Beefing Up Identity Verification
News broke recently that yet another data breach leaked possibly billions of records. Starting in April, a hacker known as USDoD leaked data containing Social Security numbers, emails, mailing addresses and phone numbers stolen from a Florida data broker, National Public Data. But the information contains discrepancies, and some records are tied to deceased individuals, according to security expert Troy Hunt, who runs the website HaveIBeenPwned.com, which allows users to check if their emails have appeared in breaches.
Unfortunately, Social Security numbers haven’t been secure for a long time. Almost a decade ago, a Verizon Communications analyst told National Public Radio that 60% to 80% of Social Security numbers had been stolen by hackers. That number will have climbed. They’re also easy to figure out using basic public data, according to a 2009 study by Carnegie Mellon University researchers.
Luckily, Alloy CEO Tommy Nicholas says banks don’t tend to rely on the Social Security number as a sole form of identification, but rather one of many records used to confirm identity. “We have established and been telling our clients for a long time, verifying the SSN is the starting point upon which you can provide identity validation and verification, but it is, in and of itself, to no extent identity verification,” he says.
There are gaps, he adds. If a criminal accesses a customer’s email, for instance, they could intercept a so-called magic link that is part of a multi-factor authentication process — think of any link you have received when you forgot a password.
The SSN is just one form of knowledge-based authentication, along with questions such as your mother’s maiden name or the street you grew up on. Criminals have those answers at their fingertips through social media, public information and stolen records. Despite this, financial institutions have increased their reliance on knowledge-based authentication, according to Alloy’s 2024 State of Fraud Benchmark Report.
Behavioral biometric tools that monitor keystrokes “can detect whether you're typing [knowledge-based information] like somebody who knows it or somebody who doesn't know it,” Nicholas says. That can help banks combat fraud attempts that use information like the SSN — but it’s just one tool in the increasingly complex toolkit institutions will need to battle fraudsters.
• Emily McCormick, vice president of editorial & research for Bank Director
|