Why Are We Relying on Breached Credit Bureau Data to Confirm Identity?

We’re all familiar with the stats: Last year’s Equifax breach left upwards of 145 million people’s personal identity information (PII) in the hands of fraudsters. Since 2005, more than 816 million individuals’ records were stolen in more than 4,500 reported breaches. In 2018 alone, major companies like Whole Foods, Kmart, and Under Armour have already experienced breaches, exposing hundreds of millions of customers’ personal data. Data breaches are so common now that it’s safe to assume that no one’s information is private and that we’ve all been hacked. As a result, it’s on us to think carefully about how fraudsters are actually using the PII they steal. And in order to best protect businesses and consumers, it’s on us to reconsider the traditional approaches to identity verification —which clearly aren’t working.

Opening a new account with stolen PII is easy for fraudsters, largely due to the widespread use of outdated verification processes. Unfortunately, companies continue to face several challenges surrounding the verification of new applicants, including:

  • Stolen PII. Most businesses rely on the three major credit bureaus to verify user identities: Equifax, Experian, and TransUnion. But the problem is that the personal information requested in most applications is exactly the same as the information credit bureaus use to verify identity. That means that if a fraudster steals real PII, he can easily open an account using that information, which matches the information the credit bureau has, so the account gets green-lighted. Moreover, as we saw recently with Equifax, none of that data is secure anyway. In short, relying on credit bureaus and using the stale, static data that they’ve been storing for decades is no longer a useful means of verification; all that data can all too easily be bought on the black market.
  • Applicants with insufficient credit history. In recent years, growing swaths of the population have insufficient credit history—and despite being qualified, these applicants with “thin files” are more likely to get denied than those using stolen PII. This problem particularly affects millennials, members of Generation Z, and immigrants, who are all less likely to use credit cards. Studies find that millennials own 22% fewer credit cards than the generation before them at the same age, and 18-to-24-year-olds prefer to pay with cash or debit cards.
  • Existing authentication technologies are too rigid. The vast majority of identity verification solutions, including those used by the major credit bureaus, rely on a plethora of rules created by statisticians. Rules-based systems are only as good as the rule maker, grow unwieldy over time, and are difficult and time-consuming to update. As fraud tactics shift, as they inevitably do, rules-based systems degrade and have a hard time adjusting to the current conditions.
  • Emerging authentication technologies are ineffective. Despite their good intentions, advanced authentication technologies, such as biometrics, only work if an account has already been verified. But if the account is opened using stolen PII and verified by, say, a credit bureau, the advanced authentication only serves to further validate fraudulent accounts. Furthermore, given the nascence of the technology and the cleverness of fraudsters, even physical biometrics like fingerprints can be spoofed.

What these challenges make clear is that relying on credit bureaus to verify new applicants is no longer a sustainable model. Too often this data is compromised and static, and it doesn’t keep up with a changing population’s spending habits. Instead, a better approach is needed that relies on a wider range of data that’s more difficult to hack and replicate. Asking applicants to provide more personally specific information—such as IP addresses, emails, phone numbers, social networks, and other aspects of their “digital footprint”—would do a world of wonder in more accurately verifying identities. And it’s not a far-fetched solution, either. The technology already exists—and here at Socure, we’re already working with financial organizations to apply machine learning to mine these dynamic data sources.

It comes down to understanding the risks and realities of stolen PII—and understanding the way in which verification needs to change with the times. In short, identity verification is stuck in the 1990s. Isn’t it high time to bring it into the digital age?

Topics: Fraud, Online Id Verification, equifax breach, verifying customer identity, PII

George Tubin

George Tubin

George Tubin is Vice President at Socure and he is a recognized expert in online and mobile banking and payments security and cyber-fraud prevention. He was previously a senior research director with the leading financial services research firm CEB TowerGroup (acquired by Gartner, Inc.) where he delivered thought leadership and insights to leading financial services institutions, technology providers, and consultancies on business strategies, technologies, and market trends in retail, Internet and mobile banking, and fraud management.