Nearly two months after the Equifax data breach, the true extent of data stolen by hackers is emerging. In the meantime at HooYu Identify, we’ve been seeing more of our clients asking to use both the traditional database checks and our identity document authentication and digital footprint analysis. In this blog we examine the weaknesses of relying solely on the tried and tested means of database checking and ask if it’s time to go beyond traditional database checks to prove customer identity.

Now that the dust is starting to settle on the breach, here’s a few numbers in terms of impact

– 143 million Americans’ identity details including social security numbers, birth dates, addresses and driving licence numbers

– 400,000 UK customers’ identity details including phone numbers, driving licence numbers, email addresses, username and passwords

– …and one departed Chief Executive

A further impact is the erosion of confidence in deploying database checks as the only means of verifying customer identity and serving as the sole line of defence against fraudsters. The Equifax data breach is by no means the first, and it certainly won’t be the last, but the more data breaches that occur, the more data that is readily available for fraudsters to commit identity theft.

An arms race between fraudsters and fraud  / compliance managers..?

So how do regulated firms bolster their defences against the fraudsters?  As we have seen in recent regulatory texts such as PSD2, best practice is to move beyond static identity data (that might have already been compromised) towards a “strong authentication” approach that goes beyond something that the customer knows.  In the database check scenario, of course the customer knows their name, address and date of birth, but so too perhaps does the fraudster…

Moving forward, in the “strong authentication” scenario, customers are also challenged to provide something they have such as an identity document or a digital identity.

Gathering a customer’s ID document is of course one way to prevent & detect impersonation.  The fraudster applying for a financial instrument when prompted for an ID document will likely be deflected and try their luck elsewhere.  The fraudster that tries to use a fake ID document can be detected when the document they use fail security checks such as microprint, kineogram, pixel analysis and MRZ checks.

Asking the customer to assert their identity using their digital footprint is a low friction way to distinguish friend from foe, to stop fraudsters and allow legitimate customers to pass. Digital footprints from sources such as PayPal, LinkedIn, Facebook, Amazon or Google+ can be measured and interrogated to distinguish between fake profiles and identify profiles that have a real living person behind them.

The best approach of course is to bring together all these elements into a single verification process and this is exactly how HooYu Identify helps businesses to verify customer identity. Our approach is to blend and combine multiple identity technologies including social media and digital footprint analysis, identity document authentication, facial biometrics, database checks and PEPS & Sanctions watchlist checks to confirm identity.

HooYu Identify cross-references and analyses data from a person’s digital footprint to confirm their real-world identity. HooYu Identify also extracts and verifies data from ID documents at the same time as authenticating the ID document and conducting a biometric facial check comparing a selfie of the customer with the facial image on their ID document.

17th October 2017 - David Pope