I’ve attended many security conferences over the course of my career in cybersecurity, but this was my first time at Money20/20 USA. I had to blink a few times when I stepped onto the show’s Expo floor. Did I take the wrong flight and end up at a security conference — or, to be more specific, an Identity conference?
I was surprised to see so many identity protection vendors were represented. Also unexpected was the number of financial vendors now wearing a new hat and emphasizing the need to protect digital identities. Vendor messages ranged from identity verification to biometric authentication to identity risk assessment and, finally, to identity management.
Why is it that, at a conference all about the future of money, identity was such a big topic of discussion, alongside financial, political and regulatory trends?
Digital Transformation Changes Our Shopping Habits… and Introduces Risk
Digital transformation has introduced exponential opportunity in the financial space. The way we manage our money online, via banking, money transfers and shopping, has changed dramatically. We have moved away from a one-time, occasional transaction with a merchant, requiring several steps to checkout, to a continuous, connected relationship and quick, instant checkout. In the past week alone I have booked my flights in the Delta app, booked my hotel on the Expedia app, shopped for groceries on Instacart, shopped for presents on Amazon, purchased clothes on my favorite retailer app, and finally transferred money to our babysitter using Zelle while I was out of town. I also used Apple Pay whenever I could while at Money 20/20. All these purchases were so easy to make, and they all included providing personal information (most of it previously stored).
Digital identity is an essential part of the modern money lifecycle, bringing into the mix issues of securing personal data, privacy and more. At the same time, data breaches and phishing attacks have created an abundance of stolen credentials, turning identities into the most consequential attack vector in the financial world. Stolen identity information is available for sale on the dark web, including usernames and passwords to multiple accounts. But it doesn’t stop there. With resources moving to public clouds and so many more interfaces available to consumers to transact with, the attack surface is growing exponentially. New regulatory requirements mandating multi factor authentication controls have made things harder for adversaries, but their motivation is strong, so they innovate.
Synthetics IDs Are on the Rise, and Our Kids Might Be the Victims
Synthetic ID fraud is a crime in which fraudsters combine real and/or fictitious identifying information (ie. social security numbers (SSN) with names) to create new identities and defraud financial institutions. One formula is the following: a legitimate SSN with no credit history combined with a fictitious name and date of birth. The fraudster then used the synthetic identity to begin building a credit history. When credibility is established, they will open a line of credit or take out a loan — and then disappear (AKA “bust out”).
Synthetic ID fraud is a major concern for financial services. Staggering stats were presented at the FedPayments event: Over 10 years, a crime ring spanning 28 states and eight countries developed a network of more than 7,000 synthetic identities to fraudulently obtain more than 25,000 credit cards.
Social security numbers of children are for sale on the dark web, and according to the Child Identity Fraud Study conducted by Javelin Strategy & Research, more than a million children were victims of identity fraud in 2017. More information can be found in their recently published whitepaper from July 2019.
Even if the financial institution suspects a synthetic ID is used, they are stuck. Calling the user means ringing the fraudster’s phone. However, patterns do appear, and we as an industry need to look for these cases. For example, a 23-year-old with a FICO score of 800 or a 43-year-old applying for a $400 line of credit. The good news is that, recently, the social security administration announced the development of a portal that would allow financial organizations to use a real-time electronic system for verifying the identity of credit applicants. The new Consent Based Social Security Number (SSN) Verification (eCBSV) service will be an important tool in the fight against identity theft and other financial crimes. However, as usual, the fraudsters are a few steps ahead of us, creating repositories and digital trails of “valid” synthetic ID activity, being “legitimized” by fake “financial organizations.”
What Can We Do About Identity Challenges?
Here are a few key themes to sum up this Money20/20 USA recap:
- It’s all about collaboration – between and within financial institutions
- Motivation: Customer experience is the #1 priority, then fraud prevention
- Protections need to be implemented every step of the way, in a continuous, agile manner
The future of money relies on securing digital identities. Read more about these key themes and more in our next blog.