Accelerating Digitization Exposes Persisting Weaknesses in Identity Protections
The coronavirus crisis' spike in cyber crime underscores the need for stronger authentication; banks could play a central role in implementing standardized digital IDs
Friday, September 25, 2020
By Katherine Heires
The much touted digital transformation of business, finance and the economy is well underway, judging by how readily people and organizations adjusted to new working and distancing conditions dictated by COVID-19.
At the same time, that digital dependency has brought on a surge of online fraud and other cyber crime, often exploiting the weak link of inadequate ID protection. Secure, seamless, frictionless communication and commerce remain largely theoretical.
Imagine an identification technology that ensures easy and authorized transactional access, whether with a banking service, business database, medical consultation or gaming platform - and without the hassle of managing or memorizing myriad passwords and personal identification numbers.
Immediately upon login, on any chosen device, using a voice command, swipe or other gesture, the user is verified and authenticated by way of a trusted, standardized and interoperable ID system.
That's a vision which various technology companies, banks, credit card providers, government agencies and cybersecurity specialists - many in alliances such as FIDO, DID and health-care-focused SAFE Identity - have been pursuing for years. There is no shortage of technological solutions, but they run up against obstacles both operational and behavioral.
“Synthetic identity fraud - in which criminals use fictitious IDs to secure credit - is a troubling and fast-growing type of financial crime,” says McKinsey & Co. partner Olivia White.
Co-author of the paper Digital ID: The Opportunities and the Risks, White adds that synthetic identity fraud is the fastest-growing type of financial crime in the United States. As of 2016, synthetic IDs were responsible for up to 20% of defaulted credit card debt. This cost lenders worldwide an estimated $6 billion during that period and persists in 2020, without signs of going away any time soon.
Synthetic identity fraud is the subject of a July Payments Fraud Insights report from the Federal Reserve, one of a growing volume of educational materials and warnings from financial regulators amid the rising crime wave. In another example, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations on September 15 called attention to an increase in credential stuffing, an attack on client accounts “that uses compromised client login credentials, resulting in the possible loss of customer assets and unauthorized disclosure of sensitive personal information.”
Digital by Design
The solution, White asserts, is digital IDs, which she defines as providing verification and authentication of an individual's identity to a high degree of assurance and uniqueness.
Digital IDs can also be seen as the electronic equivalent of such common means of verification as drivers' licenses, passports or birth certificates.
There are other authentication factors not dependent on a static document, including biometrics such as a fingerprint, hand, voice or iris pattern; data drawn from social media profiles; and unique behavioral characteristics, such as the way one taps a mobile screen or keyboard. Artificial intelligence, machine learning and blockchain are being enlisted to support or advance these ID efforts.
Getting Past Passwords
“There have been so many hacks of government, credit bureau, retail and banking customers that it's clear that the traditional, password-based ID systems have outlived their usefulness,” asserts Steve Hunt, senior analyst at Aite Group and author of Making the Case for Identity and Access Upgrades. “We are toast if we continue to use the systems we have,” he says.
Underscoring the need for something better than the basic password, a November 2019 Celent research report said that over 14.7 billion data and identity records had been lost or stolen globally since 2013 due to data breaches and cyber crime. In 2020, identity theft and account takeovers are on the rise, with cyber attacks targeting the financial sector in particular increasing 238% from February to April, according to VMWare CarbonBlack.
In 2019, identity fraud losses amounted to nearly $17 billion, with many due to fraudulent account openings and takeovers, according to Javelin Strategy & Research.
In mid-July, teenage hackers gained unauthorized access to Twitter and compromised accounts of prominent politicians and celebrities, raising concerns about the vulnerability of social media to even more serious privacy violations and election-campaign-related manipulation.
“You have lots and lots of itty bitty systems all competing for a piece of the monetary pie,” notes Peter Carroll, a partner at consulting firm Oliver Wyman. The result is “a seething cauldron of competitive approaches.”
Adds Emma Lindley, chief commercial officer at Trust Stamp, provider of an AI-powered, facial biometric identity solution, who spoke at a recent Fintech Insider webinar on digital identity: “By not having a consolidated approach to digital ID offerings, we are making the risks bigger, resulting in even more fraud.”
Despite these challenges, there are some indications that a consolidated and interoperable approach to digital ID is coming closer.
“What we realized during COVID-19 is that digital ID is a key linchpin in a crisis situation, helping to make things better,” says White. It could have helped in delivering government stimulus funds to qualified recipients. Many transactions were delayed, White says, in part due to the lack of up-to-date authentication systems.
And, with more working at home and greater dependency on online services, “we're seeing banks that have condensed their three-year plans to digitize services to three months, and they are now going live,” says Philipp Pointner, chief product officer of ID technology start-up Jumio. The company's services for financial firms have seen “a 15% to 20% uptick in demand since the onset of COVID-19,” Pointner says.
Oliver Wyman's Carroll published a paper in July, Digital Identity: Banks Must Seize the Opportunity, asserting that banks' status as a trusted service providers with extensive customer reach puts them in position to provide and gain wide acceptance of a digital ID and authentication platform.
“There is a public wariness about Big Tech companies and how they would use the data they might collect from a digital ID system,” says Carroll, a former senior banking executive. “If they [Big Techs] said customer data is stored in a central database, I would ask, 'Who is the system administrator?', because techies can be bribed.”
