The internet is broken—let’s save it by fixing the core issue

posted in: blog | 0

Payfone, 2fa, identity authentication

The internet is broken—let’s save it by fixing the core issue

Cyber scams and identity fraud continue to be a leading national issue in the United States with nearly half of Americans saying they feel ID theft is likely to cause them financial loss, and account takeover attacks alone costing Americans 62.2 million hours of lost time and $5.1 billion in monetary losses in 2017 (a 120-percent increase from 2016).
 
 
From “SIM swaps” to phone number spoofing, American businesses continue to battle fraud at an unprecedented rate. Scam robocalls, another type of identity theft attack, were the number-one consumer complaint to the FCC in 2017.
 
 
Know Your Customer (KYC) regulations intend to protect consumers from identity theft through passive verification; however, in our view, the core issue is that our nation’s dynamic digital economy is protected with honeypots of static personal information (for example, having to enter your Social Security Number in order to reset your password for an online account). This approach is no longer effective at protecting businesses and consumers as a result of numerous data breaches that have given fraudsters easy access to personal information like SSN, date-of-birth, etc. Further, relying on static personal data creates the need for additional honeypots of personal data for ongoing authentication needs. These honeypots are then breached via phishing attacks against consumers. It’s a vicious cycle.
 
 

The core issue is that our nation’s dynamic digital economy is protected with honeypots of static personal information.

 
Security should not depend on static personal data. Instead, security needs to be modernized to meet the requirements of thwarting fraud, ease-of-use, privacy based on consumer choice and controls, zero-knowledge, and compliance regulations such as KYC and AML.
 
 
Specifically, this means:

  • Removing the need to store personal data in vast honeypots; this removes the risk of data breaches
  • Anonymous tokens that can be used for authentication; this eliminates the risk around re-identifying personal data
  • Passive authentication via encryption that can be used end-to-end; removing the risk of man-in-the-middle attacks and making security easy for consumers to use by removing the need for passwords (over 80% of consumers reuse passwords, which makes one breach cascades into many more)

 
 
In our view, the EU’s GDPR provides a framework that can be used to provide American companies guidance in meeting these challenges. For example, when consumers open bank accounts, the personal data they assert, such as their identity, needs to be verified to meet Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance regulations. This can be done with the use of verification services (such as information reporting agencies and commercial databases maintained by banks, telecom service providers and utilities), but with consumer opt-in and disclosure on the type of data that is being accessed for the identity verification process (for example, via the bank’s Terms of Service and Privacy Policy).
 
 
Further, once a consumer becomes a customer, anonymous tokens can be used to KYC and verify the customer each time they access their bank account (mobile app logins, calls to call centers, password reset services, e-commerce, etc). There is no need to use personal data to secure these transactions. Instead, we advocate the use of passive authentication via encryption, anonymous tokens and risk scores. This approach combines the vision of GDPR with a “zero-knowledge” framework being advanced by the security community (more on zero-knowledge).
 
 
Payfone works with banks, healthcare organizations and insurance companies to develop KYC products that meet and often exceed regulations. Our services provide a modernized way of protecting consumers against identity theft while removing the need for the vast stores of static personal data that the internet currently relies upon. In addition to eliminating the need to store personal data, our solutions don’t require us to send personal data to our clients in order to verify identities. We believe our approach is the key to a safer, easier and better digital future–one where security, privacy and exceptional user experiences can finally coexist.