Combatting Synthetic Identity Fraud and Account Takeover With Digital Identity Verification
Unlock On-Demand Webinar
Video Transcript
Mike Engle:
All right, well let's get started. Thanks everybody for attending. We're here today to talk about synthetic identity and account takeover fraud and some mitigating controls. My name is Mike Engle. I'm joined today by Peter Carroll. I'm CSO and co-founder over at 1Kosmos, and we'll talk a little bit about our stuff after Peter goes. And Peter, if you wouldn't mind saying hello and introducing yourself.
Peter Carroll:
Yeah, hi, Peter Carroll. I'm a partner at Oliver Wyman. I've focused over the years on consumer finance, retail banking, lending, the whole credit score, credit bureau side. And in the last few years, increasingly I've focused on digital identity.
Mike Engle:
Excellent. Well, it's great to have you here and thanks everybody for joining. We're going to not kill you with too many slides here today. We're going to tell a little bit of a story. We're going to show you some product and action to help fight some of the things we're talking about. And Peter's going to go first. With that I'm going to tee up your next slide here, Peter, and let's jump right in.
Peter Carroll:
Okay. There we go. Thanks.
So I think most of us are familiar at some level with synthetic identity fraud and account takeover fraud. What I'm going to talk about briefly here is what they are and how they work. And on the next couple of pages, the magnitude of the problem is quite scary. I'm sure plenty of you on the call know, but synthetic identity fraud is essentially somebody either creating a new identity or manipulating an existing one to then pass themselves up as a person without any substance. Often, in fact, most often, this is done by obtaining a real person's social security number. Typically a minor, an infant, or someone who hasn't yet become economically active and then gradually adapting and building up on that core social security number. Typically by accessing or applying for credit, probably getting rejected the first time, but establishing a file at the credit bureaus and then gradually getting to a little bit of credit, paying the bills properly, building up the illusion of legal behavior. And then this takes time, it takes patience, it takes a lot of skill, but eventually the synthetic identity fraud or perhaps the member of a synthetic identity fraud ring will bust out, meaning maximize their borrowing and their access to money and then so disappear from the face of the earth.
This means a lot of the losses look to lenders like a form of credit default. So synthetic identity fraud is quite hard to observe in terms of its impact and to measure accurately. So I've got a lot of data on the next couple of pages, but they're all basically estimates because it's very hard to know. Account takeover fraud is a little more straightforward. It's like I get your username and password somehow, we'll talk about how, and I log into your account as you and there I do my mischief. I think of synthetic identity fraud is the front door and account takeover fraud as the side door. So when Mike starts talking about how [inaudible 00:03:53] the door, closing the front door and then putting a padlock or a combination lock on the side door to keep people out. Account takeover fraud can be as simple as someone telling you their username and password.
I always think it's sort of darkly amusing that when Edward Snowden downloaded 12 terabytes of top-secret data at the NSA, he did it because 25 of his colleagues had shared their usernames and passwords with him. But out in the real world on a sort of day-to-day basis, this happens through data breaches where as I'm sure most of you know, lots of our information is available for pennies on the dark web, including some of our username password combinations. And I'll come back to the sum of in a second. Often people can access these credentials through malware, through social engineering, phishing, other sort of closely related frauds, either to get your actual username and password or to get at least one that you use. Something like 60% of people use the same password for multiple different points of access, their bank account, their Gmail account or whatnot.
And another 20% use simple variations on a standard password. So almost all of us have fairly poor password habits. So through these techniques, people can either directly access and take over your account or do something called credential stuffing where I learn your password in one setting, I go try it to get into your bank account. If it doesn't work, I try variations and I'll do this on an industrial scale until I either get in or run out of chances to try. And in some cases, if the access control is beyond username and password, and it's backed up by an SMS code. It's surprising how easy it is for people to engineer SIM swaps. I think the relevant statistic is four out of five SIM swap attempts, fraudulent SIM swap attempts are successful. So Mike, if you could flip to the next slide, we can just quickly go through some data.
Synthetic IDs are hard to spot to the extent we can figure out something like 85 to 95% of new account applicants who are later judged to be synthetic IDs or synthetic ID frauds, were not flagged up front by the verification system. As an extension of that, something like 1 to 2% of all open US bank accounts are suspected of being synthetic. And another sort of parallel statistic, something on the order of a third of $1 billion in card debt is outstanding on accounts where the people didn't exist in 2017. So there's like phantom people probably therefore synthetic IDs. The bust out that I referred to before has a very high average dollar impact. It's on the order of $90,000 and when people bust out, they push as much as they can beyond whatever their current credit limits are. And as I mentioned briefly, the synthetic ID process is clever.
It's patient. Takes time. All leading up to the bust out, can take three, four, five years. And it's sometimes done in sort of organized rings. One of the largest known rings consisted of 7,000 synthetic identities, which had accumulated 25,000 credit cards. And when they engineered their bust out, it represented a minimum of $200 million in losses. Some estimates put it much higher. And this was on the order of $28,000 per synthetic identity and $8,000 per credit card. I mean the numbers are annoyingly large. Account takeovers, this is, I don't know, it's different in kind, but it's just about as damaging. Attempts have quadrupled since Covid came along. Nearly a quarter of US households say they've been victims of account takeovers, losses average about $12,000. Credential stuffing, which I mentioned briefly accounts for the largest portion of login attempts. I saw this data point the other day, something like 61% of all attempts to access, I think it was bank accounts in the US, were thought to be credential stuffing.
If you think about it, a majority, more than 50% of times people try to get into a bank account. It's someone doing sort of organized credential stuffing. And then last holiday season is the busiest time. And I mentioned this already, where a SIM swap attempt is required, it's surprisingly easy for that to be pulled off. If we add it all up at the top of the house. Mike, if you could flip, thank you. Taken together, banks and other lenders are estimated to have lost about $20 billion this year to synthetic identity fraud, which is a huge increase over five, six years ago.
Account takeover fraud happens more often. I'll go back to those numbers in a second. But that costs on the order of $11 to $12 billion a year. And it's really important to note that the first block of loss hits the lenders and banks directly and consumers in a sense don't even see it. The account takeover fraud on the other hand, directly hits the consumers and merchants and the consumers are very aware of it. And all kinds of survey and market research shows that consumers are very nervous about it. They're looking for people to help them. They're in a state of angst about the potential for their identity to be stolen, for their accounts to be taken over.
The pie charts on the left basically just show that the average cost per incident, meaning breakout in a synthetic ID sense, that's $90,000. I mentioned that already, $12,000 in the other case. The frequency of incidents in round numbers, it's about a million incidents a year in account takeover and about quarter of a million in synthetic. So big numbers, rapidly increasing. So I do think it's important though this point that I'll just repeat very briefly. The first one hits the banks and in a sense, quote, "the consumers don't care, they don't see it." The second one hits the consumers and they really care. And this is going to feed back because when you try to fix the problem, at some point you have to ask the consumer to help and you want to ask them to help fix the second problem because fixing the second problem will appeal to them and that'll actually help you fix the first problem.
I'll let Mike handle that. And just to wrap up, Mike, if you could just flip to my last slide. So how do you stop this? I think what you do is you put controls on the front door, you improve your account opening identity enrollment procedures so that you're much more confident that this is a real person upfront. Mike's going to talk about how you do that with a number of new steps. Then you bar the side door to control and eliminate account takeovers largely by getting rid of usernames and passwords and replacing them with what we call identity based authentication. Again, I won't steal Mike's thunder, I'll let him talk about that.
But these two are linked. To do solid authentication, you have to do solid enrollment. And that's a phrase we've started using identity based authentication. And I think Gartner now calls this identity convergence. So you do all of that and that means you've, inhibited up upfront the synthetic ID frauds. And then in the second phase, the account takeover frauds. And as I mentioned in passing, you want to enroll consumers as allies in the account takeover fraud a problem because you're going to ask them to participate in the solutions and that'll help you solve the front door problem, the synthetic ID problem. All right, I'll hand over to you, Mike.
Mike Engle:
Yeah, thanks Peter. And the research you and your team put together was really cool on this. And I didn't realize, going back to this here, that synthetic was so much bigger of a problem because what makes the news? Oh, I had $600 stolen from Zelle because somebody compromised my account and it's on the 5:00 news, or obviously lots of crypto wallets have been stolen, things like that. So it really is about the hurt individual, but the banks, all of our costs have to be going up tremendously because of that top line item there. So really great stuff.
Yeah, we're going to dive into these now, but first I'm going to ask Maureen to pop up a polling question for the audience. I don't believe our LinkedIn audience can do this, but you can do it vicariously by staring really hard at the screen. The question is, do these types of fraud affect you? And level kind of one, two, and three here of how much it affects you. Take your pick. I guess it depends how you answer and what industry you're in, but this will give us a little bit of a feel. All right, think that'll about do it.
Peter Carroll:
You might just read them out for the... Oh right, because I guess everyone can see them even if they can't participate, right?
Mike Engle:
Yeah, they'll see percentages popping up here in just a second, I'm pretty sure. Yeah, great.
So yeah, we're about split between it's nasty versus I worry about this 24x7 and slightly less think it's only a minor nuisance. So again, I'm sure it depends on the industry of the participant and kind of what they do for a living. But thanks for putting that up, Maureen. Let's jump in now and I'll talk a little bit about the conversions that Peter was talking about. [inaudible 00:15:12] have to hit share results Maureen, there we go. I think that's it, right?
Okay, so this is a graphic that talks a little bit about why the problem exists and you'll see the analysts talking about this problem in different ways. But this is just a really simple way to say that these functions, how do I onboard a user, what we call identity onboarding into my systems in a way that's trusted and then that can be leveraged in the future.
We'll talk about that next. And then the authentication, as everybody knows is a mess. Technologies like Password List will make it much better. We'll talk about that. But the real problem is that when you authenticate somebody, you're not proving it's the same person that enrolled in step one and now the technologies exist where you can actually do that and it'll bring these two together. And then there's hundreds of fraud systems on the market, right? What's my IP address, my session, my this, my that. If they have signals about these other two boxes and their trusted signals, username and password is not trusted, then you can completely revolutionize how you tackle fraud. So these have been thought about as tools, implement an onboarding tool, an authentication tool, two FA and tokens and all this other nonsense, but not as a cohesive strategy or solution. And just expanding upon this first box here a little bit.
The identity onboarding is still stuck in the '90s. We're asking users to type in data manually, 15 plus fields, multiple screens prone to data entry error. And besides this data has been stolen dozens of times from all kinds of different sources. The bureaus have been hacked, data's been leaked, it's available on the dark web for pennies. And when you go to verify it, you're verifying data that anybody can really verify. So there's no trust in this process. And this right here is the root cause of synthetic identity. And we're going to talk about some compensated controls. So that's the identity onboarding, that first siloed pillar on the left, and then the second pillar, authentication. Living in the same kind of '90s era where we're still relying on usernames, passwords, and codes, which you can give to anybody, can be stolen by anybody, can be intercepted.
And most importantly, they do not link back to the prior step. And the litmus test for this is if you can give your authenticator to somebody else, either because you want to or because it's coerced from you, then you're not proving anything about somebody's identity. We call this a system based on hope. And the industry term for this is hope based authentication. It's an industry term because I say it is. So write it down, tell all your friends, but we're migrating from this HBA to what Peter referenced as identity based authentication. And I'm going to get to that next. But first one more polling question, and we're going to talk a little bit about biometrics here today. So this is why we're bringing this up. Do you currently use biometrics in your digital identity systems for those IAM practitioners here? Are you using it for your employee systems or your customer systems? And biometrics it's a bit of a loaded term. We're going to talk about the difference between device biometrics and real biometrics here in just a minute, but let's just call it biometrics for now.
And as I suspected we're split right about down the middle. All right, so thank you for that, Maureen. Yeah, exactly. A 50/50 split on this answer. And that's a problem because biometrics are the only way to prove who somebody is remotely. If you think about why, why is that? Mike, you're crazy. I've got secure ID tokens and things. Well again, they can be given to somebody. Those codes can be intercepted. Imagine you get pulled over by the state trooper, a police officer, and they roll down the window and they say, "I need your identity. Can you give me a six digit code please?" I'd never get a speeding ticket again. But no, what they do is they look at a trusted credential, they look at your face, which is a biometric, and make sure they match. And we can do that now in a digital environment. So let me show you how. I am going to walk through a modern identity enrollment experience.
