Sometimes logging into an account feels a bit like playing 20 questions. Security is vital for a positive customer experience, and engaging the right identity verification strategies is essential to proactive fraud prevention.

For financial institutions and businesses, secure authentication is more important than ever. It is imperative for customer safety – which drives retention and loyalty – and your bottom line – as fraud has detrimental effects on and off the balance sheet.

Information sharing has proliferated, as has the number of times consumers are prompted to provide access to sensitive information. While today’s consumer has grown accustomed to providing such information, there’s also a heightened demand for security. According to Experian’s 2023 U.S. Identity and Fraud Report, nearly two-thirds (64%) of consumers say they’re very or somewhat concerned with online safety, listing identity theft, stolen card information and online privacy as top concerns. Customers want to know who they are providing access to and whether that entity will have their safety in mind.

From a business perspective, one way to ensure that only the right people can get in is by using knowledge-based authentication (KBA). KBA takes traditional authentication methods, like passwords and Personal Identification Numbers (PINs), one step further by creating an additional layer of security through collecting private facts from each user. In this post, we'll look at how KBA works, what its benefits are as a form of identity verification, and how it can improve customer trust.

Introducing Knowledge Based Authentication (KBA): What it is and how it works

Knowledge Based Authentication can be part of a multifactor authentication solution and is one way to stay on top of privacy and security for your customers – existing and new. KBA is a feature designed to protect online accounts by verifying the account holder’s identity.
It involves answering a series of personal questions, such as mother's maiden name or first pet's name, that only the account holder should know. This system has become increasingly popular due to its effectiveness in preventing fraud and identity theft. With KBA, businesses and individuals can have peace of mind that their information is protected by a reliable authentication system that is difficult for unauthorized users to breach.

Benefits of implementing KBA and a multifactor authentication strategy

Implementing KBA in your business gives customers an additional layer of security by verifying the identity of users through personalized questions. This reduces the risk of fraud and enhances customer trust and confidence. Secondly, it improves the customer experience by making the authentication process faster and more user-friendly. Lastly, KBA reduces costs by automating the authentication process and reducing the need for manual intervention.

However, KBA is just one facet of an ideal strategy. Multifactor authentication provides confidence while reducing friction. Risk-based authentication tools allow organizations to assess risk to apply the appropriate level of security. Factors to consider adding to your authentication processes include:

Generating unique one-time passwords (OTPs): By creating a new OTP for each transaction, you can increase the level of security.
Confirming device ownership: A multifactored approach applies device intelligence checks to increase confidence that the message is reaching the correct user.
Maintaining low friction with secondary options: If the OTP fails or can’t be attempted by the user, working with a provider who allows an automatic default to another authentication service, such as a knowledge-based authentication solution, decreases end-user friction.
Identifying potential security risks associated with KBA

KBA relies on personal information that may easily be discovered via social media and other public records, which makes it vulnerable to fraud and identity theft. This highlights the need for a multilayered fraud and identity solution. The landscape of digital security is constantly changing, so leveraging an arsenal of fraud and identity prevention strategies, like document verification, one-time passcodes, and various identity authentication and verification measures, is critical for keeping your customers and business safe.

Commonly used technologies for enhancing KBA security

With the rising need for secure authentication, KBA systems have become increasingly popular. However, cyberthreats evolve at an alarming rate, making it imperative to stay current with the latest fraud schemes and how to enhance and supplement your security.

Biometrics, like facial recognition and fingerprint scans, are gaining traction as a tactic: “85% of consumers report physical biometrics as the most trusted and secure authentication method they have recently encountered,” according to Experian’s 2023 U.S. Identity and Fraud Report. Additionally, machine learning algorithms detect patterns and anomalies in user behavior and flag any potential security breaches. Multi-factor authentication is another tool that adds an extra layer of security by requiring users to provide multiple forms of identification before logging in. Keeping up with these and other technological advancements can help ensure your KBA system stays one step ahead of potential cyberattacks.

Interestingly, there’s a disconnect between the technologies consumers feel safe with and/or are prepared to use versus the technologies and strategies that organizations implement. According to the U.S. Identity and Fraud Report, biometrics are currently used by only 33% of businesses to detect and protect against fraud.
An opportunity for business differentiation and driving customer loyalty through a better customer experience may be tapping into some of these lesser used – but sought after – technologies.

Compliance with industry standards regarding KBA

Ensuring that your system complies with industry standards regarding KBA is crucial for protecting sensitive information from unauthorized access. By implementing the following tips, you can stay ahead of the game and safeguard your organization's data. Analyze your system's current authentication methods and evaluate if they meet industry standards. Additionally, follow standard guidelines for data storage and encryption, limit access to only authorized personnel, and stay current with regulations. Lastly, conduct frequent security audits and perform vulnerability tests to identify and address any potential threats.

Knowledge-based authentication offers a robust security solution for businesses of all sizes, and incorporating KBA as part of a multifactor authentication strategy is a winning course of action. It provides an added layer of protection for personal data, encourages user accountability, and safeguards against unauthorized access. By leveraging appropriate KBA technologies and maintaining compliance with industry standards, it is possible to create a secure system for customers that gives you peace of mind for your business and bottom line.

