When you think of ‘you’, it’s probably the physical you; the person who eats, sleeps and gets up, goes to work, feels good or tired, hungry or full. You probably don’t think of the digital ‘you’, your cyber identity that helps you buy and sell things online, your digital persona across social media that establishes your online reputation and whether or not you can be trusted. That is until your digital identity is hacked or otherwise compromised, in which case, all of a sudden your digital identity has a major impact on your actual existence and livelihood.
Welcome to the 21st century, where modern technology allows you to transact around the globe at near-instantaneous speeds, but also makes you vulnerable to hackers and criminals who exploit cracks in technology and processes to steal your identity for financial gain or other nefarious activities.
While it’s problematic for affected individuals, identity hacks put businesses between a rock and a hard place; on one side they want to ensure consumers enjoy a smooth, frictionless user experience, on the other, they need to protect the business from fraud and ensure that they take every reasonable step to protect the customer.
With the multitude of hacks happening, governments are stepping up privacy protection requirements, such as the General Data Protection Regulation (GDPR) in Europe. Not only are there huge potential fines for non-compliance, but breaches or lapses in protecting identities also lead to a loss of customer confidence.
Consider Equifax, one of the three largest credit bureaus in the U.S., and its recent data breach. In that situation, announced on September 7, but discovered on July 29, 143 million accounts had their personal information compromised, including names, birthdates, addresses and, most troubling, social security numbers. Even some driver’s license numbers and credit card numbers were accessed.
There are ongoing lawsuits and congressional investigations under way. In addition to the public relations disaster that cost the company consumer trust, there are the costs of cleaning up the compromised accounts and offering various forms of compensation.
As Zac Cohen, General Manager at Trulioo, states “looking toward the future, this breach will surely bring to the surface more security-related questions from the various regulators around the world and very likely [create] an intense ripple effect. This reaction is likely to be twofold: ensuring data protection standards are amplified and increasing the punishment for those who do not meet the necessary requirements and suffer breaches as a result.”
Unfortunately, there are many others. Yahoo was hacked for the usernames and passwords of all of its three billion users. eBay was hacked in 2014, and the hackers could access information for 145 million users and copied “a large part” of it. Target was attacked at the point of sale, and those hackers got information on 70 million users. JP Morgan, the largest bank in the US, was hacked, exposing personally identifiable information (PII) for 76 million customers.
The perpetrators are becoming increasingly sophisticated. For example, two-factor authentication (2FA), often considered a powerful way to add a security layer to interactions, is also vulnerable to hackers if it relies on a phone. Exploiting a security hole in Signalling System No. 7 (SS7), part of the telephone system backbone, allows the hacker to intercept SMS, calls and data, thereby giving them access to the passwords, permissions and other activities they need to compromise accounts.
Identity Risk Mitigation
We could go on, but you get the point; even the biggest, supposedly sophisticated operations are susceptible to these attacks, let alone the many smaller companies. So, what can you do to protect your organization and your customers?
In our post Identity Fraud: Fraud Prevention and Risk Mitigation, we laid out five steps:
- Do your customer due diligence; understand the nature of the customer and the potential threat they pose.
- Know the techniques that identity fraudsters are using, both overall trends and specific procedures.
- Review and adjust your security processes on an ongoing basis and stress-test them to ensure they are capable of defending your business.
- Establish and maintain proper training and ongoing rules for all employees.
- There are numerous suspicious patterns that ongoing monitoring can detect.
Expanding on this last point, by watching Identity & Access Metrics, you can cut down on potential breach points and notice any spike or unusual activity:
- How many people have admin or super-admin access? How many should?
- How many devices and what kind should be accessing your secure resources?
- What’s a normal amount of password changes?
- How long does it take to remove someone from the system?
- How many accounts are no longer active?
- What’s a normal amount of bad logins?
- How many open TCP/UDP ports are normal?
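As an added example (not code from the original post or from Trulioo), the snippet below turns three of the metrics above into checks over a constructed set of accounts and authentication events: who holds privileged access, which accounts have gone inactive, and whether today's bad-login count is a spike against the baseline of earlier days. Account names, roles and timestamps are all made up for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample data (not real accounts or logs): user -> role, and auth events.
ACCOUNTS = {"alice": "admin", "bob": "user", "carol": "super-admin", "dave": "user", "erin": "user"}
EVENTS = [  # (ISO timestamp, user, event type)
    ("2017-09-01T09:00:00", "alice", "login_ok"),
    ("2017-09-01T09:05:00", "bob", "login_fail"),
    ("2017-09-02T09:00:00", "carol", "login_ok"),
    ("2017-09-02T10:00:00", "bob", "login_fail"),
    ("2017-09-02T10:02:00", "bob", "login_fail"),
    ("2017-09-03T09:00:00", "dave", "login_ok"),
    ("2017-09-03T09:01:00", "dave", "login_fail"),
    ("2017-09-04T09:00:00", "alice", "login_ok"),
    ("2017-09-04T09:01:00", "bob", "login_fail"),
    ("2017-09-04T09:03:00", "bob", "login_fail"),
] + [("2017-09-05T03:%02d:00" % i, "alice", "login_fail") for i in range(20)]  # burst of failures

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def privileged_accounts(accounts):
    """Who holds admin or super-admin rights? Review this list against who should."""
    return sorted(u for u, role in accounts.items() if role in ("admin", "super-admin"))

def inactive_accounts(accounts, events, now, max_idle_days=30):
    """Accounts with no successful login inside the window: candidates for removal."""
    last_ok = {}
    for ts, user, kind in events:
        if kind == "login_ok":
            last_ok[user] = max(last_ok.get(user, parse(ts)), parse(ts))
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in accounts if last_ok.get(u, datetime.min) < cutoff)

def failed_login_spike(events, sigma=2.0):
    """Count bad logins per day and flag the latest day if it exceeds mean + sigma*stdev
    of the earlier days. Returns (day, count, is_spike). Days with zero failures are not
    in the counter, so the baseline only covers days that had at least one failure."""
    per_day = Counter(ts[:10] for ts, _, kind in events if kind == "login_fail")
    days = sorted(per_day)
    baseline = [per_day[d] for d in days[:-1]]
    latest = days[-1]
    threshold = mean(baseline) + sigma * pstdev(baseline)
    return latest, per_day[latest], per_day[latest] > threshold

if __name__ == "__main__":
    print("privileged:", privileged_accounts(ACCOUNTS))
    print("inactive:", inactive_accounts(ACCOUNTS, EVENTS, parse("2017-09-05T12:00:00")))
    print("bad-login spike:", failed_login_spike(EVENTS))
```

In production the same functions would run over the directory export and authentication log rather than the embedded sample, and the baseline window would be longer than four days.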
When it comes to implementing a successful, ongoing identity management program, understand that it won’t be quick and easy; there are lots of factors to consider and, as noted above, the consequences of failure are high.
Do you have the dedicated staff who have the expertise in all the variety of technologies necessary to create a robust security program? If not, do you have a trusted third-party under contract?
Is your security design actually usable for your team and customers? Creating a digital Fort Knox is great for security purposes, but if it slows down your teams’ operations, customer acquisition and/or customer experience, is it adding value? Making careful tradeoffs between security and usability, on an ongoing basis, is key to an effective system.
What information do you need, when do you need it, and how long do you need to keep it? Just because you gather information doesn’t mean you should keep it. By mapping out your information use, understanding how that information flows through your organization and implementing appropriate strategies, you can maximize the value of the information while minimizing the risk.
At Trulioo, we gather the information required to verify identities in a secure, encrypted manner, run the matches and then return the result as a binary code – match or no match. We don’t store any PII data.
For any business handling PII data, some considerations include: what are your policies, procedures, training, and administration for handling digital identities? Digital identities are real, and their handling has real-world consequences. Through careful and continual awareness, your organization can avoid the risks and pitfalls and thrive in the new global marketplace.