Fraud Controls for Digital Identity Ecosystems

Thank you. Thank you very much. Good afternoon, everybody. Thank you for coming along today, to hear a little bit about open the open identity exchanges view on fraud and fraud, specifically within the context of digital identities and very much relevant in as digital identities emerge, take precedence over organization based identities. And we're here a lot about digital identities being the answer to fraud, but are they, will they entirely eradicate fraud? We'll talk about that as we go through, but to kick off.

Oh, mention we got to the end of the presentation. Have I done that? Okay. So we'll go back to the start. Great. So just to kick off, who are the open identity exchange? So we're member's organization, we're a not-for-profit and our members come together to collaborate with a vision, a vision of additional identity for all of us that is trusted that we can use wherever we go, whatever we do. So from getting on a plane, to having services with government, to proving we're 18 and AB bar to proving we're, COVID safe that our digital identity enables us to do that.

And that's quite a sophisticated thing for a digital identity to do. It's not just a, a simple collection of credentials when it starts to be our digital identity assistant and helps us achieve our goals in dealing with organizations simply, and without us having to understand the rules. So we work together with idea, reliant orgs, as we call 'em here, relying parties with those who consume identities. And we look at particular issues that need solving to make this a success.

And we help educate on digital identity to rely on parties, to regulators, other influencers, other trade bodies in particular sectors so that they understand what a digital identity is, what the opportunity digital identity brings for them, the benefits, but also what they need to see happen to make a digital identity workable for them and through our working groups. And we're typically running four or five working groups at any one time, we focus on particular challenge area.

So what I'm gonna talk about today, fraud controls came out of one of our working groups where we decided this there's an issue here, and it's an unarticulated and slightly buried issue in digital identity around fraud. So let's surface that and let's do a guide that people who are creating digital identities and using them can use to understand what the fraud challenges are. Other working groups we're running are around things like e-signatures and how they intersect with digital identities. We're looking at the whole, what happens when something goes wrong?

So this is great concept when it all works, what happens when your digital identity doesn't work? When you get stuck at the airport, because your digital identity isn't proving who you are and that you can get on the plane and you miss your flight. How do you, how do you resolve that? How do you get it fixed and how do you get compensated for what happened? So we've got a whole set of guides coming out around that area of unhappy path for digital identity. And that's just some of the examples of the work we do.

So you, our members, 50 55 members collaborate to drive these issues forward. And one of the key things is our guide to trust frameworks. So we define what a trust framework for digital identity looks like. We started this process over 10 years ago. Now with some papers and digital identities, we've done a whole series of papers.

Last year, we brought all those together into a single guide that says, this is what a trust framework for digital identity needs to contain. It's a list of good practice. This is the, the contents. We are just revamping this at the moment and the we're filling in various areas. So this whole help and support area, that's one of the guides we're working on at the moment. We've got guides around identity assurance and proofing and interoperability. They're all available on our website today.

I'm talking about fraud controls, but do go to the website and have a look at this guide because it's a comprehensive online guide to how a digital identity should work and what needs to be in place to make it success. So this guide was created in collaboration as all our guides are. This particular one we collaborated, there were two organizations, one the savings and investment Alliance. And with what they brought was the view of the financial services industry who were already tackle fraud and who are going to be a consumer of digital identities in the future.

So they need to be confident that digital identities will introduce no more fraud than they have today. What they would like is the digital identities will eradicate fraud. That's a dream. That's not going to happen. Frosts always find a way what digital identities must do is introduce no more fraud than happens in the ecosystem today. And preferably they must reduce fraud because that will be then a buying point of buying reason to go to digital identity. Sot bought the financial services industry to us. CFAs are the UK's fraud prevention agency.

They run a thing called the national fraud database. It's a centralized database of people who have been known to commit fraud. And it's also a central database of people who have been victims of fraud so that we can protect them from being victims again.

So, you know, I use the word central database. This may not be the ecosystem going forward. It's been around since the nineties. It was originally created as a round Robin in file, and it's evolved to a central database and it is looking at how it evolves in the future to more distributed models, but it's there and it's a proven model. So we brought them along to the party for this one. And then people like experie, Experian, TransUnion, Yoti also contributed resource and knowledge into the guide to enable us to construct a comprehensive guide to fraud controls. And this is CFAs graph.

