Editor’s note: A version of this piece first appeared on Chris Skinner’s blog, The Finanser.
Last week, Equifax disclosed a data breach that may have compromised personal data of up to 143 million U.S. consumers. The compromised data includes customers’ Social Security numbers, names, addresses, dates of birth, driver’s license numbers and other sensitive info. In other words, all the information you need to open new accounts and access existing accounts were compromised in the breach.
As we have known for a long time now, it is no longer good enough to use customer’s personal information for account access. Scores of companies from Ashley Madison to JPMorgan Chase to the Federal Reserve have had data breaches.
It’s no wonder the system is no longer working. We’ve been using this identity system for almost two decades. True, some banks have added two-factor authentication to ID customers. However, many institutions still rely on personal information for when someone, say, calls a call center to access an account — a requirement that is just annoying. Yes, I may need to know my mother’s maiden name, first pet’s name and favorite rock band when I ring my bank. But when the agent inevitably says “we just need to ask a few more questions before we access your account,” my heart sinks. In particular, questions like “name a regular monthly payment set up on your account and the amount paid” or “name the last three transactions where your card was last used and for how much” leaves me irritated, as I’m sure they do for everyone else.
Is there a solution to the broken system that is annoying at best and too easily hacked at worst? Of course. In fact, there are two options.
The first solution is biometrics technology — voice, eyes and other biometrics can easily be used by banks to authenticate their customers via their smartphones. Why banks aren’t incorporating these authentication methods into their onboarding and access mechanisms defies belief. Sure, banks would need modern core systems to use such newer authentication techniques, which is a big ask. But it sure beats relying on name, address, date of birth and all the information the hackers stole from Equifax to authenticate someone.
Nonetheless, I’m not a huge fan of biometrics if I’m being honest. If it is data, and biometric solutions are, the “solution” can still be compromised and replicated and mimicked. That’s why I am far more a fan of the second solution: a self-sovereign identity scheme, which is explained really well by Rhodri Davies, a program leader at the Charities Aid Foundation, in a blog. Davies writes:
“The basic idea behind self-sovereign identity is that rather than have our information held by third parties (often without us even knowing what that information is) and used to guarantee our identity and make decisions that affect us; we could turn the entire model on its head and give each individual control over their own digital identity.”
He then goes on to detail how people can record ID information on blockchain technology to rethink the identity model as an immutable record of transactions that is public — an idea I really like as it flips the ownership, verification and authentication process from third parties (trusted and untrusted) to me. In this model, I own my identity and I allow access to a persona of my identity on demand.
I have blogged about such concepts before and even wrote a long blog entry more than a year ago about digital identity ledger-based systems. Nevertheless, I am not advocating that blockchain solves everything, as illustrated by this proof of concept summary paper from Rabobank. However, the distributed ledger technology does get us along the way in solving identity issues.
All in all, it is pretty frustrating that time is passing by so fast and the industry is not moving to keep up with the needs for improved online authentication. Hopefully the banking industry will eventually catch up.
Amid steady customer growth, USAA's banking arm failed to make the investments necessary to satisfy either its regulators or some decades-long customers. Changes in the executive suite haven't fixed the problems.
The Consumer Financial Protection Bureau has significantly raised the transaction threshold for its larger participant rule — which defines which firms will be affected — from 5 million annual payments to 50 million.