Top Trends Shaping Identity Verification (IDV) In 2018

Top Trends Shaping Identity Verification (IDV) In 2018Post-Equifax Breach, IDV Aggregators Will Cater To Multifaceted IDV Requirements

by Andras Cser and Merritt MaximMarch 29, 2018

NOT LICENSED FOR DISTRIBUTION

foRRESTER.CoM

Key TakeawaysIDV Based on Credit Header Data Will Become Weaker — Get Ready To fight BackAfter the 2017 Equifax breach, we entered a new era in which credit header data for IDV solutions and knowledge-based authentication (KBA) are inadequate for reliable identity verification. Firms will have to adopt new lower cost and less intrusive IDV technologies, such as those based on device reputation or phone number.

Social And Behavioral IDV Will Lower Costs And Improve AccuracySocial IDV, based on comparing identity attributes to profiles on social media, and behavioral biometrics, verifying identities based on how a user moves the mouse or touches the screen, will lower the cost and improve the accuracy of day-to-day IDV across all verticals.

Why Read This ReportIn the face of increasing identity theft, stricter compliance regulations, and the push for online customer acquisition, reliable, accurate, cost-effective, and easy-to-use identity verification (IDV) is becoming a core building block of any customer or employee identity and access management (IAM) system. This document highlights the key trends shaping the IDV market in 2018 and beyond and helps security and risk pros adapt their strategies, vendor selection, and implementation.

2

2

10

© 2018 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing is a violation of copyright law. [email protected] or +1 866-367-7378

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com

Table Of Contents

Without Reliable IDV, Trust Erodes And Everyone Suffers

Evolving Your IDV Strategy In 2018

Supplemental Material

Related Research Documents

The Forrester Wave™: Customer Identity and Access Management, Q2 2017

Now Tech: Identity Verification, Q1 2018

The Strategic Role Of Identity Resolution

Vendor Landscape: Identity Verification Solutions

FOR SECURITy & RISK PROFESSIONALS

Top Trends Shaping Identity Verification (IDV) In 2018Post-Equifax Breach, IDV Aggregators Will Cater To Multifaceted IDV Requirements

by Andras Cser and Merritt Maximwith Stephanie Balaouras, Madeline Cyr, and Peggy Dostie

March 29, 2018

Share reports with colleagues. Enhance your membership with Research Share.

http://www.forrester.com/go?objectid=RES136462





http://www.forrester.com/go?objectid=BIO1762



https://go.forrester.com/research/research-share/?utm_source=forrester_com&utm_medium=banner&utm_content=featured&utm_campaign=research_share

https://go.forrester.com/research/research-share/?utm_source=forrester_com&utm_medium=banner&utm_content=featured&utm_campaign=research_share

For Security & riSk ProFeSSionalS

Top Trends Shaping Identity Verification (IDV) In 2018March 29, 2018

© 2018 Forrester research, inc. unauthorized copying or distributing is a violation of copyright law. [email protected] or +1 866-367-7378

2

Post-Equifax Breach, IDV Aggregators Will Cater To Multifaceted IDV Requirements

Without Reliable IDV, Trust Erodes And Everyone Suffers

In 2015, cybercriminals gained access to the tax returns of approximately 104,000 individuals via the US Internal Revenue Service’s Get Transcript application.1 With in-depth knowledge of compromised consumer identities, the attackers created Get Transcript accounts for various taxpayers and successfully completed the identity verification process. This breach shined a spotlight on the importance of IDV and the consequences of poor IDV. Subsequent IDV failures, which have facilitated terrorist attacks, cybercrime, and terrorism, have served to further undermine trust in traditional methods while the global movement of goods, services, labor, and people have also shown these methods to be ineffective and unreliable for today’s businesses.2 S&R pros will need to evolve their IDV strategies sooner rather than later because:

› The Equifax breach has accelerated the erosion of trust. With the recent Equifax breach, it’s safe to assume that fraudsters can gain easy access to a US-based victim’s actual name, address, date of birth (DOB), and Social Security number, thereby creating a “perfect identity” to steal.3 As a result, people are worried that their personally identifiable information (PII) is publicly available and are now more reluctant to provide it for IDV purposes. The loss of trust is actually bidirectional: 1) Firms trust their customers less when customers sign up for digital services, and 2) customers trust their service providers and vendors less with safeguarding their PII.

