A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

June 26, 2023 • Issue 23:06:02

Solving the digital identity crisis - Part 2

By Dale S. Laszig

As payments and security leaders have noted, identity unlocks commerce and financial services, making it a coveted credential in the commerce value chain. This series explores emerging trends in identity protection. Part 1 surveyed the digital identity battle between fraud fighters and criminals. Part 2 interviews thought leaders across the expanding identity community.

Andrew Hindle, conference chair and head of strategy and content for Identiverse, stated advanced technologies create safer, easier and more discrete ways to share personal information, such as age eligibility or driving entitlement.

"Identity is now everywhere, enabling safer, more private, more efficient experiences and interactions for customers, customers and citizens; online, and increasingly, in the physical world as well," he wrote the 2023 Identiverse Trends Report, published in March 2023. "The boundaries are blurring, and that has tremendous implications not only for the industry itself, but for all the organizations that rely on digital identity technologies to provide their services."

Reusable identity

Identiverse held its 14th annual conference May 30 to June 2, 2023, at the Las Vegas Aria Resort and Casino, attracting nearly 2,500 identity and security professionals. Keynote speakers and panelists explored a range of topics throughout the four-day event, including reusable identity, a single login that enables users to securely navigate multiple devices and channels.

"Reusable identity is typically achieved through the use of identity federation, which allows different systems and applications to recognize and trust the same digital identity," Identiverse researchers wrote. "Identity federation uses standards such as SAML (Security Assertion Markup Language) or OAuth (Open Authorization) to enable the sharing of authentication and authorization information between systems."

Citing passkeys as a practical approach to reusable identity, researchers commended the FIDO Alliance for designing and scaling the solution. Google, Apple and Microsoft and other leading brands are deploying passkeys, which combined with the technology's ease of use, will help passkeys eventually replace passwords, they added.

Passwordless sign-ins

Andrew Shikiar, executive director and CMO of the FIDO Alliance, agreed the shift away from passwords is a major emerging trend. "Passwordless sign-ins are rapidly making their way to the mainstream, reducing our reliance on an inherently flawed authentication model that is based upon human-readable 'secrets,'" he said. "Major service providers like PayPal, Shopify and Kayak are already supporting passkey sign-ins—and Google recently enabled passkeys for all consumer Google accounts."

Shikiar expects early, high-profile implementations by other leading brands to boost adoption and encourage consumers to replace passwords with non-phishable passkeys. He noted this will enable users to access online services securely and easily, and the networked economy will subsequently benefit from reduced fraud and increased service consumption.

Subscription services

Shikiar pointed out that consumers are becoming more interested in simplifying and securing their identities online, which, he noted, has led to subscription service offerings in the space.

"Twitter and Meta rolling out identity verification as a subscription service has brought identity verification into the mainstream vernacular," he said, while questioning how this will help prevent trolling, misinformation and online scams and whether verification service offerings should be required or offered as a free public service.

Todd Robertson, senior vice president of business development at ARGO, mentioned his company has integrated LexisNexis True ID, an automated forensic analysis solution designed to quickly authenticate identity documents. The solution can verify government IDs from around the world and is available as a standalone application or hosted service, he noted.

"Consumers want to use digital and physical channels to manage their finances and meet their goals," he said. "That means financial institutions must have a complete strategy to serve these needs and address the risk exposure by blending the right technology innovation, risk foundation and relevant operational functionality to align customer experience and service."

API lifecycle management

Filipe Torqueto, head of solutions, USA at Sensedia, wants to see the identity community evolve faster in response to new variants in phishing and AI-powered attacks on banking and financial services.

"In the post-pandemic world, identity, especially in the digital universe, will become increasingly important," he said. "It is evolving, yet there is a gap between this evolution and the overall technological evolution in terms of the adoption of identity technologies into normal services like banking, financial services, retailing, etc."

Torqueto urged businesses and service providers to meet new threats with new, more secure technologies. As data leaks and new attacks threaten an increasingly interoperable financial ecosystem, he added, the industry must adopt new identity technologies such as API management, which protects users across digital channels and apps, all of which are served by APIs.

"API management plays a key role in digital identity, particularly in authentication and authorization," he said. "With API management, we provide an open ID to connect, enable and standardize the authentication and authorization process, to ensure that only authorized individuals have access to specific APIs, meaning it has access to specific functionality."

Federated strategies

Identiverse researchers noted that reusable identity is achieved through the use of identity federation, which allows different systems and applications to recognize and trust the same digital identity.

Torqueto noted the federated principle also applies to API management, adding that organizations leveraging multiple tools within an API omnichannel strategy can detect when they're under attack, mitigate damage and identify which API is affected. He also described identity protection trends as follows:

  • Zero trust security: "A hot trend that means you assume no layer of your infrastructure is safe, even the intra service communications that have its encryption. The permissions used are the least permissive as possible. Zero trust will add security layers on top of your environment, making it even more difficult for the attacker."
  • Decentralized identity: "It's a self-serving identity that's currently gaining traction. Users have full control over their digital identities, including their personal data. They're now using this centralized technology, i.e., blockchain, or a distributed layer of technology to actually establish this identity - the APIs have this role. This crucial tool enables this interoperability within secure interactions between the decentralized identity itself and identification."
  • Consent and private management: "It's a common theme in open banking. Your banking data is yours, not the bank's. It belongs to the individual. Any action in the open banking ecosystem requires the final user's consent. It's privacy management. If the consumer doesn't want their data to be shared or simply doesn't want to participate, they have this right. There's GDPR, California Consumer Privacy, and other international laws that protect data privacy."