Okay. We'll start the process like we do on the internet. You still have to get somebody's email address and phone number. That's been done again since the beginning of time on computers. I'm not going to get into that. There are lots of fraud checks you can do on these to make sure it has some trust to it. But again, not for the purpose of today's discussion, but now we're going to start to do some things that are only been possible in the last couple of years. First, we're going to enroll what we call device biometrics. Every modern computer and mobile phone now has this stuff built in. In this example, I'm doing my touch ID and my face ID. Now what happened here is I just linked that authenticator, my face ID on my phone to this session as I'm creating my account, and we'll be able to leverage that in the future for some higher trust.
Now we're going to continue on the account onboarding process and one of the requirements for banking is to get a national identity number for tax purposes and terrorist checks and things like that. So we do have to ask for one piece of data from the user manually. That is a national identity number. So that is, type it in. Unfortunately, there's not an easy way to do this digitally, but those nine characters that I just typed in are the only nine characters that I'll type on the keyboard to onboard this account. And the reason for that is because I can scan my government issued credential digitally. So we do that by leveraging the modern technology that's in front of us every day. You'll see me take out my camera and scan the front and the back of my driver's license.
This takes just a second. And what's happening is all kinds of machine learning, AI, whatever buzzword you want to use, but real integrity checks are being done on this document. All the overt security features are being verified. Size, shape, position of the photo, the font. Does the data on the front match the back, et cetera. There's about 600 different fraud checks that can be applied to the thousands of document types that we can scan across over 200 countries. It is far more trusted than a human looking at it with their eyeballs. Now, we haven't verified the holder of this document yet. I could have just scanned my mom's driver's license. Doesn't really get us to the point where we need to be. So now we need to verify that I am the holder of that document and I do that by capturing a live selfie.
Takes just a second. Now that biometric is used to match my face on the driver's license. I need a high percentage of confidence. And it can be, this is a very powerful tool in the future for when either your clients or the world is ready for it. That biometric can be used to prove who I am in the future. And there's ways to do that right in a privacy preserving way. So I've just matched my face to the driver's license, verified the integrity, everything looks good. Now we're going to extract all of that data from the documents, because it has to be processed to do the account opening and verify that I'm not a bad actor. And so that extraction happens very quickly and we can even verify the document against the issuing authority if that source exists.
So in the US here we have something called AAMVA, which is an aggregator of all the departments of motor vehicles. Gives us a one stop shop to verify is the driver's license loss or stolen? Verify the name on it, the address, et cetera, some of those attributes. And finally, I'm going to take that social security number that I entered in the prior step and check all of this data together in what Peter referred to as triangulation. So again, with just a simple API call, our system will check that your name matches with the bureau and the driver's license, that your address matches. And then the process will be allowed to continue. And you now have a very high level of assurance about this identity and you can continue on the journey and you can see it takes me about a minute, but it takes a normal human who hasn't done it before a couple of minutes and it's very trusted. Okay, so that's modern digital onboarding.
Now what just happened? What did we do here? Couple pieces of terminology that are really important. We proofed my identity through the documents, scanned the front, scanned the back, matched the live selfie. That's the first box here. The second then is we verified the data. There's a lot of solutions that will do these again as tools. One off over here, one off over there and become disjointed. But you do it at the time of enrollment. You have a chain of custody on the process and allows you to have a much higher level of trust when you're doing it all at once. Now a couple other things. I kind of snuck into that process. I captured a biometric, touch ID, face ID and I would've issued the user a credential with that. That's really invisible to the user. And I'll show you how that credential gets used, but I now have everything I need to get into my system on day two.
Now, what was missing from that process? Did anybody see me enter a username or a password or get prompted from my two FA system. Of course the answer is no. So now this third box, we call this identity assignment, I have bound my authenticator that's in my possession only, can't be held by Peter, to get into my system on day two. And this process will enable a passwordless experience. Now, the reason all this is possible today but was not possible that long ago are because a couple of emerging technologies and standards. So there's three certifying bodies and two standards that I'm going to get into here. On the onboarding and KYC process there's a government standard by NIST, which is our standards body here in the US and has a kind of counterpart in really nearly every country. It's the NIST 800-63-3 standard, which proves identity assurance.
So it does basically, it tells you how to do what I just showed you on that prior demonstration. Remotely proof, verify, triangulate, have a chain of custody of the events and match the biometrics. Then the second standard that goes along with this is FIDO, right? So combination of NIST and FIDO can say, "Here's how you do strong authentication." These standards on NIST side get pretty hairy, but this really sums it up quite easily. So on left, you have this IAL process, identity assurance level. We have authentication assurance. Am I sure about that authenticator? Can I trust it? And then FIDO says, here's how you use that for a passwordless experience. FIDO's made a lot of news in the last year. You'll see this popping up nearly at every website soon. And together, this is identity based authentication. If they're siloed activities, they don't prove who the user is.
Now there's three certifications that your identity provider must have in order for these processes to be trusted. On the left, you have the Kantera initiative that certifies your NIST certification. They're a nonprofit global. On the right you have FIDO certification. The FIDO Alliance was formed in 2013, has hundreds of tech companies like 1Kosmos in it as participating members to advance the standards. And then here in the middle is iBeta. They're one of the primary biometric certification laboratory. So they'll check to make sure you can't be Tom Cruise, put a mask over your head and impersonate somebody else. So they give a what's called a presentation attack detection certification. These are really important. If you don't have these, you could be using something that is weak. So now let's put this into practice. I created my account a few minutes ago. I'm ready to move money. Let's see how we could trust the authentication.
Now what you're going to see is on the left, a webpage where I'm going to authenticate without touching the keyboard. On the right is a trusted authenticator. And this on the right could be a bank app, it could be a standalone app, like a third party authenticators, or it can be embedded into existing apps through an SDK. The user experience you're going to see, this goes kind of quick, so I'm kind of leading up to it, is you press this QR code button on the right and scan the webpage on the left. Now I do my face ID, which I enrolled in the prior step, and I've just done a multifactor experience in a single touch. And you can see I'm now staring at my application and I'm ready to engage with that platform. So that is passwordless authentication. That can be done into operating systems, into banking websites, into remote access, into anything. The world is ready for it. Now I'm going to need to verify the user again.
Maybe it's been three hours, I walked away from this session or something's a little off. My fraud signals are asking me to verify the user's identity. So I am going to move some money. I'm sending $750 to my friend Peter, and I want to just verify kind of a second knock, and I will reach out to that trusted authenticator, ask him for face ID one more time and let it go through. I recently wired money to another country. I had to put in my two FA code from my big bank here in the US four times within a five minute period. And all they were doing is just kept sending me a code to the same phone. So I'm sure we've all lived through that, but this is the type of experience that kind of delights your customers, yet provides the security that you need to trust that credential.
So when I scan that I have chain of custody that I'm the same person that enrolled when I opened the bank account. Now let's take it to the highest level of authentication. And this is the police officer looking you in the face and proving who you are. So Peter, I'm going to send you a $100,000 and I really want the system to verify my identity first before it disappears out of my account. In this example, I want to look myself in the face and the money has gone through. Again, proof of identity. That is Mike Engle sending money to Peter. These are all possible today. Couple lines of code inside of a website, treating the enrollment process properly and having the right privacy and disclosure and all that can all be done and you ease your users into it. Now, people are asking, "Well Mike, I don't have a strong mobile presence in my application."
Or what about my existing users? How do I get my existing 4 million banking customers into this process? I'm not going to ask them to scan my driver's license again. And the answer is no, you're not. What you're going to do and what's happening on the web, more and more places I see, our customers are doing this, is I am going to use a FIDO authenticator. This works with any modern browser on any platform, windows, Mac, Android, iOS. And what you do is you ask the user to trade in their existing login for a modern one. I'll show you what I mean. I'm going to authenticate username, password, two FA, whatever nonsense I used to use, and I'm going to ask the user, would you like to enroll in passwordless authentication. Sign in without your password. Press yes. Now my Windows Hello pops up right here. This is my Windows authentication. Private key was just put in my local machine and linked with the web service and I'm in.
I will not need that username and password again. Tomorrow when I come to log into this website, this is going to be the experience. Windows Hello scans my face and I'm in. So we've fixed a broken authentication experience, made the user's life much easier, and we've tightly coupled the authentication back to the identity. And so if I sum all this up, I change those three stop sign shaped hexagons into a little bit different layout here. If we start the identity onboarding properly, users will choose to strongly verify their government credentials. This will greatly hinder synthetic identity, which is a problem for the banks, not the users. However, if you make it easy for the users, they'll do it because as part of that process, they're going to have a better authentication experience as well.
And so that'll flow downstream. Give them a key. So one press button operation, use the biometric from step one and feed those signals into your fraud engine so that you can really have a much better sense of what's going wrong and what's not, right. So that really sums up the implementation of how we can mitigate some of these problems. Maureen will have one last polling question and then we'll get into a bit of Q&A. So this question is very simply, are you linking some of these functions in your fraud and identity and authentication systems today? So number one is they're pretty linked. Two is a little bit and three is tightly coupled. So one is not. Questions a little long for the box.
Okay, so why don't you go ahead and end it Maureen. Actually, perfect timing because we're about evenly split within eight points from anyone to the other on this. So you can see some people are starting to think about it though. We have 26% of respondents said that they do have tightly integrated processes, which is great because this is what we need.
All right, so one of the questions we have is what do you do about account recovery? And this is one of the Achilles heels. So when I showed you, how users can be in control of that credential, for example, my mobile phone here could have a key and use my biometrics. If I lose my phone, what do I do? Well there's a couple answers to that. One is you could use a biometric as a recovery mechanism or you could enroll multiple authenticators. So for example, I actually have this on my existing bank account. I have this workstation linked and my phone linked. Either one of them is trusted and I can then authenticate with either one and then set up another one from that platform. You could also use devices such as these a secondary type of device that could restore your authentication credential back into another platform.
And then Peter, this question is for you. Are you seeing your clients at Oliver Wyman worry about these two types of fraud more and more, or is it just kind of status quo and they just have to deal with it?
Peter Carroll:
Yeah, the former, not the latter. High level observations, I think the level of interest in this in Europe kicked in first. So I think we've been helping people including individual firms, banks, but also we've been doing consulting for institutions or branches of government. So the focus I think kicked in over there. In the US I think it's picked up with a lag of a couple of years, but right now we're talking to again, some major institutional players as well as individual banks. So I think my expectation is that it's going to be very big over the next two, three years.
Mike Engle:
Yeah. Interest rates going up, belts are getting tightened, so they might look to dip into that $20 billion as some savings if they fix it, right?
Peter Carroll:
Well, it's not just the $20 billion. Well, first of all, 20 that's the dollar loss. I mentioned briefly that the actual economics are worse than that because the banks are spending, everybody is spending a lot of money to keep the losses at the level that they are, including keeping the account takeover losses where they are. And even ignoring that, something you and I have talked about, just the cost of password resets is astronomical. We did some market sizing a year or so ago saying what could be the benefit of really robust digital identity and stopping fraud is important, but actually the pure operating expense across US industry of handling username, password resets is bigger. I mean, we estimate it's on the order of 75 billion a year. It's astronomical. So usernames and passwords bye bye. I think that's going to be one of the big industry trends over the next three, four years.
Mike Engle:
Yeah. Especially when it comes to cost savings. And user experience of course. I have over a thousand passwords in my password manager and it's just scary how things still operate out there.
Peter Carroll:
Yeah, if I can just add one more thing. I did mention on my slides that consumers have a high level of angst about account takeover and having their identity stolen, even if temporarily, we've done a lot of work for clients in the banking industry where we design packages like checking account packages. And when you do that kind of research, you basically quiz consumers in a controlled setting to get them to trade off what features they like or like less in a package. The thing that always rings the bell is protection against this kind of account takeover, which is not a phrase consumers use, but protection against identity theft. It's just such a high... The second highest thing is "Not being nickled and dime." Which we've all seen before, but that level of angst is really high and anything the industry can do to diminish it, I think is a big win.
Mike Engle:
Excellent. Well, that is the end of the questions. A couple others were answered in the Q&A here in the chat, but I think we've about done it. So Peter, unless you have any closing comments, thank you for coming on here and sharing all this really amazing insight and allowing me to show off my little videos. I had a lot of fun putting them together and telling the story.
Peter Carroll:
Okay, no, I have nothing more. Thank you. Thank everybody for participating.
Mike Engle:
Thank you. Take care.
Peter Carroll:
Bye bye.