› Tougher compliance laws will strive to regain some of it. Compliance mandates are getting more numerous and complex: Firms find it increasingly difficult to comply with PSD2, GDPR, 5AMLD, and other regulations without additional IDV investment. IDV is important for these compliance mandates because financial services institutions prefer to keep money launderers and fraudsters outside of their gates. Privacy and regulatory requirements also mandate disclosing the PII attributes a financial services institution maintains on a consumer — but have to authenticate the consumer before disclosing the information.

Evolving your IDV Strategy In 2018

It’s time to overhaul your existing, less secure, and less reliable IDV processes. To do so, you’ll have to take into account and adapt to ongoing trends and shifts in technology, architectures, and the vendor landscape.

Trend 1: IDV Consolidates Into A Hub-And-Mesh Ecosystem

Today’s organizations typically use one or only a handful of IDV methods to verify their potential and existing customers — with the most trusted IDV methods being email address, name, phone number, address, and ZIP code (see Figure 1). As fraudsters get smarter and gain access to more identity information, this reduces the effectiveness of only one IDV method.




3


› What you need to know. Forrester’s interviewees indicate that no single source of information is sufficient to establish a 360-degree view of any given customer. However, connecting the dots between the offline and online data available on a customer and using behavioral modeling to discover normal behavior and proactively intercept abnormal behavior of people and entities gives rise to a new delivery method of IDV service, called the IDV hub (see Figure 2). All vendors — while they maintain their core flavor of IDV — are moving toward providing, buying, and reselling data for their own and into each other’s hubs.

› What you should do about it. Inventory and then revise your existing IDV portfolio and find out if you have all your bases covered. After it failed to detect money laundering early enough, a North American bank expanded its existing IDV services based on credit header data to include Experian’s IDV services based on device ID reputation — resulting in a 15% higher identity theft detection rate. Further, Forrester expects consolidation in the market, and, to some degree, all specialist vendors will either: 1) offer IDV hub services or 2) be acquired by IDV hub vendors (see ThreatMetrix’s acquisition by RELX in January 2018).4

fIGURE 1 Most Trusted IDV Methods

30%

31%

32%

41%

43%

49%

54%

60%

Device �ngerprint ordevice reputation

Social Security number

Connecting phone and onlinesystems within the organization

ZIP code

Address

Phone number

Name

Email address

“Which of the following data does your organization collect for identity verification (IDV)?”

Base: 1,097 network security decision makers (20+ employees)

Source: Forrester Data Global Business Technographics® Security Survey 2017




4


fIGURE 2 The Emerging IDV Hub Ecosystem

MNO information

Social media/self-asserted

Behavioralbiometrics

Identityverification

hub(aggregator)

Credit headers

Physical document/facial recognition

Device IDs

Email andage of customer

Blockchain transaction-based

Trend 2: Banks Will Continue To Rely on IDV Based on Credit Header Data

In spite of the Equifax breach and its fallout, the entire US financial institution (FI) community still relies on the credit header-based IDV system. And since two-thirds of the US economy is based on consumer spending, it’s highly unlikely that we will see any major change in the current stance and policy of how customers can use their PII and credit information to apply for more credit.

› What you need to know. While we’d like to see a quick move away from credit header-based services (traditionally the bread and butter business of the credit bureaus Equifax, Experian, IDology, LexisNexis Risk Solutions, and TransUnion and their data resellers and OEM partners), these data sources are here to stay for the next three to five years. In fact, many players in the IDV ecosystem (e.g., ID Analytics, Neustar, etc.) will likely seek to OEM this data to embed it in their services. Beyond five years, as other IDV methods not based on credit header evolve, Forrester expects this method to decline.

