Bryan Lewis, CEO of Intellicheck, has a stark take on just how severe the damage a fraudster can inflict with a few bits of information.
“People don’t realize how easy it is to steal your identity. If I can get your social media account or your email, I can change everything about your life,” he told PYMNTS CEO Karen Webster.
“I can change every password you have,” he added.
And most ominously: “I can ruin your reputation.” That’s especially true with merchants, as many as a quarter of customers are willing to abandon a retailer if they find out that their identities have been stolen through a breach with that enterprise.
Right now, there’s an arms race between the good guys and the bad guys, and the latter can find the ammunition they need — the email addresses, social media passwords and credit card data they need — to pose as someone else. The recent cyberattack at Change Healthcare is just one example, exposing sensitive data of patients and hospital systems. Lewis himself estimated to Webster that he’s been a victim of half a dozen breaches as an AT&T customer.
Best practices and vigilance help, as individuals should know that banks or call centers will not call and ask for information. The IRS doesn’t call your mobile.
“Never give anything out,” by phone, said Lewis. “Hang up, Google the phone number, call the agency.”
The raw material to steal an identity is startlingly cheap, he said — for $30 to $40, enterprising criminals and even crime rings can buy names, addresses, Social Security numbers and emails. Challenge questions and answers have been hacked, too, so knowledge-based security protocols are not as robust as they once were.
Advanced technologies are vulnerable too, Lewis said. Voice print, face prints and even facial recognition can be mimicked with artificial intelligence (AI) — so much so that banks are shying away from using voice recognition to speed customer interactions.
But there are some tools in the arsenal that are still among the strongest lines of defense. Treating everyone like a criminal, he said, in an attempt to weed out the small percentage of people who are criminals, injecting friction in the mix, is bad for business. The key, he said, is to let people prove they are who they say they are in the simplest way.
“If you can tell that a government-issued ID is real, that’s the most important step,” Lewis said. “After that, you can use the face or something else, because now we’ve tied a face or voice to an identity — and you can create an immutable token.”
There is still fragmentation at the state level about how digital IDs are created, issued and provisioned into digital wallets (many states mandate that individuals carry physical licenses even though they may have the digital ones on hand).
Lewis said Intellicheck is fighting identity fraud by verifying the authenticity of government-issued IDs such as drivers’ licenses, detecting counterfeits with scans of barcodes and examining the hidden security features of every ID issued in North America.
The scanning and detection is sorely needed, as Lewis said, as it can prevent everything from account takeovers to fraudulent loan applications.
The company’s own data shows that 1% of activity moving through title companies involves a fake ID (and real estate transactions are big money). Even in the bank setting — the physical branch — over 1% of the time, when someone walks up to the teller, they’re using a fake or expired ID. In that setting, opening up an account to move money from one place to another, or to close an account, does not require a credit pull.
That’s why, he said, account takeovers are among the fastest growing forms of identity theft (the same Intellicheck machines that read checks can read the driver’s license barcodes to ascertain authenticity).
Across all sectors, as fraudsters tried to open card accounts or take out auto loans, he said, “last year we stopped more than $400 million of potentially profitless transactions — because we stopped people from using fake IDs.”
One banking client, using consumers’ phone and digital conduits in addition to ID verification, saw a 20% lift in “finished” applications because there were and are fewer steps involved.
As he told Webster, the world is evolving, and so are the fraudsters. “And the more accurate you can be with the first steps in identity proofing, the safer you are downstream.”