All right, well let's get started. Thanks everybody for attending. We're here today to talk about synthetic identity and account takeover fraud and some mitigating controls. My name is Mike Engle. I'm joined today by Peter Carroll. I'm CSO and co-founder over at 1Kosmos, and we'll talk a little bit about our stuff after Peter goes. And Peter, if you wouldn't mind saying hello and introducing yourself.
Peter Carroll:
Yeah, hi, Peter Carroll. I'm a partner at Oliver Wyman. I've focused over the years on consumer finance, retail banking, lending, the whole credit score, credit bureau side. And in the last few years, increasingly I've focused on digital identity.
Mike Engle:
Excellent. Well, it's great to have you here and thanks everybody for joining. We're going to not kill you with too many slides here today. We're going to tell a little bit of a story. We're going to show you some product and action to help fight some of the things we're talking about. And Peter's going to go first. With that I'm going to tee up your next slide here, Peter, and let's jump right in.
Peter Carroll:
Okay. There we go. Thanks.
So I think most of us are familiar at some level with synthetic identity fraud and account takeover fraud. What I'm going to talk about briefly here is what they are and how they work. And on the next couple of pages, the magnitude of the problem is quite scary. I'm sure plenty of you on the call know, but synthetic identity fraud is essentially somebody either creating a new identity or manipulating an existing one to then pass themselves up as a person without any substance. Often, in fact, most often, this is done by obtaining a real person's social security number. Typically a minor, an infant, or someone who hasn't yet become economically active and then gradually adapting and building up on that core social security number. Typically by accessing or applying for credit, probably getting rejected the first time, but establishing a file at the credit bureaus and then gradually getting to a little bit of credit, paying the bills properly, building up the illusion of legal behavior. And then this takes time, it takes patience, it takes a lot of skill, but eventually the synthetic identity fraud or perhaps the member of a synthetic identity fraud ring will bust out, meaning maximize their borrowing and their access to money and then so disappear from the face of the earth.
This means a lot of the losses look to lenders like a form of credit default. So synthetic identity fraud is quite hard to observe in terms of its impact and to measure accurately. So I've got a lot of data on the next couple of pages, but they're all basically estimates because it's very hard to know. Account takeover fraud is a little more straightforward. It's like I get your username and password somehow, we'll talk about how, and I log into your account as you and there I do my mischief. I think of synthetic identity fraud is the front door and account takeover fraud as the side door. So when Mike starts talking about how [inaudible 00:03:53] the door, closing the front door and then putting a padlock or a combination lock on the side door to keep people out. Account takeover fraud can be as simple as someone telling you their username and password.
I always think it's sort of darkly amusing that when Edward Snowden downloaded 12 terabytes of top-secret data at the NSA, he did it because 25 of his colleagues had shared their usernames and passwords with him. But out in the real world on a sort of day-to-day basis, this happens through data breaches where as I'm sure most of you know, lots of our information is available for pennies on the dark web, including some of our username password combinations. And I'll come back to the sum of in a second. Often people can access these credentials through malware, through social engineering, phishing, other sort of closely related frauds, either to get your actual username and password or to get at least one that you use. Something like 60% of people use the same password for multiple different points of access, their bank account, their Gmail account or whatnot.
And another 20% use simple variations on a standard password. So almost all of us have fairly poor password habits. So through these techniques, people can either directly access and take over your account or do something called credential stuffing where I learn your password in one setting, I go try it to get into your bank account. If it doesn't work, I try variations and I'll do this on an industrial scale until I either get in or run out of chances to try. And in some cases, if the access control is beyond username and password, and it's backed up by an SMS code. It's surprising how easy it is for people to engineer SIM swaps. I think the relevant statistic is four out of five SIM swap attempts, fraudulent SIM swap attempts are successful. So Mike, if you could flip to the next slide, we can just quickly go through some data.
Synthetic IDs are hard to spot to the extent we can figure out something like 85 to 95% of new account applicants who are later judged to be synthetic IDs or synthetic ID frauds, were not flagged up front by the verification system. As an extension of that, something like 1 to 2% of all open US bank accounts are suspected of being synthetic. And another sort of parallel statistic, something on the order of a third of $1 billion in card debt is outstanding on accounts where the people didn't exist in 2017. So there's like phantom people probably therefore synthetic IDs. The bust out that I referred to before has a very high average dollar impact. It's on the order of $90,000 and when people bust out, they push as much as they can beyond whatever their current credit limits are. And as I mentioned briefly, the synthetic ID process is clever.
It's patient. Takes time. All leading up to the bust out, can take three, four, five years. And it's sometimes done in sort of organized rings. One of the largest known rings consisted of 7,000 synthetic identities, which had accumulated 25,000 credit cards. And when they engineered their bust out, it represented a minimum of $200 million in losses. Some estimates put it much higher. And this was on the order of $28,000 per synthetic identity and $8,000 per credit card. I mean the numbers are annoyingly large. Account takeovers, this is, I don't know, it's different in kind, but it's just about as damaging. Attempts have quadrupled since Covid came along. Nearly a quarter of US households say they've been victims of account takeovers, losses average about $12,000. Credential stuffing, which I mentioned briefly accounts for the largest portion of login attempts. I saw this data point the other day, something like 61% of all attempts to access, I think it was bank accounts in the US, were thought to be credential stuffing.
If you think about it, a majority, more than 50% of times people try to get into a bank account. It's someone doing sort of organized credential stuffing. And then last holiday season is the busiest time. And I mentioned this already, where a SIM swap attempt is required, it's surprisingly easy for that to be pulled off. If we add it all up at the top of the house. Mike, if you could flip, thank you. Taken together, banks and other lenders are estimated to have lost about $20 billion this year to synthetic identity fraud, which is a huge increase over five, six years ago.
Account takeover fraud happens more often. I'll go back to those numbers in a second. But that costs on the order of $11 to $12 billion a year. And it's really important to note that the first block of loss hits the lenders and banks directly and consumers in a sense don't even see it. The account takeover fraud on the other hand, directly hits the consumers and merchants and the consumers are very aware of it. And all kinds of survey and market research shows that consumers are very nervous about it. They're looking for people to help them. They're in a state of angst about the potential for their identity to be stolen, for their accounts to be taken over.
The pie charts on the left basically just show that the average cost per incident, meaning breakout in a synthetic ID sense, that's $90,000. I mentioned that already, $12,000 in the other case. The frequency of incidents in round numbers, it's about a million incidents a year in account takeover and about quarter of a million in synthetic. So big numbers, rapidly increasing. So I do think it's important though this point that I'll just repeat very briefly. The first one hits the banks and in a sense, quote, "the consumers don't care, they don't see it." The second one hits the consumers and they really care. And this is going to feed back because when you try to fix the problem, at some point you have to ask the consumer to help and you want to ask them to help fix the second problem because fixing the second problem will appeal to them and that'll actually help you fix the first problem.
I'll let Mike handle that. And just to wrap up, Mike, if you could just flip to my last slide. So how do you stop this? I think what you do is you put controls on the front door, you improve your account opening identity enrollment procedures so that you're much more confident that this is a real person upfront. Mike's going to talk about how you do that with a number of new steps. Then you bar the side door to control and eliminate account takeovers largely by getting rid of usernames and passwords and replacing them with what we call identity based authentication. Again, I won't steal Mike's thunder, I'll let him talk about that.
But these two are linked. To do solid authentication, you have to do solid enrollment. And that's a phrase we've started using identity based authentication. And I think Gartner now calls this identity convergence. So you do all of that and that means you've, inhibited up upfront the synthetic ID frauds. And then in the second phase, the account takeover frauds. And as I mentioned in passing, you want to enroll consumers as allies in the account takeover fraud a problem because you're going to ask them to participate in the solutions and that'll help you solve the front door problem, the synthetic ID problem. All right, I'll hand over to you, Mike.
Mike Engle:
Yeah, thanks Peter. And the research you and your team put together was really cool on this. And I didn't realize, going back to this here, that synthetic was so much bigger of a problem because what makes the news? Oh, I had $600 stolen from Zelle because somebody compromised my account and it's on the 5:00 news, or obviously lots of crypto wallets have been stolen, things like that. So it really is about the hurt individual, but the banks, all of our costs have to be going up tremendously because of that top line item there. So really great stuff.
Yeah, we're going to dive into these now, but first I'm going to ask Maureen to pop up a polling question for the audience. I don't believe our LinkedIn audience can do this, but you can do it vicariously by staring really hard at the screen. The question is, do these types of fraud affect you? And level kind of one, two, and three here of how much it affects you. Take your pick. I guess it depends how you answer and what industry you're in, but this will give us a little bit of a feel. All right, think that'll about do it.
Peter Carroll:
You might just read them out for the... Oh right, because I guess everyone can see them even if they can't participate, right?
Mike Engle:
Yeah, they'll see percentages popping up here in just a second, I'm pretty sure. Yeah, great.
So yeah, we're about split between it's nasty versus I worry about this 24x7 and slightly less think it's only a minor nuisance. So again, I'm sure it depends on the industry of the participant and kind of what they do for a living. But thanks for putting that up, Maureen. Let's jump in now and I'll talk a little bit about the conversions that Peter was talking about. [inaudible 00:15:12] have to hit share results Maureen, there we go. I think that's it, right?
Okay, so this is a graphic that talks a little bit about why the problem exists and you'll see the analysts talking about this problem in different ways. But this is just a really simple way to say that these functions, how do I onboard a user, what we call identity onboarding into my systems in a way that's trusted and then that can be leveraged in the future.
We'll talk about that next. And then the authentication, as everybody knows is a mess. Technologies like Password List will make it much better. We'll talk about that. But the real problem is that when you authenticate somebody, you're not proving it's the same person that enrolled in step one and now the technologies exist where you can actually do that and it'll bring these two together. And then there's hundreds of fraud systems on the market, right? What's my IP address, my session, my this, my that. If they have signals about these other two boxes and their trusted signals, username and password is not trusted, then you can completely revolutionize how you tackle fraud. So these have been thought about as tools, implement an onboarding tool, an authentication tool, two FA and tokens and all this other nonsense, but not as a cohesive strategy or solution. And just expanding upon this first box here a little bit.
The identity onboarding is still stuck in the '90s. We're asking users to type in data manually, 15 plus fields, multiple screens prone to data entry error. And besides this data has been stolen dozens of times from all kinds of different sources. The bureaus have been hacked, data's been leaked, it's available on the dark web for pennies. And when you go to verify it, you're verifying data that anybody can really verify. So there's no trust in this process. And this right here is the root cause of synthetic identity. And we're going to talk about some compensated controls. So that's the identity onboarding, that first siloed pillar on the left, and then the second pillar, authentication. Living in the same kind of '90s era where we're still relying on usernames, passwords, and codes, which you can give to anybody, can be stolen by anybody, can be intercepted.
And most importantly, they do not link back to the prior step. And the litmus test for this is if you can give your authenticator to somebody else, either because you want to or because it's coerced from you, then you're not proving anything about somebody's identity. We call this a system based on hope. And the industry term for this is hope based authentication. It's an industry term because I say it is. So write it down, tell all your friends, but we're migrating from this HBA to what Peter referenced as identity based authentication. And I'm going to get to that next. But first one more polling question, and we're going to talk a little bit about biometrics here today. So this is why we're bringing this up. Do you currently use biometrics in your digital identity systems for those IAM practitioners here? Are you using it for your employee systems or your customer systems? And biometrics it's a bit of a loaded term. We're going to talk about the difference between device biometrics and real biometrics here in just a minute, but let's just call it biometrics for now.
And as I suspected we're split right about down the middle. All right, so thank you for that, Maureen. Yeah, exactly. A 50/50 split on this answer. And that's a problem because biometrics are the only way to prove who somebody is remotely. If you think about why, why is that? Mike, you're crazy. I've got secure ID tokens and things. Well again, they can be given to somebody. Those codes can be intercepted. Imagine you get pulled over by the state trooper, a police officer, and they roll down the window and they say, "I need your identity. Can you give me a six digit code please?" I'd never get a speeding ticket again. But no, what they do is they look at a trusted credential, they look at your face, which is a biometric, and make sure they match. And we can do that now in a digital environment. So let me show you how. I am going to walk through a modern identity enrollment experience.
Okay. We'll start the process like we do on the internet. You still have to get somebody's email address and phone number. That's been done again since the beginning of time on computers. I'm not going to get into that. There are lots of fraud checks you can do on these to make sure it has some trust to it. But again, not for the purpose of today's discussion, but now we're going to start to do some things that are only been possible in the last couple of years. First, we're going to enroll what we call device biometrics. Every modern computer and mobile phone now has this stuff built in. In this example, I'm doing my touch ID and my face ID. Now what happened here is I just linked that authenticator, my face ID on my phone to this session as I'm creating my account, and we'll be able to leverage that in the future for some higher trust.