Experian can help you with knowledge-based authentication offerings, a multifactor authentication strategy and everything in between to enhance your existing authentication process without causing user fatigue. Increase your pass rates, confirm device ownership and add security to risky or high-value transactions, all while executing identity verification and fraud detection to protect your business from risk. The most important step is getting started.
Experian recently announced Experian Identity and published an advertorial in American Banker outlining the integrated approach to identity that recognizes the full breadth of the company’s authoritative data solutions that help businesses better connect with their consumers in more personalized, meaningful and secure ways. The efforts address the rapidly changing definition and landscape of identity and take on the importance and needs for identity which span across the entire customer journey. From marketing to a specific consumer’s needs, to facilitating a friction-right customer experience, to protecting personal information. As such, there’s a gap for single-partner providers to help businesses navigate this change, while also putting the needs of the consumer first. “Identity data sets are constantly growing with inputs from new interactions. Many future sources of data have yet to be even conceived or developed,” said Kathleen Peters, Chief Innovation Officer, Experian Decision Analytics. “Staying ahead of the identity market curve is vital, and it requires building and continually evolving an enterprise-scale identity solution that interconnects with your own unique data and systems to create attribute-rich profiles of your customers that work across any identity application. That’s Experian Identity.” Experian Identity underscores the need businesses have to respond to increasing identity needs with interconnected, scalable technology, products and services that optimize the consumer experience. While the integrated approach announcement is new, the capability is not. Experian has been trusted for decades to secure individuals’ identity around the most important decisions in their lives – think purchasing a car or home, being identified at the doctor’s office, and more. As such, consumers remain at the center of every action. 
Experian Identity offers identity resolution, verification, authentication and protection, and fraud management solutions that include first- and third-party fraud, account takeover, credit card verification, identity resolution and restoration, risk-based authentication, synthetic identity protection and more.

Additionally, we’ve included a special blog post introducing Experian’s identity capabilities from Kathleen Peters on the Experian Global News Blog and additional coverage. Stay tuned for more updates.

Experian Global News Blog - Making Identities Personal: Experian Helps Businesses Build Consumer Trust
American Banker – Making Identities Personal: Building Trust and Differentiating Your Brand
Experian White Paper - Making Identities Personal

For more information about Experian Identity, visit www.experian.com/identity-solutions.
Preventing account takeover (ATO) fraud is paramount in today’s increasingly digital world. In this two-part series, we’ll explore the benefits and considerations of a Defense in Depth strategy for stopping ATO.

The challenges with preventing account takeover

Historically, managing fraud and identity risk in online banking has been a trade-off between customer experience and the effectiveness of fraud controls. The basic control structure relies on a lock on the front door of online banking—login—as the primary authentication control to defend against ATO.

Within this structure, there are two choices. The first is tightening the lock, which equals a higher rate of step-up authentication challenges and lower fraud losses. The second is loosening the lock, which results in a lower challenge rate and higher fraud losses. Businesses can layer in more controls to reduce the false positives, but that only allows marginal efficiency increases and usually represents a significant expense in both time and budget to add in new controls.

Now is the perfect time for businesses to reassess their online banking authentication strategy for a multitude of reasons:

ATO is on the rise: According to Javelin Strategy & Research, ATO increased 72% in 2019.¹
Users’ identities and credentials are at more risk than ever before: Spear phishing and data breaches are now a fact of life, leading to reduced effectiveness of traditional authentication controls.
Online banking enrollments are on the rise: According to BioCatch, in the months following initial shelter-in-place orders across the country, banks have seen a massive spike in first-time online banking access.
Users expect security in online banking: Half of consumers continue to cite security as the most important factor in their online experience.
Businesses who reassess the control structure for their online banking will increase the effectiveness of their tools and reduce the number of customers challenged at the same time – giving them Defense in Depth.

What is Defense in Depth?

Defense in Depth refers to a strategy in which a series of defense mechanisms are layered in order to protect data and information. The basic assumptions underlying the value of a Defense in Depth strategy are:

Different types of transactions within online banking have different levels of inherent risk (e.g., external money movement is considerably higher risk compared to viewing recent credit card transactions)
At login, the overall transaction risk associated with the session is unknown
The risk associated with online banking is concentrated in relatively small populations – the vast majority of digital transactions are low risk

This is the Pareto principle at play – i.e., about 80% of online banking risk is concentrated within about 20% of sessions. Experian research shows that risk is even more concentrated – closer to >90% of the risk is concentrated in <10% of transactions. This is relatively intuitive, as the most common activities within online banking consist of users checking their balance or reviewing recent transactions. It is much less common for customers to engage in higher-risk transactions. The challenge is that businesses cannot know the session risk at the time of challenge, so their efficiency is destined to be sub-optimal.

The benefits of Defense in Depth

A Defense in Depth strategy can really change the economics of an online banking security program. Adopting a strategy that continuously assesses the overall session risk as a user navigates through their session allows more efficient risk decisions at moments that matter most to the user. With that increased efficiency, businesses are better set up to prevent fraud without frustrating legitimate users.
Defense in Depth allows businesses to intelligently layer security protocols to protect against vulnerability – helping to prevent theft and reputational losses and minimize end-user frustration. In addition to these benefits, a continuous risk-based approach can have lower overall operational costs than a traditional security approach.

The second part of this series will explore the cost considerations associated with the Defense in Depth strategy explored above. In the meantime, feel free to reach out to discuss options.

