Technological arms race against identity fraud

Companies are struggling to maintain a great digital experience while preventing identity fraud, but security and assurance need not be blockers to speed and convenience online

Understanding identity is crucial to any business or personal interaction. In the digital age, it’s necessary in order to consume a service or complete a transaction. But when the key information typically required to verify an identity – name, date of birth and address – can be easily obtained, consumers are highly vulnerable to fraud.

The threat of identity theft has driven greater customer demands for more privacy and security when it comes to their personal data. High-profile data breaches have fuelled a fear among consumers about how their information will be used and driven a desire for more control.

While the internet has opened up a multitude of new ways for fraudsters to steal information, identity requirements in the UK have been slow to evolve in line. Many companies still just ask for that trio of identity markers, which are also the standard information required to sign a contract, to obtain someone’s sensitive details.

“We’re so reliant on those pieces of information to define who we are that it has put us in a situation where your name, date of birth and address become very valuable for someone to steal,” says Paul Weathersby, senior director of product management at LexisNexis Risk Solutions UK. “This has driven the rise in the theft of information online. If you rely only on that information, it’s self-fulfilling in terms of the problems it causes.”

Part of the challenge relates to consumers who don’t perceive their identity as having any value. Most people expect the identity verification aspect of accessing services to happen in the background and certainly don’t think it’s something they should pay for. To that extent, identity has become something of a commodity, yet one under constant threat.

More than nine billion consumer identities were stolen in the last five years and identity fraud represents half of all consumer fraud, according to LexisNexis Risk Solutions.

While new regulations, such as the European Union’s eIDAS set of standards for assurance checks related to electronic transactions, are beginning to recognise that identity needs to evolve for the online world, they still don’t allow different signifiers to identify a human being outside of name, date of birth and address. It’s clear this needs to change.

Internal processes at companies must evolve too. Before the internet transformed commerce and vital services such as banking, requesting name, date of birth and address was sufficient in preventing identity theft because they were very difficult to guess. Nowadays, however, obtaining that information is simply too easy for fraudsters, through either the details people willingly share online or from prior data breaches.

“The data breaches that have occurred have almost allowed the bad people to know that information,” says Mr Weathersby, “and it allows them to go and commit other frauds. Because data has been breached, and digital services and information are easier to pass between two people, companies need to do more than just check that those pieces of information are real. They need to ensure who they’re transacting with is that same person.”

“Banks are already doing this, but because everyone isn’t meeting a high standard, names, dates of birth and addresses are still valuable to fraudsters. We’ll still experience other data breaches or fraudsters trying to obtain that information until everyone is ensuring it is not just correct, but also belongs to the person they’re engaging with.”

Stephen Topliss, vice president of product strategy at LexisNexis Risk Solutions, says: “There is so much of our data in the public domain, and the digital age provides such easy access to services and products, which are still generally relying on you validating basic identity information – name, address, date of birth – or other personal information. That means identity data is available and very useful, which is why the threat is so prevalent.”

The greatest challenge companies face is balancing this need for secure identity verification and control over personal data with consumer expectations for a faster and more convenient digital experience. Simply adding barriers to authentication will do nothing to enhance the user journey at a time when customers are more likely than ever to abandon a transaction and buy somewhere else if their expectations aren’t met.

This creates a very difficult situation for organisations and a hesitancy to implement additional security and assurance checks, for fear of jeopardising sales and product adoption. Consumers expect their data to be kept secure and they won’t accept a slower or more complicated service to ensure that. The route to success is providing added security and identity assurance without harming the user experience.

“The journey of digital transformation that’s occurring across businesses really needs to touch all parts of the organisation,” says Dr Topliss. “If a new website is being launched, new services are being created online or a new app has been developed, they need to take the opportunity to embrace all the latest digital fraud prevention technologies as well.”

LexisNexis Risk Solutions is a leading provider of such innovation, harnessing the power of data and advanced analytics to provide insights that help organisations reduce risk and prevent fraud. It advocates a layered approach, through a broad range of protection, acknowledging that no single method can stop identity fraud.

By implementing complex combinations of technology, including biometrics and passive authentication, companies such as LexisNexis Risk Solutions could make identity fraud nearly impossible. Those who do find a way will be deterred by the complexity, while consumers continue to enjoy speed and convenience because the technology is invisible to them.

