Q: Online banks and online retailers are increasing their use of identity proofing as a method of fraud prevention. What exactly is identity proofing?
A: Identity proofing starts with the idea that before you give someone a password or create an online account in their name you have to verify that they really are who they say they are. This moment of first contact is a huge weak spot in the way online consumer authentification is done today by many online retailers and financial services firms.
Q: What about after the moment of initial contact?
A: Identity proofing definitely can and should be extended through the entire life cycle of an online user. This starts at account origination, then moves on to fraud detection during online transactions or the handling of lock-out conditions. It can also be applied at the moment of account termination to guarantee that the person who is trying to close my account really is me.
Q: What are the basic kinds of identity proofing?
A: There are really three kinds of identity proofing: classic knowledge-based authentification (KBA), dynamic KBA, and out-of-band proofing.
Q: How do the different types of knowledge-based authentification work, and how do they compare to each other?
A: Classic KBA is the most common and the weakest method. Everyone is familiar with it. It uses old standby questions like "What is your mothers maiden name?" or "What city were you born in?". This is the easiest kind of KBA to crack because its so easy for fraudsters to guess the answers to these questions. Dynamic KBA is an improvement on this method. Here you create questions on the fly whose answers are known to the consumer but are much harder for a fraudster to guess. For example, you go out to public records or third-party reporting agencies and get a piece of information like the amount of the consumers last mortgage or the last address they lived at. Your system would get this information in real time and wouldnt necessarily store the answer. The consumer can answer these questions on the spur of the moment, but probably not a fraudster. Dynamic KBA is not yet widely deployed, but it is becoming increasingly common. One vendor is Verid, which was recently acquired by EMC.
Q: What about out-of-band identity proofing?
A: Out-of-band proofing, or OOB as we call it, may be the most promising method because it takes verification completely outside of the vulnerable Web channel. For example, suppose I "fat finger" my password by mistyping it three times in a row and get locked out of one of my online accounts. With OOB I will get an automated phone call from the system to my phone number of record that will give me a "vouch code" or temporary new password. It can also use e-mail instead of a phone call, but thats not quite as secure. Another way to do OOB is for the system to call me or send me a text message on my cell phone telling me to call back or reply to the message. The proofing can come from the simple fact that I called back, or it can even include something extra, perhaps a biometric such as a voice print. This provides an extra layer of protection against man-in-the-middle attacks.
Q: Can any of these identity proofing methods be considered bulletproof?
A: No, unfortunately. No single method is bulletproof. Even a hardware token can be vulnerable. Smart cards are probably the most tamper resistant mechanism we have now, and even they can be attacked by malware. But its the layering of different methods that produces a level of protection that an institution can consider sufficient to meet a certain level of threat. It all depends on the context and on what you are trying to do. For example, an out-of-band proofing method that uses a phone call back to the consumer rather than an e-mail is not completely invulnerable to attack, but it is a lot harder for a fraudster to hack. Given a choice, the fraudster will probably avoid it and go after easier prey. Its like the old story about the two guys out for a walk in the woods who get attacked by a bear. One guy says to the other, "I hope we can run faster than that bear." The other guy says, "No, I just hope I can run faster than you." Online security is like that too.