More than ever before, there may now be credence in the view that the majority of consumers’ personally identifiable information (PII), user names and passwords, and even some authentication tokens have been, or are, at risk of compromise. Between sophisticated hacking schemes and regularly reported (and sometimes unreported) data breaches, those charged with implementing and maintaining identity authentication and management systems must assume this to be true. In doing so, the need for layered authentication becomes readily apparent. Layered authentication can mean many things to many people, but I would offer it up as diversifying authentication and risk assessment techniques and processes across multiple elements and attributes throughout the customer lifecycle. These elements and attributes, and their corresponding techniques, can include:

- traditional PII validation and verification
- identity transaction link analysis and risk attribute derivation
- credit and non-credit data and risk attributes
- identity risk scores
- knowledge-based authentication question performance
- device intelligence and risk assessment
- credentials
- biometrics

These should be layered proportionally by inherent risk per application, addressable population, transaction history and types, current transaction, and access channel, for example. Industry guidance such as the FFIEC Guidance on Authentication in an Internet Banking Environment is a solid foundational direction that calls out the need for institutions to move beyond simple device identification — such as IP address checks, static cookies and challenge questions derived from customer enrollment information — to more complex device intelligence and more complex out-of-wallet identity verification procedures. I would suggest that while this is a great start, it is by no means comprehensive.
Institutions across all markets, both private and public sectors, should be exploring all available services and technologies in an effort to reduce reliance on one or only a few methods of authentication and identity management, particularly, again, on the assumption that the one method an institution may rely on could be greatly weakened or rendered worthless if subject to mass compromise. Make sure to read our Comply whitepaper to gain more insight on regulations affecting financial institutions and how you can prepare your business.
As I’m sure you are aware, the Federal Financial Institutions Examination Council (FFIEC) recently released its “Supplement to Authentication in an Internet Banking Environment”, guiding financial institutions to mitigate risk using a variety of processes and technologies as part of a multi-layered approach. In light of this updated mandate, businesses need to move beyond simple challenge and response questions to more complex out-of-wallet authentication. Additionally, those incorporating device identification should look to more sophisticated technologies well beyond traditional IP address verification alone. Recently, I contributed to an article on how these new guidelines might affect your institution. Check it out here, in full: http://ffiec.bankinfosecurity.com/articles.php?art_id=3932 For more on what the FFIEC guidelines mean to you, check out these resources, which also give you access to a recent Webinar.
Lately there has been a lot of press about breaches and hacking of user credentials. I thought it might be a good time to pause and distinguish between authentication credentials and identity elements. Identity elements are generally those bits of metadata related to an individual: name, address, date of birth, Social Security Number, height, eye color, etc. Identity elements are typically used as one part of the authentication process to verify an individual’s identity. Credentials are typically the keys to a system that are granted after someone’s identity elements have been authenticated. Credentials then stand in place of the identity elements and are used to access systems. When credentials are compromised, there is risk of account takeover by fraudsters with malicious intent. That’s why it’s a good idea for all businesses to layer in risk-based authentication techniques along with credential access. But for financial institutions, the case is clear: a multi-layered approach is a necessity. You only need to review the FFIEC Guidance on Authentication in an Internet Banking Environment to confirm this fact. Boiled down to its essence, the latest guidance issued by the FFIEC is rather simple. Essentially it’s asking U.S. financial institutions to mitigate risk using a variety of processes and technologies, employed in a layered approach. More specifically, it asks those businesses to move beyond simple device identification — such as IP address checks, static cookies and challenge questions derived from customer enrollment information — to more complex device intelligence and more complex out-of-wallet identity verification procedures. In the world of online security, experience is critical. Layered together, Experian’s authentication capabilities (including device intelligence from 41st Parameter, out-of-wallet questions and analytics) offer a more comprehensive approach to meeting and exceeding the FFIEC’s most recent guidance.
More importantly, they offer the most effective and efficient means of mitigating risk in online environments, ensure a positive customer experience, and have been market-tested in the most challenging financial services applications.
Many compliance regulations such as the Red Flags Rule, USA PATRIOT Act, and ESIGN require specific identity elements to be verified and specific high-risk conditions to be detected. However, there is still much variance in how individual institutions reconcile referrals generated from the detection of high-risk conditions and/or the absence of identity element verification. With this in mind, risk-based authentication (defined in this context as the “holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time”) offers institutions a viable strategy for balancing the following competing forces and pressures:

- Compliance – the need to ensure each transaction is approved only when compliance requirements are met;
- Approval rates – the need to meet business goals in the booking of new accounts and the facilitation of existing account transactions;
- Risk mitigation – the need to minimize fraud exposure at the account and transaction level.

A flexibly designed risk-based authentication strategy incorporates a robust breadth of data assets, detailed results, granular information, targeted analytics and automated decisioning. This allows an institution to strike a harmonious balance (or at least something close to that) between the need to remain compliant, the need to approve the vast majority of applications or customer transactions and, oh yeah, the need to minimize fraud and credit risk exposure. Sole reliance on a binary assessment of the presence or absence of high-risk conditions and identity element verifications will, more often than not, create an operational process that is overburdened by manual referral queues, and leave an unnecessary proportion of viable consumers unable to be serviced by your business.
Use of analytically sound risk assessments and objective and consistent decisioning strategies will provide opportunities to calibrate your process to meet today’s pressures and adjust to tomorrow’s as well.
Experian’s Fraud and Identity Solutions team recently conducted a webinar entitled: “A risk-based approach to finding opportunity in today’s market: New approaches to fraud, compliance, and operational efficiency in an evolving economy.” I specifically discussed the current business drivers and fraud trends we, as a consumer and commercial authentication services provider, hear most often from our existing and potential clients. I was encouraged to have the following forces validated by our audience, and I thought they’d be worth sharing with you via this forum. In what I believe to be rank order, with the most influential first:

1. Customer experience is king. The addressable market for most of our clients is effectively an ever more limited pool of viable consumers. From the consumer’s perspective it’s a ‘buyer’s market’. ‘Good’ consumers know they are ‘good’, and those 750 scorers don’t tolerate poor customer service.
2. Risk-seeking credit policies may be making a comeback. Many of our clients are starting to heal from the past few years, and are ready to get back on the bike. However, this does open the door more widely for application fraud activity and risk. New products and associated solicitations and access channels translate to higher risk, as fraud prevention and fraud detection processes may be less robust in the early launch stages and certainly less time-tested.
3. Human and IT resources are still in short supply. As these new channels open and fraud risk increases, the necessary fraud prevention and authentication-oriented resources are still overly constrained and often lag significantly behind the recovery-minded marketing minds.
4. Regulatory pressures continue to equate to higher operational costs, in the form of fraud referral rates, process engineering, and human intervention and activities, not to mention the opportunity costs associated with denial of service to those ‘good’ consumers I just mentioned.
So, hosted services and solutions are where it’s at these days. Our clients want their vendors, including us at Experian, to save their IT resources, deliver quicker-to-market services such as fraud models, knowledge-based authentication and other authentication tools, and provide collective capabilities that would otherwise be years away if left to the mercy of their internal development queues. All products and processes are under review, as you might imagine. Cost control is no longer a back-burner policy and focus. ROI is the key metric these days, likely above any other. Our clients demand flexible tools that can be deployed at multiple process points and across multiple business units. Blanket policies (including fraud prevention and authentication) are no longer good enough. Our clients’ tailored products, access channels, and market segmentations require the same level of unique design in the products we deliver.
The U.S. Senate passed legislation recently that would exempt certain businesses from complying with the Red Flags Rule. Sponsored by Senator John Thune (R-SD), the bill (S. 3987) creates an exception to the Red Flags Rule for businesses that do not advance funds to a customer. The bill would, for example, redefine the term “creditor” as currently described under the Red Flags Rule guidelines, to apply only to those businesses who advance funds to, or on behalf of, a customer, based upon an obligation to repay those advanced funds. The legislation also still provides the Federal Trade Commission with authority to require certain organizations to comply with the Red Flags Rule. The legislation now moves to the U.S. House of Representatives, where the chamber must approve the bill before the end of the year in order for the bill to become law. This may relieve many businesses in industries such as law practices, healthcare providers (particularly solo practitioners), and perhaps some service providers in telecommunications and utilities. However, it is likely that many businesses in the utilities space will still fall under Red Flags Rule enforcement, given that they access consumer credit profiles in many of their application processing procedures. Again, one has to wonder what the original intent of the Red Flags Rule was. If it was to protect consumers from identity theft and other fraud schemes via a robust identity theft prevention program, then vastly narrowing the businesses to which potential enforcement applies seems counter-productive. Whether or not funds are advanced doesn’t necessarily add to or reduce the risk of fraud as much as the actual obtainment of accounts and services with identity information…regardless of industry. More to follow…
As the December 31st deadline approaches for FTC enforcement of the Red Flags Rule, we still seem quite a ways off from getting out from under the cloud of confusion and debate related to the definition of ‘creditor’ under the statutory provisions. For example, the Thune-Begich amendment to “amend the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors” looks to greatly narrow the definition of creditor under the Rule, and therefore narrow the universe of businesses and institutions covered by the Red Flags Rule. The question remains, and will remain far past the December 31 enforcement deadline, as to how narrow the ‘creditor’ universe gets. Will this amendment be effective in excluding those types of entities generally not in the business of extending credit (such as physicians, lawyers, and other service providers) even if they do provide service in advance of payment collection or billing? Will this amendment exclude more broadly, for example ‘buy-here, pay-here’ auto dealers who don’t extend credit or furnish data to a credit reporting agency? Finally, is this the tip of an iceberg in which more entities opt out of the requirement for robust and effective identity theft prevention programs? So one has to ask whether the original Red Flags Rule intent to “require many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or ‘red flags’ – of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts” still holds true. Or is the idea of protecting consumer identities only a good one when it is convenient? The exemption doesn’t appear to be linked with fraud risk, as healthcare fraud, for example, is of major concern to most practitioners and service providers in that particular industry.
Lastly, from an efficiency perspective, this debate would likely have been better timed at the drafting of the Red Flags Rule, and prior to the implementation of Red Flags programs across industries that may be ultimately excluded.
As E-Government customer demand and opportunity increases, so too will regulatory requirements and associated guidance become more standardized and uniformly adopted. Regardless of credentialing techniques and ongoing access management, all enrollment processes must continue to be founded in accurate and, most importantly, predictive risk-based authentication. Such authentication tools must be able to evolve as new technologies and data assets become available, as compliance requirements and guidance become more defined, and as specific fraud threats align with various access channels and unique customer segments. A risk-based fraud detection system allows institutions to make customer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a customer’s identity and predicted likelihood of associated identity theft. To implement efficient and appropriate risk-based authentication procedures, the incorporation of comprehensive and broadly categorized data assets must be combined with targeted analytics and consistent decisioning policies to achieve a measurably effective balance between fraud detection and positive identity proofing results. The inherent value of a risk-based approach to authentication lies in the ability to strike such a balance not only in a current environment, but as that environment shifts as do its underlying forces. The National Institute of Standards and Technology, in special publication 800-63, defines electronic authentication (E-authentication) as “the process of establishing confidence in user identities electronically presented to an information system”. Since, as stated in publication 800-63, “individuals are enrolled and undergo an identity proofing process in which their identity is bound to an authentication secret, called a token”, it is imperative that identity proofing is founded in an approach that generates confidence in the authentication process. 
Experian believes that a risk-based approach that can separate valid from invalid identities using a combination of data and proven quantitative techniques is best. As “individuals are remotely authenticated to systems and applications over an open network, using a token in an authentication protocol”, enrollment processes that drive the ultimate provision of tokens must be implemented with an eye towards identity risk, and not simply as a series of checks against one or more third-party data assets. If the “keys to the kingdom” are housed in the ongoing use of tokens provided by Credential Service Providers (CSP) and the credentials bound to those tokens, trusted Registration Authorities (RA) must employ highly predictive identity proofing techniques designed to segment true, low-risk identities from identities that may have been manipulated, fabricated, or are in true form subject to fraudulent use, abuse or victimization. Many compliance-oriented authentication requirements (e.g. USA PATRIOT Act, FACTA Red Flags Rule) and the resultant processes hinge upon identity element (e.g. name, address, Social Security number, phone number) validation and verification checks. Without minimizing the importance of performing such checks, the purpose of a more risk-based approach to authentication is to leverage other data sources and quantitative techniques to further assess the probability of fraudulent behavior.
Experian recently contributed to a TSYS whitepaper focused on the various threats associated with first-party fraud. I think the paper does a good job of summarizing the problem, and points out some very important strategies that can be employed to help both prevent first-party fraud losses and detect those already in an institution’s active and collections account populations. I’d urge you to have a look at this paper as you begin asking the right questions within your own organization. The bad news is that first-party fraud may currently account for up to 20 percent of credit charge-offs. The good news is that scoring models (using a combination of credit attributes and identity element analysis) targeted at various first-party fraud schemes such as Bust Out, Never Pay, and even Synthetic Identity are quite effective in all phases of the customer lifecycle. Appropriate implementation of these models, usually involving coordinated decisioning strategies across both fraud and credit policies, can stem many losses either at account acquisition, or at least early enough in the account management stage to substantially reduce average fraud balances. The key is to prevent these accounts from ending up in collections queues where they’ll never have any chance of actually being collected upon. A traditional customer information program and identity theft prevention program (associated, for example, with the Red Flags Rule) will often fail to identify first-party fraud, as these are founded in identity element verification and validation, checks that often ‘pass’ when applied to first-party fraudsters.
The overarching ‘business driver’ in adopting a risk-based authentication strategy, particularly one that is founded in analytics and proven scores, is the predictive ‘lift’ associated with using scoring in place of a more binary rule set. While basic identity element verification checks, such as name, address, Social Security number, date of birth, and phone number, are important identity proofing treatments, when viewed in isolation they are not nearly as effective in predicting actual fraud risk. In other words, the presence of positive verification across multiple identity elements does not, alone, provide sufficient predictive value in determining fraud risk. Positive verification of identity elements may be achieved in customer access requests that are, in fact, fraudulent. Conversely, negative identity element verification results may be associated with both ‘true’ or ‘good’ customers as well as fraudulent ones. These false positive and false negative conditions lead to a lack of predictive value and confidence, as well as inefficient and unnecessary referral and out-sort volumes. The most predictive authentication and fraud models are those that incorporate multiple data assets spanning traditionally used customer information categories, such as public records and demographic data, but also utilize, when possible, credit history attributes and historic application and inquiry records. A risk-based fraud detection system allows institutions to make customer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a customer’s identity and the predicted likelihood of associated identity theft, application fraud, or other fraud risk.
To implement efficient and appropriate risk-based authentication procedures, the incorporation of comprehensive and broadly categorized data assets must be combined with targeted analytics and consistent decisioning policies to achieve a measurably effective balance between fraud detection and positive identity proofing results. The inherent value of a risk-based approach to authentication lies in the ability to strike such a balance not only in a current environment, but as that environment shifts as do its underlying forces.
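The following is an added example, not code from Experian or from this blog, that illustrates the contrast drawn above between a binary identity-element rule set and a layered, scored decision. The signal weights, the approve/refer/decline bands and the three sample applications are all constructed for illustration and are not a real scorecard: the point is only that a good customer with one failed element need not be referred, and an application whose elements all verify can still score as high risk once KBA performance, device intelligence and inquiry velocity are layered in.

```python
"""Toy risk-based decisioning: layered signals scored and banded, versus a
binary 'every identity element must verify' rule set.  Weights, thresholds
and the sample applications are constructed for illustration only (assumption);
they are not Experian's models or any real scorecard."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Application:
    app_id: str
    elements: Dict[str, bool]   # identity element verification results (True = verified)
    negative_file_hit: bool     # address/phone/SSN seen in prior fraud or victimization
    kba_score: float            # fraction of KBA questions answered correctly, 0..1
    device_risk: float          # device intelligence risk, 0 (clean) .. 1 (bad)
    inquiry_velocity: int       # recent applications/inquiries on this identity


ELEMENTS = ("name", "address", "ssn", "dob", "phone")


def binary_rule(app: Application) -> str:
    """Rule-set approach: any failed element or negative-file hit -> refer."""
    all_verified = all(app.elements.get(e, False) for e in ELEMENTS)
    return "approve" if all_verified and not app.negative_file_hit else "refer"


# Illustrative weights (assumption): larger = more risk contributed to the score.
WEIGHTS = {
    "element_fail": 12,   # per failed identity element
    "negative_file": 45,  # negative file / fraud database hit
    "kba": 40,            # scaled by (1 - kba_score)
    "device": 35,         # scaled by device_risk
    "velocity": 6,        # per inquiry beyond the first
}
REFER_AT, DECLINE_AT = 40, 75   # score bands (assumption), score is capped at 100


def risk_score(app: Application) -> float:
    """Combine the layered signals into one 0..100 risk score."""
    failed = sum(1 for e in ELEMENTS if not app.elements.get(e, False))
    score = (WEIGHTS["element_fail"] * failed
             + (WEIGHTS["negative_file"] if app.negative_file_hit else 0)
             + WEIGHTS["kba"] * (1.0 - app.kba_score)
             + WEIGHTS["device"] * app.device_risk
             + WEIGHTS["velocity"] * max(0, app.inquiry_velocity - 1))
    return round(min(score, 100.0), 1)


def risk_based_decision(app: Application) -> str:
    """Band the score into approve / refer (manual queue) / decline."""
    score = risk_score(app)
    if score >= DECLINE_AT:
        return "decline"
    if score >= REFER_AT:
        return "refer"
    return "approve"


def referral_rate(apps: List[Application], decide: Callable[[Application], str]) -> float:
    """Share of applications that do not auto-approve under a given strategy."""
    return sum(decide(a) != "approve" for a in apps) / len(apps)


# Constructed sample applications (assumption: not real data).
SAMPLE = [
    # A1: good customer who recently moved; address fails, everything else is clean.
    Application("A1", {"name": True, "address": False, "ssn": True, "dob": True, "phone": True},
                negative_file_hit=False, kba_score=1.0, device_risk=0.05, inquiry_velocity=1),
    # A2: stolen identity data; every element verifies, but KBA is weak,
    #     the device is high risk and the identity has been applied for repeatedly.
    Application("A2", {e: True for e in ELEMENTS},
                negative_file_hit=False, kba_score=0.25, device_risk=0.9, inquiry_velocity=4),
    # A3: negative-file hit plus two failed elements.
    Application("A3", {"name": True, "address": False, "ssn": False, "dob": True, "phone": True},
                negative_file_hit=True, kba_score=0.5, device_risk=0.4, inquiry_velocity=2),
]

if __name__ == "__main__":
    for app in SAMPLE:
        print(app.app_id, "binary:", binary_rule(app),
              "| score:", risk_score(app), "risk-based:", risk_based_decision(app))
    print("binary referral rate:", referral_rate(SAMPLE, binary_rule))
    print("risk-based referral rate:", referral_rate(SAMPLE, risk_based_decision))
```

Run as written, A1 is referred by the binary rule but approved by the score (13.8), while A2 sails through the binary rule and is declined by the score (79.5); A3 is declined outright rather than parked in a manual queue. In practice the weights and bands would come from models fitted to historic outcomes, and the bands would be tuned per channel and product rather than fixed as here.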
Well, in my last blog, I was half right and half wrong. I said that individual trade associations and advocacy groups would continue to seek relief from Red Flag Rules ‘coverage’ and resultant FTC enforcement. That was right. I also said that I thought the June 1 enforcement date would ‘stick’. That was wrong. Said FTC Chairman Jon Leibowitz, “Congress needs to fix the unintended consequences of the legislation establishing the Red Flag Rule – and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift. As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.” I think the key words here are ‘unintended consequences’. It seems to me that the unintended consequences of the Red Flag Rules reach far beyond just which industries are covered or not covered (healthcare, legal firms, retailers, etc.). Certainly, the fight was always going to be brought by non-financial institutions that generally may not have had a robust identity authentication practice in place as a baseline. What continues to be lost on the FTC is the fact that here we are a few years down the road, and I still hear so much confusion from our clients as to what they have to do when a Red Flag compliance condition is detected. It’s easy to be critical in hindsight, yes, but I must argue that if a bit more collaboration with large institutions and authentication service providers in all markets had occurred, creating a more detailed and unambiguous Rule, we may have seen the original enforcement date (or at least one of the first or second postponement dates) ‘stick’. At the end of the day, the idea of mandating effective and market-defined identity theft protection programs makes a lot of sense.
A bit more intelligence gathering on the front end of drafting the Rule may, however, have saved time and energy in the long run. Here’s hoping that December 31st ‘sticks’…I’m done predicting.
Well, here we are about two weeks from the Federal Trade Commission’s June 1, 2010 Red Flags Rule enforcement date. While this date has been a bit of a moving target for the past year or so, I believe this one will stick. It appears that the new reality is one in which individual trade associations and advocacy groups will, one by one, seek relief from enforcement and related penalties post-June 1. Here’s why I say that: The American Bar Association has already filed suit against the FTC, and in October 2009, the U.S. District Court for the District of Columbia ruled that the Red Flags Rule is not applicable to attorneys engaged in the practice of law. While an appeal of this case is still pending, in mid-March the U.S. District Court for the District of Columbia issued another order declaring that the FTC should postpone enforcement of the Red Flags Rule “with respect to members of the American Institute of Certified Public Accountants” engaged in practice for 90 days after the U.S. Court of Appeals for the District of Columbia renders an opinion in the American Bar Association’s case against the FTC. Slippery slope here. Is this what we can expect for the foreseeable future? A rather ambiguous guideline that leaves openings for specific categories of “covered entities” to seek exemption? The seemingly innocuous element of the definition of “creditor” that includes “businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later” is causing havoc among peripheral industries like healthcare and other professional services. Those of you in banking are locked in for sure, but it ought to be an interesting year as the outliers fight to make sense of it all while they figure out what their identity theft prevention programs should or shouldn’t be.
The definition of account management authentication is: keep your customers happy, but don’t lose sight of fraud risks and effective tools to combat those risks. In my previous posting, I discussed some unique fraud risks facing institutions during the account management phase of their customer lifecycles. As a follow-up, I want to review a couple of effective tools that allow you to efficiently minimize fraud losses post-application:

- Knowledge Based Authentication (KBA) — this process involves the use of challenge/response questions beyond “secret” or “traditional” internally derived questions (such as mother’s maiden name or last transaction amount). This tool allows for measurably effective use of questions based on more broad-reaching data (credit and non-credit) and consistent delivery of those questions without subjective question creation and grading by call center agents. KBA questions sourced from information not easily accessible by call center agents or fraudsters provide an additional layer of security that is more resistant to social engineering. From a process efficiency standpoint, the use of automated KBA can also reduce online session lengths for consumers, and call times, as agents spend less time self-selecting questions, self-grading responses and subjectively determining next steps. Delivery of KBA questions via consumer-facing online platforms or via interactive voice response (IVR) systems can further reduce operational costs, since the entire KBA process can be accommodated without call center agent involvement.
- Negative file and fraud database — performing checks against known fraudulent and abuse records affords institutions an opportunity to check, in batch or real time, elements such as address, phone, and SSN for prior fraudulent use or victimization.
These checks are a critical element in supplementing traditional consumer authentication processes, particularly in an account management procedure in which consumer and/or account information may have been compromised. Transaction requests such as address or phone changes to an account are particularly low-hanging fruit as far as running negative file checks is concerned.
Account management fraud risks: I “think” I know who I’m dealing with… Risk of fraudulent account activity does not cease once an application has been processed, even with the most robust authentication products and tools available. A few market dynamics are contributing to increased fraud risk to existing accounts:

- The credit crunch is impacting bad guys too! Think it’s hard to get approved for a credit account these days? The same tightened lending practices good consumers now face are also keeping fraudsters out of the “application approval” process. While that may be a good thing in general, it has caused a migration of focus from application fraud to account takeover fraud.
- Existing and viable accounts are now much more appealing to fraudsters given a shortage of application fraud opportunities, as financial institutions have reduced solicitation volume.

A few other interesting challenges face organizations with regard to their ability to minimize fraud losses related to existing accounts:

- Social engineering — the “human element” is inherent in a call center environment and critical from a customer experience perspective. This factor offers the opportunity for fraudsters to manipulate representatives to either gain unauthorized access to accounts or, at the very least, collect consumer and account information that may help them perpetrate fraud later.
- Automatic Number Identification (ANI) spoofing — this technology allows a caller to alter the displayed number from which he or she is calling to a falsely portrayed number. It’s difficult, if not impossible, to find a legitimate use for this technology. However, fraudsters find this capability quite useful as they try to circumvent what was once a very effective method of positively authenticating a consumer based on a “good” or known incoming phone number.
With ANI spoofing in play, many call centers are now unable to confidently rely on this once cost-effective and impactful method of authenticating consumers.