In an increasingly digital world, we’re constantly being
hamstrung by analogue thinking. As
individuals, our data has been given away quite freely by governments and
organisations. It would seem a huge invasion
of our privacy if our mobile phone provider told anyone who wanted to know our
personal information without any checks and balances being in place. Yet for years our fixed line provider
published huge paper directories with our names, addresses and telephone
numbers; and governments happily share our personal details through electoral
and other public registers.
In the digital age, this becomes a huge problem. The ability to link disparate data sets together
to create a rich picture of our identity makes us vulnerable to fraud. Add to this data breaches that spew further
details of our lives. The response is to tell us to change our password, or cancel our credit cards. Whilst we can fairly easily change these
attributes that create links to us, we can’t change the fundamental core of our
existence.
Synthetic identity, the process of amalgamating fake
information with real identity data, is today involved in 80% of all credit
card fraud. The true scale of the problem
is likely to be far greater as fraudsters are happy to play the long game. The effort involved in creating and growing a
synthetic identity is relatively little, because of the data that is
available. Taking information that is in
the public domain, linking it with information that shouldn’t be – either from
data breaches, phishing scams, or careless social media postings – isn’t
sophisticated. The same technology that
organisations use in their CRM systems allows fraudsters to link this to create
a “good enough” essence of identity from which to grow their synthetic version
of a real-world entity.
For example, social media companies don’t offer much in the
way of barriers to their customers creating a profile. An email and password is a fairly standard
way to get started. From this, real
world identity attributes can be linked.
In a couple of minutes I can be anyone I want to be. At this point, I’ve done nothing illegal (I
may have breached the T&Cs) though if I know the real-world identity I’m
targeting, I can lay the first foundations of my synthetic identity. If I know where my target lives, I can even
use a VPN to link the social media profile to the right location.
With bot technology, my social media profile can happily go
off and make friends, have opinions, and most importantly build lineage of my
synthetic identity. Depending on how successful
my bot is at making friends, and how much other data I can link to it from real
identity information, I can start to do other more interesting things. I might, for example, want to get a pre-pay
mobile SIM. For a few bucks I can use my
social media profile to get a mobile number to associate to my synthetic
identity. I have now built a footprint
that others trust. A few messages from
my mobile, and I can decide that it’s time for my synthetic identity to get a
credit footprint. Migrating from pre-pay
to post-pay is unlikely to trigger any fraud alerts – real people do it every
day.
Of course, at this point we do have controls. Post-pay means credit, and credit means
regulation. As my synthetic identity isn’t
real, here’s where it will fall down.
The credit check will fail – and a handy marker will be raised against
it. So now my synthetic identity has a
credit file too. More applications, more
failures, more footprint. Now I can apply
to the credit card companies who are designed for people just like my synthetic
identity. “Poor or no credit rating? Minimal
identity footprint? No problem.” Sound familiar?
At some point the fraudster needs to make money. Today, we can see that credit card fraud is
where the burst-out moment comes. Take
the cards, max the limits, burn the identity.
Yet what we don’t know is how many other identities are still being
percolated. The fraudsters may be using
their synthetic identities to make phone calls with their mobile and buy things
with their credit cards; paying their bills off each month like model credit
citizens.
The good news is that all the organisations mentioned above,
and many more besides, are tackling this problem. Technology, processes and controls are
continually evolving ways of spotting the synthetic identities amongst the real
ones. This will always be an ongoing
battle. The other issue to address is to bring about standards and interoperability for identity across these
different national, sector and organisational boundaries.
There will always be varying requirements for identity. What I need to prove, and how much assurance
is required in order to post a photo of what I had for dinner varies greatly from
the requirements for me to walk into the cockpit of the plane. Where standards are invaluable is that the
reliance placed upon a low-level process and the increment to a higher-level of
assurance are understood, controlled and properly mitigated. If all parties adhere to interoperable
standards we can have progressive assurance of identity.
Too often, the “not invented here” attitude, or competitive
advantage through lower assurance standards, serves to undermine the entire
system. Standards that allow for
innovation must become the benchmark for organisations whose data is trusted by
others within the marketplace. As digital
identity schemes become more prevalent there is an opportunity to evolve away
from the analogue processes that blight the digital world. A collective and collaborative push is
required to accelerate the rate of adoption.
If we’re to prevent fraudsters targeting the weaknesses, we need to have
collective responsibility to drive standards upwards.
The digital age allows fraudsters to play the long game – we
need to think ahead.
Unexpected Customer Behaviour - The role of self-service in your customer service strategy
Rip it up and start again - The successful Business Transformation
Too Big To Fail - Keeping the heart of your business alive
The upstarts at the startups - How startups are changing big business
One Small Step - The practice of greatness
In pursuit of mediocrity - Why performance management systems drive mediocrity
About me
Bryn Robinson-Morgan is an independent Business Consultant with interests in Identity Assurance, Agile Organisational Design and Customer Centric Architecture. Bryn has near 20 years experience working with some of the United Kingdom's leading brands and largest organisations.
Follow Bryn on Twitter: @No1_BA
Connect with Bryn on Linked In: Bryn Robinson-Morgan
Read my other posts
Let's get physical - how to get fit for the digital era by leveraging the offline world
Trust me, I know a shortcut - Digital identity is hard. Take shortcuts at your own risk
Just in Case - From early adoption to maturity
I have control - Can we truly own our identity
Tipping the balance - Getting the right balance between security and user experience
You don't know what you're doing - Poor security practices are putting users at risk
I didn't say you could touch me - Biometric authentication and identity
You don't need to tell me - Impacts of the EU General Data Protection Regulations
Coming together on being alone - The need for a clear government digital strategy
I'm not the person I used to be - Authentication for real world identities
Distributed Identity has no clothes - Will distributed ledger technology solve identity
Bring Your Own Downfall - Why we should embrace federated identity
Unblocking Digital Identity - Identity on the Blockchain as the next big thing
Tick to Agree - Doing the right thing with customer's data
The Kids Are All Right - Convenient authentication: the minimum standard for the younger generation
The ridiculous mouse - Why identity assurance must be a rewarding experience for users
Big Brother's Protection - How Big Brother can protect our privacy
I don't know who I am anymore - How to prove your identity online
Three Little Words - What it means for your business to be agile
Defining the Business Analyst - Better job descriptions for Business Analysis