¹ Identity Fraud in the Digital Age, Javelin Strategy & Research, September 2020
Experian’s Chris Ryan and Bobbie Paul recently re-joined David Mattei from Aite to discuss how emerging fraud trends and changes in consumer behavior will have long-term impacts on businesses. Chris, Bobbie, and David have combined experience of more than 60 years in the world of fraud prevention. In this discussion, they bring that experience to bear as they review how businesses should revise their long-term fraud strategy in response to COVID-19 and the subsequent economic shifts, including:

The requirements to authenticate a digital customer
Businesses’ technology challenges
Differentiating between first party and third party fraud
The importance of businesses’ technology investment
How to build a roadmap for the next 90 days and beyond

Experian · Make Your Fraud Plan Recession-Ready: Your 90 Day and Beyond Plan
This is the next article in our series about how to handle the economic downturn – this time focusing on how to prevent fraud in the new economic environment. We tapped two new experts—Chris Ryan, Market Lead, Fraud and Identity and Tischa Agnessi, Go-to-Market Lead, Decisioning Software—to share their thoughts on how to keep fraud out of your portfolio while continuing to lend.

Q: What new fraud trends do you expect during the economic downturn?

CR: Perhaps unsurprisingly, we tend to see high volumes of fraud during economic downturn periods. First, we anticipate an uptick in third-party fraud, specifically account takeover or ATO. It’ll be driven by the need for first-time users to be forced online. In particular, the less tech-savvy crowd is vulnerable to phishing attacks, social engineering schemes, using out-of-date software, or landing on a spoofed page. Resources to investigate these types of fraud are already strained as more and more requests come through the top of the funnel to approve new accounts. In fact, according to Javelin Strategy & Research’s 2020 Identity Fraud Study, account takeover fraud and scams will increase at a time when consumers are feeling financial stress from the global health and economic crisis. It is too early to predict how much higher the fraud rates will go; however, criminals become more active during times of economic hardships.

We also expect that first party fraud (including synthetic identity fraud) will trend upwards as a result of the deliberate abuse of credit extensions and additional financing options offered by financial services companies. Forced to rely on credit for everyday expenses, some legitimate borrowers may take out loans without any intention of repaying them – which will impact businesses’ bottom lines. Additionally, some individuals may opportunistically look to escape personal credit issues that arise during an economic downturn.
The line between behaviors of stressed consumers and fraudsters will blur, making it more difficult to tell who is a criminal and who is an otherwise good consumer that is dealing with financial pressure.

Businesses should anticipate an increase in synthetic identity fraud from opportunistic fraudsters looking to take advantage of initial financing offers and the cushions offered to consumers as part of the stimulus package. These criminals will use the economic upset as a way to disguise the fact that they’re building up funds before busting out.

Q: With payment stress on the rise for consumers, how can lenders manage credit risk and prevent fraud?

TA: Businesses wrestle daily with problems created by the coronavirus pandemic and are proactively reaching out to consumers and other businesses with fresh ideas on initial credit relief, and federal credit aid. These efforts are just a start – now is the time to put your recession readiness plan and digital transformation strategies into place and find solutions that will help your organization and your customers beyond immediate needs.

The faceless consumer is no longer a fraction of the volume of how organizations interact with their customers; it is now part of the new normal. Businesses need to seek out top-of-line fraud and identity solutions to help protect themselves as they are forced to manage higher digital traffic volumes and address the tough questions around:

How to identify and authenticate faceless consumers and their devices
How to best prevent an overwhelming number of fraud tactics, including first party fraud, account takeover, synthetic identity, bust out, and more.

As time passes and the economic crisis evolves, we will all adapt to yet another new normal.
Organizations should be data-driven in their approach to this rapidly changing credit crisis and leverage modern technology to identify financially stressed consumers with early-warning indicators, predict future customer behavior, and respond quickly to change as they deliver the best treatment at the right time based on customer-specific activities. Whether it’s preparing portfolio risk assessment, reviewing debt management, collections, and recovery processes, or ramping up your fraud and identity verification services, Experian can help your organization prepare for another new normal.

Experian is continuing to monitor the updates around the coronavirus outbreak and its widespread impact on both consumers and businesses. We will continue to share industry-leading insights to help financial institutions differentiate legitimate consumers from fraudsters and protect their business and customers.

About Our Experts

Chris Ryan, Market Lead, Fraud and Identity
Chris has over 20 years of experience in fraud prevention and uses this knowledge to identify the most critical fraud issues facing individuals and businesses in North America, and he guides Experian’s application of technology to mitigate fraud risk.

Tischa Agnessi, Go-to-Market Lead, Decisioning Software
Tischa joined Experian in June of 2018 and is responsible for the go-to-market strategy for North America’s decisioning software solutions. Her responsibilities include delivering compelling propositions that are unique and aligned to markets, market problems, and buyer and user personas. She is also responsible for use cases that span the PowerCurve® software suite as well as application platforms, such as Decisioning as a Service℠ and Experian®One.
If you’ve seen an uptick in photos of friends and celebrities looking older with wrinkles on your social media feeds, you’re not alone. A new free photo editor has taken the internet by storm, featuring an AI-powered image-altering application that allows users to see their “future self.” All you have to do is upload a single photo (or a few) from your camera roll to be enhanced.

