Last year’s Equifax breach left upwards of 145 million people’s personal identity information (PII) in the hands of fraudsters.

Since 2005, more than 816 million individuals’ records were stolen in more than 4,500 reported breaches.

In 2018 alone, major companies like Whole Foods, Kmart, and Under Armour have already experienced breaches, exposing hundreds of millions of customers’ personal data.

Data breaches are so common now that it’s safe to assume that no one’s information is private and that we’ve all been hacked. As a result, it’s on us to think carefully about how fraudsters are actually using the PII they steal. And in order to best protect businesses and consumers, it’s on us to reconsider the traditional approaches to identity verification —which clearly aren’t working.

Opening a new account with stolen PII is easy for fraudsters, largely due to the widespread use of outdated verification processes. Unfortunately, companies continue to face several challenges surrounding the verification of new applicants, including:

  • Stolen PII. Most businesses rely on the credit bureaus to verify user identities. But the problem is that the personal information requested in most applications is exactly the same as the information credit bureaus use to verify identity. That means that if a fraudster steals real PII, he can easily open an account using that information, which matches the information the credit bureau has, so the account gets green-lighted. Moreover, as we have seen with so many data breaches, none of that data is secure anyway. In short, relying on credit bureaus and using the stale, static data that most of them have been storing for decades is no longer a useful means of verification; all that data can all too easily be bought on the black market.
  • Applicants with insufficient credit history. In recent years, growing swaths of the population have insufficient credit history—and despite being qualified, these applicants with “thin files” are more likely to get denied than those using stolen PII. This problem particularly affects millennials, members of Generation Z, and immigrants, who are all less likely to use credit cards. Studies find that millennials own 22% fewer credit cards than the generation before them at the same age, and 18-to-24-year-olds prefer to pay with cash or debit cards.
  • Existing authentication technologies are too rigid. The vast majority of identity verification solutions, including those used by the major credit bureaus, rely on a plethora of rules created by statisticians. Rules-based systems are only as good as the rule maker, grow unwieldy over time, and are difficult and time-consuming to update. As fraud tactics shift, as they inevitably do, rules-based systems degrade and have a hard time adjusting to the current conditions.
  • Emerging authentication technologies are ineffective. Despite their good intentions, advanced authentication technologies, such as biometrics, only work if an account has already been verified. But if the account is opened using stolen PII and verified by, say, a credit bureau, the advanced authentication only serves to further validate fraudulent accounts. Furthermore, given the nascence of the technology and the cleverness of fraudsters, even physical biometrics like fingerprints can be spoofed.

What these challenges make clear is that relying on credit bureaus to verify new applicants is no longer a sustainable model. Too often this data is compromised and static, and it doesn’t keep up with a changing population’s spending habits. Instead, a better approach is needed that relies on a wider range of data that’s more difficult to hack and replicate. Asking applicants to provide more personally specific information—such as IP addresses, emails, phone numbers, social networks, and other aspects of their “digital footprint”—would do a world of wonder in more accurately verifying identities. And it’s not a far-fetched solution, either. The technology already exists—and here at Socure, we’re already working with financial organizations to apply machine learning to mine these dynamic data sources.

It comes down to understanding the risks and realities of stolen PII—and understanding the way in which verification needs to change with the times. In short, identity verification is stuck in the 1990s. Isn’t it high time to bring it into the digital age?

Topics: Identity Fraud, Identity verification

Socure

Socure

Socure is the leader in Day Zero digital identity verification technology. Its predictive analytics platform applies artificial intelligence and machine-learning techniques with trusted online/offline data intelligence from email, phone, address, IP, device, velocity, and the broader internet to verify identities in real-time. The company has more than 300 customers across the financial services, gaming, telecom, and eCommerce industries, including three of the top five US banks, eight of the top 10 card issuers, three of the top MSBs, the largest payroll service, the second-largest retailer in the world, and over 100 of the largest and most successful fintechs such as Varo Money, Public, Chime, and Stash. Socure recently received numerous industry awards and accolades including being named “Best New Technology Introduced over the Last 12 months – Data and Data Services” at the 2020 American Financial Technology Awards (AFTAs), ranked number 70 on Deloitte’s Technology Fast 500™, being named a Gartner Cool Vendor, recognized by Forbes as one of the “Top 25 Machine Learning Startups to Watch,” listed to CB Insights: The Fintech 250, and awarded Finovate’s Award for Best Use of AI/ML, to name a few. For more information visit www.socure.com.