Some form of identity theft is at the heart of most financially-motivated fraud. A proliferation of personally identifiable information (PII) available through social media and other public sources is easily accessible to aspiring fraudsters, while the anonymity of Internet commerce and communication gives them plenty of cover. Illicit call centers troll for private identity data from unsuspecting consumers and untrained customer service agents. Identity fraud is increasingly committed by sophisticated criminal organizations operating beyond the reach of outdated laws that do not address such crimes. “Mega-breaches” resulting in theft of vast quantities of identity information occur with regularity; many we surely never hear about. Synthetic identity fraud, based on skillful creation of fictional identities, is a significant and fast-growing source of losses to fraud. In short, identity fraud and its derivative crimes cost banks, retailers, healthcare providers, governments, and ultimately consumers and taxpayers around the globe hundreds of billions of dollars every year, and this figure continues to grow.
Biometrics are rapidly making their way into the mainstream as a means to help prevent identity theft and fraud. Most visibly, we see fingerprint sensors being integrated into smart phones as a more convenient mode of secure access to a device for its owner. These devices are increasingly enabling use of biometrics towards more secure mobile payment models that aim to avoid security pitfalls of credit cards. Biometric authentication functionality provided in the recent Microsoft Windows 10 release can be used to secure access to external systems and websites, supporting fingerprint, face, and iris modalities.
Use of biometrics is growing because our fingerprints, faces, irises, and voices have special properties that make them an effective barrier to fraudsters attempting to surreptitiously impersonate us. Unlike names, ID numbers, email addresses, and passwords, they are comparatively unique, secret, permanent, consistent, difficult to reproduce, and—most notably—physically bound to us, which also happens to be very convenient.
Biometric authentication on smart phones and other devices is effective and particularly useful to their owners to prevent their fraudulent use; biometrics are the password of the future. But from the perspective of a bank, government agency, or any organization aiming to broadly reduce its exposure to identity fraud, a more universal approach is needed to have a broad impact. Here’s why:
- Much of identity fraud is committed using ‘synthetic’ identities that are not stolen but created. Authentication alone does not address this type of fraud.
- Biometric verification does not verify the authenticity of identity data; it confirms only that the person verifying is the same person who registered the data. Biometric verification on a device helps prevent a fraudster from using a stolen device to falsely claim the identity of the owner, but does not prevent the fraudster from establishing accounts with fraudulent information.
- Penetration of smart phones is growing rapidly, but is still on the order of only 36% globally (GSMA Intelligence, 2015). In places where many people still don’t use smart phones, other mechanisms are necessary to prevent identity fraud more universally.
- Authentication on smart phones is device-specific and constrained to operate as implemented by device, OS, and application suppliers. While organizations aim to standardize architecture and interfaces, biometric functionality and performance will not be universal or configurable on these devices, and will not necessarily meet the security requirements of a particular application.
Fundamentally, there are many modes of identity fraud that simply can’t be addressed by password enhancement, and types of accounts, applications, and environments that require more robust security and more trustable identity verification.
More than just “something we are”, biometrics allow us to permanently bind ourselves physically to digital information. This is a powerful capability that enables us not only to authenticate biometrically but also to deduplicate biometrically, that is, to determine through biometric search whether someone is surreptitiously attempting to establish a false identity. Said another way, identity proofing with biometric search helps assure the integrity of our identity data: that one identity represents each person, that each person has only one identity, and that the identity data associated with a biometric can be trusted.
Robust identity proofing requires the enrollee to present identity documents and information in person as part of an application or onboarding process. The process might additionally draw upon public and private data sources. A biometric enrollment and search performed as part of this process serves as a highly confident “duplicate check” to ensure that the applicant is not already registered in the system, perhaps with different identity information. If, upon enrollment, a biometric search yields a match to an identity with different information than what is being claimed, there is reason for further investigation. This is the idea behind biometric identity proofing: a means to combat identity theft at its source by ensuring the integrity of identity data at the point of enrollment.
Once a duplicate check is performed, a biometric enrollment digitally links the enrollee’s trusted unique record to them physically through their biometrics. These biometrics can then be used perpetually to prevent future attempts at false representation of their identity information by a fraudster. The process also establishes a high level of trust in the authenticity of the identity data associated with the enrolled biometrics, making them more useful for future biometric authentications. While biometric identity proofing requires additional effort to verify identity data integrity and detect duplicate enrollments, it provides yet another very effective barrier to fraud.
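The enrollment-time duplicate check described above, sketched as an added example that is not from the original article or any vendor's product. The feature vectors, cosine similarity, the 0.95 threshold and all names (`enroll`, `Record`, the sample applicants) are assumptions standing in for a real biometric matcher and its templates.

```python
import math
from dataclasses import dataclass

MATCH_THRESHOLD = 0.95  # assumed operating point; a real matcher defines its own scale

@dataclass
class Record:
    record_id: str
    identity: dict   # proofed identity data, e.g. {"name": ..., "dob": ...}
    template: list   # stand-in for a vendor biometric template

def similarity(a, b):
    """Cosine similarity, standing in for a real biometric comparison score."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def normalize(identity):
    """Compare identity fields case- and whitespace-insensitively."""
    return {k: " ".join(str(v).lower().split()) for k, v in identity.items()}

def enroll(gallery, record_id, identity, template, threshold=MATCH_THRESHOLD):
    """1:N duplicate check, then enroll only if no existing record matches."""
    scored = [(similarity(r.template, template), r) for r in gallery]
    hits = sorted((h for h in scored if h[0] >= threshold), key=lambda h: -h[0])
    if not hits:
        gallery.append(Record(record_id, identity, template))
        return {"outcome": "ENROLLED", "matched": None, "conflicts": []}
    match = hits[0][1]
    old, new = normalize(match.identity), normalize(identity)
    conflicts = sorted(k for k in old.keys() | new.keys() if old.get(k) != new.get(k))
    outcome = "INVESTIGATE" if conflicts else "ALREADY_REGISTERED"
    return {"outcome": outcome, "matched": match.record_id, "conflicts": conflicts}

def run_demo():
    """Constructed sample data: four applications against an empty gallery."""
    gallery = []
    results = [
        enroll(gallery, "R1", {"name": "Alice Example", "dob": "1980-01-01"},
               [0.90, 0.10, 0.30, 0.70]),
        # Same person, new capture, different claimed name: possible false identity.
        enroll(gallery, "R2", {"name": "Carol Sample", "dob": "1980-01-01"},
               [0.88, 0.12, 0.31, 0.69]),
        # Same person, same data in different casing: plain re-application.
        enroll(gallery, "R3", {"name": "alice  example", "dob": "1980-01-01"},
               [0.88, 0.12, 0.31, 0.69]),
        enroll(gallery, "R4", {"name": "Bob Sample", "dob": "1975-05-05"},
               [0.10, 0.80, 0.60, 0.20]),
    ]
    return results, len(gallery)
```

Only the `ENROLLED` outcome writes to the gallery, so a record flagged `INVESTIGATE` never becomes a second identity bound to the same biometric before the conflict is resolved.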
Biometric identity proofing will emerge as a key identity fraud prevention approach; a means to validate the integrity of identity information at the time of collection. It will complement biometric authentication, enabling a higher degree of trust in the validity and uniqueness of the identity being claimed.