While this may seem like harmless fun, the app is now making headlines over increased privacy concerns about what occurs behind the scenes once users submit their selfies. Red flags were raised when multiple alleged negative implications were connected to the app – including the app’s ownership and the potential risk that the app downloaded a user’s entire photo album onto their database. In fact, the privacy concerns also prompted Democratic Party officials to implore federal agencies, including the FBI, “to look into the potential national security and privacy risks the phone app poses to the United States.”

Since then, the app’s creators have addressed these concerns, stating most of the photo processing occurs in the cloud and most photos are deleted within 48 hours. Additionally, the only photos uploaded are ones that have been personally submitted by the user. Regardless, a database of user-submitted photos could be seen as a goldmine to fraudsters.

In a time where personal and biometric data (including facial recognition) are some of the key ways to validate security, it’s important for consumers to be aware of how and where they’re sharing their data, whether it’s for an age-progression photo app, or their financial accounts. Consumers, businesses, financial institutions – everyone – should exhibit caution and take measures to ensure personal information remains secure and is not being used for nefarious reasons. While consumers may be aware that businesses are collecting data, companies should take steps to form digital trust with transparency.
This could be achieved by:

Educating consumers on how their data is being used
Effectively communicating privacy policies and service terms more concisely
Helping consumers feel in control of their information

To learn more about research that indicates a shift to advanced authentication methods (including biometrics), fraud trends and how to combat them, download our e-book.
Perhaps more than ever before, technology is changing how companies operate, produce and deliver products and services to their customers. Similarly, technology is also driving a shift in customer expectation in how, when and where they consume products and services. But these changes aren’t just relegated to the arenas where tech giants with household names, like Amazon and Google, play. Likewise, financial institutions of every size are also fielding the changes brought on by innovations to the industry in recent years. According to this report by PwC, 77% of firms plan on dedicating time and budgets to increase innovation.

But what areas make the most sense for your business? With a seemingly constant shift in consumer and corporate focus, it can be difficult to know which technological advancements are imperative to your company’s success and which are just the latest fizzling buzzword. As you evaluate innovation investments for your organization in 2019 and beyond, here’s a list of four technology innovations that are already changing the financial sector or will change the banking landscape in the near future.

The APIs of Open Banking

OK, it’s not a singular innovation, so I’m cheating a bit here, but it’s a great place to begin the conversation because it comprises and sets the stage for many of the innovations and technologies that are in use today or will be implemented in the future. Created in 2015, the Open Banking Standard defined how a bank’s system data or consumer-permissioned financial data should be created, accessed and shared through the use of application programming interfaces or APIs. When financial institutions open their systems up to third-party developer partners, they can respond to the global trends driving change within the industry while greatly improving the customer experience.
With the ability to securely share their financial data with other lenders, greater transparency into the banking process, and more opportunities to compare product offerings, consumers get the frictionless experience they’ve come to expect in just about every aspect of life – just not necessarily one that lenders are known for. But the benefits of open banking are not solely consumer-centric. Financial institutions are able to digitize their product offerings and thus expand their market and more easily share data with partners, all while meeting clients’ individualized needs in the most cost-effective way.

Biometrically speaking…and smiling

Verifying the identity of a customer is perhaps one of the most fundamental elements to a financial transaction. This ‘Know Your Customer’ (KYC) process is integral to preventing fraud, identity theft, money laundering, etc., but it’s also time-consuming and inconvenient to customers. Technology is changing that.

From thumbprint and, now, facial recognition through Apple Pay, consumers have been using biometrics to engage with and authorize financial transactions for some time now. As such, the use of biometrics to authenticate identity and remove friction from the financial process is becoming more mainstream, moving from smartphones to more direct interaction. Chase has now implemented voice biometrics to verify a consumer’s identity in customer service situations, allowing the company to more quickly meet a customer’s needs. Meanwhile, in the US and Europe, Visa is testing biometric credit cards that have a fingerprint reader embedded in the card, which stores the cardholder’s fingerprint in order to authenticate their identity during a financial transaction. In China, companies like Alipay are taking this to the next level by allowing customers to bypass the phone entirely with its ‘pay with a smile’ service. First launched in KFC restaurants in China, the service is now being offered at hospitals as well.
How, when and where a consumer accesses their financial institution data actually creates a digital fingerprint that can be verified. While facial and vocal matching are key components to identity verification and protecting the consumer, behavioral biometrics have also become an important part of the fraud prevention arsenal for many financial institutions. These are key components of Experian’s CrossCore solution, the first open fraud and identity platform, which partners with a variety of companies through the open APIs discussed above.

Not so New Kid on the Block(chain)

The first Bitcoin transaction took place on January 12, 2009. And for a number of years, all was quiet. Then in 2017, Bitcoin started to blow up, creating a scene reminiscent of the 1850s California gold rush. Growing at a seemingly exponential rate, the cryptocurrency topped out at a per unit price of more than $20,000.

By design, cryptocurrencies are decentralized, meaning they are not controlled or regulated by a single entity, reducing the need for central third-party institutions, i.e., banks and other financial institutions, to function as central authorities of trust. Volatility and regulation aside, it’s understandable why financial institutions were uneasy, if not skeptical of the innovation.

