Data Breaches Are Endangering Identity VerificationPartner, Digital and Financial Services for Oliver Wyman Partner, Digital Practice of Oliver Wyman
The recent Equifax data breach affecting the personal and financial data of 143 million Americans has had a profound effect on consumers. While their credit cards can be re-issued with new numbers, their legal names, addresses, Social Security numbers, and birthdates cannot.
Equally profound are the implications for companies that use information stored by credit bureaus as a mechanism for confirming the identity of new and returning customers. At many companies, standard procedures for confirming customer identity involve asking for the last four digits of a Social Security number. The safety of this procedure is now in question. It is reasonable to assume that all these social security numbers are now circulating among fraudsters and offered for sale on the dark web.
Other standard procedures for confirming identity require the consumer to answer challenge questions based on the contents of their credit file. For example, a consumer may be asked whether or not they took out an auto loan during the last six months, and if so, for what type of vehicle. Or they might be asked to confirm a prior address. These methods are now far less safe as the underlying information has been hacked. In fact, there is a real question as to which commonly used identity-confirmation processes are still viable.
Banks, mortgage companies, insurance companies, asset managers, telecommunication companies, medical and health companies, hospitals and other organizations hold critical information on their customers and often their money. These organizations arguably have a moral and fiduciary obligation to prevent fraudsters from obtaining data and using it to take over accounts or open new accounts fraudulently. If organizations fail to protect their customers, they may expose themselves to legal action as well as punitive responses from regulators.
ID verification needs to start relying on information that is only known to the company and its customer.
Arguably, the safety of using Social Security numbers in authentication has been declining for some years and certainly since the large-scale hack of the IRS in 2015. However, the last four digits of the Social Security number are still casually assumed to be confidential information in identity verification processes.
Companies need to start relying on information that is truly only known to the company and its customer.
Rethinking Customer Identity Confirmation
When considering fraud risk and procedures for avoiding customer account opening or takeover by fraudsters, the use of third-party information for identity confirmation is arguably less reliable than ever before. Adapting to this new reality will complicate many existing processes, especially those that support account password resets. If a customer cannot access their account, you cannot readily confirm identity using past transaction history.
The only information that can be used with confidence for identity confirmation is that which is unique to the consumer and the verifying company. Companies could employ a statistical approach that relies on a broad range of different types of information, the totality of which is unlikely to be available to a fraudster. However, the constant onslaught of data breaches and ongoing innovation by fraudsters and other bad actors renders even this approach problematic.
Another challenge: Many organizations only encrypt and protect key data such as Social Security numbers, not the information they will now need to use to confirm identity. Companies must now reevaluate what information should be deemed sensitive or critical across databases and customer support systems. Then they must determine how to protect this information from leakage or unauthorized access.
Rethinking Two-Factor Verification
Today, many organizations use two-factor authentication to protect against account takeover attempts, phishing, and other fraudulent activities. The most common approach is to leverage a customer’s mobile phone and a text message to confirm identity. But the information likely released in the Equifax breach (and other breaches) could be the same information used to confirm customer identity by mobile phone companies.
Using text messages to support two-factor authentication processes has always been a dubious approach, as mobile phone companies have had difficulty preventing fraudsters from taking control of their customers’ phones. Given the Equifax breach, alternative approaches should be examined.
Biometrics is another potential tool for confirming identity, though there have been many examples of smartphone fingerprint readers being spoofed by fakes. Emerging capabilities to perform facial recognition and iris scanning via mobile phones are worth watching, but they won’t address the immediate challenge of confirming identity.
Identifying New Customers
The most difficult part of authentication typically occurs when a new customer opens an account. For complex financial products, this can be less of a concern due to the larger quantities of information that need to be collected, extensive know-your-customer processes and the sheer amount of time that opening a new account requires. Yet, as more consumer account opening processes are digitized and the time-to-first-transaction decreases, companies need to redesign the processes by which they confirm that the new customer truly is the person they claim to be. This will be even more critical for products that allow a customer to establish an immediate liability such as a short-term loan or that aim to provide an immediate service for a deferred payment.
Industry groups such as the FIDO Alliance are attempting to create industry-wide standards and to support new solutions to the identity problem. This is all to the good, but in light of the Equifax data breach, every organization must perform a comprehensive audit of its own customer identity processes and ensure that is properly assessing the risk of process failures.
Given the increasing sophistication of attackers, the question is not if, but when will you be attacked and compromised. Too often organizations focus on the potential for the direct losses—fines, litigation and remediation—that result from compromised customer accounts, rather than the reputational harm in terms of brand value and customer loyalty.
With these factors in mind, senior executives need to ask: “Are we fully prepared to respond to a large-scale information breach?” and “How do we protect our customers in the best possible manner?”