Equifax hack, the ultimate wake-up call for KBA advocates: time to embrace stronger means of identity verification

19-09-2017

Equifax’s data breach, dubbed the worst hack to date, has exposed the personal data of over 45% of the American population (Equifax estimates that the sensitive information of circa 143 million people may have been leaked). Although the credit rating agency said its UK systems had not been impacted by the attack, it revealed that a file containing UK consumer information on 400,000 people “may potentially have been accessed”. This disclosure followed the UK Information Commissioner’s Office (ICO) order for Equifax to alert British customers about the hack.

Amongst other sensitive details, the data of those 400,000 customers included individual names, dates of birth, email addresses, and telephone numbers. Furthermore, PII including U.S. consumers’ social security numbers and driving licence numbers has also been disclosed in this breach. It’s worth recalling that this type of data serves as the basis for impersonation and other kinds of identity fraud.

On this note, market experts warn of a likely spike in identity theft and account takeover. A study by Javelin, published prior to the hack, had already drawn the correlation between data breaches and an increased risk of fraud, warning that those whose personal data was compromised in a breach have a greater than one-in-four chance of becoming the victim of identity theft resulting in fraud in the year following the hack.

Meanwhile, knowledge-based authentication (KBA) methods such as security questions and passwords have suffered a major blow, forcing both businesses and regulators to review their approach to secure yet convenient ways of confirming the identity of the people they deal with remotely. This need is even more acute for organisations operating in the digital channel, as KBA procedures are clearly not enough to verify identities online. 

Equifax data breach bolsters the urgency of reinstating trust in the digital channel through secure and user-friendly identity verification

This confluence of factors has all stakeholders agreeing that today, it’s paramount to recover and retain trust in the digital channel. Both consumers and organisations have earned the right to be certain that the people they are dealing with online are who they say they are. Providing this assurance is definitely feasible when implementing comprehensive identity verification methods based on multiple factors of authentication, such as identity documents ('what you have') and selfies and other biometrics ('who you are').

The conclusion everyone seems to have reached is that this breach, while massive, is really just another chapter in an ongoing story. And if we’re to change this story, we need to rethink identity. At Mitek we are confident the Equifax data breach marks an inflection point, serving as a facilitator for consumers, businesses, and policymakers to work side by side on the design and implementation of more secure and convenient identity verification processes.

Fortunately, risk-based approaches grounded in a thorough identity verification component are already accepted by all stakeholders as the best way to prevent and mitigate losses such as those caused by the Equifax data breach.

In this vein, Javelin’s white paper Looking Behind KBA urges financial institutions and other organisations operating online to address the three pillars of successful and secure digital transactions: customer experience, regulatory compliance, and evolving fraud risks. This research reinforces what the Equifax data breach has proven once again: tools such as static or dynamic KBA, IP geolocation, and device recognition play a vital role in preventing fraud but may fall short when it comes to verifying the identity of certain customers.