How technology can help protect against identity fraud [Q&A]
The COVID-19 pandemic has led to a tide of cybercriminal activity seeking to exploit things like government payments.
We spoke to Michael Magrath, director, global regulations and standards at anti-fraud and digital identity solutions company OneSpan to find out how governments and enterprises can use technology to guard against the threat.
BN: Have we seen a COVID uptick where the pandemic has highlighted and brought to attention problems that already existed?
MM: The pandemic has really exposed, a lot of glaring holes we have in the US when it comes to identity and particularly online identity. I've been watching the news and I see people lined up to file for unemployment benefits.
From a public health standpoint you would expect more people to be doing that online and really what's happened online is, unlike in several countries that have national IDs, where you're using a smart card to log in or something like that, our system is very fragmented so the process can be pretty bad.
Some states may not be doing the normal due diligence to process the claims, because they're just so overwhelmed. They might be processing the applications without doing a thorough check on the person's identity.
I believe that the sheer numbers have kind of opened the floodgates to the fraudsters realizing that there's a lot of data out there. Some of the systems, they'll rely upon knowledge based authentication if they're doing an online application. In those instances where you know they'll be asking for information that's on your credit report, given the vast number of breaches that have occurred over the last few years that information is readily available. So people can either steal an identity, or they can kind of piece together a real identity and fictitious identity and create what they call a synthetic identity.
BN: How can systems be made safer to prevent identity fraud?
MM: I think what really needs to be done is that the process itself to apply for unemployment benefits needs to be improved. We do a lot of work with banks and we do a lot around digital account opening. Banks are always trying to be in the lead when it comes to these types of technology solutions, in part because they tend to the have money to implement them. But right now it really is on the state governments to improve their application process.
When you apply for benefits most people have a government ID -- not everyone -- but you see if you have a solution that meets the needs of 80 to 90 percent of the population that is applying for unemployment benefits that can be done remotely. So somebody could go to a website to apply, or they could download an app from the State, from a web store that's published by the by the state unemployment office, and then they could answer some KBA (Knowledge Based Authentication) questions on it.
What the banks are doing today is leveraging digital identity verification solutions with biometrics to check the identity of the individual. The same thing could be done for unemployment benefits so you have your your mobile phone, you can take a photo of your government issued ID, in most cases a driver's license or a passport. That ID would be verified on the back end, using some technologies that verify it is a real driver's licence a -- few security features that it has the same text the holograms are where they should be, etc. And then the photo itself could be matched to a selfie picture using biometric verification.
The end game would be having the states have their systems in place so that a driver's licence that's presented that has a unique identifier that the state issues and they could match that to their own or vehicle database to verify that that person is who they say they are. That would be a tremendous improvement I think that we would really cut down on a lot of the fraud. That can happen if it meets the needs of, 80, to 90 percent of the outcomes, you're not going to improve the process tremendously and can save taxpayers a lot of money.
BN: Could this type of process be used elsewhere?
MM: The process that I just described can be used for lots of different for markets. I read an article the other day about about companies that are hiring during the pandemic. They could use a similar process for remote onboarding of new employees to make sure the person is who they say they are. This could also be used in healthcare and tele-health for a new patient with a healthcare provider to prove who they are to that provider to make sure their records don't get confused with somebody else.
BN: Has GDPR and other similar legislation that's been introduced around the world made people focus more on privacy issues?
MM: It has paved the way for a lot of privacy legislation around the world. In the US we have the California Consumer Privacy Act which is due to go into effect in July. But in my opinion I think privacy laws fall tremendously short. When it comes to the protection aspect for example, there's really nothing in GDPR that requires anybody to protect personally identifiable information with, say two-factor authentication. I think that's a tremendous opportunity for governments around the world, to have technical standards that folks have to comply with and that does require two-factor authentication. It would be nice if GDPR and some of these other laws had technical standards that organizations had to comply with to at least set the floor.
BN: Will we see other US states introducing legislation similar to CCPA?
MM: In the US it's a bit of a mess, Washington State had a bill that didn't pass. I know New Hampshire has a bill, I believe the New York bill didn't pass either, but that doesn't mean they won't be reintroduced. It's going to create a real burden for organizations to comply with potentially 50 different privacy regulations, which will not all look the same.
What's happening right now in the US is that there is a couple of bills at the federal level. There was one introduced in the Senate, and similar bill in the House of Representatives. Those are of working their way through very slowly given the pandemic, but what folks are kind of hoping is that there will be federal legislation that would be overarching so organizations will not have to comply with many state laws.