Reimagining identity in the post-data breach era

Data breaches have become commonplace among global headlines and newsfeeds, a painful fact of life until you become a victim yourself, and realise the wholescale devastation breached identity data can reap on your day-to-day life. The onus is squarely on businesses to ensure they have the appropriate defences in place to protect their customers, as well as safeguard their own reputation.

However, keeping personal data safe has become increasingly challenging for businesses, who must contend with the evolving demands of the digital economy amid ever more savvy, global cybercriminals. Businesses are tasked with having to stay one step ahead of the fraudster, no easy task when cybercriminals are launching increasingly sophisticated and organised attacks, using near-perfect identities created from piecing together breached credentials so readily available on the Dark Web.

The intrinsic link between stolen identity data and attacks is clearly evident through analysis of the ThreatMetrix Identity Abuse Index. With the largest spikes in the index associated with the biggest breaches reported in the news, the Index is a clear indicator of how the exploitation of stolen identity information is impacting the size and scale of global attacks. These volatile attacks are deployed to give cybercriminals access to everything they need in order to turn a profit with stolen credentials. Whether it be opening fraudulent new accounts, taking over existing ones, applying for fraudulent loans, making illegal payments or going on illicit shopping sprees, fraudsters are not only making a monetary impact on the businesses they target, but also threatening brand, reputation, and customer loyalty. Perhaps the clearest indicator of the impact of breached identity data is the fact that around one in ten new account creations in the ThreatMetrix Network is fraudulent, and for some industries this figure can be even higher.

Thus, identity has become central when talking about success in the digital economy. In a post-data breach era, businesses must strive to re-establish trust online and gain insight into the true identity of customers.

However, with consumers moving seamlessly between their offline and online personas, across both their corporate and personal lives, businesses are faced with a myriad of challenges in ascertaining the true identity of transacting users. Muddying the waters further is the fact that individuals can behave differently and show different offline personas depending on the circumstances, for example, subscribing for media services online versus applying for a business loan.

Traditional fraud and identity management is failing to keep pace with this evolving fraud landscape – siloed and disjointed technologies built to defend against various threat vectors introduce unnecessary friction for the user, at excessive cost to the enterprise. Different ways of assessing users at different customer touchpoints often means asking customers to jump through multiple hoops to prove who they are – again adding friction to the overall user experience.

Businesses can meet these competing priorities – protecting against fraud while providing a frictionless user experience – by having a complete 360-degree understanding of who they are transacting with – anywhere, anytime, and via any channel.

But how can this be achieved? The secret to success is linking the multi-faceted parts of an individual’s true identity in a way that is actionable across multiple channels. The ability to join the dots between a person’s offline and online identity requires access to the most comprehensive sets of data and sophisticated technology to create and analyse linkages to form actionable intelligence that can be used in real time.

Digital Assessment: To gain a truly 360-degree view of identity, businesses should incorporate identity attributes seen during digital touchpoints such as username and passwords, email addresses, online account history and behaviours, social networks, device identification, and geo-location.

Identity Verification: Involves linking attributes of an individual’s digital identity to authoritative data sources from a person’s offline records. This includes identity verification based on utility bills, car registrations, and government-issued identifiers such as social security numbers.

Analyse Fraud Risk: Advanced linking technologies and machine learning can then correlate these disparate data points and turn this into actionable intelligence on risk through fraud scores and reason codes; determining velocities and frequencies that are indicative of trusted versus suspicious behaviour.

Step-Up Authentication: For activity that shows elevated risk analysis the final step is deploying step-up authentication, for example knowledge-based authentication, secure notifications, or biometrics. Strong customer authentication that integrates seamlessly with risk-based authentication, based on identity assessments, is key to delivering maximum security with minimal customer intervention.

The combined understanding of physical and digital identity interactions allows businesses to respond quickly and more comprehensively to the vast number of threats facing the global economy. Solving the problem of identity in the digital age will enable a seamless and comprehensive approach to fraud and identity risk management to help companies drive online revenues by making faster decisions, reducing online fraud and combating emerging threats.

This editorial was first published in the Web Fraud Prevention, Identity Verification & Authentication Guide 2018-2019. The Guide covers some of the security challenges encountered in the ecommerce and banking, and financial services ecosystems. Moreover, it provides payment and fraud and risk management professionals with a series of insightful perspectives on key aspects, such as fraud management, identity verification, online authentication, and regulation.

About Alisdair Faulkner

Alisdair Faulkner leads the commercial markets and strategy function for fraud and identity management at LexisNexis Risk Solutions, Business Services. He was co-founder and Chief Products Officer for ThreatMetrix culminating in the 2018 acquisition by LexisNexis Risk Solutions. He now oversees the combined fraud and identity solutions for LexisNexis Risk Solutions and the ThreatMetrix Digital Identity Network.

About ThreatMetrix

ThreatMetrix, A LexisNexis Risk Solutions Company, empowers the global economy to grow profitably and securely without compromise. With deep insight into hundreds of millions of anonymized digital identities, ThreatMetrix ID delivers the intelligence behind 110 million daily authentication and trust decisions, to differentiate legitimate customers from fraudsters in real time.