But perhaps the most unique characteristic of cryptocurrencies is the technology on which they are built: blockchain. Essentially, a blockchain is just a special kind of database. The database stores, validates, transfers and keeps a ledger of transfers of encrypted data—records of financial transfers in the case of Bitcoin. But these records aren’t stored on one computer as is the case with traditional databases. Blockchain leverages a distributed ledger or distributed trust approach where a full copy of the database is stored across many distributed processing nodes and the system is constantly checking and validating the contents of the database.
But a blockchain can store any type of data, making it useful in a wide variety of applications including tracking the ownership of digital or physical assets or the provenance of documents, etc. From clearing and settlements, payments, trade finance, identity and fraud prevention, we’re already seeing financial institutions explore and/or utilize the technology. Santander was the first UK bank to utilize blockchain for their international payments app One Pay FX. Similarly, other banks and industry groups are forming consortiums to test the technology for other various uses. With all this activity, it’s clear that blockchain will become an integral part of financial institutions’ technology and operations on some level in the coming years.

Robot Uprising Rise in Robots

While Artificial Intelligence seems to have only recently crept into pop-culture and business vernacular, the term was actually coined in 1956 by John McCarthy, a researcher at Dartmouth who thought that any aspect of learning or intelligence could essentially be taught to a machine. AI allows machines to learn from experience, adjust to new inputs and carry out human-like tasks. It’s the result of becoming ‘human-like’ or the potential to become superior to humans that creeps out people like my father, and also worries others like Elon Musk.

Doomsday scenarios a la Terminator aside, it’s easy to see how the tech can be and is useful to society. In fact, much of the AI development done today uses human-style reasoning as a model, but not necessarily the ultimate aim, to deliver better products and services. It’s this subset of AI, machine learning, that allows companies like Amazon to provide everything from services like automatic encryption in AWS to products like Amazon Echo. While it’s much more complex, a simple way to think about AI is that it functions like billions of conditional if-then-else statements working in a random, varied environment typically towards a set goal.
Whereas in the past, programmers would have to code these statements and input reference data themselves, machine learning systems learn, modify and map between inputs and outputs to create new actions based on their learning. It works by combining the large amounts of data created on a daily basis with fast, iterative processing and intelligent algorithms, allowing the program to learn from patterns in the data and make decisions. It’s this type of machine learning that banks are already using to automate routine, rule-based tasks like fraud monitoring and also drive the analytical environments used in their risk modeling and other predictive analytics.

Whether or not you’ve implemented AI, machine learning or bot technology into your operations, it’s highly likely your customers are already leveraging AI in their home lives, with smart home devices like Amazon Echo and Google Home. Conversational AI is the next juncture in how people interface with each other, companies and life in general. We’re already seeing previews of what’s possible with technologies like Google Duplex. This has huge implications for the financial services industry, from removing friction at a transaction level to creating a stickier, more engaging customer experience. To that end, according to this report from Accenture, AI may begin to provide in-the-moment, holistic financial advice that is in a customer’s best interest.

It goes without saying that the market will continue to evolve, competition will only grow more fierce, consumer expectation will continue to shift, and regulation will likely become more complex. It’s clear technology can be a mitigating factor, even a competitive differentiator, with these changing industry variables. Financial institutions must evolve corporate mindsets in their approach to prioritize innovations that will have the greatest enterprise-wide impact.
By putting together an intelligent mix of people, process, and the right technology, financial institutions can better predict consumer need and expectation while modernizing their business models.
It’s the holiday season — time for jingle bells, lighting candles, shopping sprees and credit card fraud. But we’re prepared. Our risk analyst team constantly monitors our FraudNet solution performance to identify anomalies our clients experience as millions of transactions occur this month. At its core, FraudNet analyzes incoming events to determine the risk level and to allow legitimate events to process without causing frustrating friction for legitimate customers. That ensures our clients can recognize good customers across digital devices and channels while reducing fraud attacks and the need for internal manual reviews. But what happens when things don’t go as planned? Here’s a recent example. One of our banking clients noticed an abnormally high investigation queue after a routine risk engine tuning. Our risk analyst team looked further into the attacks to determine the cause and assess whether it was a tuning issue or a true fraud attack. After an initial analysis, the team learned that the events shared many of the same characteristics:

- Came from the same geo location that has been seen in previous attacks on clients
- Showed suspicious device and browser characteristics that were recognized by Experian’s device identification technology
- Identified suspicious patterns that have been observed in other recent attacks on banks

The conclusion was that it wasn’t a mistake. FraudNet had correctly identified these transactions as suspicious. Experian® then worked with our client and recommended a strategy to ensure this attack was appropriately managed. This example highlights the power of device identification technology as a mechanism to detect emerging fraud threats, as well as link analysis tools and the expertise of a highly trained fraud analyst to uncover suspicious events that might otherwise go unnoticed.
In addition to proprietary device intelligence capabilities, our clients take advantage of a suite of capabilities that can further enhance a seamless authentication experience for legitimate customers while increasing fraud detection for bad actors. Using advanced analytics, we can detect patterns and anomalies that may indicate a fraudulent identity is being used. Additionally, through our CrossCore® platform businesses can leverage advanced innovation, such as physical and behavioral biometrics (facial recognition, how a person holds a phone, mouse movements, data entry style), email verification (email tenure, reported fraud on email identities), document verification (autofill, liveness detection) and digital behavior risk indicators (transaction behavior, transaction velocity), to further advance their existing risk mitigation strategies and efficacy. With expanding partnerships and capabilities offered via Experian’s CrossCore platform, in conjunction with consultative industry expertise, businesses can be more confident during the authentication process to ensure a superb, frictionless customer experience without compromising security.
Identity-related fraud exposure and losses are increasing, and the underlying schemes are becoming more complex. To make better decisions on the need for step-up authentication in this dynamic environment, you should take a layered approach to the services you need. Some of these services include:

