At an event in Indianapolis two weeks ago a banker in the audience ardently challenged me over the transparency of social networks and the subsequent risk of identity theft. There are a lot of identity theft specialists who will warn you of the risks of exposing your identity on social networks and the possibility of compromising your personal information. This is becoming a common bandwagon, that of the risk of exposure via social media – the big bad Internet is the real problem! How do we solve it? How do we educate our audience so they stop giving their personal information away?
The problem with this approach is that it is simply getting easier, not more difficult, to find out personal information about individuals and use this to create a bank account or similar based on their identity. The efforts of banks to ensure I am really me are also getting more than a little ludicrous and frustrating. Recently I endeavored to open an account in the US with a global bank that I have a relationship with in two other countries. As part of the process of the KYC identity checking, I was asked to provide 3 months’ worth of bank statements from the account I held with the same bank in Hong Kong, along with proof of a permanent residential address. It turns out in the end that in order to satisfy the KYC criteria of the bank it was easier to get my father in Australia to open a utility account in my name, so that it would appear I had a permanent offshore address, even though I have not lived in Australia since 1999. I was forced to game the process because it was the only way my identity was acceptable from a policy perspective based on my passport.
Our notion of Identity, as embedded and enforced through KYC rules and bank policy, and our attempts to protect that fragile identity through firewalling personal details is laughable in today’s environment. The era of the identity based on a data profile is clearly at an end.
Phenomena like social media and networks, increased transparency and visibility of your personal details, and phishing attacks are not going away. The reality is that thinking you can rein in social media so that it reduces the incidence of identity theft is a fool’s errand. Educating customers on the perils of sharing their personal information is a losing battle. There are two reasons for this:
The thought that I will stop registering for services and such online, or that one day soon digital natives will wake up and realize what a terrible mistake they’ve made by exposing their lives online through Facebook, Twitter, and Google+ – is simply naïve.
How many passwords do you have to remember? Security experts around the world have long recognized that, because of the way our memory works and the load of having to remember so many login details, customers increasingly choose the same passwords and IDs for multiple properties. The problem is that when you ask me to remember more and more passwords, this actually makes systems less secure over time.
The weakest link is actually the individual and our flawed memory. If I use the same password at multiple sites, the risk of one system intrusion being responsible for the compromise of a range of websites increases.
The fact is, the systems we use today to verify someone’s identity are massively flawed based on growing exposure and increasing transparency of personal information. Data Privacy laws in various jurisdictions are a nice idea, but when the main risk of exposure is the customer themselves sharing information through a ‘phished’ website or at a site with weak security infrastructure, privacy is no longer a legal solution.
One of the banks I use recently called me to verify some transactions that had taken place on my debit card. Although they called me, I was required to verify my details with them to prove who I was – all the information they asked me was pretty easy to source (address, ID number, etc). The ironic thing was that when I asked to verify who they were, they were incredulous – “But, we’re your bank!” I could have been giving my details over the phone to an identity thief for all I knew. In the end they gave me a number to call back – although that could have easily been mimicked as well.
The only way to change this is to create a digital identity construct that is far more secure than being based on data that could be readily stolen, phished, compromised or willingly given by accident. We need to create an identity based on characteristics that are much more difficult to compromise. The only current technology that would seem to provide that security is biometrics.
Banks as an industry and governments themselves are in a unique position to provide this layer of trusted identity management. They already have strong security platforms, broad availability, strong data management policies, and the ability to capture the biometric data points.
In reality, though, someone like Facebook or Google would be more likely to create a common identity platform, because they understand that customer behavior means you can’t prop up an outdated, outmoded KYC and identity model. It’s just one more reason why banks in the future are unlikely to own the customer.
© 2019 Breaking Banks