Now we're going to continue on the account onboarding process and one of the requirements for banking is to get a national identity number for tax purposes and terrorist checks and things like that. So we do have to ask for one piece of data from the user manually. That is a national identity number. So that is, type it in. Unfortunately, there's not an easy way to do this digitally, but those nine characters that I just typed in are the only nine characters that I'll type on the keyboard to onboard this account. And the reason for that is because I can scan my government issued credential digitally. So we do that by leveraging the modern technology that's in front of us every day. You'll see me take out my camera and scan the front and the back of my driver's license.
This takes just a second. And what's happening is all kinds of machine learning, AI, whatever buzzword you want to use, but real integrity checks are being done on this document. All the overt security features are being verified. Size, shape, position of the photo, the font. Does the data on the front match the back, et cetera. There's about 600 different fraud checks that can be applied to the thousands of document types that we can scan across over 200 countries. It is far more trusted than a human looking at it with their eyeballs. Now, we haven't verified the holder of this document yet. I could have just scanned my mom's driver's license. Doesn't really get us to the point where we need to be. So now we need to verify that I am the holder of that document and I do that by capturing a live selfie.
Takes just a second. Now that biometric is used to match my face on the driver's license. I need a high percentage of confidence. And it can be, this is a very powerful tool in the future for when either your clients or the world is ready for it. That biometric can be used to prove who I am in the future. And there's ways to do that right in a privacy preserving way. So I've just matched my face to the driver's license, verified the integrity, everything looks good. Now we're going to extract all of that data from the documents, because it has to be processed to do the account opening and verify that I'm not a bad actor. And so that extraction happens very quickly and we can even verify the document against the issuing authority if that source exists.
So in the US here we have something called AAMVA, which is an aggregator of all the departments of motor vehicles. Gives us a one stop shop to verify is the driver's license loss or stolen? Verify the name on it, the address, et cetera, some of those attributes. And finally, I'm going to take that social security number that I entered in the prior step and check all of this data together in what Peter referred to as triangulation. So again, with just a simple API call, our system will check that your name matches with the bureau and the driver's license, that your address matches. And then the process will be allowed to continue. And you now have a very high level of assurance about this identity and you can continue on the journey and you can see it takes me about a minute, but it takes a normal human who hasn't done it before a couple of minutes and it's very trusted. Okay, so that's modern digital onboarding.
Now what just happened? What did we do here? Couple pieces of terminology that are really important. We proofed my identity through the documents, scanned the front, scanned the back, matched the live selfie. That's the first box here. The second then is we verified the data. There's a lot of solutions that will do these again as tools. One off over here, one off over there and become disjointed. But you do it at the time of enrollment. You have a chain of custody on the process and allows you to have a much higher level of trust when you're doing it all at once. Now a couple other things. I kind of snuck into that process. I captured a biometric, touch ID, face ID and I would've issued the user a credential with that. That's really invisible to the user. And I'll show you how that credential gets used, but I now have everything I need to get into my system on day two.
Now, what was missing from that process? Did anybody see me enter a username or a password or get prompted from my two FA system. Of course the answer is no. So now this third box, we call this identity assignment, I have bound my authenticator that's in my possession only, can't be held by Peter, to get into my system on day two. And this process will enable a passwordless experience. Now, the reason all this is possible today but was not possible that long ago are because a couple of emerging technologies and standards. So there's three certifying bodies and two standards that I'm going to get into here. On the onboarding and KYC process there's a government standard by NIST, which is our standards body here in the US and has a kind of counterpart in really nearly every country. It's the NIST 800-63-3 standard, which proves identity assurance.
So it does basically, it tells you how to do what I just showed you on that prior demonstration. Remotely proof, verify, triangulate, have a chain of custody of the events and match the biometrics. Then the second standard that goes along with this is FIDO, right? So combination of NIST and FIDO can say, "Here's how you do strong authentication." These standards on NIST side get pretty hairy, but this really sums it up quite easily. So on left, you have this IAL process, identity assurance level. We have authentication assurance. Am I sure about that authenticator? Can I trust it? And then FIDO says, here's how you use that for a passwordless experience. FIDO's made a lot of news in the last year. You'll see this popping up nearly at every website soon. And together, this is identity based authentication. If they're siloed activities, they don't prove who the user is.
Now there's three certifications that your identity provider must have in order for these processes to be trusted. On the left, you have the Kantera initiative that certifies your NIST certification. They're a nonprofit global. On the right you have FIDO certification. The FIDO Alliance was formed in 2013, has hundreds of tech companies like 1Kosmos in it as participating members to advance the standards. And then here in the middle is iBeta. They're one of the primary biometric certification laboratory. So they'll check to make sure you can't be Tom Cruise, put a mask over your head and impersonate somebody else. So they give a what's called a presentation attack detection certification. These are really important. If you don't have these, you could be using something that is weak. So now let's put this into practice. I created my account a few minutes ago. I'm ready to move money. Let's see how we could trust the authentication.
Now what you're going to see is on the left, a webpage where I'm going to authenticate without touching the keyboard. On the right is a trusted authenticator. And this on the right could be a bank app, it could be a standalone app, like a third party authenticators, or it can be embedded into existing apps through an SDK. The user experience you're going to see, this goes kind of quick, so I'm kind of leading up to it, is you press this QR code button on the right and scan the webpage on the left. Now I do my face ID, which I enrolled in the prior step, and I've just done a multifactor experience in a single touch. And you can see I'm now staring at my application and I'm ready to engage with that platform. So that is passwordless authentication. That can be done into operating systems, into banking websites, into remote access, into anything. The world is ready for it. Now I'm going to need to verify the user again.
Maybe it's been three hours, I walked away from this session or something's a little off. My fraud signals are asking me to verify the user's identity. So I am going to move some money. I'm sending $750 to my friend Peter, and I want to just verify kind of a second knock, and I will reach out to that trusted authenticator, ask him for face ID one more time and let it go through. I recently wired money to another country. I had to put in my two FA code from my big bank here in the US four times within a five minute period. And all they were doing is just kept sending me a code to the same phone. So I'm sure we've all lived through that, but this is the type of experience that kind of delights your customers, yet provides the security that you need to trust that credential.
So when I scan that I have chain of custody that I'm the same person that enrolled when I opened the bank account. Now let's take it to the highest level of authentication. And this is the police officer looking you in the face and proving who you are. So Peter, I'm going to send you a $100,000 and I really want the system to verify my identity first before it disappears out of my account. In this example, I want to look myself in the face and the money has gone through. Again, proof of identity. That is Mike Engle sending money to Peter. These are all possible today. Couple lines of code inside of a website, treating the enrollment process properly and having the right privacy and disclosure and all that can all be done and you ease your users into it. Now, people are asking, "Well Mike, I don't have a strong mobile presence in my application."
Or what about my existing users? How do I get my existing 4 million banking customers into this process? I'm not going to ask them to scan my driver's license again. And the answer is no, you're not. What you're going to do and what's happening on the web, more and more places I see, our customers are doing this, is I am going to use a FIDO authenticator. This works with any modern browser on any platform, windows, Mac, Android, iOS. And what you do is you ask the user to trade in their existing login for a modern one. I'll show you what I mean. I'm going to authenticate username, password, two FA, whatever nonsense I used to use, and I'm going to ask the user, would you like to enroll in passwordless authentication. Sign in without your password. Press yes. Now my Windows Hello pops up right here. This is my Windows authentication. Private key was just put in my local machine and linked with the web service and I'm in.
I will not need that username and password again. Tomorrow when I come to log into this website, this is going to be the experience. Windows Hello scans my face and I'm in. So we've fixed a broken authentication experience, made the user's life much easier, and we've tightly coupled the authentication back to the identity. And so if I sum all this up, I change those three stop sign shaped hexagons into a little bit different layout here. If we start the identity onboarding properly, users will choose to strongly verify their government credentials. This will greatly hinder synthetic identity, which is a problem for the banks, not the users. However, if you make it easy for the users, they'll do it because as part of that process, they're going to have a better authentication experience as well.
And so that'll flow downstream. Give them a key. So one press button operation, use the biometric from step one and feed those signals into your fraud engine so that you can really have a much better sense of what's going wrong and what's not, right. So that really sums up the implementation of how we can mitigate some of these problems. Maureen will have one last polling question and then we'll get into a bit of Q&A. So this question is very simply, are you linking some of these functions in your fraud and identity and authentication systems today? So number one is they're pretty linked. Two is a little bit and three is tightly coupled. So one is not. Questions a little long for the box.
Okay, so why don't you go ahead and end it Maureen. Actually, perfect timing because we're about evenly split within eight points from anyone to the other on this. So you can see some people are starting to think about it though. We have 26% of respondents said that they do have tightly integrated processes, which is great because this is what we need.
All right, so one of the questions we have is what do you do about account recovery? And this is one of the Achilles heels. So when I showed you, how users can be in control of that credential, for example, my mobile phone here could have a key and use my biometrics. If I lose my phone, what do I do? Well there's a couple answers to that. One is you could use a biometric as a recovery mechanism or you could enroll multiple authenticators. So for example, I actually have this on my existing bank account. I have this workstation linked and my phone linked. Either one of them is trusted and I can then authenticate with either one and then set up another one from that platform. You could also use devices such as these a secondary type of device that could restore your authentication credential back into another platform.
And then Peter, this question is for you. Are you seeing your clients at Oliver Wyman worry about these two types of fraud more and more, or is it just kind of status quo and they just have to deal with it?
Peter Carroll:
Yeah, the former, not the latter. High level observations, I think the level of interest in this in Europe kicked in first. So I think we've been helping people including individual firms, banks, but also we've been doing consulting for institutions or branches of government. So the focus I think kicked in over there. In the US I think it's picked up with a lag of a couple of years, but right now we're talking to again, some major institutional players as well as individual banks. So I think my expectation is that it's going to be very big over the next two, three years.
Mike Engle:
Yeah. Interest rates going up, belts are getting tightened, so they might look to dip into that $20 billion as some savings if they fix it, right?
Peter Carroll:
Well, it's not just the $20 billion. Well, first of all, 20 that's the dollar loss. I mentioned briefly that the actual economics are worse than that because the banks are spending, everybody is spending a lot of money to keep the losses at the level that they are, including keeping the account takeover losses where they are. And even ignoring that, something you and I have talked about, just the cost of password resets is astronomical. We did some market sizing a year or so ago saying what could be the benefit of really robust digital identity and stopping fraud is important, but actually the pure operating expense across US industry of handling username, password resets is bigger. I mean, we estimate it's on the order of 75 billion a year. It's astronomical. So usernames and passwords bye bye. I think that's going to be one of the big industry trends over the next three, four years.
Mike Engle:
Yeah. Especially when it comes to cost savings. And user experience of course. I have over a thousand passwords in my password manager and it's just scary how things still operate out there.
Peter Carroll:
Yeah, if I can just add one more thing. I did mention on my slides that consumers have a high level of angst about account takeover and having their identity stolen, even if temporarily, we've done a lot of work for clients in the banking industry where we design packages like checking account packages. And when you do that kind of research, you basically quiz consumers in a controlled setting to get them to trade off what features they like or like less in a package. The thing that always rings the bell is protection against this kind of account takeover, which is not a phrase consumers use, but protection against identity theft. It's just such a high... The second highest thing is "Not being nickled and dime." Which we've all seen before, but that level of angst is really high and anything the industry can do to diminish it, I think is a big win.
Mike Engle:
Excellent. Well, that is the end of the questions. A couple others were answered in the Q&A here in the chat, but I think we've about done it. So Peter, unless you have any closing comments, thank you for coming on here and sharing all this really amazing insight and allowing me to show off my little videos. I had a lot of fun putting them together and telling the story.
Peter Carroll:
Okay, no, I have nothing more. Thank you. Thank everybody for participating.
Mike Engle:
Thank you. Take care.
Peter Carroll:
Bye bye.
Mike Engle
CSO
1Kosmos
Peter Carroll
Partner
Oliver Wyman
In this webinar, we closely examined how these identities are constructed and what organizations need to detect synthetic identities early while delivering a convenient onboarding experience to legitimate individuals. Hear why:
- Organizations use Data Triangulation to verify identity anywhere, anytime, and on any device with over 99% accuracy and without human intervention
- The use of real biometrics with Liveness Detection is critical to prevent deepfakes and other spoofing techniques
- The role of government credentials, banking records, and SMS verification to create a valid, accurate, and secure digital identity
- The use of identity-based authentication to protect account logins and fraudulent transactions
- The benefits of using a distributed ledger to protect PII and to eliminate honeypots of user data
According to the Federal Reserve, synthetic identity fraud is one of the fastest-growing financial crimes in the US, with some fraud estimates reaching $20b annually.
