ID Dataweb named technology leader in Kuppinger Cole Fraud Reduction Leadership Compass

Kuppinger Cole’s recently released Leadership Compass on Fraud Reduction Intelligence Platforms (FRIP) names ID Dataweb as arguably THE technology leader when accounting for innovation and product capabilities. With an estimated worldwide cost expected to reach $10.5 trillion (yes, trillion) by 2025, cybercrime prevention should be the #1 focus for any publicly facing application. If there is a way to reduce that risk while maintaining customer experience, a business can drive its customers to a safe, secure digital experience, thus increasing revenue while limiting risk. Kuppinger Cole’s FRIP Leadership Compass recommends ID Dataweb’s AXN platform as one of the most, if not THE most, innovative and capable platforms for solving this fraud problem.

Below I will talk about the most common types of fraud and recommended solutions, but to read exactly what Kuppinger Cole is talking about and compare vendors in the space, please download the free report here. 

 

How are fraudsters costing businesses $10,500,000,000,000 through fraud?

According to Kuppinger Cole’s report, the three most common types of fraud are: 

  • Account Takeover Fraud (ATO) 
  • New Account Fraud (NAF) 
  • SIM Swap Fraud (subset of ATO)

In Account Takeover Fraud, a fraudster will use breached passwords and credential stuffing attacks to execute unauthorized transactions. Everyone now knows that passwords (what you know) are the weakest of all of the authentication factors. In fact, there are only two types of passwords in the world: those that have been breached and those that are about to be (I can’t find the citation for this but trust me!). The solution for this is weirdly simple: use the other two factors, what you have and what you are. But you need to be certain that you know exactly who the user is when assigning those factors to a credential.

In New Account Fraud, a fraudster will open accounts using a collection of stolen PII (Personally Identifiable Information) to execute transactions or transfer money. This is particularly insidious because the victim won’t know until it shows up on their credit report, often at an inopportune time. To solve this problem, the account registration process needs to properly prove and verify an identity upon account creation without being so onerous that legitimate customers stay away. Being able to prove the identity outside of the stolen PII is key; the proof has to be independent and impossible to fake.

SIM Swap Fraud is a subset of account takeovers. By pointing a customer’s legitimate phone number to the fraudster’s device, many of the fail-safes that companies use to determine if a customer is legitimate are sidestepped. A One Time Password (OTP) goes to the bad guy’s phone, so the bad guy gets to vouch for themselves = not good security. Again, simple fix: check for SIM swaps or recent ports on a device before even sending the OTP.

Why is ID Dataweb so well suited to solve fraud?

As Kuppinger Cole reports, ID Dataweb’s AXN (Attribute Exchange Network) “facilitates orchestration of identity attributes and risk factors for analysis.” By orchestrating signals about the user, their devices, their risk data, their credit bureau data and creating a single trust score, the AXN provides a standards-based way for an application to easily verify a user’s identity or risk at the time of account creation, authentication or transaction. ID Dataweb has built a series of commonly used templates that can be inserted into any process for one time or ongoing identity verification.

Specifically for ATO fraud, ID Dataweb can provide risk analysis on the user or the device at time of authentication or before a high value transaction, determining how likely that user is who they say they are. Additionally, for the organization that utilizes the other factors (what you are, what you have), ID Dataweb can verify the user’s identity at the time of credential issuance or recovery, making that biometric or device authentication that much more secure. 

New Account Fraud is one of the most common problems ID Dataweb solves. By integrating with all of the major customer identity platforms, we insert a verification workflow directly into the account creation process. This workflow is designed to be as frictionless as possible by first verifying a user’s phone possession and ownership, orchestrating data signals from many sources. If that isn’t sufficient or the user doesn’t pass that verification, we can step up to verifying that data against a selfie and government ID, again orchestrating the collection of data across up to a dozen sources invisibly to the end user. The organization is going to have a much better assurance that their new user is who they say they are. 

SIM Swap fraud is ridiculously easy to solve. When verifying an identity or using MFA, simply check with the appropriate Telco to see if the SIM card has been swapped since the last verification. If it has, step the user up to a more stringent verification like checking their government issued ID against a selfie. 

There is a reason Kuppinger Cole rates ID Dataweb so highly in this report: we are very well positioned to solve the most common cybercrime and fraud issues. Identity verification and risk detection are the cornerstone of a successful customer-facing application. As the Leadership Compass explains, ID Dataweb has a “strong positive” on the product capabilities and innovation needed to solve this growing fraud problem.


Edward Killeen

Vice President of Marketing

Identity Verification Orchestration: Solving for Too Much Data

There are a million use cases where you need identity verification. You need to know who your user is when setting up an account, you need to assess risk when granting access, you need to verify identity when recovering credentials, you need assurance of an identity when setting up MFA... the list is endless.

Just as endless is the array of attribute providers and credit bureaus and risk services. Each use case listed above needs to call data from multiple sources to truly verify the user’s identity. You need to be able to verify phone possession and ownership. You need a risk score from a credit bureau and the ability to triangulate data about the user. You need to be able to scan a government ID and match its data to DMV data and a biometric. 

There are use cases where you need next to no friction while still having a reasonable idea that the user is who they say they are. There are highly secure use cases where you need undeniable proof of the user’s identity. You need to be able to design a system that checks three factors: what you know, what you have and what you are. And be able to mix and match with all of those attribute providers in the background.

Orchestration and Policy: Workflows Save the Day

An orchestration layer within your identity verification system simplifies this process. I’ll give an example. A gaming company is setting up accounts for their loyalty program; security is obviously paramount because money is involved, but ease of use is essential because customers are involved. And this is happening digitally, so the old paradigm of showing an ID doesn’t work.

The policy is set up in three phases:  

  1. Prove possession and ownership of the device being used. If not, 
  2. Answer dynamic knowledge-based questions. If failed, 
  3. Scan government ID and match to a selfie. 

There are legitimate reasons for not being able to pass each phase, but if you do pass one, we have very good certainty that the user is who they say they are. You might be using a friend’s phone, you might not know how much your mortgage is, but if you don’t have a valid ID you should not get to have an account.

The reason that the orchestration layer is so important is that this process is fantastic for the customer and their users, but it requires a LOT of data from a lot of vendors. Having a single API to call into an orchestration network erases that complexity for the customer while retaining all of the benefits.

The orchestration layer coordinates all of the backend attribute providers and feeds, streamlines the data, and gives back a very simple response as to the user’s identity. The enterprise only needs a single API and interface to verify the identity, despite all of the complexity happening behind the scenes. ID Dataweb’s Attribute Exchange Network (AXN) has built-in templates to simplify the process and build the exact identity verification policy you need for the use case.

The Power of a Network: Dynamic Backup of Attribute Providers

Guess what? Attribute providers go down. You don’t want to have your customer onboarding halted when that happens. By having a network of attribute providers, you can fail over to a backup vendor for that data without missing a beat…or a customer. ID Dataweb’s Attribute Exchange Network (AXN) allows for having backup providers for almost every identity attribute that you are verifying. As an enterprise, you get the benefit of a single interface, a single contract, and dynamic backups with all of these attribute providers and feeds.

Between the policy engine consolidating all of the varied attribute providers into a single interface and the exchange network providing backup vendors, the AXN platform makes a complex identity verification problem very simple. You get to know who your customers are when you need to. 
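The three-phase step-up policy and the backup-provider failover described above, sketched as an added example (not ID Dataweb's code and not the AXN API): every function name, field and threshold is hypothetical, and the applicants are constructed. The sketch fails over to a backup provider only on an outage, never on a negative answer, and treats a total outage as a failed phase rather than a pass.

```python
from dataclasses import dataclass, field
from typing import Optional

class ProviderDown(Exception):
    """Raised by a provider stub to simulate an outage."""

@dataclass
class Decision:
    verified: bool
    phase: Optional[str]       # phase that established identity, if any
    trail: list = field(default_factory=list)  # audit trail of provider calls

def run_phase(name, providers, applicant, trail):
    """Ask providers in order. Fail over on outage only, never on a 'no'."""
    for provider in providers:
        try:
            ok = provider(applicant)
        except ProviderDown:
            trail.append((name, provider.__name__, "down"))
            continue
        trail.append((name, provider.__name__, "pass" if ok else "fail"))
        return ok
    return False  # all providers down: fail closed, the policy steps up

def verify(applicant, policy):
    """Walk the phases in order; the first pass verifies, no pass rejects."""
    trail = []
    for name, providers in policy:
        if run_phase(name, providers, applicant, trail):
            return Decision(True, name, trail)
    return Decision(False, None, trail)

# Hypothetical provider stubs standing in for real attribute providers.
def telco_primary(a): raise ProviderDown()
def telco_backup(a): return a["owns_device"] and not a["recent_sim_swap"]
def kba_bureau(a): return a["kba_correct"] >= 3   # assumed pass mark
def id_selfie(a): return a["id_valid"] and a["selfie_matches"]

POLICY = [("device", [telco_primary, telco_backup]),  # primary, then backup
          ("kba", [kba_bureau]),
          ("gov_id", [id_selfie])]

# Constructed applicants.
OWNER = dict(owns_device=True, recent_sim_swap=False, kba_correct=4,
             id_valid=True, selfie_matches=True)
BORROWED_PHONE = dict(owns_device=False, recent_sim_swap=False, kba_correct=1,
                      id_valid=True, selfie_matches=True)
NO_VALID_ID = dict(owns_device=True, recent_sim_swap=True, kba_correct=1,
                   id_valid=False, selfie_matches=False)
```

Calling `verify(OWNER, POLICY)` returns a `Decision` whose `trail` records the outage and the backup call, which is the record an auditor needs to see which provider actually vouched for the identity.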


Edward Killeen

Vice President of Marketing

Securing Passwordless Credentials with Identity Verification

When an enterprise is offering passwordless authentication, they are offering convenience and usability without sacrificing security. The user’s phone becomes the user’s identity — this is smart because users protect their phone and protect its contents. It really is the user’s identity. 

Think about the three main authentication factors (what you know, what you have and what you are)... a password is usually the “what you know” factor, which is inherently the weakest. Passwords are re-used, written down, phished, stolen, and overly complicated or otherwise painfully easy to guess. Furthermore, with the growth of single sign-on (SSO), oftentimes, if the password is stolen, all systems are compromised.

By utilizing the other two factors and going passwordless, convenience is increased while simultaneously increasing security. Win-win doesn’t even begin to describe this situation; it’s WIN-WIN. To steal the other factors requires levels of felony that most hackers don’t want to commit: stealing personal property and/or body parts. Tying the authentication to possession of a phone verified to be the user’s or a verified face biometric solves all of this.

 

Vulnerability at Time of Passwordless Credential Issuance

But there is a fundamental vulnerability early in this process when pairing the phone with the user. It is during this critical phase that you NEED to ensure that the user pairing the device with the identity is the correct user. Identity verification during this phase ensures that the user pairing the phone is the correct user.  

Depending on the security needs, this can be a simple mobile match (the identity is the user who owns this phone) or KBA challenge (does the user pairing know what they should) or a government ID match (does the user pairing have an ID and matching biometrics for the identity). Ideally, a solution will step up a policy that checks each more secure method depending on the profile of the user or the ability to pass the earlier stages. 

When to Apply Identity Verification to Passwordless Credential Process

This verification process to pair the credential to the user happens during two lifecycle events: zero day onboarding and credential recovery. During zero day onboarding, the most stringent identity verification template should be used: MobileMatch and BioGovID. Verify the user’s possession and ownership of the mobile device being used for the credential, then verify their identity with a government issued identification and matching selfie; you hit the two most secure factors in one flow.

During credential recovery, you have already established the identity of the user during onboarding, now you can use a more streamlined template and just check MobileMatch. Determine that the user is indeed the legal owner of the phone, that it hasn’t been used for fraud, and that the user has actual possession of that phone. Then you can re-issue the credential. 

Passwordless is the wave of the future both for workforce and consumers. It is easier for the user, more secure for the enterprise, and intuitive and fast for authentication. The important part is that you establish the match between the physical identity, the digital identity and the mobile device being used as an authenticator at the initial point of vulnerability.


Edward Killeen

Vice President of Marketing