› What you should do about it. If your firm uses these services for initial customer onboarding, customer due diligence (CDD), and KBA for high-value risk transaction protection, first ensure that you have prices in check: Per transaction pricing should not exceed $1.50 per verification even for low, less than 1 million transactions per year volumes. Second, regularly measure the customer dissatisfaction for those who are unable to transact: These are the customers who could




5


be going somewhere else to do business because they are unable to recall on a whim how much their monthly mortgage payment was 20 years ago. It’s also a good idea to work with a reputable vendor, such as Experian, Identity Analytics, or LexisNexis (see Figure 3).

fIGURE 3 Survey Respondents Use Experian, Identity Analytics, And LexisNexis Most

13%

13%

15%

17%

18%

18%

19%

24%

25%

Neustar

Socure

None of the above

TransUnion

ID.me

Telesign

LexisNexis

Identity Analytics

Experian

“Which of the following vendors does your organization use for identity verification (IDV)?”

Base: 1,097 network security decision makers (20+ employees)

Source: Forrester Data Global Business Technographics® Security Survey 2017

Trend 3: Synthetic IDs Continue To Wreak Havoc

Synthetic identities are fraudulent identities that fraudsters create then nurture purposefully to use for taking out fraudulent loans, money laundering, and other malicious activities. Russian operatives used synthetic IDs as a means to influence political discussions during the 2016 US elections. They cause enormous headaches for FIs as well as IDV vendors. Synthetic IDs game the credit application process and cause financial loss to FIs, who then shift it to their consumers.5

› What you need to know. To create these synthetic IDs, cybercriminals: 1) take Social Security or other personal identification numbers of deceased or young people with no credit history; 2) add a fictitious name, address, and phone number to create the synthetic identity; 3) apply for




6


credit with the synthetic ID or add it as an authorized user to an accomplice’s or victim’s credit card to establish a credit history; 4) repeat the above process for years until the synthetic ID has established a good credit score; and 5) finally take out a large loan or credit line never to be repaid. Tax refund fraud also follows the above steps.

› What you should do about it. Synthetic IDs are time bombs that lie dormant until fraudsters activate them. When a FI opens an account — even if the account passes initial IDV checks — you must always be on the lookout for lack of activity. It’s also a good idea to check for address tenure of suspected synthetic IDs: In Forrester’s estimation, it tends to be 50% to 70% shorter than real people’s tenure. Using link analytics, find out if you have accounts that inexplicably share addresses: One or more of the cohabitating identities may be synthetic.

Trend 4: Poor IDV Continues To Have Serious Consequences Beyond Transactions

Currently, most identity verification processes are used to validate a user as part of the account creation process and to help identify fraud during a transaction. Consequently, fraudsters seek to defeat IDV processes to enable them to steal money. The ease with which online accounts can be created (in some cases only requiring a name and email address) is leading to a rise in fake accounts that can be used to spread disinformation or other offensive materials.

› What you need to know. Social media is increasingly influencing individuals and organizations, and the ease with which accounts can be created also invites fraud. In social media scenarios, the fraud can include fake accounts, fake followers — all of which can be used to create seemingly legitimate online identities that can then be used as launching points for phishing scams (by sending malware-laden emails to followers) or for spreading false information about specific brands or companies.

› What you should do about it. Don’t expect the social media giants to increase the requirements for creating an account any time soon; it will be up to your firm to be more vigilant about monitoring its corporate digital properties to ensure that they are not being compromised. Given the increased importance of social media in driving customer engagement, S&R pros should consider evaluating digital risk monitoring solutions from vendors like CyberInt, Digital Shadows, Proofpoint, Social SafeGuard, and ZeroFOX to keep their digital brands and social media presence protected from fraudsters.6

Trend 5: Device Identities Expand from Authentication To IDV

Traditionally part of risk-based authentication, device ID reputation solutions have used JavaScript (web) or SDK (mobile apps) collection mechanisms to formulate device fingerprints based on collected IP address, geolocation, browser versions, screen resolution, installed fonts, software, and other device data.7 As a device ID is 90% to 95% immutable, reputation services have used it to identify known good and known bad devices. If a fraudster wants to open hundreds of accounts or sell thousands of stolen goods from the same device, the device ID solution will alert and prevent it.




