Another example of information that could be part of an identity hub is the attributes of operating systems. What if the language of the device’s operating system does not match what is expected for that specific identity? If one unique device is associated with different locations and languages, in addition to different personally identifiable information, there’s a clear problem, he said.
“So, this information, combined with their regular habits, creates a baseline of what people typically use their device and then compares that data to identify deviations. Everything from the resolution of the screen to the exact version of an operating system are device attributes that can help identify if an account is being used fraudulently,” Breitenfeld noted.
Multi-factor authentication is a common method of verification that uses step-up authentication treatments. These include knowledge-based authentication questions (such as security questions), one-time passwords and document verification such as selfies, e-signatures or application form fills to certify that a user is authorized to conduct a transaction.
While this method has been used for years, traditional multi-factor authentication is not as secure as some might think, Breitenfeld said. For example, when a code is sent via text, there is no way to know if the correct user is seeing the text. The phone may have been stolen or a criminal could be using a technique called mirroring to receive texts sent to a cell phone. This authentication method can be improved by adding more dynamic data, such as a selfie, to the process.
The selfie example would work such that when someone fills out an application for a product or service, he or she submits a picture of his or her driver’s license, displaying the driver's name, date of birth and address. This information is scraped from the photo and used in the application form, and it is verified by capturing the static ID info. Later, if someone has trouble logging in and fails to answer security questions, the system could ask for a selfie to compare to the user's photo already on file.
Experian also uses fraud models that enable verification processes to run a user through a variety of known fraud patterns and determine if there should be additional verification prior to confirming the person’s identity. For example, the model takes into account multiple factors that are common among cybercriminals to create profiles that help identify potential fraudsters. A consumer’s identity elements are compared to this model to determine risk for companies. A fraud model can also be adjusted to meet a company’s desired risk threshold; this frequently occurs during the holidays, when consumers are making more purchases and companies do not want to be a barrier to transactions, even though the purchase behavior is abnormal for the individual.
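A minimal sketch of the device-attribute baseline and the adjustable risk threshold described above. It is an added illustration, not Experian's model: the attribute names, weights, thresholds and sample history are all constructed assumptions.

```python
from collections import Counter

# Assumed weights: how strongly a mismatch on each device attribute counts.
WEIGHTS = {"os_language": 0.3, "os_version": 0.1, "resolution": 0.2, "country": 0.4}

# Constructed sample: device attributes seen on past logins for one identity.
HISTORY = [
    {"os_language": "en-US", "os_version": "14.4", "resolution": "1170x2532", "country": "US"},
    {"os_language": "en-US", "os_version": "14.4", "resolution": "1170x2532", "country": "US"},
    {"os_language": "en-US", "os_version": "14.4", "resolution": "1170x2532", "country": "US"},
    {"os_language": "en-US", "os_version": "14.5", "resolution": "1170x2532", "country": "US"},
]

def build_baseline(history):
    """For each attribute, the share of past logins that used each value."""
    baseline = {}
    for attr in WEIGHTS:
        counts = Counter(event[attr] for event in history)
        total = sum(counts.values())
        baseline[attr] = {value: n / total for value, n in counts.items()}
    return baseline

def deviation_score(baseline, event):
    """0.0 means the login matches the usual profile, 1.0 means nothing matches."""
    score = 0.0
    for attr, weight in WEIGHTS.items():
        seen_share = baseline[attr].get(event.get(attr), 0.0)  # unseen value -> 0.0
        score += weight * (1.0 - seen_share)
    return score

def decide(score, threshold):
    """Request step-up verification (OTP, selfie, ...) when the score reaches the threshold."""
    return "step_up" if score >= threshold else "allow"

BASELINE = build_baseline(HISTORY)
NORMAL_THRESHOLD = 0.4   # assumed everyday setting
HOLIDAY_THRESHOLD = 0.6  # assumed relaxed setting for peak shopping periods

# Constructed login: known country, but a new OS language and screen resolution.
ODD_LOGIN = {"os_language": "ru-RU", "os_version": "14.4",
             "resolution": "1920x1080", "country": "US"}

if __name__ == "__main__":
    s = deviation_score(BASELINE, ODD_LOGIN)
    print(round(s, 3), decide(s, NORMAL_THRESHOLD), decide(s, HOLIDAY_THRESHOLD))
```

The same login triggers step-up verification under the everyday threshold and passes under the relaxed one, which is the trade-off a company accepts when it raises the threshold to avoid blocking legitimate purchases.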