When Good Enough isn’t Good Enough

Good Enough?

Think back to the last online account you created. It may have been a new bank account, or perhaps a new social media or online dating profile. Chances are you were asked questions like “Which of the following addresses have you resided at in the last five years?” This is part of the identity proofing process — the goal is to ask questions that only the person answering should know. So if someone is impersonating an identity, it’ll be pretty hard for them to come up with the correct answer on the spot.

Or so the theory goes.

According to the 2019 Gartner Market Guide for Identity Verification and Corroboration: “This premise was never sound; but, for years, it served as nearly ‘good enough.’ When limited static data verification proved insufficient, knowledge-based verification (KBV) was introduced. This prompted a user to answer questions based on more extensive public records or credit history. Even when this method was new, it was highly problematic as legitimate customers frequently failed these questions, and it introduced a high rate of friction and abandonment.”

Thanks to large-scale data breaches, static data and knowledge-based methods of verification and authentication have outlasted their usefulness.

Boatloads of Data Breaches

Over the last year alone, billions of records have been compromised across a number of large-scale data breaches. A record often contains a combination of first name, last name, address, phone, email address, username, password and other PII (personally identifiable information).

 

Breach Date Records Breached
Facebook April 2019 540 million
Marriott/Starwood September 2018 500 million
Exactis June 2018 340 million
Fortnite January 2018 200 million
Quora December 2018 100 million

 

The largest data breach of 2019, dubbed Collection #1, wasn’t even a single data breach — it was the name given to the large sets of email addresses and passwords that appeared on the dark web around January 2019. According to Wikipedia, the database contains over 773 million unique email addresses and 21 million unique passwords, resulting in more than 2.7 billion email/password pairs. The list contained exposed addresses and passwords from over 2,000 previous data breaches as well as an estimated 140 million new email addresses and 10 million new passwords from previously unknown sources, and collectively makes it the largest data breach on the internet.

As a result of these data breaches and so much of our PII being leaked to the dark web, Gartner now recommends that “identity proofing solutions that rely on shared secret verification, such as out-of-wallet knowledge questions, or memorable personal data, be phased out. The concept of high memorability, low availability data has become archaic since the rise of social media and the subsequent plethora of breached data available through underground organizations.”

The National Institute of Standards and Technology released a draft of its new proposed Digital Authentication Guidelines, and whereas the previous revision listed “pre-registered knowledge tokens,” or security questions, as a recommended authentication technique, the new draft eliminates any mention of such measures. NIST, in other words, no longer endorses security questions as a measure for protecting federal accounts.

The Current State

Despite Gartner’s recommendations, many organizations still rely heavily on knowledge-based verification and static data. In June, the U.S. Government Accountability Office (GAO) released a report stating that several prominent government agencies still rely on the three major credit agencies (Equifax, Experian and TransUnion) to verify a person’s identity with KBV. The government must find a way to eliminate KBV methods to avoid having the individuals they serve become increasingly vulnerable to identity fraud.

But, this goes well beyond government agencies.

Many organizations around the globe looking to comply with regulatory requirements such as know your customer (KYC) still require verification of static data, and the concept of identity proofing is frequently tied to these activities. According to Gartner: “Enterprises with a remote business presence (digital or contact center) have had to continually add new approaches and technologies to detect anomalies that may indicate that individuals are not who they say they are. This is occurring despite the correct recitation of credentials and/or PII.”

Other Emerging Threats to your Online Ecosystem

While data breaches and the dark web are threatening KBV, phishing attacks and credential stuffing are threatening password-protected websites. This means that organizations need to ensure that users are who they claim to be when they’re creating new accounts, but they now must also ensure that existing users are who they claim to be when logging into their accounts.

Phishing Attacks: Over the last two years, many organizations saw a shocking increase in social engineering and most of this was executed through email-based phishing attacks targeting end users. More than a third of all phishing attacks launched last year were aimed at e-commerce organizations, banks and payment systems. Unfortunately, hackers are finding ways to exploit vulnerabilities with innovation at a terrifying speed.

Usually, the hacker will send out counterfeit messages to multiple individuals, requesting they take urgent action on something. In previous years, these messages were easy to detect and were often ignored and deleted. Nowadays, cybercriminals seem to be doing extensive research and getting to know their target, their weaknesses and online habits so that their urgent email is fitting for the receiver.

Credential Stuffing: Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. Criminals can test and validate username and password combinations on thousands of different sites with high success rates.

Making matters worse, credential stuffing attacks are increasingly being automated and weaponized by bots. In fact, bots are capable of performing upwards of 100 attacks per second, making it easier and faster for fraudsters to commit nearly limitless account takeover (Source: Forter, 2019). PerimeterX research found that these types of automated credential stuffing attacks enjoyed a surprisingly high success rate of 8% per takeover attempt.

A Modern Approach

Instead of relying on static data, shared secrets or simple usernames and passwords, more and more companies are turning to online identity verification and biometric based authentication. This requires organizations to capture a picture of their government-issued ID and pairing that with a corroborating selfie and certified liveness detection when onboarding new users.

A trust anchor can be accomplished by establishing the authenticity of a government-issued identity document (e.g., a driver’s license). When the user takes a picture of their ID, solution providers such as Jumio can tell whether the ID is authentic or has been doctored. By further requiring new users to take a corroborating selfie, enterprises can ensure that the person pictured in the selfie matches the picture on the ID document. From there, enterprises can layer in biometrics and liveness detection to ensure that the person providing the ID credential is physically present.

Certified liveness detection often takes place during the selfie-matching process and confirms that the person is physically present and thwarts cybercriminals who are increasingly using spoofing attacks to acquire someone else’s privileges or access rights. They do this by using a photo, pre-recorded video, deepfake or a different substitute for an authorized person’s face.

Think about how different these two approaches are.

With knowledge-based verification, organizations are relying on a supposed shared secret, but that secret is no longer much of a secret, thanks to large-scale data breaches, identity theft and the dark web. This method provides the lowest level of identity assurance because it requires no corroboration with authoritative sources.

Now, compare this with modern online identity verification. These solutions deliver a significantly higher level of assurance because the digital identity is tethered to a government-issued ID. And after the ID is proven to be authentic, the digital identity is further corroborated with a selfie and certified liveness detection which ensures that the user is physically present. Given the recent increase in spoofing attacks and deepfake videos, liveness detection helps provides a powerful deterrent to cybercriminals and a crucial ingredient to a more reliable identity verification process.

The techniques used for identity verification are evolving, but, it’s clear that “good enough” methods of identity verification are no longer sufficient. Modern enterprises need to rely on methods that deliver much higher levels of identity assurance. Thanks to biometric-based verification solutions, enterprises now have a viable alternative. Plus, these newer solutions do a significantly better job at deterring online fraud (and account takeovers), optimizing conversions, and ultimately increasing revenues.

Get the 2019 Market Guide for Identity Proofing & Corroboration report for an in-depth look at representative identity proofing solutions and key buying considerations here.

email

Get the latest updates from the Identity and Beyond blog, delivered to your inbox.

    Yes, I would like to receive periodic updates from the Jumio blog as well as marketing communications regarding Jumio products, services, and events. I can unsubscribe at any time.

    Jumio values your privacy. To learn more, visit our Privacy Statement.