Carroll is “bullish” about a distributed ledger, or blockchain, technology component.
“From the banks' point of view, advancing a digital ID platform would be a hugely defensive move against others who would otherwise do so,” he says, also bringing strategic benefits that include: a reduction in fraudulent banking activity; cost savings and efficiency gains; stronger bonds with customers, with banks at the center of their daily activities; incremental revenues as ID and authentication are applied across multiple use cases; and a stronger competitive position against Big Techs and fintechs.
Carroll's fear, however, is that traditional interbank competitive patterns will prevent the cooperation and standardization necessary to overcome the negatives of siloed ID systems.
“What banks have to recognize is that we are in a lifeboat, and we are in this together,” Carroll says.
Bank-driven ID systems are making headway outside the U.S.
There are, for instance, the interoperable e-ID network in Norway and Sweden; the itsme Mobile Wallet in Belgium, established by four major banks with a telecom partner; and Verified.Me in Canada, which involves seven leading financial firms and employs a Hyperledger blockchain platform.
On a nationwide scale, Estonia has established a state-issued e-identity, associating it with voting, access to health care and more. India's Aadhar is a biometric “proof of identity” system designed to reach 1.2 billion citizens.
In the U.S. in 2018, Capital One acquired digital ID start-up Confyrm, which today, as Capital One Confyrm, offers a suite of digital verification capabilities, and is available for use by third parties and outside institutions. When the companies came together, Confyrm founder Andrew Nash wrote in a Medium.com essay, “Identity systems are becoming more and more complex and are progressively more distributed, federated and outsourced and more core to trusted online transactions for governments, companies and consumers alike.”
Big Techs and Entrepreneurs
Meanwhile, the Big Techs are not standing idle. Facebook and Twitter have introduced login systems that are interoperable and facilitate access to other online services and apps without the need to repeat the registration process. Microsoft has partnered with Mastercard on a blockchain-based, universal ID system powered by Microsoft Azure.
Amazon has advanced the use of voice technology as an identification tool. Apple's Sign In with Apple service accommodates two-factor authentication with Face ID or Touch ID biometrics, and the company has filed for patents related to credential identification via smartphones that can validate a mobile driver's license.
Dozens of smaller and specialized innovators are developing ID solutions. Jumio, for one, employs AI to verify government-issued IDs and selfies to detect the “liveness” of remote workers; Socure integrates multiple capabilities including biometrics, AI and machine learning and has received funding from Citi and Wells Fargo; OneSpan, an identity platform and e-signature provider, allows users to specify the rules that guide the authentication process; and Obsecure, which launched in September, authenticates in real time with AI, biometrics and action capture technology.
Bloom, Civic and uPort are working with distributed ledger technology. So does Evernym, offering a self-sovereign system, which puts the individual, rather than an intermediary, in control of the release of identity data to third parties.
Supporting digital ID on a global scale, promoting financial and economic inclusion, is the World Bank. It says that out of 1.7 billion adults who are currently under-banked, 20% to 30% cite a lack of documentation as a primary reason for being under-served. Accordingly, the World Bank has launched ID4D, funded by, among others, the Bill & Melinda Gates Foundation and Omidyar Network, to “provide legal identity for all” by 2030.
As the digital ID trend plays out, analysts and other observers warn of risks and missteps.
Martin Ferenczi of Martin Ferenczi llc, an adviser to fintechs and other corporations on digital ID and a former president of Oberthur Tehnologies, says that although the pandemic presents clear opportunities, failures could be crushing: “If we don't act now, there could be fraud linked to health care issues and government programs. We need to know that our doctors are certified and verified, and in a world where we increasingly hire people online, you need to know that they are who they say they are.”
On the flip side of authentication's anti-fraud, risk management, social inclusion and other benefits is potential for misuse or poor execution.
“You need to question and contemplate system design and ask 'how is customer data protected, what can customers expect when they give their consent, how is the ID data used,'” says McKinsey's Olivia White. Well-governed controls are needed to mitigate the risks.
Carey O'Connor Kolaja, president and COO of AU10TIX, which employs biometrics for Know Your Customer and anti-money-laundering compliance, advises that risk managers seek out modular approaches to digital ID that allow adoption and upgrading over time, and calibrate how they re-authenticate, or confirm digital ID on a continual basis.
“Verification is not a one-time event,” she says. “We need systems that are adaptive and continually verify individuals for signals or patterns of fraud-like behavior.”
Pointner of Jumio says it is important to look beyond a single, point solution for digital ID and be clear about the risk emphasis or appetite in order to select the right provider. “At the end of the day, there will always be remaining risk in your system, as there is no bullet-proof solution,” he explains. “Being able to make use of a best-of-breed solution for your specific concerns is what is important.”
Celent's Bareisis says it is critical to monitor AI-powered identification and verification systems regularly, as they are never foolproof, and to keep up with advances in the field. “Join consortiums and industry associations,” he says. “Understand what is coming and make sure you don't lock yourself into a system that will be obsolete in a few months or years. Make sure you can build on it or add to it, whether it's what's new in biometrics or something else.”
Katherine Heires is a freelance business journalist and founder of MediaKat llc.