Recent headlines that criminals exploited the identity proofing systems used on the IRS website should come as absolutely no surprise to anyone. What’s surprising to me is that anyone still relies on PII (personally identifiable information) that is effectively public, when they know how widely it has been compromised over the past few years. Criminal compromise of PII data was readily apparent at least five years ago (see blogs.gartner.com) and has become far more pervasive since then.
I don’t quite understand why the public and the media get so worked up over the theft of credit card data from retailers like Target and Home Depot, and essentially ignore the far more consequential breaches of PII data that have been well documented by, among others, security blogger Brian Krebs. See Krebs’ Sept 2013 blog “Data broker giants hacked by ID theft service.”
Consumers recover relatively quickly and fully from the theft of credit cards. There are network and legal mechanisms to make consumers whole financially and to prevent future fraud on known compromised cards: a compromised card number can be cancelled and reissued. The same is not true at all for the theft of PII data. A date of birth, Social Security number or mother’s maiden name cannot be reissued, and there are no built-in network mechanisms (like those provided by Visa and MasterCard) for stopping the use of known stolen identities.
All the IRS can do, and did, for the 100,000 consumers whose tax returns were illegally accessed in this latest round is offer credit report monitoring. That type of monitoring does nothing to stop several other kinds of theft, including tax refund fraud, which can take consumers at least six months to recover from. In the meantime the victims are out the money, and the burden of proof is on them to restore their good standing.
The topic of identity proofing is near and dear to many Gartner clients. They realize they can’t rely on compromised PII data, yet most still use it to verify identities when opening new accounts or conducting high-risk transactions. When I asked a representative of one large financial services company over the phone on Friday, “Why are you still relying on this?”, his response was “Habits.” Well, maybe it’s time to break these old habits.
Another IT Risk Manager, who works for a State Revenue office, also happened to call last Friday on this subject and told me the criminals answer ‘secret’ life questions and fill out personal information forms with incredible accuracy. In fact, he says, such accuracy has become a predictor of fraud. This risk manager insightfully added that there is no ‘private’ information anymore, and he does not understand why we keep fooling ourselves into thinking there is.
So what are the alternatives? No doubt companies and government agencies keep relying on PII data because alternative methods are not readily apparent, nor are they necessarily easy to piece together. We came up with a four-layer framework for identity proofing; our research note “Identity Proofing Revisited as Data Confidentiality Dies” outlines these layered solutions for our clients.
You have to assume the criminals can get through any one layer, so the more independent layers and measures you add, the better off you are. (Most large financial services companies use device fingerprinting in addition to PII data for identity proofing, but they would be better served by adding even more layers and methods, as outlined in our research note.)

At the end of this layered identity proofing process you are left with exceptions, i.e. identities that you are still unsure of. The number of exceptions you can tolerate should be based on your risk tolerance and on how many staff you have devoted to managing the exception process. A typical acceptable rate would be one percent or less of the total transaction population. Organizations have to be very careful how they treat exceptions, since the bad guys know how to get around most exception processes as well. For example, fraudsters have shown they are able to forward voice calls or SMS messages containing one-time passcodes meant for a legitimate consumer to their own number instead. A passcode delivered that way only proves that whoever is on the line controls the phone number at that moment; it does not prove they are the person the identity belongs to, so it should not be what clears an exception.
The strongest security measure is to slow the transaction down and use snail mail or face-to-face visits for identity verification, with the letter going to an address independently associated with that identity rather than to whatever address the applicant just supplied. Yes, this is very inconvenient, but at this point you are only inconveniencing a tiny percentage of the population, and those who constitute the highest risk. After all is said and done, it should in fact be very inconvenient for these ‘risky identities’ to sign up or conduct transactions at your organization’s site.
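To make the layering and the exception process above concrete, here is an added example (not code from this post, and not Gartner’s four-layer framework) of how a decision engine can combine several proofing layers into one risk score, size the exception band to the number of reviewers you actually have, and route exceptions out of band. The layer names, weights and thresholds are assumptions chosen for illustration, the “call forwarding active” flag assumes a carrier lookup is available as a data feed, and the applicants are a constructed sample population.

```python
"""Layered identity proofing with a capacity-bounded exception queue.

Added example, not code from the original post or from Gartner's research note.
The layer names, weights and thresholds are assumptions chosen for illustration,
and the "forwarding_active" flag assumes a carrier lookup exists as a data feed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Applicant:
    applicant_id: str
    kba_correct: int          # knowledge-based answers (the PII "secret questions") answered correctly
    kba_total: int
    device_seen_before: bool  # device fingerprint already tied to this identity
    forwarding_active: bool   # assumed carrier lookup: calls/SMS to the number are forwarded
    velocity_hits: int        # other applications from the same device or IP in the last 24h


# Assumed weights: the phone layer carries the most weight because a forwarded
# number silently defeats any one-time passcode sent to it.
WEIGHTS = {"kba": 0.25, "device": 0.25, "phone": 0.30, "velocity": 0.20}


def layer_scores(a: Applicant) -> Dict[str, float]:
    """Each layer reports a risk in [0, 1]; no single layer can clear an identity on its own."""
    ratio = a.kba_correct / a.kba_total if a.kba_total else 0.0
    # Flawless answers to questions built from leaked PII are themselves a fraud signal,
    # so a perfect KBA score is not rewarded with zero risk.
    kba_risk = 0.4 if ratio == 1.0 else 1.0 - ratio
    return {
        "kba": kba_risk,
        "device": 0.0 if a.device_seen_before else 0.6,
        "phone": 1.0 if a.forwarding_active else 0.0,
        "velocity": min(a.velocity_hits / 5.0, 1.0),
    }


def risk_score(a: Applicant) -> float:
    """Weighted sum of the layers, rounded so thresholds compare cleanly."""
    return round(sum(WEIGHTS[k] * v for k, v in layer_scores(a).items()), 3)


def calibrate_accept_threshold(scores: List[float], review_capacity: int, reject_at: float) -> float:
    """Pick the accept threshold so that at most review_capacity applicants land in the
    exception band [accept_below, reject_at). Everything below it is accepted outright."""
    candidates = sorted((s for s in scores if s < reject_at), reverse=True)
    if review_capacity <= 0 or not candidates:
        return reject_at  # no reviewers: every non-rejected applicant is accepted
    threshold = candidates[:review_capacity][-1]
    # Ties at the boundary could overflow the queue; if so, move the threshold above them.
    if sum(1 for s in candidates if s >= threshold) > review_capacity:
        higher = [s for s in candidates if s > threshold]
        threshold = min(higher) if higher else reject_at
    return threshold


def decide(score: float, accept_below: float, reject_at: float) -> str:
    if score >= reject_at:
        return "reject"
    if score < accept_below:
        return "accept"
    # Exceptions are resolved out of band (letter to an address independently tied to the
    # identity, or an in-person visit), never by a passcode sent to the phone on the application.
    return "exception"


def process(applicants: List[Applicant], review_capacity: int, reject_at: float = 0.6) -> Dict[str, str]:
    scores = {a.applicant_id: risk_score(a) for a in applicants}
    accept_below = calibrate_accept_threshold(list(scores.values()), review_capacity, reject_at)
    return {aid: decide(s, accept_below, reject_at) for aid, s in scores.items()}


# Constructed sample population (not real applicants).
SAMPLE = [
    Applicant("legit-1", 4, 5, True, False, 0),
    Applicant("legit-2", 3, 5, True, False, 1),
    Applicant("legit-3", 5, 5, True, False, 0),       # perfect KBA, but a device we already know
    Applicant("new-device", 4, 5, False, False, 0),
    Applicant("too-perfect", 5, 5, False, False, 0),  # perfect KBA from an unknown device
    Applicant("forwarded", 5, 5, False, True, 3),     # an OTP would land on the fraudster's phone
    Applicant("bot-farm", 5, 5, False, True, 10),
]

if __name__ == "__main__":
    # Two reviewers per batch: the two riskiest non-rejected applicants go to exception handling.
    for aid, outcome in process(SAMPLE, review_capacity=2).items():
        print(f"{aid:12s} {outcome}")
```

The one percent figure from the text maps onto `review_capacity` directly (one percent of the batch size, rounded down), and the calibration makes the trade-off explicit: with zero reviewers the engine is forced into a pure accept/reject split, and with more reviewers the accept threshold drops and more borderline identities get the slow, out-of-band treatment.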