7


› What you need to know. Vendors of device ID reputation (including but not limited to Experian/41st Parameter, InAuth, Iovation, Kount, RELX/ThreatMetrix, and RSA) have announced plans to offer, alone or in partnership with other IDV vendors, IDV services based on device ID reputation. These services recognize the reputation of a device in their large (billions of devices) databases and then can negatively or positively flag a device that a customer organization sees for the first time. They also use algorithms to associate a device ID with a human being based on browser cookies and other file objects.

› What you should do about it. To successfully sell the added cost of device ID reputation services to internal execs, don’t focus only on the benefits of shutting out the bad guys. Also focus on the benefits of fast-tracking the good customer aspects such as known good device identities, known good card numbers, or know good shipping addresses. These conversations should also include the potential benefit of selling products in new and risky geographies as well as reductions in blocking valid new customers from transacting with your digital properties.

Trend 6: Phone Number IDV Performs Address Verification

Automatic number indicator (AKA caller ID) spoofing detection, from vendors such as SecureLogix and TrapCall, has long been part of firms’ trusted security tool arsenal. However, these solutions only work in the call center and are only marginally useful when it comes to mobile phones.

› What you need to know. Now that smartphones have become the norm for everyone, associating mobile phone information (e.g., phone number reputation, SIM/EID number, etc.) with human identities has become very common. While originally the domain of ad customization and delivery, the technique has quickly found adoption in the domain of IDV vendors such as Danal, Neustar, Pindrop, and TeleSign. These solutions query, aggregate, and provide mobile network operator (MNO) information on a phone number, such as: 1) time the number has been in service; 2) when the number was ported; and 3) whether the number is a prepaid or postpaid subscription. For subscribed numbers, they can also provide address verification. Other vendors such as Informatica and Pitney Bowes can also verify physical addresses for users who may not have or use a mobile number during the transaction.

› What you should do about it. Despite the marketing messages of vendors in this space, the phone number and its reputation are not always true indicators of fraud. In conversations with a North American retailer, Forrester uncovered that the false positive rate for phone-based IDV was over 5% — forcing the retailer to retire the phone-based IDV service. It is also critical to understand the pricing model of the vendor, as many phone IDV vendors have to pay hefty per-transaction-query fees to MNOs that they bury in their end user pricing.




8


Trend 7: Physical Document Verification Becomes Smart

FIs and retailers with physical branches often verify personal identity documents of their customers at onboarding, but this approach is showing signs of weakness. For instance, a North American credit union reported that one of its employees collaborated with fraudsters to accept fake IDs and originate fraudulent accounts. High costs of in-person customer verification and the push toward online customer enrollment also mandate a rethinking of physical document verification processes.

› What you need to know. Acuant, Gemalto, IDEMIA, Jumio, Mitek, Onfido, Trulioo, and yoti offer IDV solutions based on physical documents. These solutions have improved tremendously in the past two to three years. One way these work is for a customer to sit in front of the camera and show her physical personal ID document; the solution compares her live picture with the picture on the document. Most solutions have added optical character recognition capabilities that allow for reading the name, address, and DOB from the document and matching it against another IDV source, such as address verification, social identity verification, or credit file header-based IDV.

› What you should do about it. Fraudsters want to avoid having their picture taken, so using any face recognition solution is a good deterrent. Forrester’s interviewees mentioned that liveness detection (inability to fool the system with static pictures or cutouts), the ability to match photos against those on social media (e.g., Facebook, Twitter, LinkedIn etc.), and integration with social media-based IDV solutions are emerging requirements. The introduction of digital identities such as a digital driver’s license also give users more control of their data, as the digital application may allow them to only share specific attributes of their identity with a given retailer (such as when presenting a license to test drive a car at a dealership).

Trend 8: Self-Asserted Information, Via Social Media, Enters IDV

Firms have traditionally used only non-self-asserted pieces of information (e.g., credit files, court records, etc.) about users to verify their identity. Examples include credit file headers, addresses from court records, assessors’ databases, and lien information. Because this information is static, it’s easy for anyone to obtain, including fraudsters.