So this is identity fraud in the UK, and it's going up for a little while it went down, wow, we had some success because generally this just goes up and up. What happened then?

Well, we had the recession, we had the credit crunch. We had tightened fraud controls and less availability of credit that led to a tail off in fraud. But the fraudster found a way around it. Interestingly, it didn't drop straight away. It took a couple of years for them to implement all those new policies and changes to, to get into this ecosystem. We then saw a bit of a drop fraudsters, immediately found a way they will find a way to steal identities and to make money from them. So this is an ongoing upward trend.

And as we move to digital identities and gives user a digital identity, which is a key to many doors, that's a very attractive prospect for a fraudster to get hold of. So once I've got this key to many doors that the fraudster can use, it's a honey pot and the frauders are going to go for it. So we've gotta make sure in our implementations, digital identity day one, they are robustly defended against fraud. And what we decided to do here was concentrate on identity, risk, identity fraud. We're not talking about any other types of fraud.

First party fraud, when an individual commits fraud themselves, it's when identity has been stolen. And we looked at the different parties in the ecosystem and who needs to defend against fraud. And primarily it's the identity providers and the relying parties. The relying parties do that today. It's their customer, it's their goods or money or services. They're going to lose to the fraudster. As that shift moves to identity providers, we see that the fraud controls need to shift as well, either in whole or part.

And that's something we're still working with the community on exactly how much, how many and how much of the fraud controls to identity providers need to run. But there's other parties, the brokers who connect relying parties and identity providers, the hubs that make the technical connections, they're all attack points for fraudster. So fraud controls need to be thought about and implemented there. And anyone who's a credential issuer, who's dealing with the user to give them a credential.

Also needs to deal with fraudster because a fraudster will try and get a passport for me from a credential issuer and put it in their own digital identity, which then makes them me. So actually with the issuer model and distributing that around, we give the fraudster another attack surface, another attack vector that needs to be protected against. So when you fraud controls in all these areas, the blue boxes are largely the headings in the, in the, in the reports, the, the guide that we created. So we have to have a whole set of legal considerations before we can do this.

We have to be doing the right thing. We have to educate users. They have to be part of it, and they have to be supported. We need information sharing, shared signals, ecosystems. We need training. We need internal risk assessments, and we need to make sure our agents themselves are not becoming victims to the fraudster Gail. So our guide covers over these areas.

And one of the key things it talks about is anyone making a trust decision, as in determining a level of assurance for the user or determining they're 18 or determining whether they should issue them with a credential needs to implement the fraud controls. And today, those trust decisions are all made by the relying parties themselves. That's essentially being outsourced into the digital identity ecosystem. Therefore the fraud risk goes with it and must be mitigated against. And it's in all channels. It's not just online.

There's going to be assisted digital where fraud is, and they're very bold. They will go face to face to try and get an ID with their own face and false documents because they know that's a weak channel because you've got a person there. People are vulnerable. We've got phone channels as well, anywhere that there's a phone contact point is particularly vulnerable, cuz you can't see the fraud. In that instance, they can be particularly manipulative to take over an identity rather than established one a fr a a phone channel is a great attack surface for a fraudster.

So we need to defend all of those different channels. And what we did was go through and create a list of fraud control techniques. So these are the things you need to think about to defend against fraud. One is looking for known fraud is this person or the device they're using or an email address they're using or part of an email address they're using already being used in fraud and shared signals. Helping communicating that across the ecosystem.

We're looking at, you know, individual devices is this device being used to apply for lots of different identities or control lots of different identities. If so that's a fraud, risk anomalies, too many things coming from the same device as an example of an anomaly, too many things coming from the same address, too many things coming from the same mobile number patterns in terms of transactional patterns, outta band access, the user never uses their ID in the middle of the night out country access.

All of these things need to be trapped in terms of anomalies and differences from the norm and fed into a fraud control matrix and velocity is often very key there. How often do people normally do things? Is it accelerating? A particularly type of anomaly is a velocity anomaly evidence check features failures. So is the user trying to establish an ID, getting it wrong, trying it again, trying another piece of evidence to see if it works. Are they trying to replace a piece of evidence with something else? All of those could be normal behavior that could be fraud risks.

