
Why Banks Need Consumers To Detect Imposters

By ISBuzz Team | November 9, 2016 | 5 Mins Read

In the first half of 2016 alone, there were more than one million incidents of financial fraud, an increase of 53 per cent on the same period last year, with identity fraud against individuals costing an estimated five billion pounds last year.

Identity fraud occurs when an imposter pretends to be someone else. To prevent this, banks ask customers for passwords, but judging from the fraud figures, this isn’t working and things are getting worse. The reason is simple: data cannot differentiate. A password provided by the true customer is exactly the same when that same password is provided by an impostor.

Banks need to reconsider the security practices they put in place so as to allow consumers to tackle this fraud. Rather than continuing to impose a practice that everyone acknowledges is fundamentally flawed, banks need to reach out to consumers for help.

Why banks are not doing enough

Over the past ten years or so, the response to the rise in identity fraud has exemplified Einstein’s definition of insanity: keep doing the same thing, just more of it. Passwords had to be longer, then they had to contain numbers, then upper and lower case letters, and symbols. Along the way we had to provide random characters from a ‘memorable’ word, and ‘secret’ answers to an array of personal questions.

To be fair, banks are not alone in persisting with this broken method. They inherit an information technology practice that has persisted for fifty years. Passwords were first used in a system called CTSS developed at MIT in 1961, and we’ve barely moved ever since.

Attempts to try something different have involved the introduction of card readers, dongles and using your phone to send you a PIN. This so-called two-factor authentication (2FA) is intended to make it harder for those secrets to fall into the hands of impostors. The problem is that ultimately it’s still just data, to which the golden rule applies: if you can know it, a fraudster can know it too.

Although 2FA represents an improvement, it is not widely adopted. This has been highlighted in the last month, with five of the UK’s biggest banks scoring poorly in security tests and failing to invest in systems to better protect their customers. This is not without reason: apart from the weakness inherent in using data to distinguish between customers and impostors, these methods are costly and require customers to perform awkward tasks, such as fiddling with card readers and copying PINs from one device into another.

I believe banks have been trying to solve the problem, but in the wrong way. Attempts to fix it to date have made a bad situation worse. Consumers are unwilling or unable to remember long and complex passwords and instead choose to use the same password for everything, or write it down. Consumers are also warned not to put information on social networks, such as their date of birth, where they were born, went to school… But why shouldn’t they? The real question is this: Why is any bank using personal information as a guarantor of personal identity? The current system has always been destined to fail.

Banks can help, not hinder

To increase identity protection, detect imposters and make consumers’ lives easier, banks need to disrupt the security industry, turn it on its head and drive change towards a better system. To do this, they need to consider the origins of identity itself.

People already have an excellent identity system that has been refined over thousands of years of human evolution. The ability to tell friend from foe has been a matter of survival. When someone comes in your house and you see your partner, you know it’s them. You don’t need them to wear a badge or give a password. It is all based on visual identity – our inbuilt facial recognition software, if you will.

Remarkably, information technology has overlooked this natural capability. By capitalising on visual identity, banks can help transform the practices around online identity and leave our broken system behind. A few years ago it would have been impossible to do online identity visually. However, with almost every consumer having a digital camera connected to the internet in the form of a mobile, now is the perfect moment to put this practice into place.

People know people

This means that a person requesting access can present themselves to the camera on their mobile, allowing natural, real-world identity to be brought into play. Verifying identity becomes a social activity – as it always has been. If the account holder shows up they will be recognised, but if anyone else shows up, the imposter will be detected. This not only prevents fraud from occurring, it also catches the criminal in the act – a significant deterrent.

By relying on visual identity, banks can help people protect one another from fraud using the identity system they have been using for millennia – their eyes. The reality is that organisations don’t know people, people know people. When it comes to personal identity, the customer really does know best.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