Even government agencies are not immune to these scams, but now thanks to new digital identity verification techniques, banks, creditors, government agencies, and others are closing the gaps in customer, citizen and employee onboarding to close the door on synthetic identities.
Mike Engle
CSO
1Kosmos
Peter Carroll
Partner
Oliver Wyman
Video Transcript
Mike Engle:
All right, well let's get started. Thanks everybody for attending. We're here today to talk about synthetic identity and account takeover fraud and some mitigating controls. My name is Mike Engle. I'm joined today by Peter Carroll. I'm CSO and co-founder over at 1Kosmos, and we'll talk a little bit about our stuff after Peter goes. And Peter, if you wouldn't mind saying hello and introducing yourself.
Peter Carroll:
Yeah, hi, Peter Carroll. I'm a partner at Oliver Wyman. I've focused over the years on consumer finance, retail banking, lending, the whole credit score, credit bureau side. And in the last few years, increasingly I've focused on digital identity.
Mike Engle:
Excellent. Well, it's great to have you here and thanks everybody for joining. We're going to not kill you with too many slides here today. We're going to tell a little bit of a story. We're going to show you some product and action to help fight some of the things we're talking about. And Peter's going to go first. With that I'm going to tee up your next slide here, Peter, and let's jump right in.
Peter Carroll:
Okay. There we go. Thanks.
So I think most of us are familiar at some level with synthetic identity fraud and account takeover fraud. What I'm going to talk about briefly here is what they are and how they work. And on the next couple of pages, the magnitude of the problem is quite scary. I'm sure plenty of you on the call know, but synthetic identity fraud is essentially somebody either creating a new identity or manipulating an existing one to then pass themselves up as a person without any substance. Often, in fact, most often, this is done by obtaining a real person's social security number. Typically a minor, an infant, or someone who hasn't yet become economically active and then gradually adapting and building up on that core social security number. Typically by accessing or applying for credit, probably getting rejected the first time, but establishing a file at the credit bureaus and then gradually getting to a little bit of credit, paying the bills properly, building up the illusion of legal behavior. And then this takes time, it takes patience, it takes a lot of skill, but eventually the synthetic identity fraud or perhaps the member of a synthetic identity fraud ring will bust out, meaning maximize their borrowing and their access to money and then so disappear from the face of the earth.
This means a lot of the losses look to lenders like a form of credit default. So synthetic identity fraud is quite hard to observe in terms of its impact and to measure accurately. So I've got a lot of data on the next couple of pages, but they're all basically estimates because it's very hard to know. Account takeover fraud is a little more straightforward. It's like I get your username and password somehow, we'll talk about how, and I log into your account as you and there I do my mischief. I think of synthetic identity fraud is the front door and account takeover fraud as the side door. So when Mike starts talking about how [inaudible 00:03:53] the door, closing the front door and then putting a padlock or a combination lock on the side door to keep people out. Account takeover fraud can be as simple as someone telling you their username and password.
I always think it's sort of darkly amusing that when Edward Snowden downloaded 12 terabytes of top-secret data at the NSA, he did it because 25 of his colleagues had shared their usernames and passwords with him. But out in the real world on a sort of day-to-day basis, this happens through data breaches where as I'm sure most of you know, lots of our information is available for pennies on the dark web, including some of our username password combinations. And I'll come back to the sum of in a second. Often people can access these credentials through malware, through social engineering, phishing, other sort of closely related frauds, either to get your actual username and password or to get at least one that you use. Something like 60% of people use the same password for multiple different points of access, their bank account, their Gmail account or whatnot.
And another 20% use simple variations on a standard password. So almost all of us have fairly poor password habits. So through these techniques, people can either directly access and take over your account or do something called credential stuffing where I learn your password in one setting, I go try it to get into your bank account. If it doesn't work, I try variations and I'll do this on an industrial scale until I either get in or run out of chances to try. And in some cases, if the access control is beyond username and password, and it's backed up by an SMS code. It's surprising how easy it is for people to engineer SIM swaps. I think the relevant statistic is four out of five SIM swap attempts, fraudulent SIM swap attempts are successful. So Mike, if you could flip to the next slide, we can just quickly go through some data.
Synthetic IDs are hard to spot to the extent we can figure out something like 85 to 95% of new account applicants who are later judged to be synthetic IDs or synthetic ID frauds, were not flagged up front by the verification system. As an extension of that, something like 1 to 2% of all open US bank accounts are suspected of being synthetic. And another sort of parallel statistic, something on the order of a third of $1 billion in card debt is outstanding on accounts where the people didn't exist in 2017. So there's like phantom people probably therefore synthetic IDs. The bust out that I referred to before has a very high average dollar impact. It's on the order of $90,000 and when people bust out, they push as much as they can beyond whatever their current credit limits are. And as I mentioned briefly, the synthetic ID process is clever.
It's patient. Takes time. All leading up to the bust out, can take three, four, five years. And it's sometimes done in sort of organized rings. One of the largest known rings consisted of 7,000 synthetic identities, which had accumulated 25,000 credit cards. And when they engineered their bust out, it represented a minimum of $200 million in losses. Some estimates put it much higher. And this was on the order of $28,000 per synthetic identity and $8,000 per credit card. I mean the numbers are annoyingly large. Account takeovers, this is, I don't know, it's different in kind, but it's just about as damaging. Attempts have quadrupled since Covid came along. Nearly a quarter of US households say they've been victims of account takeovers, losses average about $12,000. Credential stuffing, which I mentioned briefly accounts for the largest portion of login attempts. I saw this data point the other day, something like 61% of all attempts to access, I think it was bank accounts in the US, were thought to be credential stuffing.
If you think about it, a majority, more than 50% of times people try to get into a bank account. It's someone doing sort of organized credential stuffing. And then last holiday season is the busiest time. And I mentioned this already, where a SIM swap attempt is required, it's surprisingly easy for that to be pulled off. If we add it all up at the top of the house. Mike, if you could flip, thank you. Taken together, banks and other lenders are estimated to have lost about $20 billion this year to synthetic identity fraud, which is a huge increase over five, six years ago.
Account takeover fraud happens more often. I'll go back to those numbers in a second. But that costs on the order of $11 to $12 billion a year. And it's really important to note that the first block of loss hits the lenders and banks directly and consumers in a sense don't even see it. The account takeover fraud on the other hand, directly hits the consumers and merchants and the consumers are very aware of it. And all kinds of survey and market research shows that consumers are very nervous about it. They're looking for people to help them. They're in a state of angst about the potential for their identity to be stolen, for their accounts to be taken over.
The pie charts on the left basically just show that the average cost per incident, meaning breakout in a synthetic ID sense, that's $90,000. I mentioned that already, $12,000 in the other case. The frequency of incidents in round numbers, it's about a million incidents a year in account takeover and about quarter of a million in synthetic. So big numbers, rapidly increasing. So I do think it's important though this point that I'll just repeat very briefly. The first one hits the banks and in a sense, quote, "the consumers don't care, they don't see it." The second one hits the consumers and they really care. And this is going to feed back because when you try to fix the problem, at some point you have to ask the consumer to help and you want to ask them to help fix the second problem because fixing the second problem will appeal to them and that'll actually help you fix the first problem.
I'll let Mike handle that. And just to wrap up, Mike, if you could just flip to my last slide. So how do you stop this? I think what you do is you put controls on the front door, you improve your account opening identity enrollment procedures so that you're much more confident that this is a real person upfront. Mike's going to talk about how you do that with a number of new steps. Then you bar the side door to control and eliminate account takeovers largely by getting rid of usernames and passwords and replacing them with what we call identity based authentication. Again, I won't steal Mike's thunder, I'll let him talk about that.
But these two are linked. To do solid authentication, you have to do solid enrollment. And that's a phrase we've started using identity based authentication. And I think Gartner now calls this identity convergence. So you do all of that and that means you've, inhibited up upfront the synthetic ID frauds. And then in the second phase, the account takeover frauds. And as I mentioned in passing, you want to enroll consumers as allies in the account takeover fraud a problem because you're going to ask them to participate in the solutions and that'll help you solve the front door problem, the synthetic ID problem. All right, I'll hand over to you, Mike.
Mike Engle:
Yeah, thanks Peter. And the research you and your team put together was really cool on this. And I didn't realize, going back to this here, that synthetic was so much bigger of a problem because what makes the news? Oh, I had $600 stolen from Zelle because somebody compromised my account and it's on the 5:00 news, or obviously lots of crypto wallets have been stolen, things like that. So it really is about the hurt individual, but the banks, all of our costs have to be going up tremendously because of that top line item there. So really great stuff.
Yeah, we're going to dive into these now, but first I'm going to ask Maureen to pop up a polling question for the audience. I don't believe our LinkedIn audience can do this, but you can do it vicariously by staring really hard at the screen. The question is, do these types of fraud affect you? And level kind of one, two, and three here of how much it affects you. Take your pick. I guess it depends how you answer and what industry you're in, but this will give us a little bit of a feel. All right, think that'll about do it.
Peter Carroll:
You might just read them out for the... Oh right, because I guess everyone can see them even if they can't participate, right?
Mike Engle:
Yeah, they'll see percentages popping up here in just a second, I'm pretty sure. Yeah, great.
So yeah, we're about split between it's nasty versus I worry about this 24x7 and slightly less think it's only a minor nuisance. So again, I'm sure it depends on the industry of the participant and kind of what they do for a living. But thanks for putting that up, Maureen. Let's jump in now and I'll talk a little bit about the conversions that Peter was talking about. [inaudible 00:15:12] have to hit share results Maureen, there we go. I think that's it, right?
Okay, so this is a graphic that talks a little bit about why the problem exists and you'll see the analysts talking about this problem in different ways. But this is just a really simple way to say that these functions, how do I onboard a user, what we call identity onboarding into my systems in a way that's trusted and then that can be leveraged in the future.
We'll talk about that next. And then the authentication, as everybody knows is a mess. Technologies like Password List will make it much better. We'll talk about that. But the real problem is that when you authenticate somebody, you're not proving it's the same person that enrolled in step one and now the technologies exist where you can actually do that and it'll bring these two together. And then there's hundreds of fraud systems on the market, right? What's my IP address, my session, my this, my that. If they have signals about these other two boxes and their trusted signals, username and password is not trusted, then you can completely revolutionize how you tackle fraud. So these have been thought about as tools, implement an onboarding tool, an authentication tool, two FA and tokens and all this other nonsense, but not as a cohesive strategy or solution. And just expanding upon this first box here a little bit.
The identity onboarding is still stuck in the '90s. We're asking users to type in data manually, 15 plus fields, multiple screens prone to data entry error. And besides this data has been stolen dozens of times from all kinds of different sources. The bureaus have been hacked, data's been leaked, it's available on the dark web for pennies. And when you go to verify it, you're verifying data that anybody can really verify. So there's no trust in this process. And this right here is the root cause of synthetic identity. And we're going to talk about some compensated controls. So that's the identity onboarding, that first siloed pillar on the left, and then the second pillar, authentication. Living in the same kind of '90s era where we're still relying on usernames, passwords, and codes, which you can give to anybody, can be stolen by anybody, can be intercepted.
And most importantly, they do not link back to the prior step. And the litmus test for this is if you can give your authenticator to somebody else, either because you want to or because it's coerced from you, then you're not proving anything about somebody's identity. We call this a system based on hope. And the industry term for this is hope based authentication. It's an industry term because I say it is. So write it down, tell all your friends, but we're migrating from this HBA to what Peter referenced as identity based authentication. And I'm going to get to that next. But first one more polling question, and we're going to talk a little bit about biometrics here today. So this is why we're bringing this up. Do you currently use biometrics in your digital identity systems for those IAM practitioners here? Are you using it for your employee systems or your customer systems? And biometrics it's a bit of a loaded term. We're going to talk about the difference between device biometrics and real biometrics here in just a minute, but let's just call it biometrics for now.
