Securing Consumer Data Beyond The SSN

Noted Webster and Madhu, people often do not know if their identities have been compromised until they go to a bank and find they are blocked from opening an account, or that accounts have been opened without their knowledge or consent.

Biometrics May Not Be the Panacea

If the SSN and all manner of traditional identifiers have been compromised and are floating around the dark web, biometrics is the cure-all. Right?

Think again.

Some experts, regulators in particular, point to biometrics as a static identifier, which means they are immutable to the individual – yet, in combination with the aforementioned data points, spoofable.

Madhu agreed, emphasizing Apple Pay’s higher-than-average fraud rates on credit cards. Research from digital identity and payments executive Cherian Abraham has estimated that Apple Pay fraud rates are roughly 6 percent of transactions at banks, 60 times the fraud rates seen with credit cards. In multi-pronged attacks, he said, fraudsters can target bank call centers, provisioning stolen cards in their wallets.

“If you have robust digital identity verification, you can solve for that problem,” Madhu told Webster. But in order to ensure that defenses are indeed up to snuff, one cannot always rely on identity verification processes that compare names, email addresses and other data against offline sources that can, increasingly, be purchased on the dark web.

“If you take the synthetic ID – let’s say I stole your identity, altered the phone number or the email address – and then I went to register at a bank for an account opening and I passed that to a biometric on my phone,” posited Madhu … the chase down the rabbit hole becomes maddening.

But here’s the rub, Madhu said, and where the fraudsters often fail: The synthetic ID that has been created from these sources does not have social presence. And social presence makes a difference, offering up a layer, or layers, of defense in the battle for secure identities.

Static data does not have a cohort of people who are connected to you, and social presence is built over a length of time, he said, making it impossible for a fraudster to replicate with any real impact. The effort involved is daunting enough to stop them from trying.

Combining the onlinepersona with the offlinedata traditionally tied to identification, said Madhu, “actually gives you the assurance not only that the data correlates well, but that the person is legitimate, with presence on the internet that can be [several] years old … and we use at least a dozen network apps,” he said, which allows for a smorgasbord of social behavior that can be used to triangulate someone’s behavior.

Phones Are a Vulnerable Target

Increasingly, the mobile device and the phone number is becoming the second factor in authentication, said Madhu, and fraudsters are retraining their attention there.

They know that when a bank account password is reset, the bank sends an SMS message to the phone linked to that account. Bad actors can use any number of free reverse lookup offerings to find the carrier, call the carrier directly, use a Social Security number or other data and forward calls to a new number – allowing access to PINs and other temporary access codes to eventually hack into bank accounts … and own them.

The social network angle, which collects information via “shards” gleaned from different sites, is facing a changing landscape, said Madhu, as social network operators have been battling to keep data under wraps.

As an example, he offered up a recent case, now in appeals, where LinkedIn has been battling to keep data private. Should the social networking giant lose the case, he said, companies would not be able to refuse such requests in the future, so long as individuals have consented to that access.

“This is not going to be a gray area,” he told Webster, evidenced by the fact that Singapore has passed laws allowing the use of social information for modeling purposes. The traditional notion of credit models tied to SSNs and the like, said Madhu, is on its way to “dead duck” status. With so much traditional data stolen and out there, “the credit bureaus’ business model is monetizing stolen data,” said the executive.

Webster asked about customer data privacy as it stands in Europe, and how regulations like General Data Protection Regulation might impact the United States. Regulations seem like they may be done in isolation, but ripple effects abound. Problems may be solved in one area, but can cause unintended consequences elsewhere in the payments and data security arenas.

“That is what happens when politicians create rules,” Madhu said.

Two themes dominate the discussion and crafting of legislation, at least at present, and at least as it pertains across the pond. Consumers must consent to the use of their data, and they also have the right to be forgotten, as companies can be ordered to wipe data. There are legitimate use cases, he cautioned, for data to be stored, such as for anti-money laundering (AML) and know your customer (KYC) efforts.

Ultimately, said Madhu, data security will embrace a combination of behaviors, attributes and devices that will work in tandem with machine learning to ascertain that identities are, in fact, legitimate.

One thing that won’t be in the offing: A “one ring to bind them all” approach that Madhu said is part of the notion, for example, of blockchain ID. “That is going to be a disaster,” he said, because “already there are multiple blockchains.”

So, what does the future hold? Madhu said that real, robust and resilient data security will be a combination of features and devices, attributes, IoT and geolocation, and that machine learning will be the “guru that brings the bits of data together to be able to say, yes, this identity is legit.”

The upshot is that parties will wind up going to one or more service providers, which could be sourced from either the private sector or the government.

Regulation as Saving Grace?

What will break the logjam of innovation and disparate progress and allow real progress? Madhu’s answer might surprise you: regulation.

“Normally, you would just let evolution take over,” he said, and let startups do the inventing for which they are famous, “take the risk” and penetrate the market with some success.

Though conventional wisdom may say that legislation stifles innovation in the market, Madhu said one only has to look to China and India and their successful initiatives to create digital identities on a nationwide basis. What falls out of this process, and what becomes useful to the industry at large, said Madhu, is certification.

The framework is one where the government – domestically, the Federal Reserve, the Office of the Comptroller of the Currency (OCC) and the Financial Industry Regulatory Authority (FINRA), among others – can say, “‘Here is the risk-based approach we are recommending as a whole’ … If vendors come with a differentiated approach and can demonstrate why their approach fits within the framework … that can make all the difference,” Madhu said. The private sector, he explained, becomes more accepting of new technologies and services if they come with certifications attached.

And, consequently, “discombobulation among customers will disappear.”