In-brief: companies that want to make life difficult for cyber criminals can start by moving valuable data off the front lines and finding ways to use less valuable information to verify the identity of their customers, writes Keir Breitenfeld, who works for Experian’s Fraud & Identity Solutions group.
As businesses and consumers become more aware of emerging cybersecurity risks, it remains crucial that they do not lose sight, or get fatigued, of the threat that continues to plague people year-round: fraud.
Currently, 1.9 million records containing personally identifiable information (PII) are compromised every day, leaving millions vulnerable to fraud. A large reason is the continued use of “static information” by businesses and agencies to authenticate consumers: names, addresses, social security numbers (SSNs), dates of birth, mother’s maiden names, secret questions, and usernames and passwords. The clear problem with using these data points as authentication factors in a vacuum is that, once stolen, the data becomes a key to the kingdom and is over-trusted in predicting risk or proving identity.
The good news is that there’s a solution. If companies and agencies learn to rely on newer, more dynamic data and methods to authenticate people (i.e. identity and device usage and link analysis, geolocation, etc.) – data that is not typically found in breached or compromised data sets, as it is an aggregate view of identity and access device usage over time, but that still enables institutions to conduct highly secure transactions – we can solve this major security challenge. Knowing that most hacking incidents are economically motivated, this action would make it more time-consuming, costly and otherwise difficult for criminals to monetize stolen data, stopping them in their tracks.
But how do companies, and the industry in general, take on this task of getting away from the status quo of financial transactions? Below are three key steps businesses can take to move toward devaluing data and, ultimately, reducing the economic appeal of fraud.
Develop a “holistic identity management” approach
Simply put, the traditional approach to identify consumers online is no longer enough. The binary authentication methods used today rely too heavily on matching basic identity elements (e.g. Social Security Numbers, dates of birth, names and addresses) to databases from trusted sources, such as credit bureaus and other demographic data aggregators.
The reality is that millions of people’s PII is stored collectively in said databases and, more likely than not, most of this data has already been stolen through the hundreds, if not thousands, of data breaches that occur worldwide each year. So, without digging deeper into a consumer’s behaviors across all types of interactions (i.e. online, mobile, call centers and even face-to-face) and habits, it’s nearly impossible to achieve a meaningful and actionable level of trust or assurance in the identity of a customer or user, even if the data shared matches verification databases.
PII verification should continue to be required and relied upon in the process of opening an account, given that such information is critical for quality assurance, “contactability” and data provision to third parties, such as credit reporting agencies. It effectively allows an institution to know its customers; however, such checks must be complemented with a substantially more in-depth view of an identity, particularly its historic and current behaviors, which can indicate possible identity theft, compromise or complete fabrication. For example, it is one thing to have verified a name, address, date of birth and Social Security Number against one or more trusted data sources (as is a typical verification check). It is, however, more holistic in nature to understand whether such information is being pieced together inconsistently over time, at high velocities or through a set of access devices that look to be of high risk themselves.
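As an added illustration (not from the article and not Experian’s product logic), the following Python sketch applies the historical and velocity checks described above to a constructed log of account-opening attempts: every record would pass a static PII match, but the same device opens several identities within minutes, one SSN shows up on several devices in quick succession, and an SSN resurfaces with a different date of birth. Field names, thresholds and the sample records are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of account-opening attempts (no real identities). Each one
# would pass a record-by-record PII match; the signals below only appear when
# the attempts are viewed together over time.
APPLICATIONS = [
    {"ts": "2024-03-01T09:00:00", "ssn": "SSN-A", "dob": "1980-05-04", "device": "dev-1"},
    {"ts": "2024-03-01T09:07:00", "ssn": "SSN-B", "dob": "1975-01-20", "device": "dev-1"},
    {"ts": "2024-03-01T09:12:00", "ssn": "SSN-C", "dob": "1991-11-30", "device": "dev-1"},
    {"ts": "2024-03-01T09:15:00", "ssn": "SSN-A", "dob": "1980-05-04", "device": "dev-2"},
    {"ts": "2024-03-02T14:00:00", "ssn": "SSN-A", "dob": "1979-05-04", "device": "dev-3"},
    {"ts": "2024-03-05T10:00:00", "ssn": "SSN-D", "dob": "1988-02-02", "device": "dev-4"},
]

def _parse(ts):
    return datetime.fromisoformat(ts)

def velocity(history, field, value, at, window):
    """Count prior applications with field == value inside `window` before `at`."""
    return sum(1 for a in history
               if a[field] == value and at - window <= _parse(a["ts"]) < at)

def inconsistent_dob(history, ssn, dob):
    """True if this SSN was previously submitted with a different date of birth."""
    return any(a["ssn"] == ssn and a["dob"] != dob for a in history)

def score_application(app, history, device_window=timedelta(hours=1),
                      ssn_window=timedelta(days=1)):
    """Risk-score one application against earlier ones. Thresholds are assumed."""
    at = _parse(app["ts"])
    reasons = []
    if velocity(history, "device", app["device"], at, device_window) >= 2:
        reasons.append("device_velocity")  # one device opening many identities
    if velocity(history, "ssn", app["ssn"], at, ssn_window) >= 1:
        reasons.append("ssn_velocity")     # one identity reused across devices quickly
    if inconsistent_dob(history, app["ssn"], app["dob"]):
        reasons.append("dob_mismatch")     # identity attributes pieced together inconsistently
    return {"risk": 30 * len(reasons), "reasons": reasons}

def score_all(apps):
    """Score each application in time order using only the ones before it as history."""
    ordered = sorted(apps, key=lambda a: a["ts"])
    return [score_application(a, ordered[:i]) for i, a in enumerate(ordered)]
```

In this sample the third, fourth and fifth applications are each flagged for a different reason, while the first and last (the only ones with no suspicious history) score zero.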
Address consumer friction and provide education
Customer satisfaction and reputation is arguably the number one priority of most businesses and agencies alike, but there’s a clear disconnect between the online experience consumers want and the level of effort they’re willing to put into their personal security. A recent study found that Americans are still refusing to change their insecure passwords despite increasingly advanced fraud incidents and that the majority believe businesses are solely responsible for protecting their PII.
Institutions play a major role in safeguarding customer data, but consumers are equally responsible and must hold themselves accountable for their online activity and security hygiene. Although it requires an extra step or two, using strong passwords, monitoring accounts and taking advantage of multi-factor authentication (take, for example, Facebook’s updated system) are just a few ways consumers can help protect themselves.
Additionally, institutions must not only educate consumers on the actions they should take, but also why it’s important that this industry shift to holistic identity management happens. At the end of the day, a truly fluid, optimized and enjoyable online experience requires effort from consumers and businesses to make this approach a reality. A few extra steps in on-boarding a customer or user can translate into more passive and friction-free recognition as well as enablement for the remainder of that customer’s relationship with a business or agency. Consumers are more likely to undertake multi-factor authentication checks if they are clearly educated on the longer-term benefits therein.
Collaborate and participate in industry information sharing programs
Lastly, it’s crucial that institutions stay educated and up to date on the fraud landscape themselves, so that they stay ahead of cybercriminals. One very effective way to do so is participating in an initiative or program for sharing information with industry peers about these types of attacks and incident response.
By collaborating with one another in this way, organizations can share common threat indicators and defensive measures to help other companies recognize and avoid similar schemes. While companies are making great strides through the sector-specific Information Sharing and Analysis Centers, a recent Ponemon study found that only 41 percent of organizations are participating in these programs. If every company participated, the number of fraud incidents – already estimated at 15.4 million U.S. victims in 2017 – would substantially decline.
Fraud and identity management is one of the few disciplines and focal points across markets in which competitors do traditionally share information more openly for common benefit. That said, there is much more to be done in this arena as dynamic attacks are becoming more sophisticated, rapid and broad in scale once proven effective, and more difficult to repel via static policies. With action from both businesses and consumers, we have an opportunity to jumpstart the next industry transformation.
Keir Breitenfeld is a Senior Business Consultant supporting Experian’s fraud and identity clients by translating intimate product and service expertise into risk-based and compliance-based operational and strategic successes. Keir has been with Experian for more than 10 years, most recently as Vice President of Product Management and Marketing for Experian’s Fraud and Identity Solutions business.