Can We Secure Online Identities?
Cyber threats seem to be expanding at a frantic pace, and many of them stem from the challenge of accurately identifying individuals online. In a conversation with Yale Insights, cybersecurity entrepreneur Sunil Madhu says that using credit history to identify individuals is outmoded and new tools are needed to conduct commerce securely.
The infrastructure of identity is proving shaky in the digital world. We’re all complicit. The ease of electronic existence makes sharing our data all but irresistible—social security number, date of birth, address, mother’s maiden name. However, “the digital world can be rough on the old way of doing things,” Forbes says. “Static information by itself was never a fit for the digital world, where information is easily shareable and readily accessible through normal or nefarious means.”
Cryptographic tools have eliminated the need to store identity data, but companies are loath to give up their databases because, Forbes continues, “they are used for identity verification, but mostly, and by far more lucrative, they are used for marketing.” The microtargeting that this enables is core to the digital economy, but it leaves us with a vulnerable system.
That profound fragility led to a cri de coeur from TechCrunch predicting (or hoping) that new technology, including blockchain—the encrypted ledgers that power bitcoin—will allow us to reclaim our digital identities from the many third parties that currently control who we are and how we are treated in the digital world.
For now, the cutting edge is to verify identities by drawing on a mix of static and dynamic data. To get a better picture of the cybersecurity landscape, Yale Insights talked with Sunil Madhu, CEO and co-founder of Socure, a cybersecurity startup that uses machine learning to provide digital identity verification for financial institutions.
Q: What is the scope of identity fraud in the U.S.? What are the chances that any given individual has had their data stolen?
As of 2016, about six times the U.S. population’s data had already been stolen. While the Equifax breach made big news, it was the 23rd publicly disclosed breach this year. Many more happen that we just don’t know about. It’s probably safest to assume that everybody’s data has already been stolen. Fraud is obviously on the rise as a result.
The problem with things like Social Security numbers being stolen is that it leaves you at risk indefinitely. Ten years from now, someone can use your information to commit fraud, pretending to be you. And unfortunately, we can’t change our Social Security numbers.
Q: Are there issues with the traditional ways of verifying identity?
There are a number of problems with using credit bureau data as a mechanism for identity verification. I’m an immigrant to the United States. I came here 16 years ago. I had plenty of credit history back in the UK, but I couldn’t port it with me when I moved here. I didn’t change as a person, yet I had to start from scratch, which I thought was odd. It’s one of the reasons why we started this company.
Of the 7.5 billion people on the planet, about 5 billion live on cash. Credit is only available in 14 countries; 180 countries do not have credit. Beyond that, millennials, the 18- to 34-year-old demographic, have moved away from traditional credit behaviors. In the United States, millennials are poised to be 75% of the workforce by 2025. They live in a shared economy. They’re riding around in Ubers and Lyfts, not buying cars. They’re staying at home, paying off student loans, and not buying homes as early.
The average 30-year-old in the United States lives off debit cards, not credit cards. Many don’t even have credit cards. Using credit as a mechanism for identity verification is a problem for people, like the millennial demographic, that the credit bureaus don’t cover effectively. The bureaus actually put many millennials in the same bucket with the nearly 50 million adults in the United States who live on cash. They are called thin-file populations because they don’t have enough information to be able to risk score them.
The consequence of that is that as these young people start to look for financial inclusion, they’re rejected outright or subjected to a lot of friction, such as having to bring physical documentation to branch locations. Millennials don’t have the patience to do that, especially when they see their mobile phone as their bank branch.
Recognizing this problem, some lenders and financial institutions have started to create alternative credit risk models that are not reliant on the traditional credit bureau data. The credit bureau data continues to exist because of regulatory compliance. The Fair Credit Reporting Act stipulates the use of credit-based data. The Patriot Act requires, for anti-money-laundering purposes, validating customers’ name, Social Security number, date of birth, and address against bureau data.
I believe that the existing credit models are going to have to change. The assumptions they are built on worked well in the past, but are no longer accurate. Beyond that, they’re ineffective—you could pass a KYC [Know Your Customer] check by spending four bucks on the internet to buy stolen data.
Q: Do businesses, governments, and other institutions appreciate the gravity of the cybersecurity situation?
I think they appreciate the gravity of the situation because it’s not just the data loss. It’s the reputational harm. Every public and private sector organization has compliance pressure. They don’t take it lightly.
You might think that by now, all data would have been encrypted, but many of these institutions have built up enormous IT infrastructure over 20 or 30 years. Data is spread across the infrastructure. Because of the historical nature of building up and cost-control choices, not all of it’s encrypted. Combined with the full range of attack factors, including social engineering attacks that take advantage of human beings as a weak link, it’s a complex and serious problem.