Behavioral discrepancies is the user's cadence in terms of typing their password different from normal, which means it's perhaps a different person is the tapping on the screen, the way they do it, the way they're holding the device different. So all of these different techniques in terms of capturing differences between the normal user and the fraudster are really important to have in place. And then there's some just key risk indicators is the person dead now. And someone's using their ID. That's a pretty obvious risk indicator. You probably ought to close the ID down at that point.

But unless you're looking for that, you're not going to know people. Don't tend to tell you they're dead. Eventually somebody will, but you know, these are the things you need to build in, but there's lots of other indicators redirections away from the address. They're politically exposed person that you should consider in there as risk indicator.

So we, we documented all of this and each of these areas has got its own table of sub techniques. And whether we recommend or highly recommend their implementation in digital identity and in which channel and by which party. So the we've given some consideration the guide as to where all of this needs to be implemented. So that's great. We find the fraud or the risks. What happens then we think we've got a fraud. We think we've got a fraud. We don't know we've got a fraud.

Somebody, something has got to make a decision that could be an AI. It could be an AI using scoring in the end. It's most likely a person, the outliers from the scoring go to a person in the UK. For instance, everything must go to a person for a fraud decision. That's the way the regulations work. So we have a fraud management requirement. Someone needs to look at a referral, assess it. And hopefully it's a force positive.

No, the, the machine's got it wrong. We look at it. We can see that's okay. They may need to implement something within it in terms of extra checks and send it back to the user. They may determine it is a fraud. In which case, what is done, what is the process for then helping the user and I'll come onto that. The automated side might decide, well, actually there's a risk, but let's just inject some step up. And if they pass the step up, then that's fine. We'll accept the risk. Or I might ask for them to refresh a document because the genuine users should be able to do that.

The fraudster probably won't have it. So there's lots of different techniques to mitigate the referrals, but they've got, got to be dealt with by a fraud management process that you end up with either a trusted user or a fraudster. In which case you've got a set of fraud indicators, that it would be great if you could share across the ecosystem Agent fraud risk. So if we've got individual agents, particularly in call centers, particularly behind chats where you can't even hear the user and they're rushed and they're actually leaping from user to user, then they must be trained.

They must look for unusual behavior. Frauders are either over confident. They're often over confident and that's usually how they get caught because they get too cocky and they get too good at it. And then they make a mistake. They probably know information instantly. That will well that's, that's strange. And you know, most people don't have this information to hand. The fraudster clearly knows the exact process I'm gonna go through it can go bang, bang, bang, bang through the authentication process.

So we need to train our agents and this needs to be built into the implementation and the requirements of any digital identity trust framework. We might need some different levels of fraud controls because there's different levels of risk out there. If I'm trying to buy some pens, The fraud risk is pretty low. Frauders don't buy pens that much. They can go around hotels and pick them up. It's a lot easy. You don't get sent to jail for it. So the fraud controls in, in a lot of areas are lower inherently than something like say banking where the price for the fraudster is much higher.

So do we end up with a situation where there, like there are different levels of assurance in identity. There are different levels of fraud control. And how does that work across an ecosystem? When a user establishes an ID for a low risk use case like Asia or retail, and then moves into government or finance. And at the point of step up, we then find actually we've had a frauding here all along. So all of those other transactions they've done, we now know were done by a fraudster, but we said they were okay because only now we know they're a fraudster.

So you probably need common fraud controls across an ecosystem or one or two steps. And you need to plan to what happens when you find a fraudster. Somewhat later after the event, you've got to educate users. You've got to tell 'em right. They are well educated.

In fact, one of the things we're finding with digital identity is that users are very nervous because our education has been so good. We tell them not to share data with anybody. We tell them not to put it all in one place. A digital identity puts it all in one place, albeit often on their device. And it also then us them to share it with people in a safe way, but they need to understand it's safe. But what happens when things go wrong and they will go wrong and there's two problems there. One is the user has lost their identity. That needs to be repaired.

