If you were at the K(NO)W Identity Conference last week in Washington, DC, you would know. In a Tuesday morning keynote address, David Birch of Hyperion Consulting not only entertained the audience, but talked about the real risks and opportunities of our overly-connected world, and how the notion of identity needs to be thought about in a new context. Rather than focus on the internet of things, David posited that we should focus on the identity of things.
This of course raises many questions. How to manage identity across such a broad spectrum? What constitutes identity and how to ensure that the person transacting is really the right person when so much PII is out there for fraudsters and hackers to use?
Having been in the biometrics industry for close to 20 years, I have had these questions in mind for some time. One major challenge is identity vetting. Prior to handing out a credential, how can one be sure that it is given to a person who is not stealing or making up an identity, and that a fraudster’s fingerprint or face is not attached to someone else’s record? And then, once the credential has been provided and the person provisioned, how can one make sure it is not handed over to someone else, or that a session in use with that credential is not usurped?
In the world of behavioral biometrics, this problem translates into two main use cases: new account fraud and account takeover. In new account fraud, patterns of behavior that are more common among fraudsters are recognized without the need for any existing enrollment. These are things related to how information is entered and how familiar a user is with an application or with certain computer functions. For fraudsters, time is money, and so they become experts at filling out applications and trying to bypass identity vetting procedures. Just yesterday, Gizmodo reported that a database containing 560 million passwords had been discovered. According to news reports, it seems that most of the information it contained was compromised during other incidents at sites such as LinkedIn. It is therefore not hard to surmise that, in accessing people’s accounts, fraudsters will then gain the other information they need to impersonate them during some kind of identity vetting procedure, whether for a bank loan, a credit card application, etc.
In the account takeover use case, the person is typically fooled either into downloading malicious software onto their machine that will allow remote access, or into logging in to their account and then allowing “shared” access. The challenge in this case is that the traditional authentication methods will have worked, and the hackers will simply have gone around them. The standard tools we are using would not detect this threat.
So, back to underpants. Most of us would agree that we need them. Just as most of us would agree that we like the convenience of banking online, shopping online, managing electronic health records from the comfort of our living rooms, conducting classes remotely, and everything else that we do via our mobile devices and our computers. We do so with an expectation of trust in the handling of our personal information. There are many ways to fortify our networks and try to prevent intrusions. But the ransomware attack from last weekend should have been a real wake-up call for the institutions and organizations that manage our records: humans are ultimately where the rubber meets the road, and we ought not to be caught with our underpants down.