EMV Chips, Unintended Consequences, and the Need for Stronger Identity Proofing

In response to the widely publicized point-of-sale breaches at Target, Home Depot, and other retailers in the early 2010s, the international payment network operators (Europay, Visa, MasterCard) announced the introduction of an enhanced payment security technology, called EMV, in 2012. EMV (also known as "credit card chip" technology) closes longstanding vulnerabilities in point-of-sale transactions by introducing new layers of security.

Before EMV, all a fraudster had to do to steal your credit card information was read the static magnetic stripe, which they could do with a handheld device or by placing an inconspicuous skimmer on an ATM. EMV chip technology eliminates this vulnerability by introducing a two-way cryptographic handshake between the card reader and the chip on your card: every transaction produces a unique value instead of the same static data on every swipe, so data captured from one transaction cannot simply be replayed in another. This approach is set to save the US up to $700 million per year in credit card fraud costs (Group, '14). So, are we expecting the fraudsters to file for unemployment and move to a van down by the river?
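To make the difference between the two mechanisms concrete, here is an added toy model (it is not EMV itself and not code from ID DataWeb): the "stripe" hands out the same bytes on every read, while the "chip" answers a per-transaction challenge from the terminal with a keyed MAC. Real EMV derives session keys and counters from an issuer master key and uses the terminal's unpredictable number; here an HMAC over a random nonce and the amount stands in for the cryptogram. The card number, key and nonces are constructed values.

```python
"""Static stripe data versus a chip-style challenge/response (simplified model)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# --- Constructed sample values (not real card data or keys) -----------------
PAN = "4111111111111111"                            # well-known test PAN
STATIC_TRACK2 = f"{PAN}=2512101".encode()           # what a stripe exposes on every swipe
CARD_KEY = hashlib.sha256(b"constructed-card-key").digest()  # shared by chip and issuer


@dataclass(frozen=True)
class Challenge:
    """Transaction-specific input the terminal feeds to the chip."""
    amount_cents: int
    nonce: bytes  # the terminal's 'unpredictable number'


def terminal_challenge(amount_cents: int, nonce: Optional[bytes] = None) -> Challenge:
    """Terminal picks a fresh nonce per transaction (fixed nonce only for tests)."""
    return Challenge(amount_cents, nonce if nonce is not None else os.urandom(4))


# --- Magnetic stripe: static data, identical on every read ------------------
def stripe_read() -> bytes:
    """A swipe, or a skimmer, receives the same bytes every time."""
    return STATIC_TRACK2


def issuer_authorize_stripe(track2: bytes) -> bool:
    """The issuer can only check that the presented data matches what is on file."""
    return hmac.compare_digest(track2, STATIC_TRACK2)


# --- Chip: dynamic cryptogram bound to this terminal challenge --------------
def chip_cryptogram(card_key: bytes, ch: Challenge) -> bytes:
    """The chip MACs the challenge with a key that never leaves the chip."""
    msg = ch.amount_cents.to_bytes(8, "big") + ch.nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()


def issuer_verify_chip(ch: Challenge, cryptogram: bytes) -> bool:
    """The issuer recomputes the cryptogram for exactly this challenge."""
    return hmac.compare_digest(chip_cryptogram(CARD_KEY, ch), cryptogram)


# --- Scenarios -------------------------------------------------------------
def stripe_replay_accepted() -> bool:
    """Data read once from the stripe still authorizes a later, unrelated transaction."""
    captured = stripe_read()
    return issuer_authorize_stripe(captured)


def chip_replay_accepted() -> bool:
    """A cryptogram recorded from one purchase is presented for a second one."""
    first = terminal_challenge(1999, nonce=b"\x00\x00\x00\x01")
    captured = chip_cryptogram(CARD_KEY, first)
    second = terminal_challenge(1999, nonce=b"\x00\x00\x00\x02")  # new nonce, same amount
    return issuer_verify_chip(second, captured)


def chip_genuine_accepted() -> bool:
    """The real chip answering the current challenge is accepted."""
    ch = terminal_challenge(1999)
    return issuer_verify_chip(ch, chip_cryptogram(CARD_KEY, ch))


if __name__ == "__main__":
    print("stripe replay accepted:", stripe_replay_accepted())  # True
    print("chip replay accepted:  ", chip_replay_accepted())    # False
    print("chip genuine accepted: ", chip_genuine_accepted())   # True
```

The point the model isolates is that the issuer's check for the stripe is a comparison against stored data, so anything that can read the stripe can satisfy it, whereas the chip's answer is only valid for the nonce and amount of the transaction in which it was produced.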

Introduction of EMV drives New Account Fraud

With the increased difficulty of credit card skimming, fraudsters had to go "back to the drawing board." They quickly reemerged, refocused on a type of attack known as New Account Fraud (NAF). With NAF, attackers acquire a victim's personally identifiable information (PII) and use it to open new credit card accounts in that person's name. According to Javelin Strategy, the introduction of EMV chips "drove a 113 percent increase in incidents of new account fraud, which now accounts for 20 percent of all fraud losses." It is estimated that new account fraud will hit $2.1 billion per year by 2020. What are financial institutions to do?

Traditional KYC requirements not good enough

As of 2014, financial institutions are required to comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) laws, which require them to verify a person's digital identity before providing banking or financial services. While correct in spirit, the unfortunate truth is that much of the sensitive PII these checks rely on is not as secure as it used to be. This is due to an increasing number of companies having their systems breached, such as Experian's loss of 15 million T-Mobile records or Anthem's loss of millions of full PII records (both including Social Security numbers). Fraudsters are also highly motivated to keep this going: in some cases they can get up to $100 a pop for "Fullz," hacker terminology for the full set of data required to open an account, SSN included.

Multi-layered approach to ID proofing

To combat the ever-decreasing reliability of PII as proof of identity, Gartner, in its paper "Absolute Identity Proofing is Dead, use dynamic identity assessment instead", recommends that organizations "acknowledge that data privacy is dead, hence the need for a layered identity proofing and fraud prevention approach." Unfortunately, this is a complex problem, which requires integrating multiple vendors, technologies and regulations. In the same document, Gartner also recommends to "favor vendors that combine multiple layers of identity assessment."

IDW's four-tier identity proofing

ID DataWeb's Attribute Exchange Network provides a four-tier approach to identity proofing: human identity verification, affiliation verification, device verification, and location verification. We believe that our identity verification offerings provide the fullest-featured, most complete solution on the market, by verifying who your customers are and their backgrounds, what relationships they have with other entities, and their physical context (device, application, location, network, IP address).

  1. Human identity proofing - Verify the identity of over 4 billion people in over 80 countries. Choose from PII verification, document scan, and/or challenge/response questions.
  2. Affiliation verification - Verify a person's affiliations, including employment, educational background, government affiliation, industry certifications, or criminal background.
  3. Physical context - Verify a person's device to ensure they are coming from a trusted location, on a non-fraudulent IP range, and that the same device is not being used to open multiple accounts in the same time period (a strong fraud signal).
  4. Location - Detect malicious IP ranges, or users hiding their location behind proxies/VPNs. Know precise geolocation and leverage machine learning to correlate patterns and identify anomalies.
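Tiers 3 and 4 describe two checks that are easy to show in code: whether the applicant's source IP falls in a blocked range, and whether one device fingerprint is being reused to open several accounts inside a time window. The following is an added example of that logic, not ID DataWeb's implementation; the blocked ranges are IETF documentation networks, the window and threshold are arbitrary, and the signup events are constructed.

```python
"""Account-opening velocity and IP-range checks over constructed signup events."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed blocklist: documentation ranges stand in for a real threat feed.
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Arbitrary policy values (assumed): at most 2 signups per device per 24 hours.
VELOCITY_WINDOW = timedelta(hours=24)
MAX_SIGNUPS_PER_DEVICE = 2

# Constructed events: (ISO timestamp, device fingerprint, source IP, applicant)
Signup = Tuple[str, str, str, str]
SIGNUPS: List[Signup] = [
    ("2024-03-01T09:00:00", "dev-aaa", "192.0.2.10", "alice"),
    ("2024-03-01T09:15:00", "dev-bbb", "203.0.113.7", "bob"),    # IP in blocked range
    ("2024-03-01T10:00:00", "dev-aaa", "192.0.2.11", "carol"),
    ("2024-03-01T11:30:00", "dev-aaa", "192.0.2.12", "dave"),    # 3rd signup from dev-aaa in 24h
    ("2024-03-03T08:00:00", "dev-aaa", "192.0.2.13", "erin"),    # same device, but window has expired
]


def ip_is_blocked(ip: str) -> bool:
    """True if the address lies inside any blocked CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)


def flag_signups(
    events: Iterable[Signup],
    window: timedelta = VELOCITY_WINDOW,
    max_per_device: int = MAX_SIGNUPS_PER_DEVICE,
) -> Dict[str, List[str]]:
    """Return {applicant: [reasons]} for every signup that trips a rule.

    Events are processed in time order; for each device we keep only the
    attempts still inside the sliding window, so a device that was busy two
    days ago is not penalized today.
    """
    flags: Dict[str, List[str]] = defaultdict(list)
    recent: Dict[str, List[datetime]] = defaultdict(list)
    for ts_str, device, ip, applicant in sorted(events):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ts_str)
        if ip_is_blocked(ip):
            flags[applicant].append(f"source IP {ip} is in a blocked range")
        recent[device] = [t for t in recent[device] if ts - t <= window]
        recent[device].append(ts)
        if len(recent[device]) > max_per_device:
            flags[applicant].append(
                f"device {device} used for {len(recent[device])} signups within {window}"
            )
    return dict(flags)


if __name__ == "__main__":
    for applicant, reasons in flag_signups(SIGNUPS).items():
        print(applicant, "->", "; ".join(reasons))
```

Run against the constructed events, only bob (blocked range) and dave (third signup from dev-aaa within 24 hours) are flagged; erin reuses the same device but after the window has expired, which is the distinction a velocity rule has to make to avoid flagging legitimate shared devices.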

Adaptive authentication - extending the trust beyond day zero

In addition to the four-tier identity verification service described above, ID DataWeb's Attribute Exchange Network also provides Adaptive Authentication. This includes transparently reverifying attributes on a per-login basis and responding to anomalies with two-factor authentication or other out-of-band challenges, which prevents account takeover, credential theft, or phishing attacks from succeeding even when the attacker holds a valid password.
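The per-login reverification described here amounts to comparing the current login context against what was established at account opening and choosing between allowing, stepping up, or denying. The block below is an added illustration of that decision loop, not ID DataWeb's engine: the attribute set, weights and thresholds are assumptions, the country code "ZZ" is an ISO user-assigned placeholder, and the geovelocity ("impossible travel") flag is assumed to come from an upstream check.

```python
"""Adaptive authentication: score each login against the user's baseline and step up on anomalies."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Profile:
    """Context attributes verified at account opening, extended by later clean logins."""
    known_devices: Set[str]
    known_countries: Set[str]
    known_networks: Set[str]  # e.g. ISP or ASN labels


@dataclass(frozen=True)
class LoginContext:
    device: str
    country: str
    network: str
    ip_on_blocklist: bool = False
    impossible_travel: bool = False  # assumed output of an upstream geovelocity check


# Assumed weights and thresholds; a real deployment tunes these against its own fraud data.
WEIGHTS: Dict[str, int] = {
    "new_device": 40,
    "new_country": 30,
    "new_network": 15,
    "ip_blocked": 60,
    "impossible_travel": 50,
}
STEP_UP_AT = 40  # challenge with 2FA / out-of-band verification
DENY_AT = 90     # refuse outright and alert


def score_login(profile: Profile, ctx: LoginContext) -> Tuple[int, List[str]]:
    """Return (risk score, list of triggered signals) for one login attempt."""
    reasons: List[str] = []
    if ctx.device not in profile.known_devices:
        reasons.append("new_device")
    if ctx.country not in profile.known_countries:
        reasons.append("new_country")
    if ctx.network not in profile.known_networks:
        reasons.append("new_network")
    if ctx.ip_on_blocklist:
        reasons.append("ip_blocked")
    if ctx.impossible_travel:
        reasons.append("impossible_travel")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(profile: Profile, ctx: LoginContext) -> str:
    """Map the score to one of allow / step_up / deny."""
    score, _ = score_login(profile, ctx)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def learn_context(profile: Profile, ctx: LoginContext, challenge_passed: bool) -> None:
    """Only a context confirmed by a passed challenge becomes part of the baseline."""
    if not challenge_passed:
        return
    profile.known_devices.add(ctx.device)
    profile.known_countries.add(ctx.country)
    profile.known_networks.add(ctx.network)


def demo() -> List[str]:
    """Walk one user through four logins; returns the four decisions."""
    profile = Profile({"dev-home"}, {"US"}, {"isp-home"})       # constructed baseline
    decisions = []
    decisions.append(decide(profile, LoginContext("dev-home", "US", "isp-home")))   # allow
    new_phone = LoginContext("dev-phone", "US", "isp-home")
    decisions.append(decide(profile, new_phone))                                     # step_up
    learn_context(profile, new_phone, challenge_passed=True)
    decisions.append(decide(profile, new_phone))                                     # allow now
    decisions.append(decide(profile, LoginContext("dev-x", "ZZ", "isp-unknown",
                                                  ip_on_blocklist=True)))            # deny
    return decisions


if __name__ == "__main__":
    print(demo())  # ['allow', 'step_up', 'allow', 'deny']
```

The design point is in `learn_context`: a new device only joins the trusted baseline after the out-of-band challenge succeeds, so an attacker with a stolen password but no access to the second factor never gets a new device "remembered."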

Summary

Financial institutions should anticipate a higher volume of New Account Fraud (NAF) attacks in the coming years, as the 2015 introduction of EMV chips forced hackers to go "back to the drawing board," eventually leading them to shift their target from the card to the underlying identity and account. Security-minded executives should look to partner with vendors who provide multi-layered identity verification approaches, and extend the trust beyond the initial account opening. ID DataWeb's Attribute Exchange Network provides a four-tier identity proofing service, including human, affiliation, device, and location verification, as well as Adaptive Authentication, which can reverify attributes and trigger "step up" challenges to catch changes or anomalies. This provides massively heightened security while staying out of the way of legitimate end users' experience.


Meet the author:

Matt Cochran

Director of Product & Operations

Matt Cochran is an enterprise IT expert with experience leading strategy, architecture and design of internet scale, cloud based identity management systems.