- Identity verification and reverification checks for ongoing reaffirmation of your customer identity data quality and accuracy.
- Targeted identity risk scores and underlying attributes designed to isolate identity theft, first-party fraud and synthetic identity.
- Layered, passive or more active authentication, such as document verification, biometrics, knowledge-based authentication and alternate data sources.

Bad guys are more motivated, and they’re getting better at identity theft and synthetic identity attacks. Fraud prevention needs to advance as well. Future-proof your investments.
The sheer range of dynamic and emerging fraud tactics can impede agencies from achieving security. These threats must be met with a variety of identity proofing and management tactics. Without monitoring, performance assessments and tuning, a singular and static identity proofing strategy can be exposed by evolving schemes and the use of high-quality compromised identity data. Traditional verification and validation parameters alone are simply too obtuse and can be circumvented easily by those with criminal intent. Static rules based on overly simplistic verification and validation checks can be outsmarted by intelligent fraudsters. Conversely, those same static rules must also have built-in mechanisms to accommodate true-name users who initially may not meet those criteria for identity proofing. Vast and diverse user populations, more arduous — and arguably more difficult to achieve — digital identity guidelines put forth by the National Institute of Standards and Technology, and operational constraints all pose significant challenges for government. But there are ways for government to modernize identity proofing successfully.

Modern fraud and identity strategies

There are many emerging trends and best practices for modern fraud and identity strategies, including:

- Applying right-sized fraud and identity proofing solutions. To reduce user friction or service disruption and manage fraud risk appropriately, agencies need to apply fraud mitigation strategies. Such strategies reflect the cost, measured risk and level of confidence, as well as compliance needed, for each interaction. This is called right-sizing the fraud solution. For example, agencies can tailor a fraud solution that ensures a seamless experience when a citizen is calling a service center, versus an online interaction, versus a face-to-face one.
- Maintaining a universal view of the user. Achieved by employing a diverse breadth and depth of data assets and applied analytics, this tactic is the core of modern fraud mitigation and identity management. Knowing the individual user extends beyond a traditional 360-degree view. It means having knowledge of a person’s offline and online behavior, not only with your agency, but also with other agencies with which that user has a relationship.
- Expanding user view through a blended ecosystem. Increasingly, agencies are participating in a blended ecosystem — working with vendors, peer agencies and partners. There exists a collaborative culture in identity and fraud management that doesn’t exist in more competitive commercial environments. Fraudsters easily share information with one another, so those combatting it need to share information as well.
- Achieving agility and scale using service-based models. More agencies are adopting service-based models that provide greater agility and response to dynamic fraud threats, diverse population changes, and evolving compliance requirements or guidance. Service-based identity proofing provides government agencies the benefit of regularly updated data assets, analytics and expertise in strategy design. These assets are designed to respond to fraud or identity intelligence observed across various markets and industries, often protecting proactively rather than reactively.
- Future-proofing fraud solution choices. Technical and operational resources are always in relatively short supply compared to demand. Agencies need the ability to “code once” in order to expand and evolve their fraud strategies with ease. Future-proofing solutions must also be combined with an ever-changing set of identity proofing requirements and best practices, powered by a robust and innovative marketplace of service providers.

The future of identity proofing in the public sector is more than just verifying individual identities. New standards in digital identity proofing are a responsive result of mass data compromise and failures in legacy techniques. Achieving compliant and confident identity assurance requires a layered approach, flexibly designed and orchestrated to accommodate diverse identity assertions, evidence, and contextual invocation of technologies and data assets. Government must now use risk-based approaches and mitigation strategies to identify threats quickly and determine the type of fraud before damage is done. Download our recent report in which we discuss the primary challenges of identity proofing in the public sector and what modernization of identity proofing looks like.
Reinventing Identity for the Digital Age
Electronic Signature & Records Association (ESRA) conference

I recently had the opportunity to speak at the Electronic Signature & Records Association (ESRA) conference in Washington D.C. I was part of a fantastic panel delving into the topic, ‘Reinventing Identity for the Digital Age.’ While certainly hard to do in just an hour, we gave it a go and the dialogue was engaging, healthy in debate, and a conversation that will continue on for years to come. The entirety of the discussion could be summarized as:

- An attempt to directionally define a digital identity today
- The future of ownership and potential monetization of trusted identities
- And the management of identities as they reside behind credentials or the foundations of blockchain

Again, big questions deserving of big answers. What I will suggest, however, is a definition of a digital identity to debate, embrace, or even deride. Digital identities, at a minimum, should now be considered as a triad of 1) verified personally identifiable information, 2) the collective set of devices through which that identity transacts, and 3) the transactional (monetary or non-monetary) history of that identity. Understanding all three components of an identity can allow institutions to engage with their customers with a more holistic view that will enable the establishment of omni-channel communications and accounts, trusted access credentials, and customer vs. account-level risk assessment and decisioning.
In tandem with advances in credentialing and transactional authorization such as biometrics, blockchain, and e-signatures, focus should also remain on what we at Experian consider the three pillars of identity relationship management:

