September 20, 2018
Digital Identity Verification: Familiarity Breeds Content(ment)
Posted August 25, 2017
Traditional brick-and-mortar businesses originally looked at digital channels to more efficiently reach new markets and offload transactions from the more-expensive attended channels. Many of these businesses now report that the vast majority of their transactions occur in the digital channel (both online and mobile). Today, businesses are seeing tremendous growth in new account creation in the online and mobile channels. Along with this growth, not surprisingly, comes risk as cybercriminals target these popular channels. In fact, slightly more than one in 10 new digital account creation transactions are rejected due to real or suspected fraud.
This continued shift toward digital channels for account creation and transactions is fueled by customers’ desire for convenient and persistent digital access. It behooves all businesses to provide user-friendly digital account creation or risk losing new customers to competitors. While many business leaders are fearful of the risks involved in digital account opening, others have put the appropriate protections in place and are reaping the benefits. If you’re still wondering if digital account opening be as safe as offline account opening; the answer is yes. In fact, in many circumstances, it may be safer.
Who Are You?
Organizations generally feel safer opening new accounts in person, as this has been the norm for quite some time. Usually a driver’s license and answers to challenge questions from historical credit and identity data are all that’s needed to verify an offline identity. An in-person meeting facilitates matching one’s visual appearance to identity information (such as age, gender, height, eye color, etc.) as well as looking for signs of nervousness or other suspicious behavior.
In a typical online account creation scenario, emphasis is placed on matching personally identifiable information (PII) and so-called out-of-wallet questions obtained from third-party data sources. Unfortunately, in a world of massive corporate data breaches and open sharing of personal information, answers to security questions are easily obtained. Cybercriminals are using automation to cobble together identity information from multiple sources to create a big-picture view of an individual’s identity. It has become almost impossible to ensure the user on the other end of an online transaction is legitimate based on secret questions.
The difficulty of digital recognition is primarily twofold. First, and most obvious, is the anonymity provided by digital channels. Second is that most organizations can only see what’s in front of their proverbial face when interacting with customers digitally. That is, organizations may recognize a returning customer using a variety of device and location data, but struggle to recognize new users, users with new devices and users with dangerous malware or remote access Trojans on their devices.
Hey, I Know You!
The ultimate form of recognition is familiarity. The bank teller who sees you every week doesn’t need to ask for your identification. While device intelligence methods attempt to replicate this capability in the digital world, this is akin to the teller recognizing the car you used, but not you. While it is highly likely you will be emerging from the car that appears to be yours, it isn’t a certainty. It could be your spouse or someone else using your car.
This is today’s digital identity conundrum.
However, what if that same bank teller followed you around for the past several months — watched you go to various stores, use a few different cars, perhaps saw other family members drive your car to a store and then back to your house? While a bit creepy in the physical world, this would nonetheless provide an abundance of information and certainty about your identity.
What if we replicated the above scenario in the digital world? Every time an individual visited, let’s say, an online bank, an eCommerce retailer or an online travel site, data surrounding that visit would be captured in a network and analyzed to create a complete digital footprint. Again, perhaps a bit creepy and likely illegal. But, what if the individual’s identity could be anonymized so we could associate this digital footprint with “person1234” without knowing who “person1234” actually is? When person1234 showed up at a new or existing site, that site would have a thorough profile of person1234 and a level of confidence in that individual’s identity and intent based on their past behavior.
Didn’t I Meet You At Joe’s House Last Week?
Now, some users in this vast network of digital footprints would be highly familiar, some would be completely new, and some would be somewhere in between. If a new, unfamiliar user arrived at a business, it is highly likely that the user would be familiar to the network. This, along with an assessment that the user’s device was threat-free, would provide the certainty needed to conduct business with the new user.
For those users that were completely new or questionably familiar, another tact is required. Using the dynamic data from the current interaction, along with some level of data from the network, is a great start. Fortunately, a number of new data providers now assemble a variety of identity data that can be used to assess the user’s identity validity. These data sources include such things as phone intelligence (correlation of phone number with claimed identity, carrier ID, etc.), email intelligence (age, correlation with other identity data, associated IP addresses, etc.) and social network intelligence (age on various sites, correlation with identity data, etc.). Unfortunately, this type of static identity data can be pricey. Fortunately, it’s only needed in some situations.
Maybe My Friend Knows You
When transactions require additional verification, third-party static identity data can be accessed to augment the decision process using an integration hub. After a thorough assessment of the interaction using the dynamic data and analytics at hand, data elements can be called to augment the analysis on an as-needed basis. Rather than grabbing every piece of data every time, this approach allows the system to remain very cost effective, flexible, and adaptable as the threat, vendor, and market landscape changes. This ensures that customer experience is not degraded through needless authentication requirements while maximizing the organization’s security posture and keeping costs in check.
Even with the 95-percent accuracy of digital identities, sometimes additional external help is required. Knowing what questions to ask and what external data to evaluate for each situation is paramount.
Read the Solution Brief to learn more about the ThreatMetrix approach to identity verification.