And as I suspected we're split right about down the middle. All right, so thank you for that, Maureen. Yeah, exactly. A 50/50 split on this answer. And that's a problem because biometrics are the only way to prove who somebody is remotely. If you think about why, why is that? Mike, you're crazy. I've got secure ID tokens and things. Well again, they can be given to somebody. Those codes can be intercepted. Imagine you get pulled over by the state trooper, a police officer, and they roll down the window and they say, "I need your identity. Can you give me a six digit code please?" I'd never get a speeding ticket again. But no, what they do is they look at a trusted credential, they look at your face, which is a biometric, and make sure they match. And we can do that now in a digital environment. So let me show you how. I am going to walk through a modern identity enrollment experience.
Okay. We'll start the process like we do on the internet. You still have to get somebody's email address and phone number. That's been done again since the beginning of time on computers. I'm not going to get into that. There are lots of fraud checks you can do on these to make sure it has some trust to it. But again, not for the purpose of today's discussion, but now we're going to start to do some things that are only been possible in the last couple of years. First, we're going to enroll what we call device biometrics. Every modern computer and mobile phone now has this stuff built in. In this example, I'm doing my touch ID and my face ID. Now what happened here is I just linked that authenticator, my face ID on my phone to this session as I'm creating my account, and we'll be able to leverage that in the future for some higher trust.
Now we're going to continue on the account onboarding process and one of the requirements for banking is to get a national identity number for tax purposes and terrorist checks and things like that. So we do have to ask for one piece of data from the user manually. That is a national identity number. So that is, type it in. Unfortunately, there's not an easy way to do this digitally, but those nine characters that I just typed in are the only nine characters that I'll type on the keyboard to onboard this account. And the reason for that is because I can scan my government issued credential digitally. So we do that by leveraging the modern technology that's in front of us every day. You'll see me take out my camera and scan the front and the back of my driver's license.
This takes just a second. And what's happening is all kinds of machine learning, AI, whatever buzzword you want to use, but real integrity checks are being done on this document. All the overt security features are being verified. Size, shape, position of the photo, the font. Does the data on the front match the back, et cetera. There's about 600 different fraud checks that can be applied to the thousands of document types that we can scan across over 200 countries. It is far more trusted than a human looking at it with their eyeballs. Now, we haven't verified the holder of this document yet. I could have just scanned my mom's driver's license. Doesn't really get us to the point where we need to be. So now we need to verify that I am the holder of that document and I do that by capturing a live selfie.
Takes just a second. Now that biometric is used to match my face on the driver's license. I need a high percentage of confidence. And it can be, this is a very powerful tool in the future for when either your clients or the world is ready for it. That biometric can be used to prove who I am in the future. And there's ways to do that right in a privacy preserving way. So I've just matched my face to the driver's license, verified the integrity, everything looks good. Now we're going to extract all of that data from the documents, because it has to be processed to do the account opening and verify that I'm not a bad actor. And so that extraction happens very quickly and we can even verify the document against the issuing authority if that source exists.
So in the US here we have something called AAMVA, which is an aggregator of all the departments of motor vehicles. Gives us a one stop shop to verify is the driver's license loss or stolen? Verify the name on it, the address, et cetera, some of those attributes. And finally, I'm going to take that social security number that I entered in the prior step and check all of this data together in what Peter referred to as triangulation. So again, with just a simple API call, our system will check that your name matches with the bureau and the driver's license, that your address matches. And then the process will be allowed to continue. And you now have a very high level of assurance about this identity and you can continue on the journey and you can see it takes me about a minute, but it takes a normal human who hasn't done it before a couple of minutes and it's very trusted. Okay, so that's modern digital onboarding.
Now what just happened? What did we do here? Couple pieces of terminology that are really important. We proofed my identity through the documents, scanned the front, scanned the back, matched the live selfie. That's the first box here. The second then is we verified the data. There's a lot of solutions that will do these again as tools. One off over here, one off over there and become disjointed. But you do it at the time of enrollment. You have a chain of custody on the process and allows you to have a much higher level of trust when you're doing it all at once. Now a couple other things. I kind of snuck into that process. I captured a biometric, touch ID, face ID and I would've issued the user a credential with that. That's really invisible to the user. And I'll show you how that credential gets used, but I now have everything I need to get into my system on day two.
Now, what was missing from that process? Did anybody see me enter a username or a password or get prompted from my two FA system. Of course the answer is no. So now this third box, we call this identity assignment, I have bound my authenticator that's in my possession only, can't be held by Peter, to get into my system on day two. And this process will enable a passwordless experience. Now, the reason all this is possible today but was not possible that long ago are because a couple of emerging technologies and standards. So there's three certifying bodies and two standards that I'm going to get into here. On the onboarding and KYC process there's a government standard by NIST, which is our standards body here in the US and has a kind of counterpart in really nearly every country. It's the NIST 800-63-3 standard, which proves identity assurance.
So it does basically, it tells you how to do what I just showed you on that prior demonstration. Remotely proof, verify, triangulate, have a chain of custody of the events and match the biometrics. Then the second standard that goes along with this is FIDO, right? So combination of NIST and FIDO can say, "Here's how you do strong authentication." These standards on NIST side get pretty hairy, but this really sums it up quite easily. So on left, you have this IAL process, identity assurance level. We have authentication assurance. Am I sure about that authenticator? Can I trust it? And then FIDO says, here's how you use that for a passwordless experience. FIDO's made a lot of news in the last year. You'll see this popping up nearly at every website soon. And together, this is identity based authentication. If they're siloed activities, they don't prove who the user is.
Now there's three certifications that your identity provider must have in order for these processes to be trusted. On the left, you have the Kantera initiative that certifies your NIST certification. They're a nonprofit global. On the right you have FIDO certification. The FIDO Alliance was formed in 2013, has hundreds of tech companies like 1Kosmos in it as participating members to advance the standards. And then here in the middle is iBeta. They're one of the primary biometric certification laboratory. So they'll check to make sure you can't be Tom Cruise, put a mask over your head and impersonate somebody else. So they give a what's called a presentation attack detection certification. These are really important. If you don't have these, you could be using something that is weak. So now let's put this into practice. I created my account a few minutes ago. I'm ready to move money. Let's see how we could trust the authentication.
Now what you're going to see is on the left, a webpage where I'm going to authenticate without touching the keyboard. On the right is a trusted authenticator. And this on the right could be a bank app, it could be a standalone app, like a third party authenticators, or it can be embedded into existing apps through an SDK. The user experience you're going to see, this goes kind of quick, so I'm kind of leading up to it, is you press this QR code button on the right and scan the webpage on the left. Now I do my face ID, which I enrolled in the prior step, and I've just done a multifactor experience in a single touch. And you can see I'm now staring at my application and I'm ready to engage with that platform. So that is passwordless authentication. That can be done into operating systems, into banking websites, into remote access, into anything. The world is ready for it. Now I'm going to need to verify the user again.
Maybe it's been three hours, I walked away from this session or something's a little off. My fraud signals are asking me to verify the user's identity. So I am going to move some money. I'm sending $750 to my friend Peter, and I want to just verify kind of a second knock, and I will reach out to that trusted authenticator, ask him for face ID one more time and let it go through. I recently wired money to another country. I had to put in my two FA code from my big bank here in the US four times within a five minute period. And all they were doing is just kept sending me a code to the same phone. So I'm sure we've all lived through that, but this is the type of experience that kind of delights your customers, yet provides the security that you need to trust that credential.
So when I scan that I have chain of custody that I'm the same person that enrolled when I opened the bank account. Now let's take it to the highest level of authentication. And this is the police officer looking you in the face and proving who you are. So Peter, I'm going to send you a $100,000 and I really want the system to verify my identity first before it disappears out of my account. In this example, I want to look myself in the face and the money has gone through. Again, proof of identity. That is Mike Engle sending money to Peter. These are all possible today. Couple lines of code inside of a website, treating the enrollment process properly and having the right privacy and disclosure and all that can all be done and you ease your users into it. Now, people are asking, "Well Mike, I don't have a strong mobile presence in my application."
Or what about my existing users? How do I get my existing 4 million banking customers into this process? I'm not going to ask them to scan my driver's license again. And the answer is no, you're not. What you're going to do and what's happening on the web, more and more places I see, our customers are doing this, is I am going to use a FIDO authenticator. This works with any modern browser on any platform, windows, Mac, Android, iOS. And what you do is you ask the user to trade in their existing login for a modern one. I'll show you what I mean. I'm going to authenticate username, password, two FA, whatever nonsense I used to use, and I'm going to ask the user, would you like to enroll in passwordless authentication. Sign in without your password. Press yes. Now my Windows Hello pops up right here. This is my Windows authentication. Private key was just put in my local machine and linked with the web service and I'm in.
I will not need that username and password again. Tomorrow when I come to log into this website, this is going to be the experience. Windows Hello scans my face and I'm in. So we've fixed a broken authentication experience, made the user's life much easier, and we've tightly coupled the authentication back to the identity. And so if I sum all this up, I change those three stop sign shaped hexagons into a little bit different layout here. If we start the identity onboarding properly, users will choose to strongly verify their government credentials. This will greatly hinder synthetic identity, which is a problem for the banks, not the users. However, if you make it easy for the users, they'll do it because as part of that process, they're going to have a better authentication experience as well.
And so that'll flow downstream. Give them a key. So one press button operation, use the biometric from step one and feed those signals into your fraud engine so that you can really have a much better sense of what's going wrong and what's not, right. So that really sums up the implementation of how we can mitigate some of these problems. Maureen will have one last polling question and then we'll get into a bit of Q&A. So this question is very simply, are you linking some of these functions in your fraud and identity and authentication systems today? So number one is they're pretty linked. Two is a little bit and three is tightly coupled. So one is not. Questions a little long for the box.
Okay, so why don't you go ahead and end it Maureen. Actually, perfect timing because we're about evenly split within eight points from anyone to the other on this. So you can see some people are starting to think about it though. We have 26% of respondents said that they do have tightly integrated processes, which is great because this is what we need.
All right, so one of the questions we have is what do you do about account recovery? And this is one of the Achilles heels. So when I showed you, how users can be in control of that credential, for example, my mobile phone here could have a key and use my biometrics. If I lose my phone, what do I do? Well there's a couple answers to that. One is you could use a biometric as a recovery mechanism or you could enroll multiple authenticators. So for example, I actually have this on my existing bank account. I have this workstation linked and my phone linked. Either one of them is trusted and I can then authenticate with either one and then set up another one from that platform. You could also use devices such as these a secondary type of device that could restore your authentication credential back into another platform.
And then Peter, this question is for you. Are you seeing your clients at Oliver Wyman worry about these two types of fraud more and more, or is it just kind of status quo and they just have to deal with it?
Peter Carroll:
Yeah, the former, not the latter. High level observations, I think the level of interest in this in Europe kicked in first. So I think we've been helping people including individual firms, banks, but also we've been doing consulting for institutions or branches of government. So the focus I think kicked in over there. In the US I think it's picked up with a lag of a couple of years, but right now we're talking to again, some major institutional players as well as individual banks. So I think my expectation is that it's going to be very big over the next two, three years.
Mike Engle:
Yeah. Interest rates going up, belts are getting tightened, so they might look to dip into that $20 billion as some savings if they fix it, right?
Peter Carroll:
Well, it's not just the $20 billion. Well, first of all, 20 that's the dollar loss. I mentioned briefly that the actual economics are worse than that because the banks are spending, everybody is spending a lot of money to keep the losses at the level that they are, including keeping the account takeover losses where they are. And even ignoring that, something you and I have talked about, just the cost of password resets is astronomical. We did some market sizing a year or so ago saying what could be the benefit of really robust digital identity and stopping fraud is important, but actually the pure operating expense across US industry of handling username, password resets is bigger. I mean, we estimate it's on the order of 75 billion a year. It's astronomical. So usernames and passwords bye bye. I think that's going to be one of the big industry trends over the next three, four years.
Mike Engle:
Yeah. Especially when it comes to cost savings. And user experience of course. I have over a thousand passwords in my password manager and it's just scary how things still operate out there.
Peter Carroll:
Yeah, if I can just add one more thing. I did mention on my slides that consumers have a high level of angst about account takeover and having their identity stolen, even if temporarily, we've done a lot of work for clients in the banking industry where we design packages like checking account packages. And when you do that kind of research, you basically quiz consumers in a controlled setting to get them to trade off what features they like or like less in a package. The thing that always rings the bell is protection against this kind of account takeover, which is not a phrase consumers use, but protection against identity theft. It's just such a high... The second highest thing is "Not being nickled and dime." Which we've all seen before, but that level of angst is really high and anything the industry can do to diminish it, I think is a big win.
