In the real world, proving your identity is pretty straightforward. When you show up in person to open a bank account, rent a car, book a hotel room, gamble at a casino or purchase alcohol, you present your government-issued ID, proof of address or whatever else might be required for the transaction, and the company you’re doing business with can physically see that you are who you claim to be.
This process gets far more complex in the digital world. Now, these same companies must find a way to verify you are who you say are, even though you aren’t physically there to present your ID or documentation. Companies must find a way to assure your digital identity matches your real-world identity.
So, what is a digital identity?
In simple terms, your digital identity is the compilation of information about you that exists in digital form — this can be everything from your date of birth to something you like on Facebook.
What Makes Up a Digital Identity?
The information that forms your digital identity can be grouped into two broad categories: your digital attributes and your digital activities. These pieces of information, either alone or combined together, can be used to identify you.
Here are some examples of each:
|Digital Attributes||Digital Activities|
|Date of Birth
ID Numbers (SSN, driver’s license)
Government Issued ID (passport, driver’s license, etc.)
Login Credentials (username & passwords)
Biometrics (fingerprint, eye scan, 3D face map)
Badges and Tokens
|Likes, Comments and Shares on Social Sites
Photos on Facebook, Instagram, etc.
Cell Phone Usage
Digital Identity: Currency for Fraudsters
Your digital identity acts as a sort of currency on the web. In your favor, your digital identity can give you access to your accounts, allow you to open new accounts and give you credibility to engage in a trustworthy way with people, products and services online. On the flip side, the fact that your personal information exists online means that it is subject to hacks, breaches, copycating and theft. And with 4,000 publicly disclosed data breaches and 4.1 billion exposed records in the first six months of 2019 alone, much of that previously personal information is now public information.
How Digital Identity Information is Exposed:
- Public Wi-Fi networks
- Unsecured websites
- Third-party data breaches
- Phishing attempts
- Weak or limited number of passwords
- Deepfake videos, voice and graphics
- Location sharing settings
- Adding strangers to social media accounts
“All the information is available if you know where to look,” explained Robert Prigge, Jumio president, in a keynote on the lasting impact of data breaches at the Sibos London 2019 event. “There’s a very vibrant marketplace for identity information that can be resold and used against you.”
This “vibrant marketplace” is known as the dark web — a network of sites within the deep web, not accessible by search engines or through normal web browsing means. On the dark web, identity data is acquired, sold or dumped.
While people tend to think of Social Security numbers as valuable, they can be purchased on the dark web for as little as a dollar. Banking information can garner $15 to $20, credit card details can range from 25 cents to $60, and at $350 a pop, medical records are among the most valuable.
These marketplaces don’t just have individual identity data — they have bundles that combine a passport, a selfie and a utility bill to make the job of a fraudster that much easier.
Just having one or two pieces of someone’s digital identity can have a cascading effect that leads to an even more complete digital identity that can be used to access more and more secure, valuable accounts. Your pet’s name? Right there on Instagram. Your mother’s maiden name? Available on Facebook. Your date of birth and email address? Pretty darn easy to track down.
POV of the Modern Organization
Let’s put our business hats on. Operating in an increasingly digital world, many organizations must be able to verify the identities of their customers and users online. Bad actors don’t belong in the online ecosystems of financial institutions, the sharing economy, online gaming, mobility services, dating sites and elsewhere. Organizations have a business imperative to care about and verify the digital identities of their users.
This imperative is driven by three key issues:
Your customers and online users trust that you will protect their data. But there’s another side to trust. In many industries, your customers or online users are interacting with one another. Whether a buy-sell-trade exchange, ridesharing, house rental, dating site or other similar online platform, trust is the linchpin of it all and the foundation of trust is establishing that the person on the other end of the transaction is who they say they are.
The recent Jumio Global Trust and Safety Survey found that only two-thirds of U.S. adults and one-half of U.K. adults feel “very safe” or “somewhat safe” using online sharing services. Furthermore, the study revealed that a combined 64.4% of U.K. and U.S. consumers feel it’s important for online sharing services to verify the identity of new users.
2. Fraud Risk
Hand in hand with the increasing array of identity information housed online is the risk that this information will fall into the hands of fraudsters. Case in point: account takeover fraud is one of the fastest-growing types of fraud. This fraud doesn’t just hit your customers in the pocketbook — corporate losses from fraudulent online transactions are expected to reach $25.6 billion by 2020, according to Juniper Research.
Existing and evolving compliance mandates bring digital identity to the forefront of the minds of compliance managers and executives. KYC and AML compliance mandates are probably the most well known when it comes to their direct impact on online processes and especially, account opening. But there are others, including California’s upcoming CCPA compliance rules and Europe’s GDPR mandates that are driving the need for companies to establish a strong link between digital and real-world identities of their online customers.
What’s Wrong with Traditional Approaches to Online Identity Verification?
Most businesses currently use some combination of a classic security paradigm to gain an appropriate level of assurance that the identity of their online customer matches the real-world identity of the customer. This paradigm includes:
- Something the customer knows (e.g., security question, password)
- Something the customer has (e.g., ID badge, cryptographic key)
- Something the customer is (e.g., 3D face map, biometric data)
The problem with this model, however, is that organizations rely disproportionately on the first two categories — what people know or what they have. Unfortunately, things you know, like passwords and security questions, can be easily gleaned from the internet (or dark web) and things you have, such as a cell phone number or SIM card, are increasingly problematic because they can be damaged, lost or stolen.
At Jumio, we contend that businesses still asking only for a passport and utility bill are asking for the wrong information. They’re merely asking if a person is who they say they are versus who they really are. But what if that person has a legitimate, yet stolen, ID document? Likewise, looking at an account record is no longer helpful. Companies need to know that the person interfacing with them online is who they purport to be at that very moment.
In fact, in its 2019 Market Guide for Identity Proofing and Corroboration, Gartner now recommends that organizations move away from identity proofing solutions that rely on shared secret verification, such as out-of-wallet knowledge questions or memorable personal data (often used as part of knowledge-based verification solutions).
Asking the Right Questions
Are you really who you say you are?
Are you still really who you say you are?
If you think about, these are the two questions companies should care most about when it comes to digital identity. The answers to those questions come through two interconnected processes: upfront identity verification and ongoing user authentication. Identity verification confirms the link between the digital and real worlds on the outset of the customer relationship — during account opening or enrollment. Authentication maintains that that the person who later logs into the account is the same person who initially opened the account.
For these processes to work, however, you need to establish the connection by verifying who the person really is by verifying something the customer is.
The Future of Identity Security? Things They Are.
Increasingly, modern enterprises are turning to biometrics for identity verification and authentication in order to answer the burning questions we posed above. Companies are using biometrics, alongside more traditional ID verification, to strengthen their defenses against online fraud, maintain compliance with AML and KYC, and to build trust in their online ecosystems.
At Jumio, we recommend a best-practice online identity verification process that ties the digital identity to a government-issued ID and after the ID is proven to be authentic, the digital identity is further corroborated with a selfie and certified liveness detection to ensure that the user is physically present. This powerful combination of verifying who someone is, binding that person to face-based biometrics and further securing the transaction with certified liveness detection allows modern organizations to operate more securely in the digital world.
To learn more, we invite you to read Trusted Identity From Start to Finish, A FindBiometrics white paper.