By Scott Laliberte, Managing Director
IT Security and Privacy
We live in an age of great convenience enabled by technology. Snap a photo of your check on your smartphone to make a deposit, simple. Rollover an IRA from your home office, easy. Change the password on your bank account from the airport, no problem.
What is less apparent to consumers of these services is the risks they may be assuming by making use of these conveniences. And while few of us have the wish to give up our conveniences, we’d better be ready to demand the best processes and technologies available to protect us from the risk of fraud and identity theft.
For businesses, meeting demands for enhanced personal identity protection can be costly, and it introduces new inconveniences to their customers – something of which businesses are always conscious. It helps when consumers realize the value of better security, and even demand it, despite the potential costs and inconveniences. We are all familiar with the annoyance of forgetting our password and having to jump through a half a dozen hoops to get it back – but at least we recognize it’s our own interest that demands it.
Businesses are limited to just a few options when they want to confirm the identity of a consumer: These are things the consumer knows, things the consumer has, and things the consumer is. For instance, a consumer knows her password, date of birth, social security number, and the answers to several secret questions, like make of car or mother’s maiden name. Some of these are easy to guess; all are easy for a hacker to store and reuse: If one breach reveals the customer’s password and secret question responses for one site, hackers are smart enough to “replay” this information to hack other sites. Things the consumer has, like her cell phone, are harder for hackers to obtain. Adding an “out of band” element to authentication – like texting a PIN to the phone to authorize a logon to a website – protects customers even when hackers have other identifying data. Finally, things the customer is offer strong protection as well (though they also may be subject to replay or other issues). Biometrics, such as fingerprints and retina scans, are two methods in this category right now.
These are the kinds of protections businesses must now routinely offer and customers must demand, or at least reward with their patronage those businesses that offer them.
Here are some suggestions for businesses that wish to add themselves to the category of companies with strong, responsible customer identity protection:
- Offer enhanced security features but allow your customers to opt in. Not all consumers will be willing to take on more complex authentication to protect their identities against theft. Some simply don’t care, and the complexity may drive them away.
- Consider how fees might offset the costs of enhanced protection, and also how fees might affect customer loyalty. Monitor how these services are priced by other players in your industry.
- Develop your in-house knowledge of the changing cybersecurity landscape and expedite development of your expertise in areas that are affecting your business the most.
- Educate your consumers so they can recognize the value of the enhanced security you offer to protect them against significant losses – and why the added inconvenience is a minor hassle compared to the syphoning of their 401k, for example.
- Employ advanced fraud analytics to monitor for suspicious activities and high-risk transactions.
From the consumers’ perspective, the following actions should help us to become partners in the effort to protect their own identity:
- Sign up for identity theft protection services. These services monitor credit inquiries and can protect against thieves using stolen personal information to apply for credit in your name. While they may not be able to detect activity directed at your 401k, HSA, or other financial accounts, these services may provide support to resolve problems resulting from identity theft and some even offer insurance against loss.
- Monitor financial statements promptly to ensure all transactions are valid.
- Change passwords often; don’t reuse passwords on other sites. Vary your secret questions; choose questions with answers that are the hardest to guess (e.g., the name of your best friend in high school is harder to guess than your favorite color).
- Welcome enhanced security features like out-of-band authentication (such as a PIN texted to your phone) and biometrics (using your fingerprint or iris) – especially for high-risk transactions such as changes to key account information (password, email, address) or transfers of money.
- Vote with your wallet: Gravitate toward businesses that offer enhanced security features. Encourage your established providers, via survey responses and direct requests, to offer enhanced security features, and be prepared to pay for them – perhaps in higher fees; certainly in inconvenience.
Businesses will continue to benefit from offering convenient online features to their customers, as a way of achieving customer loyalty and competitive advantage. Consumers will come to expect faster, secure, seamless services as platforms and technology allow. Businesses and consumers alike will do well to stay informed about how to protect consumer data in this evolving landscape. As long as identity theft continues to reward hackers, they’ll keep looking for ways to circumvent security measures. We need to evolve our security techniques to keep up with the ever-changing threats from cybercriminals.