Many prognosticators have pronounced privacy a pipe dream. With the mountains of personal information on social networks and the lack of security awareness by many users, cybercriminals have more than a snowball’s chance to grab anyone’s identity.
However, there are new ideas for counteracting identity theft that would take into account a person’s physical attributes to add another layer of security. The idea of using a fingerprint reader to log on to a smartphone isn't new, but the latest wrinkle is to incorporate the pressure with which that finger types on the phone.
More than 41 million Americans have had their identities stolen, and millions more have had their personally identifiable information (PII) placed at risk through a data breach, according to a Bankrate.com survey of 1,000 adults conducted last month.
Keir Breitenfeld, senior business consultant at Experian, said that the continued use of “shared secrets” or static data points, such as Social Security numbers, usernames and passwords, to verify identities and authenticate consumers creates a clear problem for users and companies alike – the perpetuation of fraud. “These pieces of PII are highly valuable, making them a top target for cybercriminals. A solution to this problem is the use of dynamic data, either on its own, or in combination with static factors,” he said.
Currently, 1.9 million records containing PII are compromised every day, leaving millions of people vulnerable to fraud. Additionally, according to Javelin’s 2017 Identity Fraud Study, identity fraud impacted 15.4 million victims in the United States in 2016, with the incidence rate increasing by 16 percent from 2015.
Breitenfeld said many companies use a form of authentication called identity element verification and validation. This traditional approach to authenticating individuals uses identity elements (for example Social Security number, date of birth, name, address) provided by an applicant and then compares these data points to data from trusted sources, such as credit bureaus. “Problematically, most of this data has already been stolen, making this form of authentication unreliable,” he said.
Ryan Zlockie, global vice president of authentication at Entrust Datacard, noted that an example of continuous authentication is the amount of pressure applied when typing, scrolling and swiping, which could be matched against the user’s typical behavior. Another authentication pattern could be the time spent on a session or transaction. For example, the timing of the session contrasted with the actions completed can indicate whether answers are quickly being cut and pasted or typed out by hand. Or the cadence of typing can be used as a behavioral authentication tool that collects timing information describing exactly when each key was pressed and released as a person is typing at a computer keyboard. This cadence can be captured continuously, not just when a user first logs into a system or service.
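The typing-cadence check described above can be sketched as follows. This is an added example, not code from Entrust Datacard or from the article; the function names, the threshold, the spread floor and the sample timings are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

MIN_SPREAD_MS = 10   # assumed floor on per-feature spread, in milliseconds
THRESHOLD = 2.0      # assumed cut-off; a real system tunes this on its own data

def features(events):
    """events: [(key, press_ms, release_ms), ...] in typing order.
    Returns dwell times (how long each key is held) followed by flight
    times (release of one key to press of the next)."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Per-feature (mean, spread) profile from repeated typings of one phrase."""
    columns = zip(*(features(s) for s in samples))
    # Floor the spread so a very consistent typist does not divide by ~0.
    return [(mean(c), max(pstdev(c), MIN_SPREAD_MS)) for c in columns]

def score(profile, events):
    """Mean absolute deviation from the profile, in units of spread."""
    vec = features(events)
    if len(vec) != len(profile):
        return float("inf")  # different key count: not comparable, treat as mismatch
    return mean(abs(v - m) / s for v, (m, s) in zip(vec, profile))

def is_consistent(profile, events, threshold=THRESHOLD):
    return score(profile, events) <= threshold

def typed(keys, dwells, gaps):
    """Build constructed sample events from hold times and inter-key gaps."""
    t, out = 0, []
    for i, key in enumerate(keys):
        out.append((key, t, t + dwells[i]))
        t += dwells[i] + (gaps[i] if i < len(gaps) else 0)
    return out

# Constructed data: three enrollment typings of "pass", then two new attempts.
PROFILE = enroll([
    typed("pass", [95, 110, 80, 85], [120, 140, 60]),
    typed("pass", [100, 105, 85, 90], [130, 135, 65]),
    typed("pass", [90, 115, 75, 80], [125, 145, 55]),
])
SAME_USER = typed("pass", [98, 108, 82, 88], [122, 138, 63])
OTHER_USER = typed("pass", [60, 70, 150, 55], [250, 40, 200])

if __name__ == "__main__":
    for name, attempt in (("same user", SAME_USER), ("other user", OTHER_USER)):
        print(name, round(score(PROFILE, attempt), 2), is_consistent(PROFILE, attempt))
```

Because the score is computed from press and release timestamps alone, the same comparison can be repeated on each new stretch of typing during a session rather than only at login.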