly theirs.
This is why identity verification (IDV) is so important – but it’s also complex and difficult to execute well.
Labhesh Patel, CTO, Jumio says that striking the perfect balance between making life harder for fraudsters and easier for legitimate customers is a bit like finding nirvana – and the path is different for every organization. Each one must look at itself in the mirror and determine what it truly needs, Patel said, and then make the decision for itself – not just based on what others say will work.
In a recent webinar, Patel and Karen Webster took a deep dive into the challenges, the reasons standard choices fall short and what it takes to attain the elusive IDV nirvana.
The Pros and Cons of Standard Security Choices
Beyond the static password, there are a few methods that organizations have been implementing in recent years to try to stay ahead of the fraud problem. While all of them have their benefits, Patel is quick to note that each one also comes with drawbacks that make it a less-than-ideal solution.
For instance, knowledge-based authentication is well-understood by users – but the answers to security questions can be socially engineered without too much trouble just by visiting victims’ social profiles. Plus, data breaches have left a lot of those security responses exposed. The names of most people’s childhood pets and favorite teachers are now for sale on the black market.
Then there’s two-factor authentication. Since this requires a secondary token, it can be a strong deterrent for fraudsters – but it can also act as a deterrent for legitimate customers due to its slow and cumbersome nature. Plus, it’s vulnerable to key logging, SMS spoofing and other attacks.
Credit bureau-based solutions offer easy API implementation and a fast, non-intrusive experience, but they do not actually verify the identity of the person who is doing the transaction.
Database solutions weigh data from social profiles and crime databases to come up with a model that can determine who is and isn’t a fraudster – but, like credit bureau solutions, they don’t verify the exact identity of the person who’s present on the website.
That leaves online identity verification: a marriage of biometrics, machine learning and human intelligence to verify the true physical identity of the person who is trying to transact. This method, Patel said, also ensures that organizations are meeting compliance and regulatory requirements.
While it may introduce some friction to the user journey, Patel said that’s a necessary evil in today’s fraud-rich web environment.
A Portrait of IDV Nirvana
In an ideal IDV scenario, users may first be asked to scan their IDs and send them to an organization’s solution provider, who will sort the legitimate ones from the fraudulent ones. But since IDs can be stolen, additional layers of security may be necessary. Users may be required to take selfies or submit additional documentation, such as bank statements or utility bills, that ground them to a physical place.
That’s IDV nirvana from afar, said Patel. Up close, the list of essentials for the ideal solution is lengthy and complex, and Patel noted that there aren’t any shortcuts.
Machine learning can be one of the top components of good IDV, but that alone does not make a workflow great. How large of a data set is being used? Does the provider have access to “ground truth” – that is, a baseline of reality against which potential fraud can be checked?
Patel said ground truth should always come from the vendor’s side, and there should be some manual elements involved in determining it, since human intelligence (not machine learning) is what identifies new fraud patterns and trends; the machine learning algorithms are trained off this intelligence.
Data tagging is how ground truth is established. For example, someone has to show the machines which part of the ID is a face and where the first and last name are listed. Doing this in a compliant way means that the entire operation must be on-premise with the provider and cannot be crowdsourced, Patel said.
Verification auditing should be the provider’s responsibility, not the organization’s, he said – that’s why they’re paying the vendor. After all, if the organization has to check the provider’s answers, it might as well do the whole IDV process itself. The provider’s internal audit mechanism should have manual elements, he added, where 10 to 20 percent of verifications are sampled to determine when new types of fraud are creeping in.
Liveness detection means that the selfie match algorithm must be able to tell the difference between a live human face and a photo pulled from Facebook or a video frame from YouTube.
Geographic coverage means caring about the long tail of identification types. Two hundred types of IDs may account for 80 to 90 percent of a website’s traffic, but business owners care about 100 percent of their traffic, so they must be prepared to accept a wide range of ID types that serve that tail.
Human review is how anomalies are spotted and algorithms are subsequently trained – so, it’s important to know how good a provider’s team is. Businesses should ask many people on the team how experienced they are and what training they have received.
Trend spotting enables providers to be proactive about new types of fraud. For example, say that Colombia has legalized gambling. In that industry, there may be a propensity for a certain type of fraud, such as using multiple IDs to support multiple accounts. Once that trend is identified, the intel can be relayed quickly through providers with a global presence.
PCI compliance is the one of the highest standards in the industry. Few online IDV companies are PCI-compliant and certified, but if one is, organizations can be sure that the IDs in their system will be protected at the same level as an account or card number would be at a bank. Basically, said Patel, “If a provider is PCI-compliant, you can take confidence in the resilience of their security and how they handle your customer’s personal data.”
Some other factors to consider on the way to IDV nirvana: ID version support; expired IDs; KYC, AML and GDPR compliance; barcode and MRZ scanning; omnichannel support; blur, glare and black-and-white detection; and document verification.
Finally, said Patel, it’s worth looking for a provider who gives a definitive answer to accept or reject a transaction. Some providers give a probability score, which he feels is less useful; the provider, he said, should take the onus and stand by its answer.
With such a complex path to IDV nirvana, there are a few things Patel noted that organizations should bear in mind.
One concern that’s top of mind right now is complying with the European Union’s upcoming General Data Protection Regulation (GDPR), which goes into effect later in May and will affect how companies can store and use customer data when doing business with the EU.
GDPR will give consumers the right to data erasure. If a customer asks to exercise this right, the processor must have a workflow and API in place for immediately clearing that data out of its system. Just because businesses aren’t transacting with the EU today doesn’t mean they won’t in the future, said Patel, and complying with GDPR now will enable seamless dealings down the road.
Another thing businesses should do before choosing a provider is test out several options using a representative sample of their own data. Consider how much fraud each one catches and how many good users get through the system quickly, with minimal friction.
Patel noted that organizations must aim to produce a clean audit off this test so they can compare apples to apples when making the final decision about which provider to work with.
Why It Matters
There’s a difference between fake IDs and legitimate ones that have been stolen by fraudsters to abuse in eCommerce settings. That, said Patel, is one reason why IDV is so critical.
But in the real world, this process isn’t all about fraud, he said – it’s all about conversions. He added that there are myriad other use cases for online IDV: account opening, employee onboarding, the gig economy, car sharing, peer-to-peer shopping … the list goes on.
“Fraud is extremely prevalent,” Patel acknowledged, “but it’s still only 1 percent of eCommerce traffic. There are requirements that must be fulfilled, but what companies are really worried about is making sure good users convert well, and growing use cases where background checks and identity verification are required.”