Data breaches happen every day. Astonishingly, over nine times the population of the United States’ data was stolen in 2016 alone. Data breaches affect not only merchants but large-scale financial institutions like banks, credit card companies and credit bureaus that store a lot of information about consumers. It now costs about $4 on average to buy someone’s stolen identity data and mere hours of trolling people’s social media exhaust to learn enough to commit fraud. Fraud costs trillions of dollars to world economies annually. For consumers whose identity data has been stolen, the impact on their lives can vary from being a nuisance to financial and emotional trauma.
Technologies like strong encryption can help businesses securely store customer data so that in the event of a breach, the data is made useless to the attacker. However, a variety of attack vectors can be used to help criminals access customer data. For example, customer information can be teased out from employees through social engineering or by using malware attacks to compromise employee devices and then access critical databases housing sensitive customer data. Preventing data breaches and data loss is therefore a very tricky problem for most businesses.
Over the last 10 years, a variety of tools have been deployed to help businesses address the problem, but identity fraud continues to occur. In some instances technological advancements have only made matters worse. Take Apple pay as an example. When Apple Pay was first launched, its use of fingerprint biometrics was claimed to ensure that the Apple Pay platform was free from fraud. Apple Pay went on to have about a 6 percent fraud rate, approximately 60 times the fraud rate of swipe cards in 2015. This was because it was possible for fraudsters to use stolen identity data to attack a bank's call center and trick its employees into authorizing the enrollment of the stolen identity’s credentials and card details into the digital wallet of the fraudster. This enabled the fraudster to attach his fingerprint to someone else's stolen identity in the fraudster’s digital wallet with which they could commit fraud.
So, what can businesses do to protect themselves and their customers’ data, and what technologies can businesses employ to help them get a leg up on the fraudsters? Given that businesses have had the ability to use encryption technology for more than 20 years and yet many choose not to effectively encrypt their data, the ecommerce industry has decided to come up with an approach to tokenize customer identity and transaction data using standards defined by EMV Co. This means that if a merchant business is breached and its data stolen, the tokens -- which act as reference pointers to the customer identity and card details held by the card issuers -- make the attack pointless as the fraudsters can't use the tokens like they would be able to do with raw customer data.
But that's just a start. Businesses have started to employ better digital identity verification and multi-factor authentication technologies in tandem to combat fraud. Because of the availability of stolen data and the growth of the credit “thin file” demographic -- millennials and people living on debit cards or cash -- the latest in digital identity verification technology combines offline data such as consumers' names, addresses and phone numbers with their digital exhaust (online and social proof) tied to their name, email and other offline attributes. It’s far easier to steal or fake someone’s name and address than it is to fake the networks of people to whom she is connected in the real world that's represented online in social network connections. That’s what vouches for whom we claim to be online.
These cutting edge digital identity verification solutions combine predictive analytics and machine learning to process vast amounts of identity data from bureaus, websites and apps, social networks and identity aggregators in real time to risk rate an identity as real or synthetic (stolen and repurposed) or fake, as well as to predict fraud risk based on the offline and online features of previously discovered fraudsters reported by businesses at scale into these solutions.
Finding an opportunity in mobile
The general shift of ecommerce from the internet to mobile apps also presents an opportunity for businesses to combat identity theft and fraud. In the mobile world, most applications do not have an anonymous “guest” mode like their website counterparts. When we install a mobile app, we are required to enroll to the app. In this enrollment process, businesses are increasingly employing multi-factor authentication technology.
After the identity of the consumer is verified using digital identity verification technology, the mobile device is fingerprinted -- a unique identifier for the device is generated, and the consumer is asked to register her fingerprint or face or some other biometric. The verified consumer identity, device identity and consumer biometric (encoded fingerprint, facial image etc.) is then tokenized and this token is securely stored on a chip in the mobile device.
Subsequently, if the business has any doubt that the person performing a transaction in her app is the legitimate consumer and not a fraudster, it is able to invoke multi-factor authentication to verify the biometric and device and identity binding in the previously enrolled token by simply asking the consumer to “step-up” their authentication level to perhaps verify their fingerprint. This makes it incredibly difficult, if not impossible, for thieves to commit fraud even if they possess stolen data for their attacks.
The final verdict
Businesses can ensure that all consumers being enrolled are thoroughly vetted with digital identity and document verification technologies and that the transactions that pose the highest risk are gated with multi-factor authentication. These technologies and continued tokenization or encryption of sensitive data will protect businesses and consumers from data theft and change the economics of fraud so that it's no longer in favor of the fraudsters.