Exploring your options for online identity verification.
If you’ve seen Catfish: The TV Show, you know that people are not always whom they claim to be.
Catfishing refers to a scam where someone, the ‘catfish,’ creates a fictitious online identity often using someone else’s pictures and false biographical information to pretend to be someone other than themselves. Online dating websites and cell phone dating apps are fertile hunting grounds for catfish.
Catfishing involves significant deception – it’s not just someone fudging his or her height and weight in a Match.com profile and using a three-year-old photo. A catfish will be far more deceptive. Often, he or she will use someone else’s photos; grab personal details such as work, educational history, and personal histories off of the Internet; and invent an entirely fictitious life for his or her fictitious identity.
Catfishing comes as no surprise to companies that do business online as most have had to contend with some flavor of online fraud, credit card fraud, and phishing/imposter scams. So, how do modern enterprises actually verify that the people creating online accounts are who they say they are — short of sending people to their home to verify their legitimate identities?
There’s a variety of methods in practice, each with their pros and cons, that can help identity proof your customers. To better understand the pros and cons of each type of identity verification, we put together a handy table. Check it out here.
Knowledge-Based Authentication (KBA)
KBA verifies customers by asking them to answer specific security questions in order to provide accurate authorization for online or digital activities. We’re all familiar with these questions and often have to struggle to remember the right answers. The bad news is that it might be easier for the fraudsters to get a hold of those supposedly secret questions. Thanks to global data breaches, a lot of the data that you thought was private is now common knowledge and available for pennies on the dark web. And in some cases, it’s even easier than that. Unfortunately, many KBA questions are based on information that criminals can easily find on social media sites or through other sources of publicly available information that they can then use to pass these security tests and access consumers’ accounts.
To learn more, check out our infographic: Top 10 Signs Knowledge-Based Authentication is Going Extinct.
Two-factor authentication is an extra layer of security that requires not only a password and username, but also something that that the user has on them (i.e. a piece of information only they should know or have immediately on hand, such as a physical token or a numeric code delivered via text message). Nearly all major web services now provide some form of two-factor authentication, but they vary greatly in how well they protect accounts.
Unfortunately, dedicated hackers have little problem bypassing the weaker implementations, either by intercepting codes or exploiting account-recovery systems. Criminals targeting Bitcoin services were finding ways around the extra security, either by intercepting software tokens or more elaborate account-recovery schemes. In some cases, attackers went after phone carrier accounts directly, setting up last-minute call-forwarding arrangements to intercept codes in transit. Drawn by the possibility of thousand-dollar payouts, criminals were willing to go further than the average hacker.
Credit Bureau-Based Solutions
Many online identity verification systems call out to one of the big three credit bureaus, Experian, Equifax, and TransUnion, who then search for an identity match within their vast repositories of consumer credit data.
The good news is that these sources are often authoritative databases that provide a wealth of information based on first and last name, address, and social security number. But, the biggest downfall with credit-bureau based solutions is that they do not actually verify that the person providing the information is the actual person behind the transaction. Plus, people with thin credit files, usually young people, recent immigrants, or people who for some reason have very rarely used mainstream financial services, often cannot be matched.
These solutions leverage online, social media, and offline data (and sometimes behavioral patterns) to detect if an online ID is authentic, a fraudster or a bot. Unfortunately, these solutions can be spoofed because of the ease of creating fake online identities (e.g., synthetic identity fraud) and bogus social profiles. And like credit bureau-based solutions, their biggest weakness is not being able to definitively verify that the person providing the information is the actual person behind the transaction.
Online Identity Verification
New online identity verification solutions often leverage a mix of artificial intelligence, computer vision, biometrics and verification experts to determine if a government-issued ID is authentic and belongs to the user. Some solutions, like Jumio’s Trusted Identity as a Service, also require the user to take a selfie to ensure that the person holding the ID the same person shown in the ID photo. These solutions have proved more reliable in ensuring that the person behind an online transaction is the same person behind the driver’s license (or passport) and the selfie.
In fact, banks have reported that when such biometric authentication is used, customers are much more inclined to go through with their purchase. The abandonment rates can drop by up to 70% compared to other methods like two factor authentication which reflects the much improved user experience.
Clearly, you need to maintain a healthy level of skepticism about the identities of your customers. But, at the same time, you need to make sure that your legit customers can still sail through the onboarding or account set-up process with ease and as little friction as possible.
Increasingly, today’s enterprises are turning to online identity verification to better detect bad actors and increase conversion rates by leveraging smart technology and better processes that lead to much higher levels of assurance.
To learn more about the characteristics of an enterprise-class identity verification solution, I encourage you to check out our Buyer’s Guide for Online Identity Verification.