The synthetic identity crisis calls for digital ID certificates with reliability scores

By Wes Kussmaul, Founder of The Authenticity Institute and creator of the world’s first online Encyclopedia.

In her November 9 article “Credit Repair Firms Driving $20B Synthetic ID Fraud Crisis” in the publication Bank Infosecurity, Suparna Goswami (gsuparna) notes that “Firms Help Customers Create False IDs and Promise to Improve Their Credit History.”

Thomson Reuters reports that “Synthetic Identity is the fastest growing form of identity theft with losses in the multi-billions.  Over 80% of all new account fraud can be attributed to synthetic identity fraud.  Synthetic identity fraudsters are tricky and sophisticated. They use a combination of real data and fictitious data to create a new identity.”

Synthetic identities are a huge problem for retail banking, and the extent of the problem is just starting to be recognized by the industry. Richard Parry illustrates the difficulty of detecting synthetic identities in the video on his site at https://parryadvisory.com .

With all the attention paid to multifactor authentication technology including biometrics, what gets overlooked is the enrollment part. After all, it’s easy to purchase a dozen phones, especially unlocked phones, and become a dozen new “people”, each of whom has a different name and national ID but the same fingerprint and facial image – valid fingerprint and facial image – as all the others.

One contributing factor to the problem is that in the United States and elsewhere, banking regulatory requirements call for a burdensome reporting process whenever account fraud is suspected. Thus, when the holder of an account in the name of a suspected synthetic ID has stopped making an effort to keep current, it’s less costly to treat the account as simply delinquent and write it off.

And a synthetic identity will of course at some point stop making payments on its accounts – especially in difficult economic times. After all, the creator of the synthetic identity can kill it off whenever it becomes advantageous to do so. That’s typically after it has racked up some impressive charges on its credit card.

The fact is that KYC and KYCC methods used by banks at enrollment time are insufficient. And yet, more thorough identity enrollment methods, using multiple sources of EOI – evidence of identity – can be prohibitively costly, particularly when it comes to average-sized retail banking accounts.

Some governments, including that of the USA, have realized that identity reliability is not a binary thing, that identity reliability can be represented in a quantifiable way. Industry and banking, by contrast, hold on to a binary notion of ID reliability: verified or not verified.

In the United States, the National Institute of Standards and Technology provides the NIST 800-63-3 system for assigning a numeric identity reliability score that contractors and others are required to obtain. NIST 800-63-3 identity reliability metrics make use of a variety of sources of EOI (evidence of identity).

The identity reliability score is permanently associated with the holder’s claim of identity, as represented by a digital identity certificate called a PIV credential. The military uses a similar identity reliability system for its CAC identity certificate. Governments of other countries have similar systems.

However, the resulting “Level of Assurance” score in the NIST system ends up being represented by a simple 1, 2, or 3. “1” means self-asserted, i.e., it means nothing; “2” is a score that covers such a broad range of measurements that it is effectively meaningless; while “3”, “very reliable”, is the only meaningful score.

A government agency might find a “3” score to be worth the substantial cost of enrollment for a security-intensive mission. However, if the NIST system were to be considered as a replacement for KYC and KYCC, an enrollment process producing a “3” would be justifiable only for the highest-value individual or business accounts.

Other systems are more flexible. In particular, the Osmio ID Quality Assurance, or Osmio IDQA, system offers identity reliability scoring that measures the value of the evidence behind a claim of identity in eight different ways, that is, from eight sources of EOI (evidence of identity). Each of the eight is measured on a scale of zero to nine, giving an aggregate score of up to seventy-two. While Osmio IDQA can measure the reliability of an identity claim in any system, it is designed to be used so that the eight individual scores are bound to an Osmio identity certificate. That lets any relying party, whether human or computer, know immediately the degree to which they can trust that identity claim.
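To show how a relying party might act on eight bound scores, here is an added example; it is not Osmio’s or the author’s code. The dotted score encoding, the tier names and every threshold are constructed assumptions, and the code presumes the certificate carrying the scores has already been validated.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

NUM_SOURCES = 8      # from the article: eight EOI measurements
MAX_PER_SOURCE = 9   # from the article: each on a scale of zero to nine

@dataclass(frozen=True)
class TierPolicy:
    """Hypothetical relying-party requirement for one account tier."""
    name: str
    min_aggregate: int   # minimum sum of the eight scores (0..72)
    min_each: int        # floor every individual score must meet

# Constructed thresholds for illustration, ordered strictest first.
POLICIES = [
    TierPolicy("high-value", 56, 5),
    TierPolicy("standard", 32, 2),
    TierPolicy("low-value", 12, 0),
]

def parse_scores(field: str) -> Tuple[int, ...]:
    """Parse an assumed 'd.d.d.d.d.d.d.d' field into eight scores.

    Rejects anything malformed rather than guessing, since the result
    drives an access decision.
    """
    parts = field.split(".")
    if len(parts) != NUM_SOURCES:
        raise ValueError("expected %d scores, got %d" % (NUM_SOURCES, len(parts)))
    for p in parts:
        if len(p) != 1 or p not in "0123456789":
            raise ValueError("score %r is not a single digit 0-%d" % (p, MAX_PER_SOURCE))
    return tuple(int(p) for p in parts)

def highest_tier(field: str) -> Optional[str]:
    """Return the strictest tier the scores satisfy, or None to refuse."""
    scores = parse_scores(field)
    total, weakest = sum(scores), min(scores)
    for policy in POLICIES:
        # Both conditions must hold: a high aggregate alone can hide
        # one evidence source that scored near zero.
        if total >= policy.min_aggregate and weakest >= policy.min_each:
            return policy.name
    return None

if __name__ == "__main__":
    # Constructed sample fields, not real certificate data.
    for sample in ("7.7.7.7.7.7.7.7", "9.9.9.9.9.9.9.1", "1.1.1.1.1.1.1.1"):
        print(sample, "->", highest_tier(sample))
```

The second sample has an aggregate of 64 out of 72 yet only qualifies for the lowest tier under these assumed policies, which is the kind of distinction a single 1, 2 or 3 cannot express.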

In summary,

  • An identity reliability credential that carries with it the measure of the reliability of the identity claim, based on scoring the various pieces of EOI (evidence of identity), can be permanently associated with the subject. Thus, by making it re-usable, the cost is spread among multiple relying parties. Osmio IDQA is particularly useful across a broad range of account sizes.
  • An identity certificate is superior to other forms of identity credential for a number of reasons. Particularly noteworthy is the fact that the private key associated with the certificate never leaves the user’s device, so unlike a password, even a hashed password, it can’t be captured in transit.