The Equifax breach is a classic example. I think they understand the gravity of the situation. It’s just that it’s a very hard problem to solve for them.
Q: Where do we look for solutions?
As consumers, whenever we make an e-commerce purchase, our data is stored by the merchants. It goes into various databases and tools they use to know who their customers are. Because the sector includes everything from mom-and-pop companies to large firms, they aren’t necessarily all at the same level of maturity and understanding of IT and compliance processes. Since many don’t know how to protect data, all of the data is at risk.
This is one of the reasons why e-commerce generally is moving towards tokenization of data. That is, your card information and your cardholder identity information are obscured into random numbers that are a reference point for the actual data. When you make a purchase, the merchant doesn’t actually get the raw information about the credit card that was used, or the identity behind that credit card. Instead, they get obfuscated pieces of information that are useless if breached.
Q: Is tokenization a real solution?
It is. It is relatively new, so there will be more to learn, but it is definitely more robust than letting every merchant store the raw information.
At the same time, we’ve always had fraud. It’s never going to go away. It’s just going to transform. Every crime has motive, means, and opportunity. If the motive is to make money, and the means in this case is technology, then you are left with opportunity.
I’d contend that given the right circumstances every good person, every law-abiding citizen, would commit fraud given the opportunity. A simple way to analogize that is if a malfunctioning ATM is spitting money into the street, how many people are going to grab some cash and stick it in a pocket as opposed to running into the bank and saying, “Hey, your ATM is malfunctioning?” That’s the nature of fraud.
Q: What are the key challenges?
Fraud can be segmented into three main vectors: site attacks like malware and viruses; account takeover; and identity verification. With malware and viruses, well, that will continue to persist and grow because it’s a cat-and-mouse game for the most part.
Account takeover refers to guessing a password to take over an already established account. Probabilistic responses have matured over the last decade, using behavior to guess whether or not it’s the authorized owner of the account performing a transaction. For example, given enough history, a bank could look at a transaction and say, “It’s outside of your normal habits to spend $2,000 on this item this time of year.” Or, a merchant could look at website click-through behavior and say, “Given the cohort of 100% of the visitors on my website, it’s likely someone filling their shopping cart with five televisions and immediately checking out without any searching or comparing needs extra scrutiny.”
I think the account takeover problem is going to diminish as commerce shifts from the web to mobile. There’s no guest checkout on a mobile device like there is in the web, and mobile devices increasingly have biometric sensors, so users are increasingly authenticated by one or more biometric confirmations that are absolute, not probabilistic.
Identity verification refers to dealing with a new customer for whom you have no prior history. It’s what Socure is focused on, and we have created a considerable barrier for the fraudsters to overcome. We use a predictive analytics platform. It’s a real-time system that uses machine learning to combine online, offline, and social data to help businesses figure out if their customers are who they say they are. We allow businesses to sign up new customers without friction, faster, and include those that traditional credit bureau-based checks would reject.
Q: How do you verify someone’s identity using social media?
It’s very easy for someone to steal our identity, alter it, and use it to commit fraud. It is much more difficult for someone to synthesize the network connections around identities, because those online connections in these networks represent the connections between us and the people we know in the real world.
If a fraudster had to not only steal your identity, alter it, and create a fake profile, but also surround that profile with authentic social proof, then the burden in terms of time, effort, and cost, to create not one profile, but hundreds of profiles in multiple social networks, just to vouch for that one profile, that becomes a barrier. Normal use of social networks creates a human psychographic behavioral pattern that’s next to impossible to replicate, even if they have access to botnets.
Q: Is the data from social networks useful to criminals?
We’ve done studies of how fraudsters are using fake profiles. It turns out that they can monetize a profile 10 times over by not actually selling the fake profile itself, but the artifacts from it. That means they make more money selling the likes, shares, and followers from each fake identity that they create than by selling the actual fake identity.
Q: Who are the major actors engaged in cybercrime?
We see 16-year-old kids doing it for laughs. We see criminal groups. We see state actors engaging in cyber warfare. Given the resources that they have, state actors have the largest impact. Our government does that. Other governments do that. The problem is that many of the tools that they create find their way into the hands of the fraudsters, one way or another. A lot of the worms and crypto tools that we’re seeing right now go back to the tools that our government, the Israeli government, European governments, and others have collaborated on.
Unfortunately, the public sector doesn’t seem to want to work with the private sector to stop the exploitation of bugs and weaknesses in software. When they find a weakness, instead of telling the community about it so that we can fix the problem, they keep it secret, so they can exploit it. But any back door for the good guys can be used by the bad guys too. We need better partnerships between governments and private sector, but I don’t see that happening any time soon.