- Identity proofing (verification that the person is who they claim to be at a specific point in time)
- Authentication (ongoing verification of a person’s identity)
- Identity management (ongoing monitoring of a person’s identity)

As stronger credentialing facilitates more trust and open functionality in non-face-to-face transactions, more risk is inherently added to those credentials. Therefore, it becomes vital that a single snapshot approach to traditionally transaction-based authentication is replaced with a notion of identity relationship management that drives more contextual authentication. The context thus expands to triangulate previous identity proofing results, current transactional characteristics (risk and reward), and any updated risk attributes associated with the identity that can be gleaned. The bottom line is that identity risk changes over time. Some identities become more trustworthy … some become less so. Better credentials and more secure transactional rails improve our experiences as consumers and better protect our personal information. They cannot, however, replace the need to know what’s going on with the real person who owns those credentials or transacts on those rails. Consumers will increasingly become owners of their digital identity as they grant access to it across multiple applications. Institutions are already engaged in strategies to monetize trusted and shareable identities across markets. Realizing the dynamic nature of identity risk, and implementing methods to measure that risk over time, will better enable those two initiatives.
Payments and the Internet of Things have been colliding for a while now – and it surfaced again recently with Mastercard announcing that it is working with an array of partners including Capital One to launch payments in connected devices. The thinking here seems to be that payments is a function in Maslow’s pyramid of needs for any new consumer device. I am conflicted on this point – not that I don’t believe the Internet of Things is important, but that we may be overthinking how important it is for payments to be shoved inside everything that has a radio baked in. And not everything will have a radio in the future, and the role of a smartphone as the center of the connected device commerce universe isn’t going away. It is important to keep perspective here – as this announcement is less about coat sleeves hiding NFC chips with tokenized credit cards – rather it’s the commerce enablement of devices that we may carry on our person so that they can be armed for payment. Though I may disagree on whether a coat sleeve or jewelry are essential end-points in commerce, a platform of capabilities to challenge, authenticate and verify, and ultimately trust and provision a tokenized representation of something, whether it’s a card or a fragment of a consumer's identity, to a device that itself represents a collection of radios and sensors is very exciting. It is exciting because as device counts and assortments grow, they each have their own residual identity as a combination of things and behaviors that are either deterministic or probabilistic. The biggest shift we will see is that the collective device identities can be a far better and more complete representation of customer identity, such that the latter will be replaced by the former. Name-centric identities will give way to algorithmically arrived ones.
As Dan Geer puts it, no longer will I need to announce that I am Cherian, but my collection of devices will indeed do so on my behalf, perhaps in consultation with each other. Moreover, none of these devices need to replicate my identity in order to be trusted and tethered, either. Coming back to Payments, today my Fitbit’s claim to make a successful payment is validated way before the transaction, when I authorized provisioning by authenticating through a bank app or wallet. What would be interesting is when the reverse becomes true – when this class of devices that I own can together or separately vouch for my identity. We may forget usernames and passwords, fingerprints may prove to be irrevocable and rigid, but we will always be surrounded by a fog of devices that each carry a cryptographically unique and verifiable signature. And it will be up to the smartphone, its ecosystem and the devices that operate in its periphery to individually negotiate and establish trust among each of them. So this is why I believe the MasterCard effort in tokenizing devices is important when you view it in conjunction with the recent launch of SwiftID from CapitalOne. Payments getting shoved into everyday things like wearables disguises the more important effort of becoming a beachhead in establishing trust between devices, by using tokenization as the method of delivery. As you may have gathered by now, I am less excited about pushing cards into devices (least of all – cars!) and more about how a trusted framework to carve out a tamper-proof and secure cache within an untrusted device, along with the process to securely provision a token or a signed hash representing something of value, can serve as the foundation for future device – and by extension – user identity. On a side note, here’s a bit about pushing cards into cars, and mistaking them for connected cars. To me there are only two connected car classes today.
One is Tesla where each car on the road is part of the whole, each learning separately and together as they examine, encounter and learn the world around them to maneuver safely. The other is a button in an app that I hit to have a car magically appear in front of me. Other than Tesla and Uber, there are no other commercial instances of a connected car that appeals (Google has no cars you can buy, yet).
Electronic signatures and their emerging presence in our Internet-connected world