Synthetic identity threats

Christina Luttrell, CEO for GBG Americas and IDology, advocated using a multi-layered approach to fight all types of identity fraud, including synthetic identity, which she characterized as insidious and fast-growing in the United States. Layered data sources and alerts can notify enterprises when deceased individuals' records or address verification are in play, she pointed out.

"Perpetrators of synthetic identity fraud attempt to exploit vulnerabilities in identity verification and will focus on optimizing the right mix of identity attributes to avoid detection," she said. "Employing a layered approach that includes data, documents, biometrics, email and mobile intelligence can offer a comprehensive synthetic identity fraud risk assessment."

Affirming that risk scoring and machine learning are helping to reduce synthetic identity fraud, Luttrell proposed that agile, real-time technologies calculate risk scores and assess reputations faster than humans and deliver fast, accurate decisions. In fact, she said, IDology is seeing more data sources and risk signals deployed across identity verification and KYC processes.

Forewarned, forearmed

Luttrell further noted that numerous identity professionals have themselves been victims of identity theft or fraud and know firsthand how unpleasant and disruptive the experience can be. Putting forth the effort and determination to help eradicate fraud and see positive results, she added, can be extremely rewarding and helps contribute to a healthy, growing economy.

"Balancing security with a modern customer experience is a key challenge today and outdated methods of identity verification that rely on credit files or introduce too much friction will put businesses at a disadvantage," she said. "Consumers expect fast, secure, and trustworthy interactions and will walk away from anything less. Businesses must establish trust early in the customer life cycle, beginning with account opening and onboarding."

Reliable identity verification services help businesses build trust with customers by prioritizing security and identity verification, Luttrell stated, adding this approach can be a brand differentiator that helps attract and retain customers who value privacy and data protection.

Weaponizing AI, digital tools

Mansour-Aaron Karimzadeh, co-founder, president and COO at Vality Corp., pointed out that AI systems and new digital technologies are giving hackers new ways to steal identities, which is a growing problem in payments and financial services.

"For the payments market, the estimate for unresolved fraud paid out by online retailers is around $8 billion a year and growing," he said, maintaining that the largest part of this fraud is related to ID theft. The high cost of these crimes is due to actual fraud and the expense of managing the fraud, he noted, estimating that for every $1 of actual fraud, there is another $2.5 of costs to the retailer, which ratchets out-of-pocket costs up to around $28 billion.

While encouraged by security innovations, Karimzadeh warned strong authentication only stops a portion of fraud, which continues to scale. Modern identity solutions, at minimum, must be agile, always on and always connected, he noted, because legitimate players and fraudsters are deploying the same technologies, such as ChatGPT and other new AI applications, with different endgames in mind.

He believes that in this level playing field, stopping threats and staying ahead of well-matched adversaries will require a new mind-set and new technologies. "Next-gen authentication solutions must be on a different level than today's solutions," he said. "This will help accomplish secure authentication that current solutions are unable to achieve."

Integrating speed, security, compliance

Karimzadeh stated secure onboarding is critical for fighting fraud, because once a criminal gets through the front door, responses by adjacent fraud detection systems wouldn't matter much. Slow speed is a common flaw of mainstream onboarding systems, he added, and some can take up to 30 minutes to process a customer application or request, which can cause friction.

Businesses, he said, may hesitate to deploy such a system out of fear their customers might abandon their enrollments or purchases, but fast onboarding systems can solve for this, while keeping customers engaged and helping businesses onboard legitimate customers.

Reflecting on how global enterprises can achieve KYC compliance across fragmented regulatory jurisdictions, Karimzadeh advised multinational companies to use a common set of data across all of their regions. Once data is collected, he proposed, the KYC system can process according to specific guidelines of each regulatory landscape.

Luttrell noted that integrating disparate data into workflows can be complex and challenging for organizations. "Identity verification solutions that ease this process seamlessly in the background and provide a dynamic workflow, introducing additional checks only when necessary, keep it easy for companies requiring checks and friction-free for customers," she said.

Robinson stated about 49 percent of fraud occurs over the counter, and banks need systems that perform transaction, image, Bank Secrecy Act and Anti-Money Laundering analysis. To summarize, he named six assets that can help banks know their customers and fight fraud: identity authentication, fraud verification, compliance, data quality, risk assessment and customer knowledge. end of article

Dale S. Laszig, senior staff writer at The Green Sheet and founder and CEO at DSL Direct LLC, is a payments industry journalist and content strategist. Connect via email dale@dsldirectllc.com, LinkedIn www.linkedin.com/in/dalelaszig/ and Twitter https://twitter.com/DSLdirect.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing