The year has barely begun and we already have our contender for horror movie of the year - last Sunday’s episode of Carte Blanche. If you missed the episode, it featured a number of consumers who were victims of online identity fraud through no fault of their own.
Last week, I posted my list of key trends for 2019, one of which was the need for next-gen identity verification technologies and models. The segment showed exactly why I believe it’s so important for consumers and businesses both to have this discussion.
The episode pointed out that one of the major issues preventing victims from getting their case fairly appraised is the lack of clarity around who’s liable in online fraud cases. Many online banking terms and conditions shift the responsibility of not letting their accounts become compromised to the users themselves. In an age of major security breaches and sophisticated cybercrime syndicates, succumbing to fraud is no longer a case of clicking on a poorly-written spoof email.
Complicating the issue is the way physical and digital identities overlap, and how criminals can take advantage. Online banking doesn’t just exist online - your digital identity isn’t confined to a username and password or PIN. Who you are as a person outside of the context of online banking - a person who visits a cellphone shop and gets SIM swapped, posts a picture of a birthday celebration to their social media and reveals their birth date, or simply has their card spoofed at a point-of-sale is in as much risk as someone who opens Nigerian prince emails.
The Carte Blanche episode has highlighted something my industry has known for a while - online identity is encompassing more and more aspects of who we are and what we do outside of the digital realm - and vice versa. Staying safe means changing the way we think about cybersecurity, identity and personal information.
We all know the risks - it can take something as simple as a stolen wallet or a dodgy card machine to expose yourself to fraud. But there’s also a danger that doesn’t get highlighted as much yet has the potential to be far more damaging over the long term - of a criminal accessing personal information and using it for credit fraud. Unlike unusual card transactions, this can take a long time to discover - and by that time, your criminal alter-ego could have racked up major debt in your name and ruined your credit.
In a world where data is the new oil, not being careful with your personal information can be just as damaging as telling everyone your PIN. Just as businesses can create compelling pictures of their customers using data analytics, criminals can also use the wealth of information that’s out there to create a convincing false digital identity.
Many victims of identity fraud point to the theft of ID documents as the reason that their identity was compromised. It’s why we at TransUnion recommend keeping ID and other documents used to open accounts – bills that act as proof of address, for example – safe and away from situations where they might fall into the wrong hands. Yes, even that A4 copy of your ID you left in the photocopier.
There’s also the risk of fraudsters actively phishing on channels you might not expect. Many victims are caught out by calls, SMSs and emails requesting personal information such as addresses, phone numbers and dates-of-birth. Criminals can even get valuable information from your social media – people posting a happy birthday message on your timeline or the name of your primary school.
It’s important to be aware of their own data – from what privacy settings they have on their social media accounts to which websites they shop on and sign up for. While this won’t completely eliminate risk – we live in a digital society, after all – it can go a long way towards minimising exposure to it.
Finally, there’s an overlooked way of spotting identity fraud as it happens, by signing up for credit alerts and frequently checking your credit report. This is the first place fraud tends to show up, and you can set alerts to notify you of any suspicious activity such as a credit enquiry or new account opening in your name.
For businesses who work with personal data every day, the reality of identity fraud is even more complicated. It’s no longer enough to send out an alert warning of potential scams or advising customers not to give out their passwords. Instead, organisations need to adopt a multi-layered approach that leverages current fraud prevention and digital verification strategies with a third layer of verification like a one-time-pin and two-factor authentication.
That’s just the start – it’s also critical to incorporate non-traditional verification techniques into your security strategies such as knowledge-based authentication, digital verification and document verification. As clever as identity thieves may be, their chances of discovery drastically go up with each data set.
At TransUnion, we’ve had great success using this approach in our IDVision solutions. Using traditional data coupled with trended data that shows how a consumer has performed time, and combining it with deeper and broader forms of alternative data, we are able to build a clear, holistic digital identity that defies spoofing.
As the boundaries between digital and physical behaviour, as well as public and private data, continue to blur, it’s essential that we evolve as well. Forget legislation – it’s time to take the curation of digital identities – whether customers’ or our own – into our own hands.