Cybersecurity

Multi-layered approach to security key to protecting consumers

In recent weeks, there has been a lot of discussion on Capitol Hill about the problem of data breaches and the likelihood that consumers will fall victim to identity theft.

Members of Congress on both sides of the aisle have called for hearings and investigations. Some have proposed legislation, much of which has focused on different ways to allow consumers to freeze their credit to prevent identity thieves from opening accounts in their names.

While these are important topics for debate, they don't address the real problem: how to prevent a stolen identity from being used to commit fraud. This is a large and costly problem for consumers, businesses and government alike.

Javelin Strategy & Research estimates that identity fraud, which at its root is about monetizing identity theft, cost 15.4 million U.S. consumers a total of $16 billion in 2016 alone.

That's where Congress comes in. Congress must require government, financial services, retail, insurance, communications and other sectors to verify and authenticate the identities of their consumers on the front end of a transaction.

Simply put, they must make sure the individual on the other end of the computer or telephone line requesting a credit card, government benefit, purchase, etc., is who he or she claims to be.

That begins with requiring the private sector to use information security best practices to safeguard the identities of the consumers with whom they carry out transactions.

The current security best practice for verifying and authenticating identities is to do so using multiple layers of security, called multi-layer authentication or multi-factor authentication (MFA). Multi-layer authentication requires using two or more of the following to verify and authenticate identities:

One-time password sent to a verified user's cell phone: For example, we've all lost an account password and had to click on the "forgot password" link to reset it. When we do, a box pops up telling us that if we want to reset our password, a code will be texted to us. When we successfully enter the code, the organization accepts that we are the true identity.

Device ID technology that is linked to an individual and flagged for suspicion: Every device (phone, laptop, iPad, etc.) has a unique identification number coded into its settings. Using device ID technology, the organization can track how the device is being used.

For example, if an organization were using device ID technology, it could tell if one device had submitted 20 different applications for food stamps benefits.

Identity authentication quiz based upon a diversity of data sources: Everyone has been presented with a quiz to access an account. This technology, commonly referred to as knowledge-based authentication (KBA), enables the true user to authenticate himself/herself by answering a series of short questions that only the true individual should be able to answer.

However, it is important that the data upon which the quiz relies to generate its questions is from a diversity of data sources, rather than one source (e.g., credit report data). The reason for this is simple: The criminal may have stolen the data from one source to answer the quiz, but is unlikely to have all the data from multiple sources and will, therefore, be unable to pass the quiz.

National Institute of Standards and Technology (NIST) Level of Assurance (LOA) 3-compliant solutions that do not leverage known compromised data sources: Any identity authentication program should include these solutions, which fall into three categories: 1. something you have (e.g., device), 2. something you know (e.g., password), 3. something you are (e.g., fingerprint).

The unfortunate reality is that everyone's identity has most likely already been stolen. The criminals who buy the stolen identities on the dark web decide where and when to use them for fraud, while citizens, companies and government agencies are left to deal with the serious real-world consequences.

Consumers need Congress to require industry to step up and require multi-layer authentication to protect their identities. Will Congress answer the call?

Haywood "Woody" Talcove is CEO for LexisNexis Special Services Inc. and CEO for Government, LexisNexis Risk Solutions. LexisNexis Special Services Inc. and LexisNexis Risk Solutions sell solutions that prevent fraud in government programs, as well as other industries.