› What you need to know. Social identity verification solutions such as ID.me, SheerID, and Socure crawl the information we put on the internet — our “digital exhaust” on social media, bulletin boards, and community sites. From its client organizations, the solution accepts a combination of attributes (name, DOB, address, phone number, employer, email address) and — based on its real-time updated database — returns a confidence score that indicates how likely the set of information corresponds to the person. The assumption is that it’s hard and time consuming for ID thieves to create a synthetic Facebook profile (with enough legitimate friends connections, timeline posts, etc.) that would be convincing enough to appear legitimate.




9


› What you should do about it. As social IDV solutions use machine learning, they can develop bias. Check with vendors on how they mitigate this. If you have user populations that lack a credit file, such as younger people or international users, social IDV is a great tool for low-cost and relatively reliable IDV. On the other hand, it may not work well for older demographics with limited or nonexistent social exhaust that can be leveraged.

Trend 9: Behavioral Biometrics Shows Its Strength With IDV

Behavioral biometrics is a new discipline: It automatically builds a behavioral profile based on how the user types on the keyboard, manipulates the mouse or touchscreen, moves between fields, etc.8 It can also be used in mobile-only scenarios and use device and location data along with other movements from the user to determine legitimate usage.

› What you need to know. Just like RBA solutions based on device ID reputation, behavioral biometrics solutions (including but not limited to BehavioSec, BioCatch, SecuredTouch, and UnifyID) initially have been used for authentication, step-up authentication, and continuous authentication of users. In the past 12 to 18 months, vendors have announced plans to provide IDV services as well. When a user vacillates when filling out a simple questionnaire asking for DOB and annual income, or uncharacteristically moves between fields on a loan application form using the TAB key, it may be an indication of fraud.

› What you should do about it. Integrating behavioral biometrics with existing forms and business workflows can be complex. A UK insurance firm said that a complete redesign and instrumentation of its online application interface for behavioral data collection was a daunting task. Unifying and consolidating application processes and forms means fewer places to protect and monitor. Also look to mobile-specific use cases where other device parameters can be used along with user activity to identify fraud.

Trend 10: Blockchain Morphs To Accommodate IDV Use Cases

Blockchain is the new buzzword. It’s also a confusing concept for many. However, it’s simple to think of it as nothing more than a distributed, tamper-evident transaction ledger and database (for example Ethereum, MultiChain, etc.).

› What you need to know. Forrester expects that blockchain implementations will evolve from today’s purely payment transactional data schemas to incorporate identity data schemas as well. This will accommodate PII information, device IDs, traditional financial transactional information for the user, authentication credentials, as well as public PKI keys. Identity coin vendors (ICO Pass, Selfkey, Sovrin, uPort, and Veres One) promise to create self-asserted identity verification and authentication systems which offer distributed control of identity data to their consumers. Forrester expects that blockchains will not only offer natural persons’ identity verification but also augment business identity verification of firms — for example, how an insurance carrier verifies the business of an independent agency.




10


› What you should do about it. Identity coins may involve nefarious activity — similarly to hackers using ransomed infrastructures for blockchain mining. Work with your regulator to understand how blockchain-based IDV and authentication systems will fit into your audit regime and how these identity coins are acceptable (or not) for customer due diligence purposes.

Engage With An Analyst

Gain greater confidence in your decisions by working with Forrester thought leaders to apply our research to your specific business and technology initiatives.

forrester’s research apps for ioS and Android.Stay ahead of your competition no matter where you are.

Analyst Inquiry

To help you put research into practice, connect with an analyst to discuss your questions in a 30-minute phone session — or opt for a response via email.

Learn more.

Analyst Advisory

Translate research into action by working with an analyst on a specific engagement in the form of custom strategy sessions, workshops, or speeches.

Learn more.

Webinar

Join our online sessions on the latest research affecting your business. Each call includes analyst Q&A and slides and is available on-demand.

Learn more.

