Identity theft is scary for both financial institutions and their customers—and it’s on the rise. In 2017, cybercriminals spoofed the identities of 16.7 million consumers and stole $16.8 billion, according to Javelin Research.1 The perpetrators are increasingly sophisticated and use cutting-edge technology tools to gather the data they need to bypass the normal controls that financial institutions rely on to authenticate customers.
There’s a lot of consumer data available to steal. Huge data breaches at firms such as Equifax and Yahoo! have put millions of consumers at risk for identity theft. In the Yahoo! breach, three billion accounts were hacked, exposing consumers’ names, dates of birth, email addresses, passwords, and security questions and answers to identity thieves. And once criminals get this sensitive consumer information, they will use it repeatedly, because consumers often use the same passwords for all types of accounts.
But it’s not just consumers that are impacted. Financial institutions are incurring big losses as well. Synthetic identity theft, in which cybercriminals use fake personas to apply for loans and credit cards and then rack up debt, cost financial institutions $6 billion in a single year.2 The typical charge off of a synthetic identify theft attack is more than $15,000.
And, of course, there’s the regulatory fallout. Every regulatory agency has issued guidance surrounding identity fraud prevention. The New York Department of State’s Division of Consumer Protection adopted emergency regulations for its identity theft program. Other regulatory bodies have issued strong compliance requirements that financial institutions must comply with.
In addition to financial losses and regulatory challenges, financial institutions face reputational risk as well. Customers trust you not only to keep their data safe, but to protect them from identity theft. The knowledge that a cybercriminal has successfully impersonated them can make even the most loyal and long-term customers lose faith in your financial institution and severely tarnish your brand.
In such a risky environment, the knee-jerk reaction may be to impose more processes and methods of authenticating consumers. While this may reduce identity theft, it will certainly not make consumers happy with their experience. Consumers expect their financial institution to know who they are—and quickly. They expect a frictionless experience when they open an account, make changes to an existing account, or request a transaction. They don’t expect to jump through hoops to prove they are who they say they are. They’ll abandon the process. In fact, Signicat found that 40% of consumers have abandoned bank applications, with almost three-quarters of consumers reporting that the process took too long or required too much personal information.3
The goal is to identify legitimate consumers in real time, or near real time, with little or no friction, and to flag only those transactions that, based on the financial institution’s risk tolerance, require additional validation.
The de facto standard for consumer identification and verification for financial institutions has been multifactor authentication using SMS text messaging to a mobile device. Consumers have been conditioned to accept multifactor authentication, and most welcome it as a way to keep themselves safe from cybercrime.
However, cybercriminals are increasingly exploiting mobile devices, making it risky for financial institutions to rely only on multifactor authentication. SIM swap, phone porting, and call forwarding are now common ways for fraudsters to make it appear that they are calling or texting from the number matching, for instance, an existing credit card account.
In addition, the regulatory authorities will no longer accept the defense that a financial institution’s multifactor authentication controls are “commercially reasonable.” Instead, financial institutions must base their security controls on a risk assessment, raising the bar for regulatory compliance.
Rather than rely on multifactor authentication to identify consumers, financial institutions need to include an additional layer of verification to ensure consumers are who they say they are. The first layer includes offline sources, such as name, address, and other personal identifiers. The second layer includes a consumer’s online digital identity, such as IP address and cookie data. The third layer is “unstealable” device data elements such as phone type, activity, usage, and Mobile Network Operator (MNO) data.
Offline data, such as mother’s maiden name or name of a first pet, is relatively easy for a fraudster to get access to, either through a data breach or through social engineering and social media. Digital identity is also spoof-able since fraudsters can imitate IP addresses or caller IDs.
But what fraudsters don’t have access to is device-based identification data. Linking this third layer with offline and online data delivers a much higher level of confidence. The only way to gain access to this device-specific data is through relationships with telecommunications companies, government agencies, and utility companies that have the most up-to-date and accurate data.
For example, linking the device’s phone number to the consumer’s name and then verifying the length of time that consumer has had the device reduces the risk that the identity is spoofed. Verifying that the domain on the email address matches the consumer’s email address or that cookies are linked to the consumer provides a higher degree of confidence than just verifying email address or IP address alone.
Confidence is relative. Each financial institution has its own risk tolerance. While one financial institution may be comfortable with 95% confidence that consumers are who they say they are, another requires a confidence level of 99.9%. Financial institutions can make their own risk-based decision based on the confidence level.
As cybercriminals become more sophisticated, financial institutions will need to use authoritative identity signals to spot identity theft. The key is to do it without impacting the consumer experience and increasing abandon rates, quickly letting consumers through and stopping the fraudsters