My debit card was compromised a couple of years ago. My bank’s response? In addition to cancelling my card while I was on holiday, I got a call on my personal mobile phone with an offer to upsell me “free” identity services that converted to a paid subscription – monetizing the fact that my identity was compromised.
I share this story because it nicely illustrates three huge problems with the current state of online identity protection and privacy:
1. The consumer bears the burden of protecting privacy.
2. The brand relationship is damaged both through breaches and the currently accepted measures to secure identity.
3. The “fix” of linking online identity to physical identity doesn’t increase my privacy – and may put it at greater risk.
Let’s look at each problem in isolation.
The Consumer Suffers
When there’s a data breach, the consumer has to take steps to repair the damage – reversing charges on their cards, changing passwords across accounts, or even signing up identity protection services.
Some businesses are offering their customers two-factor authentication services, which can add an extra layer of security but also create an additional burden at the point of login. If I want better security, I’m also in a Catch 22 position of needing to hand over even more personal data.
Brands Suffer from Erosion of Trust
My bank’s upsell offer did serious damage to my relationship with that institution. They had already lost my trust, then I felt they tried to capitalize on it. Is credit monitoring helpful? Sure, but even good intentions can sour brand relationships if not executed correctly and it still doesn’t protect my identity being re-used outside of the credit application process.
The problem of trust is not just limited to those businesses that suffer breaches. It’s a challenge for every business that interacts with customers online. If a criminal registers an account or buys a product from your business using stolen credentials, the person who owns those credentials will forever associate you and your brand with that breach of trust – even if the data breach happened somewhere else. Why? It’s hard for a consumer to differentiate between a business with insufficient fraud detection capabilities and one they think has somehow tricked them or their family to purchase or subscribe to a service online.
Our Privacy Continues to Decline
Worse, the traditional measures that businesses offer to increase the security of my online identity don’t protect my privacy well.
Identity theft protection plans offered by banks tap into services like credit bureaus. These bureaus aggregate data about my online identity with my real-world identity and sell it as a service to legitimate business. The problem is that these identity aggregation points are themselves targets for hackers and insider threats. According to Brian Krebs’s blog, at least one credit bureau has unintentionally sold data to an identity theft service, while another ID theft service has hacked into multiple data brokers and aggregators. Recently nearly 40% of the South Koreans were exposed due to insider theft.
Anonymized Behavior-based Identification Solves These Problems
Traditional ways for proofing online identity often rely on services that aggregate identity information and connect online identity with our real-world identities. We need a new approach – and I think behavioral-based identity proofing is the right way to go.
At ThreatMetrix™, we enable context-based security for frictionless multi-factor authentication – it entails determining someone’s online persona by linking anonymized credentials to related identities, devices, behaviors and associations based on a dynamic matrix of attributes. In the same way that “actions speak louder than words” your online identity (a Persona ID) is created and verified through global online behavior and not simply reliant on knowledge of your offline identity. Unlike identity bureaus that are in the business of monetizing your identity, ThreatMetrix is only in the business of protecting trust so our algorithms don’t need to know your actual name to know whether you are who you say you are.
Best of all, it takes the burden off the customer and helps businesses restore trust in online services without introducing friction.
For details on this new approach to securing online identity, see this week’s press release on frictionless identity protection.