Event Recording

Verification as Fraud Prevention

Log in and watch the full video!

Cybercrime, often driven by fraud, continues to plague organizations leading to data breaches and loss of revenue. Account takeovers and account opening fraud contribute to this. But as organizations transition to heavier dependence on digital identities, how do we deal with the rising and changing stakes?

In this session, Anne Bailey will discuss the intersection of digital identity and fraud prevention: identity verification. Listen in to hear how identity verification can be integrated into digital identity management as a preventative measure against fraud.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
So from my side, welcome to this event, really looking forward to the conversations to come. My title is a dead giveaway for where we're going. I'm gonna propose identity verification as a means for pro fraud prevention. So here's a look at how we get there. I'm gonna start out talking about the missing link, which is often found in digital identity that will bring us to realizing a need to really reduce the complexity of our security environments, how your trust plays a role there. And of course, connected to all of that is identity verification and proposing this as a preventative measure to dive in. I think we can all be in agreement that fraud related cybercrime is very costly. Now, if, of course we can look at the estimations on how much that will cost, how this is trending upwards, you know, reaching 10.5 billion in 2025, but we can also kind of look back with a little bit of humor at the past year at all of us who have in some way or another attempted to commit identity fraud.
I know my husband chronically forgets his vaccine card and more than not, has simply borrowed a friend to enter a restaurant or an event and never has he been checked for, for his identity to really make sure that the credential, the credential itself is valid. That's true. And that's what people are looking for, but they're not necessarily looking to see that this valid credential is actually being held by the person it was issued to, or the one that it describes. So that's perhaps a humorous look at this very serious question of, as we transition to heavier dependence on digital identities, how are we going to deal with fraud?
So as I've just presented digital identity often not always lacks and anchor to reality. And I would argue that identity verification is that anchor being able to link a credential with the person it describes. Now this most often comes up in onboarding and this could be digital onboarding. This could be in person onboarding. And of course there's a range of assurance levels in those use cases. So at the lowest assurance levels, users are self attesting. Of course, there's no level of identity verification here. It's not always needed in use cases, but even at higher assurance levels where there is identity verification going on, it's often a one time verification. It's a snapshot in time. You can think of an example of a video identification process, where there's a webcam, an individual holding their identity document. And as long as that video cam is running, that identity verification is valid.
But as soon as that connection is broken, who knows somebody else may then be in possession of that identity document. Something about that situation may change. So more often than not identity verification is only a snapshot in time. What's really a pity about this situation is that there are solutions which are out there, which we call verified identity solutions, which do manage to achieve this link between a digital identity and the person holding it or the person it describes rather in ways that are trusted, that are reusable and secured. And they're trusted in that they allow the identity and the source of verification to be trusted. They're reusable in that they're allowing that verification to last for a longer duration of time, not just a moment in time and that the identity is able to be securely, stored and shared between different parties. So from that, we can take that there's an unused opportunity for organizations to be able to import or inherit a verified identity.
And what does that do for organizations that establishing a link between credential and individual that it describes it allows for improved KYC or know your customer that's especially useful in regulated industries. But what's really interesting for organizations in all industries is the portability of a verified identity, allowing access to a high level of assurance without needing to go through the agony and the cost and time of identity verification. And now this is the main question which we are going to be looking at today. Establishing this link could also act as a means of fraud reduction. So let's take a look, a closer look at why our chief fraud mitigation strategies here are fraud strategies of course, or fraud reduction strategies, but they're also identity verification capabilities, which is quite interesting to take a closer look. We've got real time insights here. Being able to use a decisioning engine, which would evaluate the risk of any incoming intelligence.
This is oftentimes paired with a risk based multifactor authentication, which is overall increasing the assurance level of the authentication. This is drawing from all sorts of information like credential intelligence, device intelligence, user behavioral analytics, behavior, behavioral, or sometimes referred to as passive biometrics and going with this is the recommendation to increase the assurance level overall of identities. Again, this goal here is to reduce fraud. So of course we're gonna wanna be pushing the assurance level up on all of these. And so bot detection and management, this also falls under this category, but if we look at this at a whole, these are very identity focused capabilities and strategies here. So as a summary, we can say that identity verification, then at the time of registration and authentication, which is supported by realtime analytics and decisioning can be form a strong prevention against account takeover and new account fraud.
