Digital identity is core to the next wave of fintech, helping propel innovative, seamless, and secure ways of managing, moving, and leveraging money. Our first Fintech Digital forum brought together leaders at the nexus of digital identity and fintech to unpack what the landscape looks like today and share actionable next steps for businesses to thrive in the rapidly changing fintech and payments market. It’s no surprise that even after the sessions came to a close, we still had MUCH more to unpack with our speakers.
Following the event, we tapped Chip Witt, Vice President of Product Management at SpyCloud, and Pattie Dillon, Anti-Fraud Network Relationship Manager at SpyCloud, to follow up on their session, Mind The Gap: The Future Is Passwordless, But What About Securing Identity Today, and answer a few of the outstanding questions from our viewers.
One World Identity (OWI): What role do corporations play in encouraging customers to avoid password reuse? In general, who should take responsibility for bad customer habits such as this?
SpyCloud: Security is everybody’s responsibility. It’s not just the security practitioner’s role; it’s shared with the user. But you have to empower them to make strong password hygiene a habit.
Password managers are a great solution to help with that. Providing them as an employee benefit is something we see more enterprises doing to encourage unique, complex passwords for all services that the employee uses. That’ll help with corporate accounts, but the majority of password reuse risk isn’t in the corporate environment. Hence, making password managers accessible to your employees for personal accounts is also important.
While the idea of “user education” can elicit eye rolls, we find that users are becoming more educated about the risks associated with criminal activity (it’s always in the news!), and are open to sustainable ways to approach the problem. As practitioners, we have to understand what’s in it for them and educate them around that, and then encourage the right behaviors.
OWI: Should ATO/fraud prevention protocol vary depending on the importance of the account, similar to tiered CDD?
SpyCloud: It goes back to the value of your customer and depends on your industry. But very frequently, there are velocities or tolerances put on risk to mitigate one transaction a bit more leniently than another. But there has to be a balance between what you are trying to protect. You’re trying to protect everything, of course, but the reality is that you need to be in business to make profits, so your approach to dealing with risk has to match the value of the data or the account that you’re protecting. For financial institutions, protecting money means there’s an elevated risk that’ll be reflected in the policies you implement. Users seem to be understanding of that these days.
OWI: What are your thoughts on blockchain or the move to decentralized identity in terms of fraud/breach?
SpyCloud: Blockchain has benefits, but in terms of identity, these solutions are merely shifting the burden from an enterprise that might be directly performing authentication itself to relying on a blockchain platform that itself has its authentication standards (which ultimately often rely on passwords).
This allows us to do a couple of really key things, the first and foremost of which is to work with law enforcement officials to help bring the criminal to justice. The second is getting that data in our customers’ hands to remediate the compromised credentials right away. Enterprises proactively incorporate our data into their login process, account creation process, anti-fraud systems, and employee protection systems like Active Directory. They prevent users from continuing to use the passwords that have been exposed.
The biggest problem is that if you don’t know the information is out there, exposed, and in criminals’ hands, you can’t respond. SpyCloud provides that information to be more proactive in your defenses and mitigate the risk of those stolen credentials before they become a front-page news story.
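The answer above describes feeding exposed-credential data into the login and account-creation process so that users cannot keep using a password that is already in criminals’ hands. The following Python is an added illustration of that control, written for this page; it is not SpyCloud’s code or API. The breach corpus is a small constructed list, and the prefix-range lookup (the client sends only the first five hex characters of a SHA-1 hash and finishes the comparison locally) is an assumed design borrowed from the k-anonymity pattern used by public exposed-password services, not something the page specifies.

```python
import hashlib
from typing import Dict, Iterable, List, Set

# Constructed sample: passwords "recovered" from a hypothetical leak.
# A real deployment would consume a hashed feed from a breach-intelligence
# provider; plaintext would never sit on the application host like this.
CONSTRUCTED_EXPOSED_PASSWORDS = ["password123", "Summer2020!", "letmein", "qwerty"]


def sha1_hex(password: str) -> str:
    """SHA-1 of the password, upper-case hex.

    SHA-1 is used here only as a comparison key against the exposure data
    (the convention of public range-lookup services), NOT as a storage hash
    for the application's own credentials.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_exposure_index(passwords: Iterable[str]) -> Dict[str, Set[str]]:
    """Group full hashes by their 5-character prefix (assumed k-anonymity layout).

    A caller later asks for one prefix and gets back every matching suffix,
    so the service never learns which exact password was checked.
    """
    index: Dict[str, Set[str]] = {}
    for p in passwords:
        h = sha1_hex(p)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def lookup_range(index: Dict[str, Set[str]], prefix: str) -> Set[str]:
    """Simulates the range query: only the prefix leaves the client."""
    return set(index.get(prefix, set()))


def is_exposed(index: Dict[str, Set[str]], password: str) -> bool:
    """True if the candidate password appears in the exposure corpus."""
    h = sha1_hex(password)
    return h[5:] in lookup_range(index, h[:5])


def screen_password_change(index: Dict[str, Set[str]], new_password: str) -> Dict[str, object]:
    """Account creation / password change: reject anything already exposed."""
    reasons: List[str] = []
    if is_exposed(index, new_password):
        reasons.append("exposed_in_breach_data")
    return {"accepted": not reasons, "reasons": reasons}


def screen_login(index: Dict[str, Set[str]], password: str, credentials_valid: bool) -> Dict[str, str]:
    """Login: a correct but exposed password is allowed through only into a
    forced-reset flow, so the account stops relying on a burned credential."""
    if not credentials_valid:
        return {"action": "deny"}
    if is_exposed(index, password):
        return {"action": "force_reset"}
    return {"action": "allow"}


# Built once at startup from the (constructed) corpus.
EXPOSURE_INDEX = build_exposure_index(CONSTRUCTED_EXPOSED_PASSWORDS)


if __name__ == "__main__":
    print(screen_password_change(EXPOSURE_INDEX, "Summer2020!"))
    print(screen_password_change(EXPOSURE_INDEX, "correct horse battery staple"))
    print(screen_login(EXPOSURE_INDEX, "letmein", credentials_valid=True))
```

The two decision points mirror the answer: at creation or change the exposed password is simply refused, while at login a valid but exposed password still authenticates the user into a reset flow rather than locking them out, which keeps the response proactive without breaking legitimate access.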
OWI: Can you explain a little more about how criminals bypass multi-factor authentication (MFA)? I thought MFA would stop these types of attacks. And what are your thoughts on behavioral biometrics?
SpyCloud: One way around multi-factor authentication is very easy. People still use SMS text messaging for multi-factor authentication, which is silly because criminals have figured out ways to infiltrate cellular carrier networks, where, with knowledge of the victim’s cell phone company, they can perpetrate SIM swapping attacks.
We’ve talked to one of our customers in the financial industry, and they said that they have observed attacks happening overnight when the victim is asleep. Criminals will study an individual that they’re targeting for access, will learn their sleep patterns, and while they sleep will perform a SIM swap. Then they reverse the SIM swap, so the unsuspecting victim has no knowledge that anything has occurred. Nothing stops working for them, so they don’t get any alarm bells telling them that they’ve just been hacked and their financial account is drained. This is an extreme example.
Other token-based approaches are also vulnerable, even Google Authenticator. If you change or lose your phone, you lose all of your multi-factor that’s going through Google Authenticator. You have to go into each account, prove who you are, turn MFA off, and turn it back on with your new device. That’s a harrowing process for users. Somewhere along the line, users figured out that if you snap a picture of the QR code that is the seed for that token-based authentication, you can bypass having to reset. You go back and re-add those QR codes to your Google Authenticator, and that’s much faster than having to reset it on all the accounts. It’s smart, except that criminals understand that users like to do this.
Behavioral-based authentication can also be compromised. Browser fingerprints are also for sale on the underground, containing cookies that enable criminals to bypass the login process altogether.
Ultimately, there are positives to both MFA and behavioral biometrics. They’re a layered approach. There’s no one silver bullet, but a layered approach allows you to pivot if fraud trends change quickly, or a new pattern emerges.
Following that session, we caught up with Jeremy Grant, Coordinator of the Better Identity Coalition and Managing Director at Venable LLP; Sandeep Dhadda, Head of Advanced Analytics for Retail Services Risk Management at Citigroup; and Ken Meiser, Chief Compliance Officer at ID Analytics, to dive a little deeper into their panel, Inflection Point: Synthetic Identities in 2020.
OWI: Does the Social Security Agency plan on releasing electronic SSN verification for sole proprietorships that are issued SSNs for business verification?
Jeremy Grant: No. The program is currently limited to transactions that fall under the FCRA.
Ken Meiser: As mentioned, the requirements under section 215 of the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018 were somewhat limited. The requesting entity has to meet the GLBA definition of Financial Institution, for use solely in connection with a credit transaction or other consumer commerce needs under the Fair Credit Reporting Act, and the requesting entity must collect a signature affirming consent for the verification. We’re hopeful that once the pilot is complete, that additional use cases and requestor types can be authorized. Jeremy mentioned that the Better Identity Coalition has been working with the Federal Office of Management and Budget to create enabling regulations to support other use cases. Still, there’s likely to be some additional legislation needed to increase use cases.
Sandeep Dhadda: A Social Security number (SSN) is a nine-digit number issued to U.S. citizens, permanent residents, and temporary (working) residents. A Business ID (or TIN) is issued by the IRS and will not be verifiable by the SSA. Small businesses applying for credit leveraging the sole proprietor’s SSN should be verifiable using eCBSV.
OWI: Will there be a surge in synthetic identity before eCBSV comes in force?
Sandeep Dhadda: Our portfolio actually saw an unexpected drop in applications with synthetic ID markers since the start of COVID. We are assuming the fraudsters are busy cashing in on the massive flow of money from the stimulus checks, PPP, Unemployment claims, etc. However, we do expect a surge in synthetic IDs leading up to the eCBSV launch and for some time after the launch because only 105 FIs will be able to participate in the pilot.
OWI: Are you allowed to share suspected synthetic ID profiles among the peer groups for detection and prevention purposes?
Ken Meiser: As mentioned during the discussion, information sharing through consortia like ID Analytics’ IDNetwork has been very useful in detecting multiple types of fraud. The ability to examine patterns of behavior on large data sets helps develop signatures that can be used to evaluate new applications and portfolios.
Sandeep Dhadda: An industry group that shares this information today is NCFTA. It is important to develop and maintain an industrywide, comprehensive, curated negative file of synthetic IDs (not keyed on SSN alone but at least SSN + DOB).
OWI: What options do financial institutions have that are not part of the initial pilot? Will they have to rely on paper-based systems in the interim?
Jeremy Grant: Per the point above: FIs may be able to join one of the existing service providers in the pilot that is about to launch. Those are listed at https://www.ssa.gov/dataexchange/eCBSV/enrollment.html. Each provider is allowed to serve up to 20 banks in the pilot; some may still have room for more.
Finally, we checked in with our panelists from Global Data Consortium, who spoke on Cross-Border Growth in the Fintech Era: A Conversation with the GDC Compliance Advisory Board, to dive a bit deeper into some of the topics and technologies discussed.