Moving From Static Identity To Digital Identity
Garret Gafke, President and CEO of IdentityMind Global, a BGV portfolio company, and member of the Forbes Finance Council, shared his insight to the current state of cybersecurity in Forbes magazine. The most recent Equifax data breach exposed the confidential and private information of some 143 million U.S. consumers to hackers and other nefarious users. This information includes consumer’s names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license and credit card numbers. Essentially, this means that practically every adult consumer in the United States had their information stolen. While identity theft monitoring and insurance services can help to identify when your identity is being abused, this doesn’t solve the actual problem. The information taken was more than enough for identity theft (someone to impersonate you), to create synthetic identities (fake identities made using pieces of your real information) and to enable account takeovers (where fraudsters have your credentials and take over your online accounts). Given the breadth of the breach and the attack vectors, a credit freeze offered by credit bureaus will not fully protect anyone whose information has been compromised in the breach. And, when combined with the still-unwinding Yahoo breach and the long line of others, our data is increasingly exposed. The real solution to this problem starts by not relying only on the static identity data held by credit bureaus and most other identity data sources as means for verification of an identity. Static information is the most frequently used method for identifying someone and ostensibly providing security. Most every financial company or merchant where you have an account uses static information to verify your identity. Static information was thought to provide security because that information was supposedly outside of the hands of criminals and not guessable. This information might be your social security number, driver’s license, mother’s maiden name or other special security questions, generally referred to as knowledge-based authentication (KBA). However, identity verification databases that use static data don’t update very often. And, the longer data is out there, the more likely it is to become compromised. All it requires is one slip up with one of the multitudes of companies that hold your data, and your information is compromised. For Equifax, this may have been as simple as not installing a security update. However, the bottom line is that static information by itself was never a fit for the digital world, where information is easily shareable and readily accessible through normal or nefarious means. There is another fundamental problem with identity databases. They store our identity information in ways that can be utilized for identity fraud when they are compromised. Most identity databases have an unfortunate dual purpose; they are used for identity verification, but mostly, and by far more lucrative, they are used for marketing. Marketing applications require these databases to store lots of searchable user data. The more data they store, the more valuable they are in the marketing world. However, identity verification doesn’t need to store users’ data in a way that can be reused. Cryptographic technologies provide several mechanisms to match and compare data without the need for storing the actual identity data. The digital world can be rough on the old way of doing things, and it demands stronger solutions than the old static credit bureaus can provide. Digital identities are a stronger and more relevant solution for our ever-growing digital world. Digital identities are dynamic in nature. They merge the physical and the online aspects of a user’s identity. While digital identities do include some static elements (e.g., name and address, mobile device number, national ID, biometrics, etc.), they also include dynamic elements. They are fueled by alternative data sources that represent an individual’s behavior in the digital world. A digital identity is constantly updated based on the information available from each digital transaction. In addition, digital identities require a trusted method of authentication to enable authoritative identity proofing. These methods can’t easily be spoofed or subverted. And, with the right analytics, digital identities can be scored to determine the risk that they pose to your business. This analysis looks at the correlations of the data inside and outside of the identity to establish whether the data goes together, whether it is connected with known risky people, whether there have been issues in the past and more. The use of digital identities solves two fundamental problems: static data and identity data storage. The adoption of digital identities results in a secure way of understanding who you are doing business with and the elimination of massive data repositories that put us all at risk. This breach has put the old way of understanding identity on notice. And, ultimately, it exposes us all to a better way that fits the needs of online users and online businesses. The consequences of identity fraud are frustrating, terrifying and costly to all. Stolen identities end up being used in the world financial system to fund terrorism, human trafficking, drug cartels and money laundering. This is no joke. It’s time to move beyond the credit bureau static information approach to digital identities.