It needs to be reestablished and they need to be reassured and they may need to be compensated. The relying party has also got a problem. They had a fraudster through the door. Hopefully you stopped it at the door, but if they're already in and now they've like taken goods or services, what happens? Who's liable. We've got a separate piece of work on the liability question that sits in our, what goes wrong guide, cuz it's a key question for us to get in. People lose money. Who's held liable. I'm not even going to go there now. Cause that's the entire presentation its own, right?

But that goes alongside this, you know, the ability of implementing controls and then for this to be successful, we've got to share information. It can't just be done in isolation because the fraudsters will will.

If they, if they know you're all working in isolation, they'll manipulate that and they'll find a way to get through everybody's process. And they'll hit everybody all at once. So sharing has got to be in place and it's got to be synchronous. It's got to be done immediately. Somebody finds an issue. So we call the information sharing. It's often called shared signals. So sharing suspicious information sharing when you found fraud across the ecosystem and you need to define decide at what level you do that, is it within the identity provider ecosystem?

Is it between that and the traditional ecosystems because there's gonna be, you know, a blend for a while. And again, fraudsters will exploit that gap and to share, you've got to have a set of defined principles. You've got to be doing it within the legal frameworks that are in place within your particular jurisdiction. And sometimes they're quite restrictive in this area, but without this, the frauders will make hay. So your legal considerations are really important.

So we have, you know, each of these areas has some paragraphs about it, about the things you need to think about and you can do different things in different jurisdictions of it, as I've said. But you know, there is a lot you can do that. You may think you cannot for fraud. You're looking for crime. GDPR supports legitimate interest to enable you to look for crime. So a lot of time, you know, the ability to find in tech fraud is missed, but actually the legal abilities to do it are there. And finally I'll just re reiterate, why is this important?

So at the moment the fraudster works a patch and they do so prior to being in identity, I was in fraud and then I was in both and now I'm more in identity. So I designed one of the UK's fraud protection systems called hunter that operates across the whole ecosystem as a form of shared signals. It operates in silos though.

It it, and then it shares across the ecosystem and that's for efficiency's sake, but Forster's work patches. They work techniques. They'll hit banks, they'll hit credit card lenders. The price is different. The product is different. They'll go for mortgages, sophisticated fraud. You probably need some people working with you. Some people who are complicit to do that. So they work their patch, but they know their patch. They understand their controls. So they know where's weak and good. We used to do an annual fraud report and we couldn't.

We had to anonymize an awful lot and we'd look at the data and we'd go, whoa, that bank's been hit really bad this year. And we'd find, say what happened?

Oh, fraud to found a hole, bang, BA millions gone, we've plugged the hole stopped. And then next, then you see the fraud to find the same hole or a similar hole somewhere else. They will work around the system. So they know who's good, who's green. They know who's red. They'll be attacking the people. Who's red. That attack surface changes with digital identity. It actually becomes two layers. So they're relying parties with who the, the, the fraudster is attacking, who are providing the services are still there, but there's a layer of digital identity sitting on top of them.

And the frauders will work this out pretty quickly. It's very obvious and they'll work their ways through it. And they'll work out if any identity providers week they'll work that out and they'll attack them and they'll use them to get into every other identity provider. So here I've got a red IDP for us to get in. They can get into all those green relying parties. So if they had good fraud control, so you've just made their fraud problem worse, they're not gonna accept that identity will fail. If fraud is worse than it is today, if is better, doesn't have to be resolved entirely.

If it's better, it will succeed. But if it's even ever so slightly worse, it will fail. People will not tolerate it.

And, and why would they? So we've got to design into every digital identity ecosystem, robust fraud controls, information, sharing, shared signals and make sure that the user is supported when it goes wrong, because it still will. And that's gotta be built in and across the ecosystem. So that's it on the guide from me, if you want a copy of the guide, it's controlled access. So most of our guides are on our website and free to download this one because it essentially says, this is how you defend against fraud.

We didn't want to put out on the internet because we didn't want the fraud just to look at it and go, ah, no, this is what everyone's going to do. Then we will start to use this as a manual of how to get round it. So if you wish to have a copy, give me a shout afterwards or email member support or Stephanie Meley at open identity exchange and we'll gladly share a copy with you. So that's an update on the guide. So it's there for you. It's there to help you. Any questions.