You, Yourself and Your ID
by Rajeev Yadav, CISO, Fraud.net
Back in the ’90s, my college used to issue email IDs made up of student initials and the last four digits of their Social Security Number. Furthermore, student grades used to get posted on the classroom walls, on wide dot-matrix computer paper, against these IDs. It wasn’t very hard for any student to figure out which smart fellow busted the curve, and who really slumped it and deserved the stare the next morning while walking into the classroom. A lot has changed since the ’90s. Now you can tap your phone at a gate device while checking into an Amazon Go grocery store, buy the goods and simply walk out. You will get a bill in the mail or email, just as you do now at automated toll booths on many national highways.
In both use cases, there exists a ‘trust’ model that balances the available complexity, the risk, and the related productivity loss (or gain). Imagine the steps required to issue the email ID in the ’90s use case and the related processes to publish the test scores, and then compare them to the Amazon Go model. It is a night and day difference, one might argue. And they would be correct. The real goal in both cases is to get to the desired data with the least friction possible. The institute is dealing with education and wants to rate students by their scores. The grocery store is interested in letting customers buy what they want and pay for it with the least effort and risk possible. Herein lies a great opportunity. “Institutions using high-assurance ID for registration could see up to 90 percent cost reduction in customer on-boarding, with the time taken for these interactions reduced from days or weeks to minutes,” finds a recent McKinsey study.
Just imagine the amount of effort required to get you a driver’s license or a passport, or even that email ID you are using at your company. In New Jersey you have to pass 6 point ID verification when getting a new driver’s license. The DMV agent will ask you for such items and inspect them visually, not knowing or ignoring the fact that those papers can be counterfeited as well. The DMV further breaks them down into primary identity and secondary identity categories, with the primary being state-issued IDs like a passport (foreign or domestic) or birth certificate, and the secondary being items like Employment Authorization and Social Security Numbers. A simple record pull on Social Security Benefits administration will tell you that it has 6 million living subscribers drawing benefits over the age of 112. 6 million residents over the age of 112!!! Do you believe it? The real count is 5. How about the % error rate on such an outcome!? There! So much for the trust in the Social Security Number. We at Fraud.net track Synthetic Identities, and the SSN is clearly not a reliable proof for the reasons just mentioned. So if one gets a driver’s license based on such 6 points of verification, is it truly indicative of the person carrying it!!? Well, if you go by DMV systems, that will be the expected outcome. You passed the 6 points of ID check, got issued a driver’s license and can roam about the country, and maybe open a bank account too. Little does the bank know that your DMV license was generated from counterfeited 6 points of ID, unless of course it is doing more ID verification itself. Oops again!! You mean DMV proof is not good enough anymore? Obviously not! Otherwise why would the bank have its own!?
Now what if the bank’s ID verification is marred by flaws similar to the DMV’s? It’s probable. If they are doing their homework right, one or two strong ID verifiers will be hard to spoof, though any security professional will tell you that given time, anything is possible. Most banks, however, take state-issued IDs to be sufficient. Hopefully you now get the drift: we are caught in a web of constant ID verifiers and reverifiers because there exists no single authoritative source that can verify IDs with strong assurance at the first go. This is an opportunity and a complex problem to resolve. This is why a few nation states have embarked upon issuing strong citizen identifiers based on biometric verification, also known as Digital ID. The expectation is that you shall not be able to spoof your biometric information such as fingerprints, retina, voice, or facial patterns. As you might have guessed, all such methods are susceptible to spoofing and can’t always be trusted 100%. In a study, researchers in China and the US found that facial recognition systems can be beaten 70% of the time as long as the spoof resembles some features of the subject, so they are far from being a perfect assurance in an ID check. That said, Digital IDs have been very effective in their intended use cases. For example, the McKinsey study finds that “the Indian telecom provider Jio onboarded some 160 million new customers in less than 18 months using e-KYC, enabled by India’s national digital ID system, Aadhaar.” That is a super productivity output given the size of the rollout against the time taken to implement it.
Unfortunately, even a Digital ID platform as big as Aadhaar has a risk tolerance of 5%, and carries names of Jambul trees, cows etc. as humans. Go figure! In my conversation with Aadhaar’s authoritative sources, I came to know that the current error tolerance of 5% is still better than the 25% observed in previous platforms. So it is still an improvement and worth the risks against the rewards. However, a 5% error rate on a 1.3 billion population comes to 65 million. That is roughly the population of the UK or France, and is clearly not acceptable in our book. So while India is happy with the error rate and can focus on the positives, we in Machine Learning and Artificial Intelligence can’t. It is just too big an error rate for a digital platform and identity assurance. So what should we do now!? You guessed it. Reverify again. You are truly getting the hang of the article’s theme by now. “How many times do we really have to do this song and dance?” your curious, frustrated mind is asking by now. But such is the reality around us. We are constantly verifying ourselves, being redundant and causing huge productivity losses in the process. A Thomson Reuters study covering 800 financial institutions finds that “the costs and complexity of KYC (Know Your Customer) are rising, and are having a negative impact on businesses. While financial firms’ average costs to meet their obligations are $60 million, some are spending up to $500 million on compliance with KYC and Customer Due Diligence (CDD).” Ladies and gentlemen, welcome to this sphere of lacking trust, along with its associated regulatory requirements and costs. No one believes anyone, and that is a sound strategy given the lack of trust assurances coming out of such identity verifiers. They are just not credible enough. Risk officers would rather ask you to reverify the identities, limit their liabilities, and take a hit on productivity, than not.
It is an unfortunate reality most of the CIOs and CISOs deal with on a daily basis. There has to be a solution.
One hopes and expects that we should have figured out a decent, true universal ID verification by now. It is not yet fully solved, though Digital ID platforms are indeed showing positive results. However, we believe that it needs to be augmented with better real-time verifying intelligence which is irrefutable by nature and extremely complex to spoof. Instead of verifying you at a point in time and looking at just half a dozen static proofs which can be counterfeited, imagine a shadow angel that can pull up your exact time of birth, your high school grades, your favorite crush in college, the name of your second cousin, your second salary, first bonus amount, your mouse clicks, your browsing patterns, the way you walk, the way you talk, your facial patterns, the number of visits you made to Macy’s to buy smart outfits or fancy sandals, your favorite airline, gas provider, shopping clubs, library, doctor or, simply put, a constant shadow that cares about keeping your hard-earned transactions from falling into fraudsters’ hands. The ‘angel’ shadow knows your profile on a timeline, and can map every transaction against it. It is verifying you every time, non-stop, and getting to know you a bit better along the timeline in the process, hence it is not static. This would be the Machine Learning component of our Identity verification services.
A fraudster who has a bank account in your name is pretending to be you and is trying to wire your life’s savings into that account. “Using its own data and statistics from international law enforcement and financial institutions, IC3 (FBI’s Internet Crime Complaint Center) found that between December 2016 and May 2018 there was a 136% increase in identified global exposed losses due to the Email to Wire Transfer scam, to $12.53 billion,” suggests the FBI report.
We believe that a constant real-time verifier is hard to spoof and offers much more advanced protection and verification services than its static counterparts. It might be relatively easy to spoof the predictable and static 6 points of ID asked for by the DMV or a bank, but not over 2000 identity variables and their interdependent correlations.
You heard it right. On the Fraud.net platform, it’s well over 2000 possible digital identity signals and their unique correlations with each other. We have made it mathematically extremely complex to spoof our smart AI, and given the amount of effort required to brute force it, the fraudster will most likely focus on an easier target than you. For those of you really concerned about privacy, please rest assured that we are not after your privacy per se. Our goal is to prevent your transaction from falling into the wrong hands. So it’s the transaction that acts as our primary key and trail for subsequent entity correlations. Furthermore, fraud and legal use cases, including under GDPR, have explicit exceptions in regulatory expectations, which Fraud.net complies with.
Given 2000 identity attributes in real time, our simple assurance score can be summed up as:
Now let’s look at the probability of spoofing even 10% of our verifiers, let alone all 2000 attributes, assuming a 1 in 100 chance of spoofing any one of our verifiers.
Hence, spoofing all of our verifiers at the same time is mathematically next to impossible, an extremely low likelihood. Even if you throw in the errors or false positives, the assurance is a fairly irrefutable argument and will hold in any decent court or jurisdiction that values rational and scientific thinking. Hence, while you might be able to trick facial recognition with a high resolution photo, a 3D printed mockup or infrared patterns, or lift fingerprints from door knobs or glasses, guess passwords, bypass 2FA via man in the middle attacks, or obtain a fake driver’s license, dodging 2000 identity attributes and their correlations in real time is near impossible. It is a sum of all parts argument. Hence, it is stronger by nature and adaptive.
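The arithmetic behind this argument can be carried through in log space, since the probabilities are far too small for a float. This is an added example, not Fraud.net's scoring code: it uses the article's figures (2000 verifiers, 10% of them, a 1 in 100 chance each), assumes verifiers fall independently, and adds a hypothetical grouped case (group size 50 is a constructed value) to show how much the result depends on that independence.

```python
import math

def log10_spoof_specific(k: int, p: float) -> float:
    """log10 of the chance that k chosen verifiers are all spoofed, assuming
    each falls independently with probability p (the article's 1 in 100)."""
    return k * math.log10(p)

def log10_spoof_at_least(n: int, k: int, p: float) -> float:
    """log10 P(X >= k) for X ~ Binomial(n, p): any k or more of n verifiers
    spoofed. Summed in log space because the terms underflow a float."""
    def log_term(i: int) -> float:
        log_comb = math.lgamma(n + 1) - math.lgamma(i + 1) - math.lgamma(n - i + 1)
        return log_comb + i * math.log(p) + (n - i) * math.log1p(-p)
    terms = [log_term(i) for i in range(k, n + 1)]
    peak = max(terms)
    total = peak + math.log(sum(math.exp(t - peak) for t in terms))
    return total / math.log(10)

def log10_spoof_grouped(k: int, p: float, group_size: int) -> float:
    """Same as log10_spoof_specific, but verifiers that derive from one source
    (assumed groups of `group_size`) fall together, so only the number of
    independent groups counts."""
    groups = math.ceil(k / group_size)
    return groups * math.log10(p)

if __name__ == "__main__":
    n, p = 2000, 0.01          # figures from the article
    k = n // 10                # "even 10% of our verifiers"
    print(f"specific {k} verifiers, independent: 10^{log10_spoof_specific(k, p):.0f}")
    print(f"any {k} or more of {n}:             10^{log10_spoof_at_least(n, k, p):.0f}")
    # group_size=50 is a constructed value, not a measurement of any product
    print(f"{k} verifiers in groups of 50:       10^{log10_spoof_grouped(k, p, 50):.0f}")
```

The independent figures are vanishingly small, while the grouped figure is not, so the strength of a many-signal score rests on how independent the signals really are.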
New and upcoming models for identity creation and verification that leverage blockchain technology are also on the horizon. In my view, this is more akin to PGP’s Circle of Trust argument. The net result remains to be seen, but at first glance it is a fundamentally flawed model, because a fraudster can also set up a fake identity on the same platform – as they are allowed to – and build circles of trust or endorsements on the blockchain with other legit identities. Facebook recently stopped roughly 3 billion fake accounts from being created, but still expects 5% (119 million) to persist amongst its 2.4 billion active users, and the number is only rising. Again, that is double the population of the UK, give or take. PGP’s Circle of Trust was marred by similar issues. Just because President Trump has 1 million followers doesn’t mean that he knows them all personally. Public endorsements are marred by similar logical flaws. Surely, it does give you usage freedom, as only the creator of the ID is able to unlock the system with its private key. However, entity endorsement at scale as a way to make a verified identity is yet to be proven on blockchain. It is indeed a good development, but still in its early stage. You won’t insure a person simply because Bill Gates said that the person doesn’t drink or smoke. Would you? By the same token, if 200 legitimate people are saying that the person is a heavy drinker and smoker, then you might want to put some weight on such an assessment and take it as a good indicator, but you will still end up verifying it to your own specifications for legal and liability purposes.
In Fraud.net’s model, blockchain entities become yet another Verifier to be leveraged. So Fraud.net’s real-time analytics will also scale accordingly and pull in such references as they become available. Hence, the collective Verifier is still stronger than its individual parts. Hence, such upcoming technologies become another Verifier on Fraud.net’s AI platform, making it future proof and ready to take on such inputs as they become available.
“In the United States, approximately 16.7 million Americans were victims of identity fraud in 2017, an increase of 8 percent from 2016.”
In summary, it pays to adapt and become a frictionless practitioner of commerce. In the UK, “nearly 25 percent of financial applications are abandoned due to difficulties in the registration process,” finds the McKinsey study. We believe that with increased Digital ID adoption and strong identity verification assurances, businesses can start to leverage the true promise of digitization and help address such revenue losses. “Institutions using high-assurance ID for registration could see up to 90 percent cost reduction in customer on-boarding, with the time taken for these interactions reduced from days or weeks to minutes,” asserts the same McKinsey study, and we further believe that the true power of AI on such assurances is just scratching the surface. Frictionless commerce is here to stay and will become a market differentiator for all industries. So whether you are a bank looking to combat AML (Anti-Money Laundering) and KYC (Know Your Customer) challenges, a Human Resources agency looking to hire the best talent with a verifiable background, or a credit agency trying to provide an authoritative scorecard on an individual, you need an irrefutable identity assurance model. Furthermore, you want it to be real time to help plug productivity and revenue drains.
Digitization with strong identity assurance services can significantly help reduce employee workload, paper and manual workflows, and allow businesses to focus on their core objectives rather than on managing identities and meeting regulatory requirements and obligations. Early adopters of such technology roadmaps are certainly bound to reap the benefits, not only in productivity gains, but also in contributing to the fight against fraud. We are witnessing the full spectrum of this, and are at its epicenter to help address the challenges – collectively.