The company’s ThreatMetrix solution, in particular, looks at the digital identity of a person, including the device they’re using, the location they connect from and the information they pass, such as user name and email addresses, enabling companies to perform both physical and digital identity verification. If the physical and digital identity don’t match, organisations can quickly and easily identify suspicious activity that could be fraud.

Digital intelligence, and the concept of digital identities in particular, is still relatively unknown among the general public. Without the knowledge to understand how this technology works and what the benefits can be, some consumers are suspicious of the process.

“We have a responsibility to educate consumers and make them aware of the threats online,” says Dr Topliss. “A lot of the tension over the last couple of years has been placed on marketing companies using digital data to track consumers to learn their spending habits online and then generate targeted adverts for them. This has influenced public opinion negatively around the use of digital data.”

“It’s important for consumers to realise a combination of this digital data, together with traditional identity data, can also be used effectively to combat identity fraud in the digital space and that their favourite shopping sites, services and social media networks are often making use of this type of fraud prevention service. This can help customers make a more informed decision around what data to share, or permissions to allow to a website, to help provide a safer and more secure online environment to transact in.”

For more information please visit risk.lexisnexis.co.uk

Attack vectors evolve as fraudsters move to mobile

New research has exposed just how vulnerable the financial services, ecommerce and media industries, and more importantly their customers, are in the digital age, with cybercrime shifting towards cross-organisational fraud and mobile-first attacks

Companies across sectors that enjoy the most engagement with consumers online are struggling to keep up with fast-evolving attack patterns from fraudsters and the ever-growing networked footprint of cybercrime. ThreatMetrix, a LexisNexis Risk Solutions company, recorded 244 million human-initiated attacks and three billion bot attacks in the second half of 2018, according to its biannual Cybercrime Report. This included 189 million mobile bot attacks, a 12 per cent increase on the first half of 2018.

While new account creations have the highest attack rate of all use-cases analysed by ThreatMetrix, with one in eight rejected as fraudulent, the most noticeable growth in mobile attacks is on account logins. Attempts by fraudsters to infiltrate user accounts by brute force, with mobile bots, or stealth, using mobile remote access attacks, contributed to 107 per cent growth in mobile account takeovers in the period examined.

With consumers increasingly opting to bank online and using mobile apps, financial services firms are under pressure to ensure integrated and low-friction digital authentication capabilities form part of the customer experience. Aligning security with the online experience that customers expect is crucial for the sector to advance.

Ecommerce is another industry where achieving that alignment is important while also maintaining effective fraud control, particularly during busy shopping periods such as Black Friday. This might mean accepting a higher percentage of fraudulent transactions to accept more genuine orders from good customers, which is a difficult decision to make.

ThreatMetrix detected and stopped 2.1 billion bot attacks on ecommerce merchants in the second half of last year, 142 per cent growth compared with the previous year. Although sophisticated attacks dropped, the impact of high-volume bot traffic continues to disrupt the sector. Identity-testing bot attacks often make up considerably more of an ecommerce merchant’s daily transaction volume than good traffic, making a low-friction experience for trusted customers all the more challenging for merchants.

The media industry, which includes social networks as well as streaming, gaming and gambling sites, sees the highest penetration of new account creation attacks of all sectors, with one in six found to be fraudulent. Low barriers to creating and accessing accounts, along with less-stringent security measures, have made media a prime target for testing identities, so companies must be extra vigilant against fraudulent attacks.

In the period analysed, ThreatMetrix found the media industry was hit by 211 million bot attacks, 16 per cent growth compared with the first half of last year. The sector also saw 7 per cent growth in mobile new account creation attacks year on year, as well as an increase of 24 per cent on mobile payments transactions.

Fraudsters are master manipulators, with constantly shifting tactics, according to Alisdair Faulkner, chief identity officer at LexisNexis Risk Solutions. “They adapt their attack patterns and modus operandi to take advantage of shifting customer trends, evolving regulations and technological changes, always attempting to stay one pace ahead of businesses,” he says.

“We see this through the way in which attack patterns evolve and morph over time. Businesses must be able to piece together digital identity intelligence on a per-user basis so departures from trusted customer behaviour can be identified in near-real time, before a transaction is processed and before fraudsters can operationalise new attack methods.”
