
In an exclusive interview with Cyber Intelligence, Patrick Harding, chief product architect at digital identity security company Ping Identity, outlines the growing threat of identity theft and fraud, explaining how it evolved and what can be done to counter it.
Cyber Intelligence: How widespread is the threat of identity fraud?
Patrick Harding: Everybody is forced into digital transactions and relationships and identity management is fundamental to knowing who you are interacting with. The problem goes back to the beginning of the internet in the 1990s and a cartoon of a dog in front of a computer with the caption, “On the internet no-one knows you’re a dog!” That really illustrates the core problem of identifying online users and customers. The extent to which this is carried out largely depends on the sensitivity of the activity concerned. There is a big difference between buying a pair of jeans online and opening a bank account. In both cases, there is a significant series of steps which could include requesting passport ID for financial services.
Cyber Intelligence: Is the problem of identity fraud worsening?
Patrick Harding: Ever since the start of the internet, people preferred to remain largely anonymous when making online transactions, just as you could go into a shop and buy something for cash and walk out without anyone knowing who you are. When people started using credit cards in the late 1960s and early 1970s, they followed the same principle and shoppers were only required to proffer a plastic credit card and give a simple written signature. We have been trying to force that process onto the digital world and it is a very poor fit. But this approach is already showing cracks. Current methods of identity verification typically include sending a verification code to the user’s cell phone or email. Banks may also require a potential customer’s social security number. But there is a constant balance that needs to be struck between ID security and ease of customer interaction so as not to deter potential purchasers of goods or services.
Cyber Intelligence: How can retailers best strike the balance between not overburdening customers with security while protecting themselves from refund scams and other frauds?
Patrick Harding: Multi-factor authentication via phone or email is now being widely used as a solution. But what is really happening is that the relationship between retailers and their customers is now adapting to the internet. Retailers now realize that a better knowledge of their customers’ identities enables them to upsell them. For instance, a tennis racquet manufacturer used to sell directly to sporting goods stores and they had no real idea who their end customers were. Selling directly to online users enables the manufacturer to learn far more about its customer base and target it far more directly.
Cyber Intelligence: Organised international ransomware gangs are a threat across all sectors. What can organizations do to protect not only themselves but also their customers, whose data may be exposed?
Patrick Harding: That is tough to tackle. Many successful ransomware attacks are the result of social engineering. It is, therefore, vital to have processes in place that enable verification even of emails that may appear to be valid, particularly if they request something out of the ordinary, such as a chief financial officer asking a member of staff to transfer a large amount of money to an unfamiliar account or to change their password. Unfortunately, phone numbers and emails can be spoofed. Staff cybersecurity education is, therefore, vital in order for them not to trust everything they see. The classic example is a deepfake video conference that duped an employee in a finance department into sending $26 million to the fraudster’s bank account.
Cyber Intelligence: How can companies in the financial services sector ensure that their identity management practices comply with new regulations such as the new European Digital Operational Resilience Act (DORA), which also applies to U.S. companies with European customers?
Patrick Harding: There’s an increase in strict cybersecurity laws now being enacted on both sides of the Atlantic to protect customers’ personal and financial data. It is likely that the financial services sector, in particular, will increasingly leverage remote biometric identification of online customers.
Cyber Intelligence: Thank you.