What was the color of the car you owned in 2005?
Still remember it?
Probably not. But you can bet someone knows — that someone being a fraudster. And that fact — shared by Cognito CEO Alain Meier during a recent PYMNTS interview centered around changes in digital ID – serves to show the weakness of knowledge-based authentication.
“We used to provide a knowledge-based authentication system, but we found that the fraudsters, on average, were better able to answer the questions than were individuals,” he said. “They had a higher match rate, a higher success rate.” You can thank the information stolen during data breaches for that, he said: “They essentially were working from an answer key.”
And that is why they probably knew more about the color of your car back in 2005, or whenever, than you would know now.
Post-Equifax World
As shown by recent news involving the aftermath of the Equifax breach — the company reportedly is nearing a $700 million settlement for the breach, which impacted some 143 million people worldwide — online fraud defenses are in need of constant work. But any company that introduces unneeded friction into the process risks alienating consumers. As Meier told it to PYMNTS, that provides an opening for a concept called gradual verification.
Requiring consumers to provide a basket load of personal data to sign into web services worked well in the 1990s and early 2000s, he said, when people and companies were still trying to figure out how the internet worked, and today’s fraud concerns were not top-of-mind.
But as the 2020s loom, such a process not only seems cumbersome — who likes filling out all those digital information forms? — but can also provide advantages to any criminals who come in possession of such data. And the need to be seamless is even more important now than it was then — significantly more so, given the competition out there.
“Now, merchants are trying to squeeze every last basis point out of their conversion rate,” Meier told PYMNTS. There is no room for friction unless it’s absolutely necessary — and consumers understand why it’s there.
As Meier described it, gradual verification collects just as much personal data from a consumer that is needed to perform a specific digital or mobile task. “The system helps you collect the least amount of data from the largest number of users,” he said. Meier noted that 80 percent of consumers can be verified by their names and numbers, though more information can be collected depending on the specific use case. “The worst-case scenario is asking someone for all their information,” he said. “The worst-case scenario in our system is the status quo for most providers.”
This is not Cognito’s first attempt to add strength to digital ID and verification by using a newer approach. As PYMNTS has covered, phone numbers can provide a treasure trove of information about a consumer who is trying to sign up for a new banking account, onboard to an online service or open an account with an online merchant. A person’s phone number, according to Meier, can serve as a reliable path toward frictionless, secure interactions between consumers and banks, payment service providers and other organizations.
Phone Number Ubiquity
In fact, more than 95 percent of people in the U.S. possess phone numbers. Not only have people demonstrated little or no reluctance to share their phone numbers in public (a trait not enjoyed by many other identifying credentials), but the ubiquitous phone number ties into many other types of personal data that can be used for electronic ID verification — including, but not limited to, addresses, dates of birth and Social Security numbers.
The move toward new forms of ID verification comes as regulators and politicians increase their focus on data security in the wake of Equifax and other breaches. Meier said there is serious pressure to move further away from knowledge-based authentication methods and even Social Security numbers. In fact, he expects significant change in this general space to unfold over the next two to three years.
Certainly, biometrics will play an increasingly important and visible role in those efforts. But so, too, could new methods of online verification.