One of the newest tools financial services firms are employing to combat fraud is digital identity verification checks.
According to Goode Intelligence, the checks conducted each year will surge from 1.1 billion in 2021 to 3.8 billion in 2026. That will produce $17.2 billion for the firms conducting them.
A market leader in the digital identity verification space is Cognito, a company recently acquired by Plaid. Cognito CEO Alain Meier said the soaring demand for such checks results from more people moving more aspects of their financial lives online. While we can attribute some growth to the COVID-19 pandemic (along with growing interest in cryptocurrencies), Meier believes the growth will long outlive the pandemic.
“The challenge for companies, then, is how to keep their customers’ identities secure while also providing a frictionless onboarding experience,” Meier explained. “We need a process that’s secure without being onerous. How do you keep people’s identities secure while also offering a quick and easy way to verify their identities online? It comes down to verifying identities via multiple methods and leaning on machine learning to make a determination in real-time.”
Several touchpoints verified in seconds
Cognito looks at several pieces of information, he added. Does the person verifying their identity have their basic identity information, like a Social Security number? Do they also physically possess their ID documents? Does the photo and information on their documents match what they’ve entered? That can be assessed in just a few seconds.
Meier said that the increased use of synthetic identities would necessitate more complex ID verification methods. Synthetic identities combine genuine identity data with fraudulent information. Its use began when the Social Security Administration started randomizing SSN assignments. That made it harder to validate some information quickly.
“Our current system of credit history is, on some level, based on trust,” Meier said. “And, frankly, we as a society aren’t well-prepared for synthetic identity thieves. Some bad actors may, for example, build up a healthy credit history over years, only to later defraud lenders, also known as breaking out. It’s hard to track because there isn’t always a specific victim – sometimes, they are defrauding the platform rather than an individual.
In addition to verifying government data, Cognito can also confirm how a user’s identity manifests itself online and offline is consistent with a standard, non-synthetic user – such as realistic social media accounts and email address histories, Meier said. Combining that with the ID and photo, the fraud risk can be dramatically reduced.
Neural networks critical
Robust neural networks are critical, Meier said. For example, Cognito’s technology isn’t fooled by printed-out photos trying to trick liveness detection. Scale also helps as Cognito has verified enough identities to warn a risk officer if, for example, someone with the same IP address has failed an ID verification before.
Meier acknowledged that such security needs could tax smaller fintechs’ technology budgets. But it is necessary if they don’t want to get crushed with fraud.
“As more neobanks and other online-first financial services companies come online, fraud for those that don’t launch with proper anti-risk tools will likely see a tremendous amount of fraud on their platforms,” Meier said. “These platforms — and the massive fundraising they attract from investors — are becoming a growing target for fraudsters in a way that wasn’t true in less aggressive funding environments.”
Stop me if you’ve heard this before, but companies putting growth before fundamentals like security will leave themselves at serious risk. With a low inventory of skilled computer programmers, the demand for low- and no-code solutions to improve efficiency accounts for talent shortage.
“Businesses will need to turn to software to fill in the gaps with increased automation,” Meier said.
‘Human in the loop’ weakness
One lesson fintechs can take from the pandemic is the weakness of “human in the loop” identity verification, Meier said, citing an unnamed identity verification company that used actual people overseas to check passengers checking in at the airport kiosks. Demand for automation of such processes will continue to grow this year, aided by the improvement in the accuracy of the software powering those solutions.
Meier said, expecting a continued stream of data breaches this year will lead companies across industries to adopt multi-factor identity verification methods during registration to protect their customers.
Lessening of risk, cost, and time to market are the fact low- and no-code integrations are involved when implementing the technology.
“If anything, using low-code or no-code technologies reduces risk,” Meier explained. “As we’ve seen with some zero-day exploits, for example, keeping your tech stack up-to-date is critical. Choosing reputable low- and no-code solutions reduces that risk because they handle keeping everything up-to-date.”
NFTs will be lifted by digital IDs
Strong digital identity verification will significantly contribute to the legitimacy of NFTs, Meier said. The main risk with NFTs is the lack of identity verification makes it easy for people to inflate the value of their digital goods artificially.
“People can – and do – sell themselves their own digital assets to drive up the price, so what looks to you like a deal might not be real,” Meier said. “It’s a huge issue as NFT platforms work to establish their legitimacy.”
What is the ideal combination of digital and biometric identifiers? Ultimately, you want a mix of both, Meier said. You must be sure people are who they claim to be, which necessitates a combination of data points and physical possession. They can verify digital identifiers instantly, and they’re easy for users signing up for a new service.
Friction cannot be introduced in the process. Fortunately, today’s technology can accomplish that. For Cognito, it takes just a few seconds to verify an identity that includes a selfie and physical documents.
“Biometrics alone can be tricky because, unlike other authentication methods, you can’t revoke your fingerprint or face if the data is ever leaked,” Meier said. “Digital identifiers have to supplement biometrics; otherwise, you may encounter ‘replay attacks’ on data.
Faking biometrics
Meier warned that another tactic to prepare for is the increased risk of fraud presentation attacks. These occur when scammers try to impersonate others using fake biometric data. Some are advanced, but many aren’t – they’re just bad actors taking advantage of unsophisticated ID verification systems.
“One example we’ve seen is people trying to circumvent the liveness or selfie verification step by holding up a computer printout of their victim over their face,” Meier said. “Increasingly, we’re also seeing the use of deep fakes to follow liveness check instructions.
There’s a reasonably straightforward way to thwart this specific type of presentation attack – ask the user to turn their head, smile, or do anything that requires motion. Then, on top of that, you layer on more advanced techniques, like analyzing the lighting, skin reflectivity, patterns seen on screens, signs of image manipulation, and others. The problem is that not every ID verification provider takes these steps.”
