The Problem with Static PII Identification
7 Dec 2017
We’ve all been there. You’ve logged into this site a thousand times, but today there seems to be some doubt that you are who you say you are. None shall pass before answering some security questions. What’s your mother’s maiden name? What street do you live on? Companies must put these barriers in place because they’re effective security measures. But are they?
For some insight, let’s look at Equifax. Equifax had two security roadblocks that employees had to pass to verify their identity. To access their information, they first had to enter a 4-digit PIN, and then provide some personally identifiable information (PII) – that is, answer security questions in the vein of “What is your mother’s maiden name?” or “What street did you live on as a child?” Two layers of security sounds good, right? So, what’s the problem?
As Avivah Litan commented to Brian Krebs: “That’s so 1990s.” Litan, a VP and Distinguished Analyst at Gartner Research who specializes in cybersecurity and fraud, says that relying on PII to secure users’ data makes it easy for hackers to penetrate a system. To hack Equifax employees’ data, fraudsters needed only to reset a 4-digit PIN and then answer those security questions.
If you think finding a user’s PII is something only Sherlock Holmes could do, then think again. People are cavalier with their personal information, sharing it freely even on public accounts. A Google search for a user’s social media account is often enough to find any PII. As long as websites and other online services continue to rely on these antiquated security measures, Litan believes the next big data breach is more than imminent: it’s happening as we speak.
According to Litan, the chance that any given piece of personally identifiable information is already in criminal hands is over 50%. That’s a 1 in 2 chance that a fraudster knows your mother’s maiden name! In fact, more U.S. identities have been compromised than not, especially in recent years. And this isn’t even taking into account identities that have been compromised outside the U.S., where businesses aren’t always legally obligated to report data breaches.
As a result of this alarming trend, we haven’t just seen a sharp increase in data breaches; we’ve also seen a dramatic rise in account takeover (ATO). Even though PII is so easy to find, most businesses and organizations rely on it to identify new and existing users and to execute high-risk, real-time transactions. Now that fraudsters have such easy access to PII, they can systematically test stolen credentials on sites and apps until they’re able to log into someone’s account. A shocking 1 in 2 businesses saw a rise in ATO last year.
We can no longer rely on static personally identifiable information to stem the tide of data breaches and combat account takeover. Instead, Litan and other fraud experts advocate that businesses turn to dynamic identity data to verify a user’s identity. Dynamic identification relies on behavioral data. In contrast to static solutions, dynamic fraud solutions might check to see whether the user is browsing on an unfamiliar device, whether they’re logging in from an unfamiliar location, or whether they’re clicking through a page faster or slower than usual. Rather than relying on a single data point to draw inferences, dynamic solutions examine these signals as a whole to make intelligent decisions about a user’s trustworthiness. Trustworthy users can enjoy a frictionless experience on the site, while suspicious users might have to go over a few speed bumps before they can proceed. The result is a safer online experience for everyone.
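To make the “signals as a whole” idea concrete, here is an added Python example that is not Sift Science’s code and does not describe how its platform actually scores. It takes the three signals the paragraph names (unfamiliar device, unfamiliar location, browsing pace that differs from the user’s usual), combines them into one risk score, and maps that score to tiered friction: allow, step up with extra verification, or block. The weights, thresholds, profile fields and the sample login sessions are all constructed assumptions for illustration.

```python
"""Added example (not Sift Science code): combine behavioral login signals
into one risk score and a tiered decision, rather than trusting any single
static fact such as a security-question answer."""
import math
from dataclasses import dataclass, field

# Weights and thresholds are illustrative assumptions, not values from the post.
W_NEW_DEVICE = 0.35
W_NEW_COUNTRY = 0.35
W_PACE = 0.30          # maximum contribution of a browsing-pace anomaly
T_STEP_UP = 0.30       # at or above: extra verification ("speed bumps")
T_BLOCK = 0.70         # at or above: refuse the login and raise an alert


@dataclass
class UserProfile:
    """What earlier, trusted sessions taught us about one user."""
    known_devices: set
    known_countries: set
    median_page_seconds: float   # typical dwell time per page


@dataclass
class LoginEvent:
    device_id: str
    country: str
    page_seconds: float          # dwell time per page in this session


@dataclass
class RiskAssessment:
    score: float
    decision: str                # "allow" | "step_up" | "block"
    reasons: list = field(default_factory=list)   # for analyst/audit logs


def pace_anomaly(observed: float, baseline: float) -> float:
    """0.0 when the user moves at their usual pace, 1.0 when 4x faster or
    slower; symmetric in log space so 'too fast' and 'too slow' count alike."""
    if baseline <= 0 or observed <= 0:
        return 1.0               # no usable baseline: treat as fully anomalous
    return min(1.0, abs(math.log2(observed / baseline)) / 2.0)


def assess(profile: UserProfile, event: LoginEvent) -> RiskAssessment:
    """Score the login from all signals together; no single signal blocks."""
    score = 0.0
    reasons = []
    if event.device_id not in profile.known_devices:
        score += W_NEW_DEVICE
        reasons.append("unfamiliar device")
    if event.country not in profile.known_countries:
        score += W_NEW_COUNTRY
        reasons.append("unfamiliar location")
    pace = pace_anomaly(event.page_seconds, profile.median_page_seconds)
    if pace > 0.25:
        reasons.append(f"unusual browsing pace (anomaly={pace:.2f})")
    score = min(1.0, score + W_PACE * pace)
    if score >= T_BLOCK:
        decision = "block"
    elif score >= T_STEP_UP:
        decision = "step_up"
    else:
        decision = "allow"
    return RiskAssessment(round(score, 3), decision, reasons)


def learn(profile: UserProfile, event: LoginEvent) -> None:
    """After a login completes (including a passed step-up), fold the device
    and location into the profile so the next login from them is frictionless."""
    profile.known_devices.add(event.device_id)
    profile.known_countries.add(event.country)


def demo() -> list:
    """Constructed session for one user; returns the decision per login."""
    profile = UserProfile({"dev-A"}, {"US"}, 12.0)
    session = [
        LoginEvent("dev-A", "US", 11.0),  # usual device, place and pace
        LoginEvent("dev-B", "US", 12.0),  # new laptop, everything else normal
        LoginEvent("dev-B", "US", 12.0),  # same laptop again after step-up passed
        LoginEvent("dev-C", "RO", 2.0),   # new device, new country, racing through pages
    ]
    decisions = []
    for event in session:
        result = assess(profile, event)
        decisions.append(result.decision)
        if result.decision != "block":
            learn(profile, event)
    return decisions


if __name__ == "__main__":
    print(demo())  # -> ['allow', 'step_up', 'allow', 'block']
```

Two design points are worth noting. A single unfamiliar signal (the new laptop in the second login) earns a step-up, not a refusal, which is what keeps legitimate users from being locked out; only the accumulation of device, location and pace anomalies reaches the block threshold. And the `reasons` list is returned alongside the score so that the same evidence that drove the decision lands in the audit log, which is what an analyst investigating a suspected account takeover will need.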
That’s where Sift Science comes in. The Sift Science Digital Trust Platform is a holistic and dynamic way for businesses to protect their customers from fraud and abuse, while providing trustworthy users a tailor-made online experience. It’s never been harder or more important for businesses to trust their users, and vice versa. While trust will always be important, it doesn’t have to be hard. Download our Complete Guide to Preventing Account Takeover to get started today.