What Know Your Customer (KYC) on Steroids Looks Like
Synthetic identity fraud accounts for 80 percent of all credit card fraud losses (Source: FTC). In 2019, there were 7,098 reported breaches that exposed 15.1 billion records, which represented a 284 percent increase in records compared to 2018 (Source: Risk Based Security). On the Dark Web market, only $4 will buy a stolen Social Security Number. And for individuals with high credit scores, the bundle of Social Security Number, birth date and full name sells between $60 and $80 (Source: Atlas VPN). Basically, personal and financial information are at risk each time you and I open an account with an online merchant and start transacting.
Have you been the victim of identity theft? I’m still knocking on wood. And I am ready to do whatever it takes, so that it never happens. But the reality is that I am utterly powerless over this possibility. And if you think that a creative Amazon password with special characters will do the trick… Well, it won’t! So, what can be done to make sure a customer is indeed who he says he is?
The reality behind Know Your Customer (KYC) guidelines today
The goal behind customer onboarding is to make sure that the individual filling out the form to open a new account (1) is a real person, (2) is actually who he claims to be, and (3) that his means of payment belongs to him. Those are three critical elements that cannot be overlooked, because enrolling with a synthetic identity is as easy as 1-2-3. Did you know that according to the Federal Reserve, between 85 and 95 percent of synthetic applicants are not picked up by standard fraud models?
In the United States, the minimum requirements to open an individual financial account per the Customer Identification Program (CIP) include the following attributes: Name, date of birth, physical address and an identification number. Then, within a reasonable amount of time, the financial institution must verify the identity of the account holder by verifying physical documents and/or comparing the information provided by the customer with consumer reporting agencies, public databases, among other due diligence measures.
For a cybercriminal, it’s as easy as pie: Fraudsters easily falsify identification documents, establish a social media presence, use drop addresses, and create fake businesses to sign up with merchant processors to obtain credit card terminals and run up charges on fraudulent cards. Add to this list that credit bureaus assume that the first person to apply for a loan with a Social Security Number is its legitimate holder, and that there is no way to validate a number with the Social Security Administration.
In other words, today businesses have no way of truly knowing who their customers are.
A KYC paradigm shift does exist
The current KYC model is obviously not sustainable any longer. Yet is there an alternative that indisputably proves an individual’s identity? It involves so much more than what most customer verification models offer, especially when it comes to individuals with no credit history. And the latter matters because synthetic identities tend to be created from the SSNs of people who “didn’t have time” to build a credit history, like deceased children. So, what is required to verify an identity without a shadow of a doubt?
Our electronic identity verification system at 1Kosmos requires that a customer who opens an account present a series of documents, whether government-issued (driver’s license, passport, Social Security card) or commercially issued (bank account, credit card, loyalty card, etc.). Then, our system verifies each document against its authoritative source: In the United States, the AAMVA for a driver’s license, the State Department for a passport, the Social Security Administration for an SSN, Plaid for a bank account, and a major merchant for a credit card and loyalty card.
We require that the customer enroll further attributes like a physical address, an email address and a phone number, which we then also verify with the proper administrations.
Next, we ask that the customer perform an advanced form of biometrics called a liveness test. The latter ensures that we’re dealing with someone who is alive and not a robot.
Finally, we extract one claim from an enrolled document (usually the photo ID), and we triangulate this claim with all government-issued documents, advanced biometrics features, and multiple sources of truth involved in the process.
By doing so, we reach the highest level of identity assurance per the NIST SP 800-63-3 guidelines, IAL3, which stipulates that physical presence be required for identity proofing. The liveness test acts as physical presence for identity proofing. The process takes about twenty minutes of the customer’s time to complete, and all he or she needs is our mobile app downloaded to his or her smartphone.
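The onboarding steps above end with one claim extracted from the photo ID being triangulated against every other verified document. The following is an added example of that final check, not 1Kosmos code: document contents, issuer verification results and the liveness-match flag are constructed sample data, and the authority lookups (AAMVA, State Department, SSA) are assumed to have already run.

```python
# Added example (not 1Kosmos code): triangulate the claim from the photo ID
# across every verified, government-issued document before proofing completes.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Document:
    kind: str                  # "drivers_license", "passport", "ssn_card", "bank_account", ...
    issuer: str                # "government" or "commercial"
    full_name: str
    birth_date: Optional[date]  # None when the document does not carry a birth date
    verified: bool             # result of the check against the issuing authority (assumed done)

def normalize_name(name: str) -> str:
    # Drop punctuation, ignore case and word order so "DOE, JANE Q" equals "Jane Q. Doe".
    cleaned = "".join(ch for ch in name if ch.isalnum() or ch.isspace())
    return " ".join(sorted(part.lower() for part in cleaned.split()))

def extract_claim(photo_id: Document) -> Tuple[str, Optional[date]]:
    return normalize_name(photo_id.full_name), photo_id.birth_date

def triangulate(photo_id: Document, documents: List[Document],
                liveness_matches_photo: bool) -> Tuple[bool, List[str]]:
    """Return (ok, reasons). Every government-issued document must be verified by
    its authority and agree with the claim; the liveness selfie must match the ID."""
    reasons: List[str] = []
    if not photo_id.verified:
        reasons.append(f"{photo_id.kind}: not verified by issuer")
    claim_name, claim_dob = extract_claim(photo_id)
    for doc in documents:
        if doc.issuer != "government":
            continue  # commercial documents support payment ownership, not identity
        if not doc.verified:
            reasons.append(f"{doc.kind}: not verified by issuer")
        if normalize_name(doc.full_name) != claim_name:
            reasons.append(f"{doc.kind}: name mismatch")
        if doc.birth_date is not None and doc.birth_date != claim_dob:
            reasons.append(f"{doc.kind}: birth date mismatch")
    if not liveness_matches_photo:
        reasons.append("liveness selfie does not match photo ID")
    return (len(reasons) == 0, reasons)

# Constructed sample enrollment (all values made up for the example).
DL = Document("drivers_license", "government", "Jane Q. Doe", date(1990, 4, 2), True)
PASSPORT = Document("passport", "government", "DOE, JANE Q", date(1990, 4, 2), True)
SSN_CARD = Document("ssn_card", "government", "Jane Q Doe", None, True)
BANK = Document("bank_account", "commercial", "J. Doe", None, True)
```

A single disagreeing government document, or a selfie that does not match the ID, is enough to stop the enrollment with a specific reason.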
What beyond customer identity proofing?
Once onboarded, the customer can log in and authenticate his identity by scanning a QR code displayed on the merchant’s website and then performing a liveness test, all on his smartphone.
Our liveness test is structured as follows: First, our solution prompts the customer to blink. Our system receives instant confirmation that the first facial expression was received. The user is then asked to smile. Our system receives confirmation that the second facial expression was received. If there is indeed a liveness gesture detected, then a score based on the attributes of the liveness gestures is generated. Finally, if the liveness score meets the threshold, then authentication is granted.
The score is in part based on the liveness test the customer initially enrolled when opening an account. The merchant is then assured that the individual who accessed his website and may transact is who he says he is and will use a means of payment that truly belongs to him.
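The blink-then-smile flow above is a challenge-response check: each prompted gesture must be confirmed in order, and the resulting score is compared with the template enrolled at onboarding before authentication is granted. The following is an added example of that flow, not 1Kosmos code; the gesture attribute vectors, the similarity measure, the response window and the threshold are all constructed assumptions.

```python
# Added example (not 1Kosmos code): blink-then-smile liveness as challenge-response.
# Gesture confirmations must arrive in the prompted order within a time window, and
# the score compares captured gesture attributes with the enrolled template.
from typing import Dict, List, Tuple

PROMPTS = ["blink", "smile"]   # order in which the gestures are requested
WINDOW_SECONDS = 5.0           # assumed maximum delay allowed per prompted gesture
THRESHOLD = 0.85               # assumed minimum liveness score to grant authentication

def similarity(enrolled: List[float], captured: List[float]) -> float:
    # 1 minus the mean absolute difference of attribute values normalized to [0, 1].
    diffs = [abs(a - b) for a, b in zip(enrolled, captured)]
    return 1.0 - sum(diffs) / len(diffs)

def run_liveness(events: List[dict], enrolled: Dict[str, List[float]]) -> Tuple[bool, float, str]:
    """events: [{"gesture": "blink", "t": 0.4, "attrs": [...]}, ...] in capture order,
    t in seconds since the first prompt. Returns (granted, score, reason)."""
    if len(events) != len(PROMPTS):
        return False, 0.0, "unexpected number of gestures"
    scores = []
    last_t = 0.0
    for prompt, ev in zip(PROMPTS, events):
        if ev["gesture"] != prompt:   # wrong order: the prompted challenge was not answered
            return False, 0.0, f"expected {prompt}, got {ev['gesture']}"
        if not (0.0 <= ev["t"] - last_t <= WINDOW_SECONDS):
            return False, 0.0, f"{prompt} outside response window"
        last_t = ev["t"]
        scores.append(similarity(enrolled[prompt], ev["attrs"]))
    score = sum(scores) / len(scores)   # score built on the enrolled liveness template
    if score < THRESHOLD:
        return False, score, "liveness score below threshold"
    return True, score, "authenticated"

# Constructed enrolled template and a matching authentication session.
ENROLLED = {"blink": [0.90, 0.40, 0.60], "smile": [0.80, 0.70, 0.30]}
GOOD_SESSION = [
    {"gesture": "blink", "t": 1.2, "attrs": [0.88, 0.42, 0.58]},
    {"gesture": "smile", "t": 3.9, "attrs": [0.81, 0.66, 0.34]},
]
```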
Usernames and passwords are eliminated, and so are 2FA and other MFA solutions that rely on passwords. When you know that 81 percent of data breaches are due to password mismanagement, avoiding passwords in any shape or form dramatically reduces the risk of identity compromise.
By authenticating users through a liveness test that leverages the data used to prove the identity of the user, we reach the highest level of authentication assurance per the NIST SP 800-63-3 guidelines, AAL3.
To conclude: Beware of deep fakes?
It’s Saturday night and I watch a video of Cristiano Ronaldo giving a post-match interview. He shares with a Sky Italia journalist his dream of playing for PSG. The dialogue is real. The post-match interview is real. As a PSG fan, I am ecstatic and share the video with my friends, who in turn share it with their friends. Soon, everyone has seen it. It’s only later that I learn that Cristiano Ronaldo’s head was superimposed on another player’s body. None of it ever actually happened. This is called a deep fake.
Could a deep fake compromise a liveness test? The ability to do real-time face-swap presents many challenges. At least for now, a smartphone simply cannot handle this technologically. It would require accommodating an application that compiles tens of thousands of frames to replace the face of the defrauded customer with the fraudster’s face.
So, we can set our mind at ease… for now.