When it comes to identity, most banking services seem to have kept a foot in the Stone Age while the internet changed the world around them. Just opening an account has required individuals to show up at a brick-and-mortar branch carrying several different identity documents to prove who they are. Once the account is open, users rely on bank cards and passwords to transact. These identity protocols, based on physical objects, are susceptible to loss, fraud and human error. In the past they were good enough, but the ways and places in which people prove their identity are changing. If they are to keep users safe, identity protocols must change as well.
Today’s world is digital. The average US internet user spends 32 hours per month online. On a daily basis, internet users send over 200 billion emails and search Google 3 billion times. Online shopping now accounts for 7.2% of the $4.5 trillion retail sales market in the US. Essential services are going digital – 54% of American adults who learned about or applied for government benefits in 2014 did so online, and over half bank online. When it comes to online identity, the stakes are high, and so far the digital world isn’t doing a good job of protecting its users.
When service providers began to switch to online platforms they tweaked the identity model, replacing a physical card and PIN with a username and password. Identity became entirely information-based, relying on things that only the real user, presumably, knew. This stopped working as the digital world expanded. By 2007, the average American user had 25 password-protected accounts. Today, the problems are even worse.
[Figure: Average number of accounts registered to one email address]
The demands now being placed on users are highly unrealistic: every account should have a unique password, and it should probably be a combination of 10+ upper- and lower-case characters with symbols thrown in; it should be frequently changed, and of course, never recorded. Pencil and paper isn’t secure, and password management software is a prime hacking target.
One result is that legitimate users are frequently pressing the ‘password reset’ button. Despite the cost to organizations – 10% to 30% of help desk calls are for forgotten passwords, with costs ranging from $51 to $147 for labour – this is far from the most serious problem.
Frustrated users employ workarounds that make the system vulnerable. They pick passwords that are easy to remember, and therefore easy to crack by brute-force guessing. They repeat passwords across accounts: in 2007 the average password was associated with four online accounts, creating a domino effect if one account is compromised. Security questions can be cracked through research and social engineering – the hacker who broke into presidential candidate Sarah Palin’s email in 2008 simply answered the security questions using biographical information that was readily available online.
The vulnerability of online identity breeds cybercrime. Statista estimates that in 2014 hackers exposed information (personal details, usernames and passwords, or credit card numbers) from over 85 million accounts in the US, a mind-boggling number.
Although the posting of ridiculous tweets to a celebrity’s Twitter may not seem serious – tweets about disasters on the New York Post’s feed, less so – hackers can do huge amounts of damage. A hacker can drain a bank account, falsely apply for government benefits, disseminate personal information or pictures, and ruin reputations from across the globe – and given the lack of international structures for dealing with cybercrime, may never face any consequences. This leaves individuals struggling to repair the damage.
The call to re-think password-based authentication is loud and clear, and there are promising signs that it is being heard. Providers are moving toward multi-factor authentication, relying on contextual factors such as the specific device being used as part of authentication. Biometrics are rapidly gaining ground; Microsoft’s Windows 10 operating system allows users to log in through fingerprint or facial recognition, while Canadian start-up Nymi’s proprietary technology authenticates users based on their heartbeat. The US, which has long been lagging, is finally making the switch from magnetic-stripe credit cards to the more secure chip-and-PIN EMV cards, with even more secure biometric-based cards on the horizon. While there is still a long way to go, the digital world is starting to take better care of its users.
Effective identity solutions have one thing in common: they reduce the burden on the user. Good authentication is both strong and easy, making it simple for users to manage and protect their personal information. Financial institutions, governments, and service providers must collaborate to allow users to reap the benefits of the online world – without risking their digital lives.
Author: Christine Robson, Project Manager, Financial Services, World Economic Forum. Leads the Digital Identity work as part of the Forum’s Disruptive Innovation in Financial Services project. Christine is seconded to the Forum from Deloitte Canada, where she is part of the Monitor Deloitte corporate strategy group.
Image: A man poses with his iPad tablet as he sits in a bar, in this photo illustration taken in Rome September 20, 2012. REUTERS/Tony Gentile