Mike Engle:
Excellent. Well, that is the end of the questions. A couple others were answered in the Q&A here in the chat, but I think we've about done it. So Peter, unless you have any closing comments, thank you for coming on here and sharing all this really amazing insight and allowing me to show off my little videos. I had a lot of fun putting them together and telling the story.
Peter Carroll:
Okay, no, I have nothing more. Thank you. Thank everybody for participating.
Mike Engle:
Thank you. Take care.
Peter Carroll:
Bye bye.
All right, well let's get started. Thanks everybody for attending. We're here today to talk about synthetic identity and account takeover fraud and some mitigating controls. My name is Mike Engle. I'm joined today by Peter Carroll. I'm CSO and co-founder over at 1Kosmos, and we'll talk a little bit about our stuff after Peter goes. And Peter, if you wouldn't mind saying hello and introducing yourself.
Peter Carroll:
Yeah, hi, Peter Carroll. I'm a partner at Oliver Wyman. I've focused over the years on consumer finance, retail banking, lending, the whole credit score, credit bureau side. And in the last few years, increasingly I've focused on digital identity.
Mike Engle:
Excellent. Well, it's great to have you here and thanks everybody for joining. We're going to not kill you with too many slides here today. We're going to tell a little bit of a story. We're going to show you some product and action to help fight some of the things we're talking about. And Peter's going to go first. With that I'm going to tee up your next slide here, Peter, and let's jump right in.
Peter Carroll:
Okay. There we go. Thanks.
So I think most of us are familiar at some level with synthetic identity fraud and account takeover fraud. What I'm going to talk about briefly here is what they are and how they work. And on the next couple of pages, the magnitude of the problem is quite scary. I'm sure plenty of you on the call know, but synthetic identity fraud is essentially somebody either creating a new identity or manipulating an existing one to then pass themselves up as a person without any substance. Often, in fact, most often, this is done by obtaining a real person's social security number. Typically a minor, an infant, or someone who hasn't yet become economically active and then gradually adapting and building up on that core social security number. Typically by accessing or applying for credit, probably getting rejected the first time, but establishing a file at the credit bureaus and then gradually getting to a little bit of credit, paying the bills properly, building up the illusion of legal behavior. And then this takes time, it takes patience, it takes a lot of skill, but eventually the synthetic identity fraud or perhaps the member of a synthetic identity fraud ring will bust out, meaning maximize their borrowing and their access to money and then so disappear from the face of the earth.
This means a lot of the losses look to lenders like a form of credit default. So synthetic identity fraud is quite hard to observe in terms of its impact and to measure accurately. So I've got a lot of data on the next couple of pages, but they're all basically estimates because it's very hard to know. Account takeover fraud is a little more straightforward. It's like I get your username and password somehow, we'll talk about how, and I log into your account as you and there I do my mischief. I think of synthetic identity fraud is the front door and account takeover fraud as the side door. So when Mike starts talking about how [inaudible 00:03:53] the door, closing the front door and then putting a padlock or a combination lock on the side door to keep people out. Account takeover fraud can be as simple as someone telling you their username and password.
I always think it's sort of darkly amusing that when Edward Snowden downloaded 12 terabytes of top-secret data at the NSA, he did it because 25 of his colleagues had shared their usernames and passwords with him. But out in the real world on a sort of day-to-day basis, this happens through data breaches where as I'm sure most of you know, lots of our information is available for pennies on the dark web, including some of our username password combinations. And I'll come back to the sum of in a second. Often people can access these credentials through malware, through social engineering, phishing, other sort of closely related frauds, either to get your actual username and password or to get at least one that you use. Something like 60% of people use the same password for multiple different points of access, their bank account, their Gmail account or whatnot.
And another 20% use simple variations on a standard password. So almost all of us have fairly poor password habits. So through these techniques, people can either directly access and take over your account or do something called credential stuffing where I learn your password in one setting, I go try it to get into your bank account. If it doesn't work, I try variations and I'll do this on an industrial scale until I either get in or run out of chances to try. And in some cases, if the access control is beyond username and password, and it's backed up by an SMS code. It's surprising how easy it is for people to engineer SIM swaps. I think the relevant statistic is four out of five SIM swap attempts, fraudulent SIM swap attempts are successful. So Mike, if you could flip to the next slide, we can just quickly go through some data.
Synthetic IDs are hard to spot to the extent we can figure out something like 85 to 95% of new account applicants who are later judged to be synthetic IDs or synthetic ID frauds, were not flagged up front by the verification system. As an extension of that, something like 1 to 2% of all open US bank accounts are suspected of being synthetic. And another sort of parallel statistic, something on the order of a third of $1 billion in card debt is outstanding on accounts where the people didn't exist in 2017. So there's like phantom people probably therefore synthetic IDs. The bust out that I referred to before has a very high average dollar impact. It's on the order of $90,000 and when people bust out, they push as much as they can beyond whatever their current credit limits are. And as I mentioned briefly, the synthetic ID process is clever.
It's patient. Takes time. All leading up to the bust out, can take three, four, five years. And it's sometimes done in sort of organized rings. One of the largest known rings consisted of 7,000 synthetic identities, which had accumulated 25,000 credit cards. And when they engineered their bust out, it represented a minimum of $200 million in losses. Some estimates put it much higher. And this was on the order of $28,000 per synthetic identity and $8,000 per credit card. I mean the numbers are annoyingly large. Account takeovers, this is, I don't know, it's different in kind, but it's just about as damaging. Attempts have quadrupled since Covid came along. Nearly a quarter of US households say they've been victims of account takeovers, losses average about $12,000. Credential stuffing, which I mentioned briefly accounts for the largest portion of login attempts. I saw this data point the other day, something like 61% of all attempts to access, I think it was bank accounts in the US, were thought to be credential stuffing.
If you think about it, a majority, more than 50% of times people try to get into a bank account. It's someone doing sort of organized credential stuffing. And then last holiday season is the busiest time. And I mentioned this already, where a SIM swap attempt is required, it's surprisingly easy for that to be pulled off. If we add it all up at the top of the house. Mike, if you could flip, thank you. Taken together, banks and other lenders are estimated to have lost about $20 billion this year to synthetic identity fraud, which is a huge increase over five, six years ago.
Account takeover fraud happens more often. I'll go back to those numbers in a second. But that costs on the order of $11 to $12 billion a year. And it's really important to note that the first block of loss hits the lenders and banks directly and consumers in a sense don't even see it. The account takeover fraud on the other hand, directly hits the consumers and merchants and the consumers are very aware of it. And all kinds of survey and market research shows that consumers are very nervous about it. They're looking for people to help them. They're in a state of angst about the potential for their identity to be stolen, for their accounts to be taken over.
The pie charts on the left basically just show that the average cost per incident, meaning breakout in a synthetic ID sense, that's $90,000. I mentioned that already, $12,000 in the other case. The frequency of incidents in round numbers, it's about a million incidents a year in account takeover and about quarter of a million in synthetic. So big numbers, rapidly increasing. So I do think it's important though this point that I'll just repeat very briefly. The first one hits the banks and in a sense, quote, "the consumers don't care, they don't see it." The second one hits the consumers and they really care. And this is going to feed back because when you try to fix the problem, at some point you have to ask the consumer to help and you want to ask them to help fix the second problem because fixing the second problem will appeal to them and that'll actually help you fix the first problem.
I'll let Mike handle that. And just to wrap up, Mike, if you could just flip to my last slide. So how do you stop this? I think what you do is you put controls on the front door, you improve your account opening identity enrollment procedures so that you're much more confident that this is a real person upfront. Mike's going to talk about how you do that with a number of new steps. Then you bar the side door to control and eliminate account takeovers largely by getting rid of usernames and passwords and replacing them with what we call identity based authentication. Again, I won't steal Mike's thunder, I'll let him talk about that.
But these two are linked. To do solid authentication, you have to do solid enrollment. And that's a phrase we've started using identity based authentication. And I think Gartner now calls this identity convergence. So you do all of that and that means you've, inhibited up upfront the synthetic ID frauds. And then in the second phase, the account takeover frauds. And as I mentioned in passing, you want to enroll consumers as allies in the account takeover fraud a problem because you're going to ask them to participate in the solutions and that'll help you solve the front door problem, the synthetic ID problem. All right, I'll hand over to you, Mike.
Mike Engle:
Yeah, thanks Peter. And the research you and your team put together was really cool on this. And I didn't realize, going back to this here, that synthetic was so much bigger of a problem because what makes the news? Oh, I had $600 stolen from Zelle because somebody compromised my account and it's on the 5:00 news, or obviously lots of crypto wallets have been stolen, things like that. So it really is about the hurt individual, but the banks, all of our costs have to be going up tremendously because of that top line item there. So really great stuff.
Yeah, we're going to dive into these now, but first I'm going to ask Maureen to pop up a polling question for the audience. I don't believe our LinkedIn audience can do this, but you can do it vicariously by staring really hard at the screen. The question is, do these types of fraud affect you? And level kind of one, two, and three here of how much it affects you. Take your pick. I guess it depends how you answer and what industry you're in, but this will give us a little bit of a feel. All right, think that'll about do it.
Peter Carroll:
You might just read them out for the... Oh right, because I guess everyone can see them even if they can't participate, right?
Mike Engle:
Yeah, they'll see percentages popping up here in just a second, I'm pretty sure. Yeah, great.
So yeah, we're about split between it's nasty versus I worry about this 24x7 and slightly less think it's only a minor nuisance. So again, I'm sure it depends on the industry of the participant and kind of what they do for a living. But thanks for putting that up, Maureen. Let's jump in now and I'll talk a little bit about the conversions that Peter was talking about. [inaudible 00:15:12] have to hit share results Maureen, there we go. I think that's it, right?
Okay, so this is a graphic that talks a little bit about why the problem exists and you'll see the analysts talking about this problem in different ways. But this is just a really simple way to say that these functions, how do I onboard a user, what we call identity onboarding into my systems in a way that's trusted and then that can be leveraged in the future.
We'll talk about that next. And then the authentication, as everybody knows is a mess. Technologies like Password List will make it much better. We'll talk about that. But the real problem is that when you authenticate somebody, you're not proving it's the same person that enrolled in step one and now the technologies exist where you can actually do that and it'll bring these two together. And then there's hundreds of fraud systems on the market, right? What's my IP address, my session, my this, my that. If they have signals about these other two boxes and their trusted signals, username and password is not trusted, then you can completely revolutionize how you tackle fraud. So these have been thought about as tools, implement an onboarding tool, an authentication tool, two FA and tokens and all this other nonsense, but not as a cohesive strategy or solution. And just expanding upon this first box here a little bit.
The identity onboarding is still stuck in the '90s. We're asking users to type in data manually, 15 plus fields, multiple screens prone to data entry error. And besides this data has been stolen dozens of times from all kinds of different sources. The bureaus have been hacked, data's been leaked, it's available on the dark web for pennies. And when you go to verify it, you're verifying data that anybody can really verify. So there's no trust in this process. And this right here is the root cause of synthetic identity. And we're going to talk about some compensated controls. So that's the identity onboarding, that first siloed pillar on the left, and then the second pillar, authentication. Living in the same kind of '90s era where we're still relying on usernames, passwords, and codes, which you can give to anybody, can be stolen by anybody, can be intercepted.
And most importantly, they do not link back to the prior step. And the litmus test for this is if you can give your authenticator to somebody else, either because you want to or because it's coerced from you, then you're not proving anything about somebody's identity. We call this a system based on hope. And the industry term for this is hope based authentication. It's an industry term because I say it is. So write it down, tell all your friends, but we're migrating from this HBA to what Peter referenced as identity based authentication. And I'm going to get to that next. But first one more polling question, and we're going to talk a little bit about biometrics here today. So this is why we're bringing this up. Do you currently use biometrics in your digital identity systems for those IAM practitioners here? Are you using it for your employee systems or your customer systems? And biometrics it's a bit of a loaded term. We're going to talk about the difference between device biometrics and real biometrics here in just a minute, but let's just call it biometrics for now.
And as I suspected we're split right about down the middle. All right, so thank you for that, Maureen. Yeah, exactly. A 50/50 split on this answer. And that's a problem because biometrics are the only way to prove who somebody is remotely. If you think about why, why is that? Mike, you're crazy. I've got secure ID tokens and things. Well again, they can be given to somebody. Those codes can be intercepted. Imagine you get pulled over by the state trooper, a police officer, and they roll down the window and they say, "I need your identity. Can you give me a six digit code please?" I'd never get a speeding ticket again. But no, what they do is they look at a trusted credential, they look at your face, which is a biometric, and make sure they match. And we can do that now in a digital environment. So let me show you how. I am going to walk through a modern identity enrollment experience.
