Editor’s note: A version of this piece first appeared on Chris Skinner’s blog, The Finanser.
Last week, Equifax disclosed a data breach that may have compromised personal data of up to 143 million U.S. consumers. The compromised data includes customers’ Social Security numbers, names, addresses, dates of birth, driver’s license numbers and other sensitive info. In other words, all the information you need to open new accounts and access existing accounts was compromised in the breach.
As we have known for a long time now, it is no longer good enough to use customers’ personal information for account access. Scores of companies from Ashley Madison to JPMorgan Chase to the Federal Reserve have had data breaches.
It’s no wonder the system is no longer working. We’ve been using this identity system for almost two decades. True, some banks have added two-factor authentication to ID customers. However, many institutions still rely on personal information when someone, say, calls a call center to access an account — a requirement that is just annoying. Yes, I may need to know my mother’s maiden name, first pet’s name and favorite rock band when I ring my bank. But when the agent inevitably says “we just need to ask a few more questions before we access your account,” my heart sinks. In particular, questions like “name a regular monthly payment set up on your account and the amount paid” or “name the last three transactions where your card was last used and for how much” leave me irritated, as I’m sure they do everyone else.
Is there a solution to the broken system that is annoying at best and too easily hacked at worst? Of course. In fact, there are two options.
The first solution is biometrics technology — voice, eyes and other biometrics can easily be used by banks to authenticate their customers via their smartphones. Why banks aren’t incorporating these authentication methods into their onboarding and access mechanisms defies belief. Sure, banks would need modern core systems to use such newer authentication techniques, which is a big ask. But it sure beats relying on name, address, date of birth and all the information the hackers stole from Equifax to authenticate someone.
Nonetheless, I’m not a huge fan of biometrics if I’m being honest. If it is data, and biometric solutions are, the “solution” can still be compromised and replicated and mimicked. That’s why I am far more a fan of the second solution: a self-sovereign identity scheme, which is explained really well by Rhodri Davies, a program leader at the Charities Aid Foundation, in a blog. Davies writes:
“The basic idea behind self-sovereign identity is that rather than have our information held by third parties (often without us even knowing what that information is) and used to guarantee our identity and make decisions that affect us; we could turn the entire model on its head and give each individual control over their own digital identity.”
He then goes on to detail how people can record ID information on blockchain technology to rethink the identity model as an immutable record of transactions that is public — an idea I really like as it flips the ownership, verification and authentication process from third parties (trusted and untrusted) to me. In this model, I own my identity and I allow access to a persona of my identity on demand.
I have blogged about such concepts before and even wrote a long blog entry more than a year ago about digital identity ledger-based systems. Nevertheless, I am not advocating that blockchain solves everything, as illustrated by this proof of concept summary paper from Rabobank. However, the distributed ledger technology does get us along the way in solving identity issues.
All in all, it is pretty frustrating that time is passing by so fast and the industry is not moving to keep up with the needs for improved online authentication. Hopefully the banking industry will eventually catch up.