Webinar Recap: Secure ID Verification in a Digital World
In our recent webinar, Urjanet’s VP of Product, Matt Kuo, and Kevin King, Director of Product Marketing at ID Analytics, discussed the evolution of digital fraud and the latest tactics to fight it. Each brought their unique expertise into navigating the delicate intersection of security and user experience with secure ID verification. You can watch the full webinar replay here, or catch up on the key takeaways below.
Evolution of Identity Theft
Previously, verifying a consumer’s identity was simple. A customer would visit a lender in person and present their government-issued ID. But now, everyone operates digitally, which has ushered in a new era of fraudulent activity.
- PwC found that 46 percent of consumers use digital-only banking.
- Nearly 40 percent of respondents to an Urjanet survey want to open an account with a desktop or mobile device.
- Over 50 percent want mobile or desktop account support.
Of course, this shift to digital channels gave rise to new potential for fraud. Globally, we saw a 40 percent rise in data breaches from 2015 to 2016. Research from JAVELIN and ID Analytics found that for every new fraudulent transaction — such as opening an account under a false identity — it costs an average of $400 to the consumer and $3,200 to the lender. As Kevin said:
“The online channel has become this haven for fraud attempts.”
As a result, the demand for secure ID verification methods is higher than ever. The market for digital identity verification is estimated to grow nearly $10 billion by 2021.
Friction Between Security & User Experience
Financial institutions are now at a crossroads between security and user experience. More often than not, neither of these requirements are met to the satisfaction of the consumer. According to Matt:
“On one end of the spectrum, there’s really heavy-handed fraud deterrence, but it sacrifices the convenience of the user experience. I think we’ve all had experiences where we wanted to do something, but there were too many steps, so we gave up and decided to come back later.”
Many lenders strive to avoid this issue with two-step verification and multi-factor authentication (MFA). Two-step verification is based on data from the big three credit bureaus, asking a series of “challenge questions” to verify a consumer’s identity. MFA goes one step further, asking the user to provide two pieces of information — something they possess and something they know.
MFA, however, is far from foolproof. Fraudsters have developed a technique called SIM swapping. They request a new SIM card from the victim’s mobile service provider and intercept verification codes sent from the lender. Kevin wasn’t surprised to see fraud tactics evolve so quickly. He argues that “no two-factor or multi-factor authentication process is fraud-proof. Nothing on the market is 100% guaranteed to prevent fraud.”
The Future of Secure ID Verification
Hence, the future of secure ID verification has to rely on more than just MFA. It needs a combination of direct-from-source data, including biometrics, utility bill data, and real-time verification. How is this implemented, you ask? People attending the webinar had the same question. Check out Kevin and Matt’s answers below.
What sort of pitfalls should I be aware of in this process?
Matt: It’s really about striking that balance between user experience and the deterrence of fraudulent activity. Don’t be too heavy-handed in implementing these technologies. You have to be very cognizant of that user experience, ensuring that you understand your different types of customers and the precise touch points where fraudulent activity is more prevalent. That’ll indicate how to implement the right tactics at the right places.
Another common pitfall is thinking that one method is going to fix the problem overall, and then you can walk away from it and never have to worry about it again. This is an ongoing initiative for most organizations. As fraud tactics continue to evolve and fraudsters get smarter, you have to continue to build your arsenal and evolve your experience from a long-term perspective. It’s something you should always be watching.
Do you have an example of a good implementation or a bad implementation?
Kevin: I’ll give an example of a good one first. I think back to about 18 months ago to a large online lender who was revamping their identity verification process. This is a fintech-oriented company. They were moving away from some of the super heavy-handed approaches that Matt warned about. You see, very often, good implementations are inspired and informed by some not-so-good ones. They had realized what was and wasn’t working. So when it came down to implementation, they were very thoughtful about a lot of the best practices we’ve touched on in this webinar. They looked through their various customer touch points where authentication was needed, and looked at the importance of security vs. convenience at each point.
For example, this lender had a need to authenticate new investors to the site as well as new loan seekers. So not only were people coming to this website to potentially get a new loan, but people were also coming to this website to invest money that could be loaned out to people, so kind of a peer-to-peer process. And the lender saw the risk vs. convenience calculus being very different for each audience.
They really thoughtfully and carefully weighed the risks of friction against the risks of being too lenient.
With investors, they were a little bit less worried about fraud threats, and more worried about getting interested people into the door and investing. So their strategy lever moved a lot more towards a frictionless experience and was a little more lenient when it came to security. On the flip side, with credit seekers, they were really worried about fraud. They were willing, because the losses were potentially so high, to be really friction-intense. In that particular moment, they felt a more heavy-handed approach was appropriate.
For each touch point, whether it was someone trying to change their password or someone trying to transfer money in and out, they really thoughtfully and carefully weighed the risks of friction against the risks of being too lenient. And once they had their priorities straight, it became really easy to get the right tools in there and improve the way they were running secure ID verification.
Matt: That’s a great example, Kevin. I’ll give a bad example (without naming any names). Because we work with multiple utilities around the world, in some implementations that are very heavy-handed, two-factor authentication is implemented on the login page. And it’s implemented across the board. Really every single customer has to go through this process. So if you think about that, even the good customers are being impacted by having to take out their phone and input the code that’s sent via SMS, when they’re really not a risk at all.
Something as heavy-handed as that is one of the bad examples we often see where the understanding of the customer journey isn’t optimal. If we look at where a better place would be to implement that: a reset password page would make sense. If a fraudster were coming to that site, it’s likely that the first thing they would do is try to reset the password so they could access that account.
What sort of scope or timeline do these implementations typically have? What does a typical process look like?
Kevin: In terms of timeline, it really varies. First on the scope of the project. Are you trying to just tweak one thing — like more secure ID verification at login — or are you doing a wholesale restructuring of each customer touch point? A customer will really dictate the scope and to some degree the timelines.
The mantra we have at ID Analytics is: We’ll run this as fast as you want us to, when it comes to the technical piece. We’ve seen implementations go as fast as 2-3 weeks for a startup that had a really tight deadline, and we’ve also had companies where it stretched out 7-8 months, due to their own timelines and preferences. But once you have your priorities clearly defined and you have the right partners, you’ll be able to stick to the timeline you set.
Still have questions about implementing secure ID verification with direct-from-source data? Reach out to us today.
- GDPR’s Resounding Impacts on Identity Verification
- Data Leaks Can Happen, Just Ask HBO
- Solving for Simplicity and Security: ID Verification for Alias-Based Transactions
If you like what you’re reading, why not subscribe?
About Andrea Duke
Andrea is a former Marketing Communications Manager at Urjanet. She is an experienced writer and content strategist, and is passionate about sustainability.