I just returned from a couple of business trips to Brazil and Russia, and they reinforced my view that identity proofing is one of the top fraud issues across the globe. Companies and government agencies everywhere struggle to identify the person on the other end of an electronic transaction. Fraudsters either make up fictitious identities or take over legitimate ones, in what has become a global crime epidemic.
Don’t Depend on Static Identity Data
More U.S. identities have been compromised than have not over the past few years in widespread data breaches, according to Gartner clients who directly witness and suffer fraud losses from this phenomenon. This is likely true outside the U.S. as well, where data breaches generally do not have to be disclosed under law. Static and regulated personally identifiable information (PII) such as name, social security number, tax ID, other government IDs, and date of birth is therefore no longer reliable on its own for identity proofing. Yet most organizations and regulators across the globe still depend on this information to identify new users, and existing ones executing high-risk transactions.
Knowledge-based authentication (KBA) built on life-history questions has also been heavily compromised according to Gartner clients, and it too is static data stored in data aggregator warehouses.
Don’t Rely on Static Biometrics
Most organizations and regulators I speak with, no matter where they are based, tend to believe that biometrics will solve their electronic identity proofing challenges by providing a binary yes/no decision as to whether a user can be trusted. But use of static biometrics over electronic channels is not foolproof. This became very clear to me on my recent trip to Brazil, where online fraud is rampant and where new fraud trends and schemes show up early relative to the rest of the world.
A top Brazilian bank security manager I met with demonstrated how his team tested and defeated identity proofing solutions that compare:
- consumer identity documents, such as passports or driver's licenses, with information the user presents online, including application data (name, date of birth, address, etc.), and
- a consumer's photograph on the identity document with a selfie taken by the smartphone application.
The Brazilian security testers defeated such identity proofing applications from two separate vendors. They presented counterfeit identity documents to the smartphone applications, took a photograph of the identity victim from the Internet (e.g. Facebook or other social networks), and displayed that static picture on a separate smartphone held up to the identity verification application. The counterfeit identity was verified and APPROVED by both of the tested identity verification applications.
The Brazilians showed me the test and I must admit it was a deflating experience since I had been quite bullish on these identity verification applications. Like most market observers, I thought they could help organizations confidently address the identity verification problem.
I think the key is that these applications were missing effective 'liveness tests' that could have detected that the static picture being presented was NOT in fact a live human face.
The bottom line is that static biometrics are not going to solve the identity problem any more than static PII data does. They can be stolen and replayed, just as has happened in the successful gummy-bear fingerprint replay attacks.
Reduce Reliance on STATIC Data
Dynamic information is more reliable, whether it is data-oriented, like device behavior or linkages between email addresses, phone numbers and devices, or biometrics-oriented, like facial recognition with liveness testing or gesture analytics that examine a consumer's mouse movements.
Increase Reliance on Dynamic Data
A layered identity proofing approach is always the most effective approach. See "Absolute Identity Proofing is Dead; Use Dynamic Identity Assessment Instead" for our research in this area. It is not always easy to piece together, but vendors across the globe are starting to do this for end users.
The main recommendation is to REDUCE reliance on STATIC data and INCREASE reliance on DYNAMIC information instead, whether it is biometrics or just regular structured data.
Biometrics are no different in that sense from any other type of static data point that can be replayed, copied and reused.
In the end, and in the relatively new global information age, no one can ever be absolutely sure of your electronic identity. They can only assess the likelihood and probability that you are who you say you are.
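As an added example (not code from the original post or from any vendor it describes), here is a hypothetical layered assessment that returns a likelihood and an action rather than a binary yes/no, and a static-only check beside it for contrast. The signal names, weights and thresholds are assumptions for illustration; the scenario inputs are constructed to mirror the Brazilian test (document and face match, no liveness test, unknown device).

```python
# Added example, not from the original post: a layered, probabilistic identity
# assessment. Weights and thresholds are hypothetical, not any vendor's model.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ProofingSignals:
    document_match: bool              # static: document data matches application data
    face_match: bool                  # static: document photo matches the selfie
    liveness_passed: Optional[bool]   # dynamic: None means no liveness test was run
    device_seen_before: bool          # dynamic: device previously linked to this identity
    contact_linkage_days: int         # dynamic: age of email/phone/device linkage on record
    gesture_anomaly: float            # dynamic: 0.0 human-like .. 1.0 scripted/replayed


def static_only_decision(s: ProofingSignals) -> bool:
    """The pattern defeated in the test described above: two static matches approve."""
    return s.document_match and s.face_match


def layered_assessment(s: ProofingSignals) -> Tuple[float, str]:
    """Return (likelihood the user is who they claim, action)."""
    score = 0.0
    score += 0.15 if s.document_match else -0.3
    score += 0.15 if s.face_match else -0.3
    if s.liveness_passed is None:
        score -= 0.25       # a face match with no liveness evidence is not trusted
    elif s.liveness_passed:
        score += 0.25
    else:
        score -= 0.6        # replayed picture detected: hard negative
    score += 0.2 if s.device_seen_before else -0.1
    score += min(s.contact_linkage_days, 365) / 365 * 0.25   # linkage history builds trust
    score -= s.gesture_anomaly * 0.3
    likelihood = max(0.0, min(1.0, 0.5 + score))
    if likelihood >= 0.8:
        action = "approve"
    elif likelihood >= 0.45:
        action = "step_up"  # e.g. request a liveness challenge before deciding
    else:
        action = "deny"
    return round(likelihood, 2), action


# Constructed scenario: counterfeit document plus a social-media photo shown on a
# second phone, no liveness test, never-seen device, no contact linkage history.
REPLAY_SCENARIO = ProofingSignals(True, True, None, False, 0, 0.5)
```

The static-only check approves the replay scenario; the layered assessment scores it around 0.3 and denies it.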
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Nice post Avivah! Great food for thought.
Insightful as ever Avivah,
The challenge (at least in the US context) appears to be two-fold: (1) a conflation of the validation (ensuring that the data being used is not synthetic and is valid) and verification (binding a specific carbon-based life form to the data they are claiming as representing them) pieces that make up "identity proofing", and (2) a lack of metrics around the goodness of individual methods or combinations of methods.
Ultimately, for validation to be truly effective, one needs access to the authoritative source of data to do, at a minimum, a match/no-match against it. In the absence of such access, we are simply sniffing the online transactional exhaust of our lives and thinking that life is good.
Biometrics, whether static or dynamic, are a verification technique. But in general there is little to no work being done on putting metrics around non-KBV/KBA approaches. A start on this is currently being worked on via https://www.sbir.gov/sbirsearch/detail/867815
Anil, thanks for your response.
The issue with matching against authoritative data is that the perceived and available authoritative data has been largely compromised, at least in the U.S.
I agree we need metrics around non-KBA approaches. I’ve seen some from financial institutions – for example how using device fingerprinting or gesture analytics provided a good lift in fraud detection rates. But those are one off case studies.
It’s very difficult to get good metrics around the various approaches without many companies sharing results in a controlled test environment. But it looks like you are embarking on a project that will get to these metrics. I really look forward to seeing the results.
Thanks for sharing.
Hi Avivah,
I agree completely, as discussed in the past, this question is at the genesis of financial crimes; ‘how do I know it is you’ (the customer).
I have been involved in trying to answer this question via traditional methods for over 15 years from both banking and vendor perspectives.
We long since moved from individual-to-individual recognition, when you banked / lived / shopped not far from the neighborhood you grew up in, to being 'recognized' by the assigned identity numbers we carry in a wallet (physical-plastic or logical-device). Then, to add validation to the number, the institution wraps biographical and transactional history data around it (the analogy of 'sniffing transactional exhaust' is so true!).
This data then acts as a surrogate for positive proof of life, for a specific carbon-based life. All of which we now know can be easily researched, or perhaps worse, synthesized.
I recently heard about a large US FI who in their recent past found hundreds of synthetic IDs that all passed KYC, including a level of social media vetting, as well as having respectable credit scores.
This identity issue is a pervasive foundational problem that has a potential to get much worse if blockchain delivers on the promise, as once committed, this would be immutable information.
The industry needs the capability to validate holistic dynamic customer behaviors in far more depth vs the current static approach. I believe a lot more discussion and insight is needed in this space to keep pace with innovation by criminal elements.
Great post!
Thanks as always for sharing your perspective and excellent insights and experience Garry!
It would be useful if some of the vendors started putting together combined dynamic identity proofing techniques. I see that starting, but it needs to go further.
Avivah