Smart identity checks intercept digital fraud without slowing down real transactions

The use of stolen identity data is on the increase. In the first quarter of 2018, more fraud attacks were noted than in the same period for each of the last three years, with a particularly large volume of automated attacks, according to the latest ThreatMetrix Cybercrime Report.

As breaches increase, Europe and the United States are no longer the only especially large cybercrime zones. South America has become a hub for new account origination fraud and Southeast Asia is witnessing large amounts of identity spoofing. In addition, the proliferation of mobile usage has made new account creation via mobile phones a growing security weak point.

Online identification presents a challenge as it is hard to know if the person is who they say they are. By contrast, when a person attempts to sign up in a bank branch, for a mortgage or other financial product, the employee can verify their identity with physical documents and watch for any suspicious behaviour.

This contrast has prompted firms that handle online applications to seek a quick but thorough assessment of customers signing up for important products where identity is essential.

Data, technology and analytics firm LexisNexis® Risk Solutions already helps such businesses verify the physical identity of customers. In January, it acquired digital identity management firm ThreatMetrix to expand this to full, yet rapid, online identity verification and authentication.

“The combination of these skills will be essential to online businesses,” explains Paul Weathersby, UK senior director of product management at LexisNexis Risk Solutions. “It is important to connect online and offline identity management, and enable companies to have a quick, full view of the people they are transacting with.

“Normally when a person is signing up online, a company is trying to obtain basically a name, a date of birth, and a current address – those attributes are often accepted as an identity that can be verified against authoritative data sources. But it is easy for levels of fraud to creep in here, so businesses need to do much more to assess the real risk.”

The new way forward assesses “digital identity”, essentially the online footprint of a person, cross-referencing data points such as the device being used, the area in which the person appears to be located, and known usage or behaviour patterns. Mr Weathersby explains: “We are in a strong position to assist businesses in knowing their customers, in the digital world, and then in verifying that it really is them.”

This approach is the only way to keep pace with fast-changing cybercrime patterns, says Alisdair Faulkner, chief products officer at ThreatMetrix. Given the growing scale and sophistication of identity fraud, he says, any systems attempting to tackle the threats “can no longer function in operational silos, but must have the ability to incorporate online and offline data in this way to build a more holistic view of a customer’s digital identity”.

An essential aspect of the technique is that it does not slow down transactions by asking people multiple questions. Instead, it automatically assesses identity aspects against known information. Consumers benefit from an effectively frictionless experience.

The ThreatMetrix network is crowdsourced and constantly updated, providing businesses with instant access to “a multi-layered approach to distinguishing between good customers and potential fraudsters”, Mr Faulkner says. “While a static, rules-based approach to detecting fraud may have worked in the past, it was catching good customers in the net, penalising them for behaviour that may operate on the outliers of ‘normal’, such as high-value spending or frequent travel.”

Crucially, this information is captured through standard use of online consumer services, with the benefit to the consumer being that they can more quickly, easily and reliably be identified and protected against fraud. “Data is captured as part of the fraud prevention process implemented by our customers,” Mr Weathersby says. For privacy, the LexisNexis Risk Solutions system encrypts the data and uses a hashing process.

LexisNexis Risk Solutions has the aim of robustly addressing widespread fraudulent activity online and offline, including closing any other loopholes in identity assurance as they are discovered. Looking to the future, the company is optimistic about the prospects of building added assurance into online experiences. It is aiming in the medium term to enable “passive authentication”, a means through which retailers can immediately be given assurances about the identity of someone visiting their website, even if that visitor has arrived for the first time.

Given the rise in cybercrime and spoofing, behavioural analytics will become an increasingly important aspect of these checks. LexisNexis Risk Solutions expects online application processes to soon be bolstered by systems that pick up on signs of unusual behaviour, such as individuals applying for loans suspiciously quickly or much more slowly than would be considered normal. The idea is to mimic or recreate the behavioural vetting processes that would traditionally have been carried out by individuals face to face.

Mr Weathersby explains: “If you think back to what a bank employee would normally do in a loan application process, for example, if they had the person sitting in front of them, they’d be looking at their behaviour, how they talk and whether they seem hurried or stressed. For us it’s about creating a level of analytics capability that effectively replaces an in-person experience, so that we can assess real digital risk from all angles and at speed.”

Any business needing to check identity online is only truly capable when it has a process that equals or exceeds anything it would have done in person. Thorough and fast analysis, against constantly updated user data, is the only answer.

To find out more about smart identity management online, please visit risk.lexisnexis.co.uk