It’s time to shift from verifying data to authenticating identity
As fraudsters continue to develop increasingly sophisticated schemes that allow them to produce an apparent valid identity, either by stealing personal data or fabricating it themselves, organizations need to make a fundamental shift in their fraud-fighting strategies. Rather than performing authentication through a series of data point verifications, they should instead examine the linkages between all the identity markers holistically over time.
Traditional identity verification tactics involve sequentially testing individual data points in an effort to confirm that the person posing as a customer or potential customer is really who they say they are. For example, a financial institution processing a credit card application may first check whether the provided Social Security number is linked to this person’s name and, if it does, then move to the next step (e.g., checking whether this person’s name is linked to this person’s phone number) and then the next.
These checklist-style fraud-prevention measures are intended to verify the person’s legitimacy, but they can be easily circumvented by a determined criminal. On the surface, each of the data linkages on its own might appear correct, leading the organization to clear this customer as a non-threat. However, closer inspection shows that the historical data these types of solutions rely on can be manipulated or only fractionally correct — leaving the door open to savvy fraudsters.
Risks at play
According to the Federal Reserve, sophisticated forms of fraud are on the rise, and synthetic identity fraud is the fastest-growing type of financial crime in the U.S., accounting for billions of dollars in losses annually. The FBI and the Cybersecurity and Infrastructure Security Agency have also warned that some forms of fraud, particularly vishing, have increased as a result of telework and the pandemic eliminating in-person verification.
Let’s take a closer look at how sophisticated forms of fraud such as vishing and synthetic identity fraud thwart traditional fraud-prevention systems.
Vishing (voice phishing) attacks use social engineering methods to obtain personal or financial information from victims over the phone. These attacks can take many forms and often involve scammers posing as someone from the victim’s bank, corporate tech support or a government agency.
One of the more complex vishing schemes is the man-in-the-middle attack, in which a fraudster sets up two parallel conversations between a business and its customer. The business believes it is connecting with the customer, and the customer thinks they are talking to the business — but in reality, it is the fraudster interacting with both. The fraudster might initiate the scheme by requesting the issuance of a one-time passcode via a session on the business’s website.
In parallel, posing as the business, the fraudster calls the unwitting customer and, using social engineering, convinces the individual to read off the one-time passcode sent by the business. The fraudster then uses this information to log in to the customer’s account and perform unauthorized transactions. Since the fraudster was able to provide all requested data to pass each point in the verification process, access is granted.
With synthetic identity fraud, criminals combine real and fake information to create a fictitious identity, which they use to open up financial accounts and make fraudulent purchases. While a false identity might seem easy to spot, the reality is much more challenging. Criminals will often use real Social Security numbers from people who are not likely to be checking their credit reports — such as children, the elderly or homeless individuals — to create fake identities and patiently build up credit history over time. If a fake identity has a verified credit history and passes the other sequential verification checks, most institutions will see this identity as legitimate, leaving them vulnerable to significant losses when the fraudster is granted a loan or line of credit and walks away with the cash.
Both types of fraud take advantage of the same weakness: the organization’s reliance on validating disparate data linkages. Both types provide legitimate identity markers that criminals have either swindled from the customer or created themselves. And most traditional fraud-detection solutions would approve these data points without raising any red flags.
For example, a fraudster can easily create a new Google email account under a fake name to make an email-to-name match verify. Address checks often allow for fractional verification with just a first initial and last name, and the IP geofencing used to compare a customer’s IP address with a claimed physical address requires only general proximity — meaning that the fraudster could simply be sitting in a coffee shop nearby. Efforts to verify virtually any individual piece of information can be overcome by someone who knows how to game the system.
A path forward
To achieve more accurate identity verification, organizations need to adopt a holistic view of identity across online, offline and device-based data and behaviors over time. Such a process entails the following near-real-time assessments:
- Examining each piece of data (name, address, email, phone, IP address, etc.) in conjunction with the others to create an integrated view of a single, stable identity
- Determining how frequently and completely each data point connects to the others, and how long those connections have been in place, to assess how strong the links are between all the pieces of data
- Inspecting the recent activity of the mobile device being used, as well as its historical behavior, to understand the level of risk (of SIM swapping or spoofing, for example) associated with the device
- Assigning a risk factor to the person’s identity and device before moving forward with the interaction
Assessing the strength of each data linkage (for example, how long the email address has been associated with the person’s name, or what kind of activity the phone number has been involved with historically) allows a value to be assigned to that linkage; when viewed in relation to each other, all these linkages contribute to an overall identity risk factor.
Understanding the risk can help businesses decide how to proceed with any given interaction and allow them to differentiate user treatment based on the assigned risk factors. This differentiated treatment not only allows companies to block out fraudsters — it also enables them to let trusted customers through faster, thus improving both fraud prevention and the customer experience.
An integrated view of identity
Organizations can no longer afford to rely on a fragmented or sequential approach to vetting personal information. They need to look beyond the individual data points themselves and evaluate the bigger picture by asking how the data points relate to each other in total and how long they have been related.
Companies can build this more integrated view of identity by using solutions that draw on hundreds of authoritative and constantly updated sources of person-centric offline information, combined with device-centric digital identity, to determine who is on the other end of every interaction.
This shift in the way we look at authenticating identity is key in enabling organizations to build resilient fraud-prevention infrastructure that can withstand the sophisticated fraud attempts seen today — and those to come.