Okay. We'll start the process like we do on the internet. You still have to get somebody's email address and phone number. That's been done again since the beginning of time on computers. I'm not going to get into that. There are lots of fraud checks you can do on these to make sure it has some trust to it. But again, not for the purpose of today's discussion, but now we're going to start to do some things that are only been possible in the last couple of years. First, we're going to enroll what we call device biometrics. Every modern computer and mobile phone now has this stuff built in. In this example, I'm doing my touch ID and my face ID. Now what happened here is I just linked that authenticator, my face ID on my phone to this session as I'm creating my account, and we'll be able to leverage that in the future for some higher trust.
Now we're going to continue on the account onboarding process and one of the requirements for banking is to get a national identity number for tax purposes and terrorist checks and things like that. So we do have to ask for one piece of data from the user manually. That is a national identity number. So that is, type it in. Unfortunately, there's not an easy way to do this digitally, but those nine characters that I just typed in are the only nine characters that I'll type on the keyboard to onboard this account. And the reason for that is because I can scan my government issued credential digitally. So we do that by leveraging the modern technology that's in front of us every day. You'll see me take out my camera and scan the front and the back of my driver's license.
This takes just a second. And what's happening is all kinds of machine learning, AI, whatever buzzword you want to use, but real integrity checks are being done on this document. All the overt security features are being verified. Size, shape, position of the photo, the font. Does the data on the front match the back, et cetera. There's about 600 different fraud checks that can be applied to the thousands of document types that we can scan across over 200 countries. It is far more trusted than a human looking at it with their eyeballs. Now, we haven't verified the holder of this document yet. I could have just scanned my mom's driver's license. Doesn't really get us to the point where we need to be. So now we need to verify that I am the holder of that document and I do that by capturing a live selfie.
Takes just a second. Now that biometric is used to match my face on the driver's license. I need a high percentage of confidence. And it can be, this is a very powerful tool in the future for when either your clients or the world is ready for it. That biometric can be used to prove who I am in the future. And there's ways to do that right in a privacy preserving way. So I've just matched my face to the driver's license, verified the integrity, everything looks good. Now we're going to extract all of that data from the documents, because it has to be processed to do the account opening and verify that I'm not a bad actor. And so that extraction happens very quickly and we can even verify the document against the issuing authority if that source exists.
So in the US here we have something called AAMVA, which is an aggregator of all the departments of motor vehicles. Gives us a one stop shop to verify is the driver's license loss or stolen? Verify the name on it, the address, et cetera, some of those attributes. And finally, I'm going to take that social security number that I entered in the prior step and check all of this data together in what Peter referred to as triangulation. So again, with just a simple API call, our system will check that your name matches with the bureau and the driver's license, that your address matches. And then the process will be allowed to continue. And you now have a very high level of assurance about this identity and you can continue on the journey and you can see it takes me about a minute, but it takes a normal human who hasn't done it before a couple of minutes and it's very trusted. Okay, so that's modern digital onboarding.
Now what just happened? What did we do here? Couple pieces of terminology that are really important. We proofed my identity through the documents, scanned the front, scanned the back, matched the live selfie. That's the first box here. The second then is we verified the data. There's a lot of solutions that will do these again as tools. One off over here, one off over there and become disjointed. But you do it at the time of enrollment. You have a chain of custody on the process and allows you to have a much higher level of trust when you're doing it all at once. Now a couple other things. I kind of snuck into that process. I captured a biometric, touch ID, face ID and I would've issued the user a credential with that. That's really invisible to the user. And I'll show you how that credential gets used, but I now have everything I need to get into my system on day two.
Now, what was missing from that process? Did anybody see me enter a username or a password or get prompted from my two FA system. Of course the answer is no. So now this third box, we call this identity assignment, I have bound my authenticator that's in my possession only, can't be held by Peter, to get into my system on day two. And this process will enable a passwordless experience. Now, the reason all this is possible today but was not possible that long ago are because a couple of emerging technologies and standards. So there's three certifying bodies and two standards that I'm going to get into here. On the onboarding and KYC process there's a government standard by NIST, which is our standards body here in the US and has a kind of counterpart in really nearly every country. It's the NIST 800-63-3 standard, which proves identity assurance.
So it does basically, it tells you how to do what I just showed you on that prior demonstration. Remotely proof, verify, triangulate, have a chain of custody of the events and match the biometrics. Then the second standard that goes along with this is FIDO, right? So combination of NIST and FIDO can say, "Here's how you do strong authentication." These standards on NIST side get pretty hairy, but this really sums it up quite easily. So on left, you have this IAL process, identity assurance level. We have authentication assurance. Am I sure about that authenticator? Can I trust it? And then FIDO says, here's how you use that for a passwordless experience. FIDO's made a lot of news in the last year. You'll see this popping up nearly at every website soon. And together, this is identity based authentication. If they're siloed activities, they don't prove who the user is.
Now there's three certifications that your identity provider must have in order for these processes to be trusted. On the left, you have the Kantera initiative that certifies your NIST certification. They're a nonprofit global. On the right you have FIDO certification. The FIDO Alliance was formed in 2013, has hundreds of tech companies like 1Kosmos in it as participating members to advance the standards. And then here in the middle is iBeta. They're one of the primary biometric certification laboratory. So they'll check to make sure you can't be Tom Cruise, put a mask over your head and impersonate somebody else. So they give a what's called a presentation attack detection certification. These are really important. If you don't have these, you could be using something that is weak. So now let's put this into practice. I created my account a few minutes ago. I'm ready to move money. Let's see how we could trust the authentication.
Now what you're going to see is on the left, a webpage where I'm going to authenticate without touching the keyboard. On the right is a trusted authenticator. And this on the right could be a bank app, it could be a standalone app, like a third party authenticators, or it can be embedded into existing apps through an SDK. The user experience you're going to see, this goes kind of quick, so I'm kind of leading up to it, is you press this QR code button on the right and scan the webpage on the left. Now I do my face ID, which I enrolled in the prior step, and I've just done a multifactor experience in a single touch. And you can see I'm now staring at my application and I'm ready to engage with that platform. So that is passwordless authentication. That can be done into operating systems, into banking websites, into remote access, into anything. The world is ready for it. Now I'm going to need to verify the user again.
Maybe it's been three hours, I walked away from this session or something's a little off. My fraud signals are asking me to verify the user's identity. So I am going to move some money. I'm sending $750 to my friend Peter, and I want to just verify kind of a second knock, and I will reach out to that trusted authenticator, ask him for face ID one more time and let it go through. I recently wired money to another country. I had to put in my two FA code from my big bank here in the US four times within a five minute period. And all they were doing is just kept sending me a code to the same phone. So I'm sure we've all lived through that, but this is the type of experience that kind of delights your customers, yet provides the security that you need to trust that credential.
So when I scan that I have chain of custody that I'm the same person that enrolled when I opened the bank account. Now let's take it to the highest level of authentication. And this is the police officer looking you in the face and proving who you are. So Peter, I'm going to send you a $100,000 and I really want the system to verify my identity first before it disappears out of my account. In this example, I want to look myself in the face and the money has gone through. Again, proof of identity. That is Mike Engle sending money to Peter. These are all possible today. Couple lines of code inside of a website, treating the enrollment process properly and having the right privacy and disclosure and all that can all be done and you ease your users into it. Now, people are asking, "Well Mike, I don't have a strong mobile presence in my application."
Or what about my existing users? How do I get my existing 4 million banking customers into this process? I'm not going to ask them to scan my driver's license again. And the answer is no, you're not. What you're going to do and what's happening on the web, more and more places I see, our customers are doing this, is I am going to use a FIDO authenticator. This works with any modern browser on any platform, windows, Mac, Android, iOS. And what you do is you ask the user to trade in their existing login for a modern one. I'll show you what I mean. I'm going to authenticate username, password, two FA, whatever nonsense I used to use, and I'm going to ask the user, would you like to enroll in passwordless authentication. Sign in without your password. Press yes. Now my Windows Hello pops up right here. This is my Windows authentication. Private key was just put in my local machine and linked with the web service and I'm in.
I will not need that username and password again. Tomorrow when I come to log into this website, this is going to be the experience. Windows Hello scans my face and I'm in. So we've fixed a broken authentication experience, made the user's life much easier, and we've tightly coupled the authentication back to the identity. And so if I sum all this up, I change those three stop sign shaped hexagons into a little bit different layout here. If we start the identity onboarding properly, users will choose to strongly verify their government credentials. This will greatly hinder synthetic identity, which is a problem for the banks, not the users. However, if you make it easy for the users, they'll do it because as part of that process, they're going to have a better authentication experience as well.
And so that'll flow downstream. Give them a key. So one press button operation, use the biometric from step one and feed those signals into your fraud engine so that you can really have a much better sense of what's going wrong and what's not, right. So that really sums up the implementation of how we can mitigate some of these problems. Maureen will have one last polling question and then we'll get into a bit of Q&A. So this question is very simply, are you linking some of these functions in your fraud and identity and authentication systems today? So number one is they're pretty linked. Two is a little bit and three is tightly coupled. So one is not. Questions a little long for the box.
Okay, so why don't you go ahead and end it Maureen. Actually, perfect timing because we're about evenly split within eight points from anyone to the other on this. So you can see some people are starting to think about it though. We have 26% of respondents said that they do have tightly integrated processes, which is great because this is what we need.
All right, so one of the questions we have is what do you do about account recovery? And this is one of the Achilles heels. So when I showed you, how users can be in control of that credential, for example, my mobile phone here could have a key and use my biometrics. If I lose my phone, what do I do? Well there's a couple answers to that. One is you could use a biometric as a recovery mechanism or you could enroll multiple authenticators. So for example, I actually have this on my existing bank account. I have this workstation linked and my phone linked. Either one of them is trusted and I can then authenticate with either one and then set up another one from that platform. You could also use devices such as these a secondary type of device that could restore your authentication credential back into another platform.
And then Peter, this question is for you. Are you seeing your clients at Oliver Wyman worry about these two types of fraud more and more, or is it just kind of status quo and they just have to deal with it?
Peter Carroll:
Yeah, the former, not the latter. High level observations, I think the level of interest in this in Europe kicked in first. So I think we've been helping people including individual firms, banks, but also we've been doing consulting for institutions or branches of government. So the focus I think kicked in over there. In the US I think it's picked up with a lag of a couple of years, but right now we're talking to again, some major institutional players as well as individual banks. So I think my expectation is that it's going to be very big over the next two, three years.
Mike Engle:
Yeah. Interest rates going up, belts are getting tightened, so they might look to dip into that $20 billion as some savings if they fix it, right?
Peter Carroll:
Well, it's not just the $20 billion. Well, first of all, 20 that's the dollar loss. I mentioned briefly that the actual economics are worse than that because the banks are spending, everybody is spending a lot of money to keep the losses at the level that they are, including keeping the account takeover losses where they are. And even ignoring that, something you and I have talked about, just the cost of password resets is astronomical. We did some market sizing a year or so ago saying what could be the benefit of really robust digital identity and stopping fraud is important, but actually the pure operating expense across US industry of handling username, password resets is bigger. I mean, we estimate it's on the order of 75 billion a year. It's astronomical. So usernames and passwords bye bye. I think that's going to be one of the big industry trends over the next three, four years.
Mike Engle:
Yeah. Especially when it comes to cost savings. And user experience of course. I have over a thousand passwords in my password manager and it's just scary how things still operate out there.
Peter Carroll:
Yeah, if I can just add one more thing. I did mention on my slides that consumers have a high level of angst about account takeover and having their identity stolen, even if temporarily, we've done a lot of work for clients in the banking industry where we design packages like checking account packages. And when you do that kind of research, you basically quiz consumers in a controlled setting to get them to trade off what features they like or like less in a package. The thing that always rings the bell is protection against this kind of account takeover, which is not a phrase consumers use, but protection against identity theft. It's just such a high... The second highest thing is "Not being nickled and dime." Which we've all seen before, but that level of angst is really high and anything the industry can do to diminish it, I think is a big win.
Mike Engle:
Excellent. Well, that is the end of the questions. A couple others were answered in the Q&A here in the chat, but I think we've about done it. So Peter, unless you have any closing comments, thank you for coming on here and sharing all this really amazing insight and allowing me to show off my little videos. I had a lot of fun putting them together and telling the story.
Peter Carroll:
Okay, no, I have nothing more. Thank you. Thank everybody for participating.
Mike Engle:
Thank you. Take care.
Peter Carroll:
Bye bye.