Last year, over 49 million Americans were affected by identity fraud, costing victims a staggering total of $56 billion dollars. The bulk of these losses ($43 billion dollars) were caused by digital identity scams; attacks such as phishing, impersonation, and account compromise.
Digital identity fraud has skyrocketed during the pandemic, as stay-at-home orders and retail closures have caused an unprecedented reliance on digital services. Credit card fraud doubled in the UK in 2020, as cybercriminals took advantage of people applying for cards online, rather than in person at the bank.
At the same time, digital identities are becoming more fragmented. For individuals, accounts are increasingly spread across dozens of applications and services; for digital service providers, who often rely on multiple systems and processes to manage customer data.
Unsurprisingly, consumers have all but lost faith in the security of their digital identities. A report published before the pandemic found that nearly 9 in 10 people were worried about their digital identities being used to commit a crime, and 71% of people think they are likely to fall victim to identity theft.
Financial organizations are spending hundreds of millions of dollars to help alleviate these fears, heavily investing in new technologies such as machine learning, biometrics, and behavioral processes to help better secure and rebuild consumer trust in identity services.
Keiron Dalton is the Vice President and UK Country Manager at Prove, a leading digital identity verification and authentication provider. Prove’s digital onboarding and digital engagement platform uses phones as a conduit to verify and authenticate user identities throughout the entire customer lifecycle. This helps to establish and maintain trust between companies and their customers, while also enhancing the customer experience by minimizing complex authentication processes.
“We’re trying to create a consistent method of proving digital identity using the phone number as the conduit to determine the identity,” Dalton explains. All the system needs to work effectively is for a user to enter their number.
“From that point forward, we can determine everything we need to ensure that individuals can be onboarded, rather than entering a multitude of different data points. We’re trying to give organizations confidence with just a phone that this person is okay.”
Prove has also recently acquired UnifyID, a mobile behavioral biometrics company, with the goal of expanding their technology stack into the realm of behavioral authentication.
“One of the things we can determine in a privacy-enhanced manner is using someone’s physical motion and device interaction to create a “behavioral biometric”. No sensitive information is being exchanged, but we understand the behavior, the trust, and the history there.” Dalton explains.
How Phone Centric Identity Builds Digital Trust
The majority of Prove’s customers are in the financial services industry, including Tier 1 banks, FinTech organizations, and fully digital “neo-banks”, which are becoming increasingly popular in the UK market. These customers have a particular need for digital identity security, Dalton says.
“They’re coming to us saying: ‘How can we establish trust, when we know very little about somebody who wants to access our services?’ If somebody wanders in, accesses a website, and wants to register for a bank account or some other service, it’s difficult to establish trust without something ubiquitous. And that’s why we look at the phone” he says.
Prove’s “Mobile Auth” solution works by using phone numbers as the primary method of authentication, using a similar process to how mobile network providers authenticate the ownership of phone numbers themselves.
“We’ve built a capability with telecommunications providers that’s partially based on how mobile payments came about. We use phone numbers, using a tokenized approach, which basically tells us that the number that has been entered by a user is the same number that’s associated with the user’s phone,” Dalton explains.
“And so, we’re using the security of the network, we’re using cryptography, and we’re removing the social engineering element because there is no PIN code. So, you can’t intercept it—if you did, we would know. I’m loath to say it’s unhackable because somebody probably will one day! But the reality is, we will determine if somebody had done that, and we’re using the underlying security of a mobile network, which has never been compromised.”
A particularly harmful identity-related threat that is on the rise are “SIM-swapping” scams. These instances of fraud involve a criminal tricking your mobile network into transferring your phone number to their SIM-card. Since many banks require the use of phone numbers to authenticate identity, SIM-swapping is a major cause of account compromise. Over the past year, SIM-swapping fraud has increased by up to 400%.
SIM-swaps are not a new threat, Dalton says, and it can often be difficult to directly attribute fraud to a SIM-swap when it does occur. The biggest problem with dealing with SIM-swapping is human involvement, he explains. “The telcos themselves try to create robust processes, but the reality is, if you phone a telco and tell them, ‘I’ve lost my phone, can you send me out a new SIM?’ You’re essentially social engineering an individual.”
Prove is working with the telco community to create a system which looks at a range of attributes to help determine if a SIM-swap scam is taking place. The system is wrapped up as part of Prove’s Trust Scoring™ platform, helping create a holistic view of whether a person is who they say they are. This is critically important to keeping the whole process accurate and user-friendly, Dalton says.
“If you buy a new iPhone, you might get a new SIM. This would be flagged as a SIM-swap, which means you can’t complete a transaction, and the whole system falls apart,” he explains. “Our technology allows us to consider the tenure of the consumer with this device or phone network so that we can fundamentally reduce the false positive element.”
The Future Of Authentication Technologies
Phone-based and biometric authentication technologies are far more secure than the use of passwords, Dalton says, and are likely to represent the future of how we authenticate digital services.
“You see a lot of educational pieces that go out, that talk about coming up with three random words and making it really complicated,” Dalton says. “My experience of that is that the more complicated the password, the more likely you are to write it down somewhere!” Prove’s phone-centric identity model effectively removes the need for passwords altogether, which Dalton believes is “ultimately where we are heading.”
In the meantime, education is the most important way for consumers to stay secure against identity- related threats, as well as receiving clear information from banks themselves. “I think education is a critical thing. There are some banks out there that fundamentally will say, they will never do X, Y or Z. I think they’re completely critical to the whole thing.
“But actually, the biggest problem is, can the individual trust the organization? Unfortunately, SMS messages often get sent out from nondescript phone numbers with a one-time password. And I look at them and think, well, I’m wary of this, but how would someone who is less digitally savvy than I am react? So, we need education. There’s more to be done to raise awareness generally and improve that process.”
Dalton’s advice to organizations on how to rebuild trust in digital identities is to consider security first. “When I say security first, I mean how the process works. No storing of information, consent captured where required, and all those good things.”
“A pilot is worth a thousand meetings. The entities that are willing to look at opportunities, test, play, do data studies where they look at the impact technologies have on fraud, but also look at the customer experience and helping the vulnerable, those have been invaluable. Exploration, and testing, and doing it the right way is critical.”
Thanks to Keiron Dalton for taking part in this interview. For more information, visit Prove’s website.