I had the opportunity to represent Experian at the eSignRecords 2015 conference in New York City last week. The concept of electronic signature, while not new, certainly has an emerging presence in the Internet-connected world — as evidenced by the various attendee companies that were represented, everything from home mortgages to automobiles. Much of the discussion focused on the legal aspects of accepting an electronic signature in lieu of an in-person physical signature. The implications of accepting this virtual stamp of approval were discussed, as well as the various cases that already have been tried in court. Of course, the outcome of those cases shapes the future of how to properly integrate this new form of authorization into existing business processes. Attendees discussed the basic concept of simply accepting a signature on an electronic pad as opposed to one written on a piece of paper. That act alone has many legal challenges even though it provides the luxury of in-person authentication through a face-to-face meeting. The complexities and risk increase exponentially when these services are extended over the Internet. The ability to sign documents virtually opens up a whole new world of business opportunities, and the concept certainly caters to the consumer’s need for convenience. However, the anonymity of the Internet presents the everyday challenge of balancing consumer expectations of greater ease of use with necessary fraud prevention measures. Ultimately, it always comes back to understanding who is actually signing that document. All of this highlights the need for robust authentication and security measures. As more and more legal documents and contracts are passed around virtually, the opportunity to properly screen and verify who has access to the documents gets more critical.
Many organizations still rely on the tried-and-true method of knowledge-based authentication (KBA), while many others have called for its end. KBA continues to soldier on as an effective way to ensure that people on the other end of the wire are who they say they are by asking questions that — presumably — only they know the answers to. In most cases, KBA is viewed as a “check the box” step in the process to satisfy the lawyers. In certain cases, that’s all you need to do to ensure compliance with legal policy or regulatory requirements. It starts to get tricky when there’s more on the line than just “check the box” actions. When the liability of first- or third-party fraud becomes greater than simple compliance, it’s time to implement tighter security, while at the same time limiting the amount of friction caused by the process. Many in attendance discussed the need for layers of authentication based on the type of documents that are being processed and handled. This speaks directly to the point that one size does not fit all. As the industry matures and acceptance of e-signatures increases, so too does the need for more robust, flexible options in authentication. Another topic — that was quite frankly foreign to everyone we talked to — was the need for security around the concept of account takeover. When discussing this type of fraud, most attendees did not even consider this to be a hole in their strategy. Consider this fictional scenario. I’m responsible for mergers and acquisitions for my publicly traded company. I often share confidential information via electronic means, leveraging one of the many electronic signature solutions on the market. I become a victim of a phishing attack and unknowingly provide my login credentials to the fraudster. The fraudster now has access to every electronic document that I have shared with various organizations — most of which have been targets for mergers and acquisitions. Fraudsters are creative.
They exploit new technologies — not because they’re trendsetters, but because oftentimes these new technologies fail to consider how fraudsters can benefit from the system. If you are considering adopting e-signature as a formal process, please consider implementing:

- Flexible levels of authentication based on the risk and liability of the documents that are being presented and what they are protecting
- FraudNet for Account Takeover, which enhances security around access to these critical documents to protect against data breaches
- Not only the needs and experiences of your own business, but customer needs as well to enable the best possible customer interactions

If you haven’t considered implementing e-signature technology into your business process, you should — but be sure to have your fraud team present when considering the implementation.
Increased volume of fraud attempts during back to school shopping season

Back to school shopping season will be the first time many consumers use their chip-enabled credit cards and stores' new card readers. With the average K-12 family spending $630.36 per child in back to school shopping, and more than 1/3 shopping online, according to the National Retail Federation, is your fraud strategy prepared to handle the increased volume? And are you using a dynamic knowledge-based authentication (KBA) solution that incorporates a wide variety of question categories as part of your multi-faceted risk-based authentication approach to fraud account management? Binary verification, or risk segmentation based on a single pass/fail decision, is like trying to stay dry in a summer rain storm by wearing a coat. It’s far more effective to wear rubber boots and use an umbrella, in addition to wearing a rain coat. Binary verification can occur based on evaluating identity elements with two outcomes – pass or fail – which could leave you susceptible to a crafty fraudster. When we recommend a risk-based authentication approach, we take a more holistic view of a consumer’s risk profile. We advocate using analytics and weighting many factors, including identity elements, device intelligence and a robust knowledge-based authentication solution, that work in concert to provide an overall risk-based decision. After all, the end goal is to enable the good consumers to continue forward, while preventing the fraudster from compromising your customer’s identity and infiltrating your business.
Lately there has been a lot of press about breaches and hacking of user credentials. I thought it might be a good time to pause and distinguish between authentication credentials and identity elements. Identity elements are generally those bits of metadata related to an individual. Things like: name, address, date of birth, Social Security Number, height, eye color, etc. Identity elements are typically used as one part of the authentication process to verify an individual’s identity. Credentials are typically the keys to a system that are granted after someone’s identity elements have been authenticated. Credentials then stand in place of the identity elements and are used to access systems. When credentials are compromised, there is risk of account takeover by fraudsters with malicious intent. That’s why it’s a good idea to layer in risk-based authentication techniques along with credential access for all businesses. But for financial institutions, the case is clear: a multi-layered approach is a necessity. You only need to review the FFIEC Guidance of Authentication in an Internet Banking Environment to confirm this fact. Boiled down to its essence, the latest guidance issued by the FFIEC is rather simple. Essentially it’s asking U.S. financial institutions to mitigate risk using a variety of processes and technologies, employed in a layered approach. More specifically, it asks those businesses to move beyond simple device identification — such as IP address checks, static cookies and challenge questions derived from customer enrollment information — to more complex device intelligence and more complex out-of-wallet identity verification procedures. In the world of online security, experience is critical. Layered together, Experian’s authentication capabilities (including device intelligence from 41st Parameter, out-of-wallet questions and analytics) offer a more comprehensive approach to meeting and exceeding the FFIEC’s most recent guidance.
More importantly, they offer the most effective and efficient means of mitigating risk in online environments and ensuring a positive customer experience, and they have been market-tested in the most challenging financial services applications.