Apr 28, 2022
FAQs: Your Digital Identity Crisis Primer
James Craddick, Director of Behavioral Analytics
The “digital transformation” that we have been hearing about for the past 10+ years has done its job: fully digitized companies have created radical changes in consumer habits, while entire industries have undergone a full digital disruption.
So here we are today, digitally transformed to the point that e-commerce is essentially just “commerce,” with 30% of business activity happening online. But as digital convenience has redefined our era, it has also accidentally created what is known as the “Digital Identity Crisis.”
Here’s what you need to know about the Digital Identity Crisis and the increasingly dark shadow it casts over every digital interaction, as it drains revenue through false positives, fraud increases, and friction-filled customer onboarding.
FAQ 1: Fraud Is Nothing New—What’s Different About The Digital Identity Crisis?
In 1834, thieves hacked the French telegraph system to steal financial market information—the world’s first attack on digital information. As long as there’s been a cyber-world, there’s been cybercrime. The Digital Identity Crisis is defined not so much by its novelty as by its inherent contradiction and dizzying acceleration in a post-pandemic world: As our identities become ever more crucial to online interactions, they are increasingly targeted and transmitted outside of our control. The combination of rising accessibility for fraudster and friend alike has created the perfect environment for identity theft to skyrocket.
In addition, as day-to-day business no longer requires any face-to-face interactions, the behaviors that used to be red flags of fraud are no longer visible. We’ve lost all of the human nuances that used to be important for verifying that someone is indeed who they say they are. For example, if you’re a bank teller signing up a new customer, and they write the wrong name or forget their own address . . . those would be some pretty big red flags that the customer is not who they claim to be. But in the digital world, online bamboozlers simply backspace to erase behavioral blunders.
As GRC Outlook puts it: “This contradiction—that our digital identities are both key to survival and constantly under attack—has created a fracture known as the Digital Identity Crisis.”
FAQ 2: I Already Have A Fraud Prevention Stack—Doesn’t That Protect Me From The Digital Identity Crisis?
Today’s typical fraud stack includes many different technologies. But these technologies rely on the same static, historic, personally identifiable information (PII) data that is known to be highly compromised. As one recent cyberthreat analysis report put it when discussing the PII that most anti-fraud measures rely upon:
“With such a large amount of personal and private records being stored on servers that are accessible to users worldwide with an internet connection, the exploitable attack surface is vast, making it nearly impossible to secure all systems properly.”
Fraudsters can obtain PII through all kinds of methods, including malware, hacking, and social engineering. That PII data can then be sold for high prices on dark web forums, because fraudsters who buy PII essentially get a skeleton key to unlock nearly endless doors to cyber criminality.
Relying solely on PII verification—as most modern fraud stacks were built to do—is like going to a contaminated well and hoping to pull up clean water.
As fraudsters continue to learn new ways to circumvent fraud mitigation processes and to overcome each new round of modeling or rules creation, digital identity verification is becoming more difficult. Thus, the Digital Identity Crisis continues to evolve and evade even the most robust approaches to fraud prediction and prevention.
FAQ 3: I Don’t Have Much Fraud Loss, Why Should I Care About The Digital Identity Crisis?
Because it is intrinsically tied to the explosion of fraud online, the Digital Identity Crisis is often regarded as solely a fraud-loss concern. But the crisis goes far beyond fraud loss, and it highlights a common misconception: that fraud prevention = fraud loss prevention.
In reality, if you’re measuring fraud loss as your sole indicator of anti-fraud success, you’re likely ignoring huge revenue drains from false positives and customer friction, both of which lead to immense immediate revenue loss as well as lost long-term customer lifetime value.
Digital enterprises of all sizes walk the tightrope of creating a frictionless user onboarding experience while protecting against fraud. And there’s no safety net to catch you: one step off the tightrope into overzealous fraud barriers means losing customers to friction and false positives forever (one study found that 33% of customers who are falsely declined will never return to that site). But one step off the other side of the tightrope means loss not just from fraud, but also from damaged reputation and consumer trust that is nearly impossible to repair.
Let’s look at the example of synthetic identity fraud, which is all but impossible for traditional PII-based methods to catch. With synthetic identity fraud, cybercriminals use real PII combinations to create new, entirely fake identities. PII-based fraud prevention or prediction systems don’t reject these fake users, because the PII itself is real. As such, it is one of the hardest types of fraud to detect and prevent—and fraudsters know that they can use it for all manner of evils, from person-to-person payment fraud to drug trafficking and even terrorist activities. According to a recent Aite Group report, synthetic identity fraud cost the US $1.8B in lost revenue for 2020, with projections of $2.42B in losses for 2023.
Trying to fight synthetic identity fraud can lead to overzealous fraud prevention tools that push false positive rates up to +90% and result in excessive lost time and revenue spent on manual investigation . . . investigations that lead to a harmless, “genuine” customer, who has likely since moved on from your business to instead patronize one of your more trusting competitors. Meanwhile, as your resources are tied up in fraud investigations of false positives, true fraud transactions take longer to identify and fraudulent accounts continue to thrive within your ecosystem.
With its heavy cost in lost revenue from financial crimes, hits to customer conversion rates, and even regulator fines, the Digital Identity Crisis is not a simple fraud loss prevention issue. Solving it takes a tactical approach to properly balance fighting fraudsters without relying on PII, while simultaneously reducing expensive false declines and false positives.
FAQ 4: How Can I Solve The Digital Identity Crisis?
“FIs face a familiar challenge in balancing the need to protect their customers’ accounts while also letting through legitimate transactions—in other words, limiting false positives. This has brought a new dimension of AI to the fore: behavioral analytics, which use AI-driven analysis to aggregate, sort and review a broad range of cross-channel, historical and current customer behaviors to develop clear, real-time portraits of transactional risks. Under a behavioral analytics model, stolen account numbers or log-in credentials would not suffice to perpetuate an attack because other abnormal aspects of account activity would immediately be recognized.”
Behavioral analytics work by bringing those face-to-face “red flags” we’ve lost into the digital world. When a prospect taps, types, or swipes information into an online application, they create data through their behavior. This behavioral data (also known as digital body language) provides deep insights into that user’s digital intent. By analyzing that data, you can understand a lot about that user—including whether they are who they say they are and even how they are feeling during the experience (confused, frustrated, confident, etc.). The result: a clear view into the legitimate or nefarious intentions of all applicants that relies on non-PII sources. Behavior, especially based on neuroscience and deep data, simply can’t be faked.
Monitoring the human emotions, motivations, behaviors, attitudes, and intent behind digital visitor activity enables you to combat fraud before a user even hits submit (which is why this is known as “pre-submit” data). With pre-submit behavioral analytics, you have the ability to monitor, pre-screen, and segment applicant behavior in order to seamlessly detect fraud rings, bot attacks, and other Digital Identity Crisis bad actors before they impact your ecosystem.
Ready To Learn More?
The Digital Identity Crisis is well underway, but it’s not too late to get ahead of fraudsters’ evolving tools. Contact NeuroID today to schedule a demo and see how ID Crowd Alert, ID Orchestrator, and ID Attributes can bridge the gap between you and your customers’ hidden emotions, behaviors, and attitudes in real-time so you can prevent a Digital Identity Crisis from overwhelming your business.