How to Identity Proof in an Increasingly Virtualized World
Grow Your Business, Not Your Inbox
Proving a person's digital identity has always been a challenging problem, especially when balanced against the need for information to be accessible online. Customers want their information to be secure, but they also want to avoid being hassled by burdensome authentication tasks. Businesses, therefore, are faced with balancing security with accessibility, and the problem will only continue to grow more complex as almost everything moves online.
Evaluating the potential for fraud
Companies that find it necessary to identify customers or business partners must always be aware of the potential for fraud, but luckily, AI and advanced systems for proving identity are making great strides in fraud identification. The increasingly expansive digital footprint of online activity makes it possible to establish patterns of behavior and indicate whether or not a device is associated with potential fraud, across various online activities. A solution that can couple digital footprint data with consumer credit information and public records data, where available, will provide an even more complete picture, therefore enabling a company to determine with increased confidence whether a consumer is who she claims to be – or is a potential fraudster.
All of this technology serves to help identity proofing companies identify potential cases of fraud early for their clients. Online retailers or banks are moving away from a simple username/password authentication process in favor of multiple factors of authentication, along with fraud detection services, to prove a consumer's identity. These factors include:
- Knowledge-based authentication (KBA) informed by hard-to-guess personal or credit data
- Multi-factor identification, leveraging email and phone
- Document-centric identity authentication
- Digital attribute risk assessment
- Behavior analysis
- Reputation and link analysis, which can associate multiple devices which each other
With all these factors, machines can learn a person's identity and be leveraged to improve pass rates in online businesses. In this way, consumers can be sure their identity is being successfully safeguarded, while the business can be sure it's protecting itself and its consumers from fraud.
The private sector can often learn lessons from the way the government operates, particularly in the realm of cybersecurity. To authenticate its users, government agencies have largely moved away from relying on knowledge-based exams alone to using a combination of device-risk, document verification and multi-factor authentication, leveraging email and phone, as an example, to evaluate physical credentials. This has enabled government agencies to cut down on fraud and improve identity verification pass rates. Moving towards this model may be a way for businesses to provide a more streamlined and secure method of verifying identity.
Focus on being proactive
There are plenty of examples of supposedly secure applications and websites being hacked by unsophisticated methods (phishing is one of the widespread examples). There's always room for improvement, but some of these breaches have finally forced companies to wake up and become more aware of the threat. A good assumption is that everyone's identity has already been stolen, so the bad guys can be assumed to have passwords and answers to security questions.
New methods of identity verification need to be developed, which brings us back to using additional factors to stop fraud. Fraudsters are getting smarter, though, so companies can never become complacent with their own authentication processes. There is a need to constantly innovate.
For example, with TransUnion, we have a database that partners with tens of thousands of businesses and consumers around the world. These partners feed both positive and adverse information on digital devices back to the database. This allows crowdsourcing of possible threats, where device information and other risk factors can be pulled off potentially fraudulent devices and shared among other subscribers so that fraudulent activities are immediately detected and mitigated. Fraudsters can be identified by their devices even if they change their online identity because of the uniqueness of each device.
It's important to implement any new security measures so that customers maintain a positive user experience, while at the same time balancing security concerns. This goes back to that balance between security and accessibility; applications need to be secure while at the same time avoiding being burdensome. This is where risk signal intelligence analysis can become crucial; it allows for businesses to verify identity without placing any additional requirements on their consumer base.