I just returned from a couple of business trips to Brazil and Russia and reinforced my view that identity proofing is one of the top fraud issues across the globe. Companies and government agencies everywhere struggle to identify the person on the other end of an electronic transaction. Fraudsters either make up fictitious identities, or take over legitimate ones in what has become a global crime epidemic.
Don’t Depend on Static Identity Data
More U.S. identities have been compromised than have not over the past few years in widespread data breaches, according to Gartner clients who directly witness and suffer fraud losses from this phenomenon. This is likely true outside the U.S. as well, where data breaches do not generally have to be disclosed under law. Static and regulated personally identifiable information (PII) such as name, social security number, tax ID, other government IDs, and date of birth is therefore no longer reliable on its own for identity proofing. Yet most organizations and regulators across the globe still depend on this information to identify new users and existing ones executing high-risk transactions.
Knowledge-based authentication based on life history questions has also been heavily compromised according to Gartner clients; it, too, is static data stored in data aggregator warehouses.
Don’t Rely on Static Biometrics
Most organizations and regulators I speak with, no matter where they are based, tend to believe that biometrics will solve their electronic identity proofing challenges by providing a yes/no binary decision as to whether a user can be trusted or not. But use of static biometrics over electronic channels is not fool-proof. This became very clear to me on my recent trip to Brazil, where online fraud is rampant and where new fraud trends and schemes show up early relative to the rest of the world.
A top Brazilian bank security manager I met with demonstrated how his team tested and defeated identity proofing solutions that compare:
- consumer identity documents, such as passports or driver's licenses, with information the user presents online, including application data (name, date of birth, address, etc.) and
- a consumer’s photograph on the identity document with a selfie picture taken by the smartphone application.
The Brazilian security testers defeated such identity proofing applications from two separate vendors. They presented counterfeit identity documents to the smartphone applications, and used a photograph of the identity victim taken from the Internet (e.g. Facebook or other social networks) and successfully presented that static picture displayed on a separate smartphone to the identity verification application. The counterfeit identity was verified and APPROVED by both of the tested identity verification applications.
The Brazilians showed me the test and I must admit it was a deflating experience since I had been quite bullish on these identity verification applications. Like most market observers, I thought they could help organizations confidently address the identity verification problem.
I think the key is that these applications were missing effective ‘liveness tests’ that could have detected that the static picture being presented was NOT in fact a live human face.
The bottom line is that static biometrics are not going to solve the identity problem any more than static PII data does. They can be stolen and replayed, just as has happened in successful gummy bear fingerprint replay attacks.
Reduce Reliance on STATIC Data
Dynamic information is more reliable, whether it’s data-oriented like device behavior or linkages between email addresses, phone numbers and devices, or biometrics-oriented like facial recognition testing for liveness or gesture analytics testing for a consumer’s mouse movements.
Increase Reliance on Dynamic Data
A layered identity proofing approach is always the most effective approach. See Absolute Identity Proofing is Dead; Use Dynamic Identity Assessment Instead for our research in this area. It’s not always easy to piece together but vendors across the globe are starting to do this for end users.
The main recommendation is to REDUCE reliance on STATIC Data, and INCREASE RELIANCE on DYNAMIC information instead, whether it’s biometrics or just regular structured data.
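To make the layered, dynamic approach concrete, here is an added example (not Gartner's research code and not any vendor's product) that scores a proofing session from several independent signals instead of a single static yes/no check. All signal names, weights and the approval threshold are assumptions for illustration; the two sample sessions are constructed. The first one reproduces the shape of the Brazilian test described above: a document whose fields agree with the typed application data, plus a static photograph of the victim that matches the document, with no liveness test run. A static-only policy approves it; the layered assessment does not, because a face match without liveness is given no weight and none of the dynamic signals (device linkage, email/phone history, interaction pattern) support the session.

```python
"""Layered (dynamic) identity assessment versus a static-only check.

Added example, not Gartner's or any vendor's code. Signal names, weights
and the threshold below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProofingSignals:
    # Static signals: data that can be copied from a breach or a social network and replayed.
    document_fields_match: bool          # ID document fields agree with the application data
    face_matches_document: bool          # selfie matches the photo on the document
    # Dynamic signals: tied to the live session and much harder to replay.
    liveness_passed: Optional[bool]      # None means no liveness test was performed at all
    device_seen_with_phone_before: bool  # device / phone-number linkage from prior sessions
    email_phone_link_age_days: int       # how long this email and phone number have been associated
    interaction_pattern_human: bool      # mouse / gesture analytics consistent with a live person


# Hypothetical weights summing to 1.0. Liveness is not a weight of its own:
# it gates the face-match signal, because a face match without liveness only
# proves that a picture of the person was shown to the camera.
WEIGHTS = {
    "document_fields_match": 0.15,
    "face_match_with_liveness": 0.30,
    "device_linkage": 0.25,
    "email_phone_history": 0.15,
    "interaction_pattern_human": 0.15,
}
APPROVE_THRESHOLD = 0.70
MIN_LINK_AGE_DAYS = 90  # assumption: linkage younger than this is treated as unproven


def static_only_decision(s: ProofingSignals) -> bool:
    """The policy the two tested applications effectively implemented: document + selfie only."""
    return s.document_fields_match and s.face_matches_document


def layered_assessment(s: ProofingSignals) -> Tuple[float, List[str]]:
    """Return a 0..1 confidence score and the reasons any signal was withheld."""
    score = 0.0
    reasons: List[str] = []

    if s.document_fields_match:
        score += WEIGHTS["document_fields_match"]
    else:
        reasons.append("document fields do not match application data")

    # The face match only counts when a liveness check actually passed.
    if s.face_matches_document and s.liveness_passed is True:
        score += WEIGHTS["face_match_with_liveness"]
    elif s.face_matches_document and s.liveness_passed is None:
        reasons.append("face match ignored: no liveness test performed")
    elif s.face_matches_document:
        reasons.append("face match ignored: liveness test failed (possible replayed image)")
    else:
        reasons.append("selfie does not match document photo")

    if s.device_seen_with_phone_before:
        score += WEIGHTS["device_linkage"]
    else:
        reasons.append("device never seen with this phone number")

    if s.email_phone_link_age_days >= MIN_LINK_AGE_DAYS:
        score += WEIGHTS["email_phone_history"]
    else:
        reasons.append(f"email/phone linkage only {s.email_phone_link_age_days} days old")

    if s.interaction_pattern_human:
        score += WEIGHTS["interaction_pattern_human"]
    else:
        reasons.append("interaction pattern not consistent with a live human")

    return round(score, 2), reasons


def decide(s: ProofingSignals) -> Tuple[bool, float, List[str]]:
    """Approve only when the combined dynamic evidence clears the threshold."""
    score, reasons = layered_assessment(s)
    return score >= APPROVE_THRESHOLD, score, reasons


# Constructed sample sessions (not real data).
# 1. Shape of the Brazilian test: matching document fields, a static photo of the
#    victim that matches the document, no liveness test, no session history.
REPLAY_ATTEMPT = ProofingSignals(True, True, None, False, 0, False)
# 2. A genuine customer on a device they have used with this phone number before.
GENUINE_SESSION = ProofingSignals(True, True, True, True, 400, True)
# 3. A genuine customer on a brand-new device: less evidence, but still enough.
GENUINE_NEW_DEVICE = ProofingSignals(True, True, True, False, 400, True)

if __name__ == "__main__":
    for label, session in [("replay attempt", REPLAY_ATTEMPT),
                           ("genuine session", GENUINE_SESSION),
                           ("genuine, new device", GENUINE_NEW_DEVICE)]:
        approved, score, reasons = decide(session)
        print(f"{label}: static-only={static_only_decision(session)} "
              f"layered={'APPROVE' if approved else 'REVIEW'} score={score} reasons={reasons}")
```

The point of the third session is that withholding the face-match weight without liveness does not make the layered policy reject everyone: a genuine user on a new device still clears the threshold on liveness plus history plus behavior, while the replayed photograph scores only on the document fields.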
Biometrics are no different in that sense from any other type of static data point that can be replayed, copied and reused.
In the end, and in the relatively new global information age, no one can ever be absolutely sure of your electronic identity. They can only assess the likelihood and probability that you are who you say you are.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.