We Need to Break the Imitation Game

You have something they want. Something that is invaluable to their survival. Something that you cannot live without. But something they are prepared to take from you by trickery or even by force. And then to use against you. Your life will never be the same again.

Sounds like the trailer to the next science fiction novel or alien cinematic blockbuster, doesn't it? The reality is far closer to home.

The thing that today's criminals want is your identity (or at least enough of it to borrow and misrepresent it) or means of identification, or both. The acquisition of genuine credentials for the purpose of financial gain is big business. Billions of dollars the world over are lost to the black economy every year because of criminals successfully imitating citizens.

Many advisors in fraud and cybersecurity have long referenced the "strength at the weakest point in the chain" story, and the inevitability of mutation and migration of attacks as defenses are tightened in one place to leave another more attractive or susceptible. The allegories of the air-filled balloon (squeeze it in one place and it simply displaces the air to bulge elsewhere) or the snow-plough clearing a road (moving the snow from the direct path to build up on the sides) are highly topical here.

So what is the answer? To continue putting more and more resources to the wheels of reactive mitigation and salvage? Or to make a quantum leap in our risk management thinking and render data disclosure useless other than for the purpose for which the disclosure was originally intended?

Some may argue that the nirvana of a limitless defense against data disclosure is itself from the pages of science fiction. But I believe that it’s within our grasp — we just need to capitalize on a combination of technology, techniques and convention to start managing the criminal attacks in a different way.

Proxies for uniqueness

One's identity is made up of a series of characteristics which are, to varying degrees, the same as or different to others' characteristics. The composite of those factors is what makes each of us unique. The problem is that we have tried to distill this uniqueness into more common and more inexact means of identification: a card, a reference number, an account, etc.

Full replication of one's identity is still science fiction; but full replication of identification proxies has become pretty simple for the criminals, making it easy to imitate victims.

If I know your credit or debit card details and where you live then, without other defenses in place like FICO Falcon Fraud Manager to spot anomalous activity, I can order something through the mail or over the telephone and even, in many instances, have the goods or services provided to a completely different location. Worse still, if an e-commerce merchant or your card-issuing bank does not subscribe to digital certification (such as MasterCard SecureCode or Verified by Visa), or if you have not previously registered for digital certification, then I can use your card in online transactions too.

Even where dual or multi-channel authentication is used, such as providing a purchasing customer with a one-time access code through a different trusted channel like the mobile, some criminals have come to circumvent part of this "out of band" defense by subversively diverting calls or text messages to another number that the criminal has access to, through methods like SIM swap or call routing. Again, there are more robust defenses to this, but they are not yet widely deployed.

The future state

What we need to do, then, is to create a means of identification (and value exchange) assurance which is more closely aligned with the complex and unique sequences that make up one's identity, rather than simply relying upon those that constitute a simple identification credential.

If we can create a layered defense that starts with credential complexity, it makes the criminals' job of compromise significantly more difficult. In technology terms, this means looking at things like biometrics — and why wouldn't we, when they are already used in abundance elsewhere in society? My kids use a fingerprint scanner and reader at their Academy (secondary school) to validate their identity and access funds in an online prepaid account for payment of refreshments in the cafeteria; many border protection and immigration services use facial recognition in combination with pre-authorized passport photos to automate and speed cross-border passage.

We need to look at a more thorough and secure roll-out of tokenization. This involves creating a proxy for an otherwise susceptible identification credential; doing so in a way that is very hard to mimic; and limiting the validity of that proxy by time and event. If properly deployed, these elements make compromise less attractive to the criminal fraternity.
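The three properties named above (a proxy for the credential, hard to mimic, limited by time and event) can be shown in a small sketch. This is an added example, not code from the post or from FICO; the `TokenVault` class, the merchant names and the card number are constructed for illustration.

```python
import secrets
import time

class TokenVault:
    """Hypothetical issuer-side vault: the card number (PAN) never leaves it."""
    def __init__(self, ttl_seconds=120):
        self._ttl = ttl_seconds
        self._live = {}  # token -> (pan, merchant, amount_cents, expiry)

    def issue(self, pan, merchant, amount_cents, now=None):
        now = time.time() if now is None else now
        # Random token: carries no information about the PAN, so it cannot
        # be reversed or predicted from earlier tokens.
        token = secrets.token_urlsafe(16)
        self._live[token] = (pan, merchant, amount_cents, now + self._ttl)
        return token

    def redeem(self, token, merchant, amount_cents, now=None):
        now = time.time() if now is None else now
        # pop() makes the token single use; a failed attempt burns it too
        # (a design choice made for this sketch).
        entry = self._live.pop(token, None)
        if entry is None:
            return None, "unknown-or-used"
        pan, bound_merchant, bound_amount, expiry = entry
        if now > expiry:                       # limited by time
            return None, "expired"
        if (merchant, amount_cents) != (bound_merchant, bound_amount):
            return None, "wrong-event"         # limited by event
        return pan, "ok"

def demo():
    vault = TokenVault(ttl_seconds=120)
    pan, t0 = "4111111111111111", 1_000_000.0  # constructed test values
    out = {}
    tok = vault.issue(pan, "shop.example", 2599, now=t0)
    out["legit"] = vault.redeem(tok, "shop.example", 2599, now=t0 + 30)
    out["replay"] = vault.redeem(tok, "shop.example", 2599, now=t0 + 31)
    tok = vault.issue(pan, "shop.example", 2599, now=t0)
    out["other_merchant"] = vault.redeem(tok, "other.example", 2599, now=t0 + 30)
    tok = vault.issue(pan, "shop.example", 2599, now=t0)
    out["late"] = vault.redeem(tok, "shop.example", 2599, now=t0 + 121)
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

A token captured in transit is useless once redeemed, once the window closes, or at any merchant or amount other than the one it was issued for, which is what removes the value of the disclosure.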

We also need to move away from having credentials susceptible to compromise used in a binary fashion. Sight or record of the front and back of a card is all that is required today in many card-not-present situations in order to establish that the card is in one's possession, and yet this is manifestly not a safe convention. The thought processes need to change.

Several of us at FICO are working with advisors and contributors to this future state debate, and you will see more from us as both our thought processes and defenses evolve. It’s time to make this “imitation game” a lot harder to play.