Supplemental Material

Survey Methodology

The Forrester Data Global Business Technographics® Security Survey, 2017 was fielded between May and June of 2017. This online survey included 3,752 respondents in Australia, Brazil, Canada, China, France, Germany, India, New Zealand, the UK, and the US from companies with two or more employees.

http://www.forrester.com/app

http://forr.com/1einFan

http://www.forrester.com/Analyst-Advisory/-/E-MPL172

https://www.forrester.com/events?N=10006+5025




11


Forrester’s Business Technographics ensures that the final survey population contains only those with significant involvement in the planning, funding, and purchasing of business and technology products and services. Research Now fielded this survey on behalf of Forrester. Survey respondent incentives include points redeemable for gift certificates.

for Technographics Clients: How To Get More Technographics Data Insights

The Forrester Data Global Business Technographics Security Survey, 2017 includes many additional questions and parameters by which you can analyze the data contained in this report.

We can provide additional insights about the consumers highlighted in this report:

› Who they are (e.g., demographics, lifestyle, and interests).

› What they do (e.g., digital, mobile, and social behaviors).

› Affiliations they have (e.g., brands used, products owned).

› How they feel (e.g., attitudes, interests).

If you wish to subscribe to Forrester’s Business Technographics services, please contact your account manager or [email protected]. If you are an existing Technographics client, please contact your data advisor at [email protected].

Companies Interviewed for This Report

We would like to thank the individuals from the following companies who generously gave their time during the research for this report.

Experian

GBG

ID Analytics

IDology

Jumio

LexisNexis Risk Solutions

Pindrop

TransUnion

Trulioo




12


Endnotes1 Source: Michael Cohn, “IRS Detects Massive Data Breach in ‘Get Transcript’ Application,” Accounting Today, May 26,

2015 (https://www.accountingtoday.com/news/irs-detects-massive-data-breach-in-get-transcript-application).

2 Source: Joe Davidson, “Thieves stole taxpayer data from IRS ‘Get Transcript’ service,” The Washington Post, September 12, 2016 (https://www.washingtonpost.com/news/powerpost/wp/2016/09/12/thieves-stole-taxpayer-data-from-irs-get-transcript-service/?utm_term=.c1c4b50a8c64).

3 Source: “Equifax Data Breach Affected 2.4 Million More Consumers,” Consumer Reports, March 1, 2018 (https://www.consumerreports.org/credit-bureaus/equifax-data-breach-was-bigger-than-previously-reported/).

4 Source: “RELX group announces definitive agreement to acquire ThreatMetrix,” RELX Group press release, January 29, 2018 (https://www.relx.com/media/press-releases/year-2018/threatmetrix-29-jan-2018).

5 Based on its own data, TransUnion estimates that synthetic fraud has grown twofold since 2012.

6 See the Forrester report “Assess your Digital Risk Protection Maturity” and see the Forrester report “The Forrester Wave™: Digital Risk Monitoring, Q3 2016.”

7 See the Forrester report “The Forrester Wave™: Risk-Based Authentication, Q3 2017.”

8 See the Forrester report “Vendor Landscape: Behavioral Biometrics.”






We work with business and technology leaders to develop customer-obsessed strategies that drive growth.

Products and services

› core research and tools › data and analytics › Peer collaboration › analyst engagement › consulting › events

Forrester research (nasdaq: Forr) is one of the most influential research and advisory firms in the world. We work with business and technology leaders to develop customer-obsessed strategies that drive growth. through proprietary research, data, custom consulting, exclusive executive peer groups, and events, the Forrester experience is about a singular and powerful purpose: to challenge the thinking of our clients to help them lead change in their organizations. For more information, visit forrester.com.

client suPPort

For information on hard-copy or electronic reprints, please contact client support at +1 866-367-7378, +1 617-613-5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.

Forrester’s research and insights are tailored to your role and critical business initiatives.

roles We serve

Marketing & Strategy ProfessionalscMoB2B MarketingB2c Marketingcustomer experiencecustomer insightseBusiness & channel strategy

Technology Management Professionalscioapplication development & deliveryenterprise architectureinfrastructure & operations

› security & risksourcing & vendor Management

Technology Industry Professionalsanalyst relations

141411