Okay. Sounds easy. Great. Cut and clear. And the question is, is that, so what we can perhaps agree on is that identity fraud in its many forms is a security risk, but if we remain too focused on a single issue of simply solving fraud, then we're missing out on some of the other changes which are happening in our environment that we need to count for. Part of that is the increasing complexity of the security environment we're entering a different reality than would we assumed in previous years, which is that we're moving towards a multi-cloud multi-hybrid environment. We're not just sticking to one private cloud or even a combination of a private cloud with on premise, but really a much more involved environment. Of course, going with that is the word from home scenario, bring your own device. And of course the ensuing device sprawl edge computing is then increasing the need to have very good and focused management of device and machine and non-human identities.
And to add to that, we needed to hear it from the people who are having to solve these challenges. On a day to day basis, we asked the CSOs, we conducted a survey a couple months ago and asked what are the five biggest challenges that they will be facing in the next year? And the item, which had the most agreement was that there were too many tools being used against too many threats. So to look at this in summary, we do have an increasingly complex and interconnected security environment, but our strategy of throwing specific tools at specific problems is not working and has creating too much, too much noise in an area where we need simplicity and a stronger overview.
So how do we go about that? I hope it's not too early in the event to bring up zero trust. Unfortunately, it's already relevant. So I apologize, but I'd like to bring up this hopefully familiar phrase of don't trust, always verify it aligns very literally with access management in that if you, you know, you shouldn't trust those familiar access requests that are coming in from employees, from partners, from a recurring customer, you should verify that indeed they are still in possession of a valid credential, which is describing themselves. So that puts identity in the center and is using that as a preventative action against fraud. And we can boost that even higher if when we base it on verified and validated digital identities. So a valid question, which you may have is, well, if we're trying to reduce the number of tools which are focused on specific problems, then why are we adding identity verification in here?
We already have fraud reduction. Well, as an Analyst, I need to point out trends which are happening and a trend, which is happening here is that these two areas they choose these two market segments are approaching each other. They're having more and more shared capabilities, which is quite interesting in this scenario. So if we look at fraud, reduction capabilities of course have things which are specific here, like credential intelligence, user behavioral analysis bot detection. But we also have, if you look on the right, this growing list of shared capabilities, which does include ID proofing, device intelligence, behavioral, and passive biometrics credential intelligence, in the sense of looking at sanctions blacklists, politically exposed persons lists and the underlying basis of a risk based decisioning identity view verification also has its own specific capabilities, mostly around document proofing and onboarding of those documents and, and creation of a digital credential from an identity verification standpoint, that's also using optical character recognition, Deerfield, communication, things like that.
So another question which could arise is what do you do when a fraud case shows up with your identity verification system in place? How does that actually react to potential fraudulent behavior? Typically it's there to leverage automation and then escalate so that you have more information and know better what to do. So an organization would set their own risk acceptance, which would mean either permitting or denying a request in normal scenarios. When an interesting case comes up, it would then cycle through to an automated response either to reauthenticate or to step up that authentication or to go through a series of measures, perhaps putting a hold on an account or any other mitigating measures until it's more certain, if that access request was fraudulent or not. So with that, I'd love to leave you with some recommendations and we've gone through several different ideas today, but I'm gonna try and bring that back together here on this slide, which is we've understood that there's a need to reduce complexity in our security environment.
We have identity verification as a proposal to combat fraud. So how do we bring these two together in reducing complexity also with identity verification, part of this is the ability to achieve more than one goal. So if we widen our perspective, it's not just about reducing fraud. What else can we do with this part of that is being able to deconstruct a user journey or to make the user journey more modular, less rigid. So for example, we can bring identity proofing into the registration process actually. So they happen in parallel and that a successful identity proofing then triggers an automatic registration. We can also bring in authentication as an additional fraud check. So moving this identity verification, what could traditionally happen at the beginning of a process to later in the process? And so overall, the recommendation that I would be giving to you is to look for opportunities to reuse ID specifically verified identity, to achieve multiple purposes. So to introduce fraud reduction into the user journey, to make it more modular and flexible and more what users are expecting, and also to be able to inherit trusted identities from those trusted organizations and issuers building your own ecosystems. So with that, I threw quite a lot of information at you. I welcome any questions that you may have send those to Christopher and thank you very much for your time back to you.

Stay Connected

KuppingerCole on social media

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00