Identity needs ‘fixing’, speakers at major US security forum warn

Proof of ID is the weakest link in identity today – resulting in the creation of millions of synthetic identities to support fraud, warn attendees of the Secure Digital Alliance’s Virginia event on December the 4th

Posted 18 December 2018 at 8:31am by

Identity proofing is the weakest link in Identity, resulting in the creation of millions of synthetic identities perpetuating fraud every day.

That was the stark warning from the recent ‘Securing Digital Identity Symposium 2018’, held by US industry group the Secure Technology Alliance in Virginia earlier this month to hear the latest in identity validation, strong authentication methods and standards, and the future of identity in the important US market.

“Identity security conversations often center around authentication, but the biggest takeaway from this symposium is that having a sound process for verifying identities before issuing accounts and access credentials is critical to solving our identity fraud crisis,” said Randy Vanderhoof, executive director of the Secure Technology Alliance.

“We know now that the processes that we’ve relied on until now, like Know Your Customer (KYC), are simply no longer sufficient for identity proofing, and this symposium provided a call to the industry to come together and agree on a framework to fix this problem.”

Keynote speaker Richard Parry of Parry Advisory told attendees that with all the personally identifiable information (PII) available on the web, cyber criminals can easily create synthetic identities that can pass KYC and even have valid FICO scores. He said that while some vertical industries are willing to take on some risk around creating accounts for possible synthetic identities, other industries like healthcare simply cannot afford the risk. The whole onboarding process, Parry said, needs to be fixed.

Other speakers and audience members agreed and discussed options for stronger identity proofing including in-person proofing versus supervised remote in-person proofing, the latter of which has improved and can be conducted more cost-effectively. Many agreed that the industry needs to come together on a common solution, and that NIST’s SP 800-63-3 could be a good framework to follow.

Speakers said that once a strong identity has been created, only then will strong multi-factor authentication (MFA) be effective for its intended purpose – validating that the same person who enrolled is the one accessing the account. But MFA is not foolproof. Computer security columnist, author, and Data-Driven Defense Evangelist Roger Grimes of KnowBe4 presented several ways to hack around MFA including endpoint attacks, subject hijacks, duplicate code generators, SIM swapping, account recovery, social engineering, biometric spoofing and more.

All things considered, he said that any MFA is better than none and businesses should require it whenever possible.

Speakers and panelists also discussed which authentication methods and factors could be embraced to provide security without creating added user friction. They agreed that knowledge-based authentication, where factors are based on a user’s biographical data, is now a risky approach because this data is no longer “secret” and is now as accessible to hackers as it is to the owners of the data. Other methods where authentication factors are more tightly bound to users and their devices, such as hardware tokens, physical biometrics and behavioral biometrics, were discussed as more secure solutions. The need for the industry to coalesce around a standard authentication approach, with examples including NIST’s levels of assurance (LOA) framework and FIDO standards, was also echoed across presentations.

“The identity fraud problem is reaching its tipping point; the tools are out there to combat fraud, but nothing will gain broad adoption if it adds too much user friction to the process. The Secure Technology Alliance plans to engage the industry in further discussions in 2019 and begin putting forward recommended best practices on identity proofing and authentication that the industry can adopt as a whole,” added Vanderhoof.

The Secure Technology Alliance is a US not-for-profit, multi-industry association working to stimulate the understanding, adoption and widespread application of secure solutions, including smart cards, embedded chip technology, and related hardware and software across a variety of markets including authentication, commerce and Internet of Things (IoT).