While there’s a concern throughout the payments and commerce ecosystem that any digital identity being presented might not be what it seems (i.e., might be fraudulent), that potential duality becomes a literal one in the goals businesses seek to achieve: protecting account data while simultaneously authenticating a customer’s identity.
Karen Webster recently spoke with Sunil Madhu, Founder and CEO of Socure, about the need for a digital identity authentication solution that does not give either one of those concerns short shrift.
KW: There’s a lot of attention being focused on the differences between protecting the payment stream and protecting the customer data stream. What are your thoughts on that distinction with respect to the focus on security in payments today?
SM: Most solutions in the marketplace focus on both sides of the fence, if you will.
Identity verification is obviously important, as is examining the behavior on an account over time to determine that the person using the account is the same one who opened it in the first place.
There are different sets of tools available for those two areas.
On the one side, new account openings and identity verification have historically been handled by data brokers and credit bureaus that possess a lot of offline information about consumers and verify them based on that data.
That method isn’t working well anymore, for a few reasons. All of that data is public to begin with, and a lot of the credit bureaus have been breached, leading to consumers’ PII (personally identifiable information) being stolen and sold to fraudsters.
More importantly, demographics are changing. Fifty-one percent of the world’s population today is millennials (people between the ages of 18 and 34), and those individuals are treated as thin-file by the bureaus, given that there’s often very little offline information about them. Meanwhile, 50 million adults in the U.S. are outside the banking system; and compounding that problem is the fact that the financial collapse turned a lot of good credit (in regards to individuals) into bad.
That’s why we think that using online and social data, in addition to that offline data, in order to validate the legitimacy of consumers interacting with FIs is a viable strategy.
It’s very difficult for a fraudster to fake social proof — for example, the network effect of creating online friends, followers, etc. Using social data as an augment to offline data, we think provides the opportunity to discern more accurately if the person interacting with a business is in fact who they claim to be.
On the other side of the fence — examining behavior over time — a lot of solutions have started to use step-up authentication or multi-factor authentication as a way of ensuring the legitimacy of a transaction. Increasingly, those methods rely largely on biometrics.
But utilizing biometrics alone is insufficient, because it is possible for a fraudster to associate their biometrics with a legitimate consumer’s PII; it’s happening with Apple Pay, which — despite utilizing Touch ID — has about 60 times the fraud rate of swipe cards.
In order to get the utopian state where we’re able to eliminate online transaction fraud or account takeover fraud, you have to bind the verified identity to a biometric or to step-up authentication credentials. That binding ensures that when credentials are presented, there’s no way that they could have been stolen and reused by a fraudster.
The combination of these two things — augmenting offline data with social data, and the binding of an identity — prevents the need for us to look at things like the device being used or payment behaviors, et al.
KW: Isn’t that one of the problems that payment tokens are trying to solve for?
SM: FIDO is obviously one of the organizations that are trying to do tokenization; there are also a lot of private enterprises coming up with their own tokenization schemes.
Knowing how slow technology gets adopted in the industry — credit cards, for example, took decades — you’re really looking at the next 15 to 20 years before we move to such a scheme.
As we move to stronger authentication and biometrics in any kind of step-up or multi-factor mode, it’s important to note that there is no standard for any biometric credential.
The technology for each type of biometric credential — fingerprint, face, voice recognition — is actually proprietary.
Regarding tokenization, the first challenge is getting the industry to agree upon a standard for interoperable credentials, as well as for what constitutes a trustworthy ID. Then there’s the larger problem of creating a trusted identity against an authenticator wherein the biometric credential itself is proprietary.
There’s still a lot to be done in solving both of those problems in order for tokenization to be useful.
KW: The move to online, driven by mobile, is forcing this lack of distinction between the offline and the online worlds. I think that will accelerate the intensity of the ecosystem to find an identity authentication solution that actually can be deployed across channels — one that isn’t device dependent, but is person dependent.
SM: Most of the transactions that people are making today are still taking place offline. But I agree with you that the adoption of mobile in a lot of different markets will accelerate that growth.
It’s great that the industry has recognized the problem surrounding digital identity and is starting to move toward a consensus solution … but, optimistically, I think it will be a decade or two before we see the outcome.
And in the meantime, we still have to deal with fraud.
KW: A lot of the bureaus have tried to look at social attributes as the way to build the thin files of the consumers you describe into thicker files, and they’ve determined that that’s not necessarily appropriate if you’re making a risk assessment for an individual.
But I suppose what you’re doing is just trying to say that “Joe is Joe” and “Sally is Sally” — and, for that purpose, social is effective. Is that the working theory?
SM: Although our system isn’t used to create credit models, it actually does both of the things you describe.
We de-risk the authenticity of an identity, and we also make a fraud prediction.
Fraud varies from one industry to another. In the merchant space, the focus tends to be on chargeback fraud, while issuing banks care more about synthetic ID fraud, and a lender might care about first payment default fraud, et cetera.
What we’ve been able to do is obtain data from our customers — financial institutions and global payment companies — in terms of who is actually committing fraud in their industry. That’s allowed us to train artificial intelligence machine-learning systems to discern between the features of a person committing fraud and those of people whose identities have been stolen and are being used for fraud (of various types).
Our system looks at data spread across different networks, combines them with offline PII, and determines whether or not they correlate well — a determination that can be meted out both by social proof (or a lack of it) and an assessment as to whether or not the features of identity are indicative of fraudulent behavior in a specific industry or vertical.
It’s the combination of those things that makes our system effective and empirical.
KW: Is the application of your technology used mostly to validate the identity of a consumer when they are taking a new action, or is it inserted into the payment stream in the midst of transactions that are happening?
SM: Again, there, our system is used in both ways.
We’re used both in account opening and in post-account openings — instances where people have changed their profile data. In the remittance industry, for example, we’re used on every transaction.
KW: The industry obviously can’t wait 20 years for an effective digital identity authentication solution — we needed one 10 years ago. What do you think is a shorter-term path to both protecting consumers and giving relying parties assurance that an identity is legitimate?
SM: The best way to do that is, simply, to actually do it.
Regulation typically lags behind the market; there is no standard, for example, for KYC (know-your-customer) compliance. Technology simply has to be proven out, and we intend to do that with ours.
We intend to show the world that relying on credit bureaus and offline data is no longer the most effective method, and that much more empirical models can be created by combining a variety of what was once esoteric data and applying it in meaningful ways for much better outcomes.
And we expect to be able to do that in less time than 10 years.