Moving From Static Identity To Digital Identity
Opinions expressed by Forbes Contributors are their own.
Post written by
A Fortune 500 executive, blending early-stage action with public company knowledge and a key pioneer in the building of digital identities.
The most recent Equifax data breach exposed the confidential and private information of some 143 million U.S. consumers to hackers and other nefarious users. This information includes consumer’s names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license and credit card numbers.
Essentially, this means that practically every adult consumer in the United States had their information stolen. While identity theft monitoring and insurance services can help to identify when your identity is being abused, this doesn’t solve the actual problem. The information taken was more than enough for identity theft (someone to impersonate you), to create synthetic identities (fake identities made using pieces of your real information) and to enable account takeovers (where fraudsters have your credentials and take over your online accounts). Given the breadth of the breach and the attack vectors, a credit freeze offered by credit bureaus will not fully protect anyone whose information has been compromised in the breach. And, when combined with the still-unwinding Yahoo breach and the long line of others, our data is increasingly exposed.
The real solution to this problem starts by not relying only on the static identity data held by credit bureaus and most other identity data sources as means for verification of an identity.
Static information is the most frequently used method for identifying someone and ostensibly providing security. Most every financial company or merchant where you have an account uses static information to verify your identity. Static information was thought to provide security because that information was supposedly outside of the hands of criminals and not guessable. This information might be your social security number, driver’s license, mother’s maiden name or other special security questions, generally referred to as knowledge-based authentication (KBA).
However, identity verification databases that use static data don’t update very often. And, the longer data is out there, the more likely it is to become compromised. All it requires is one slip up with one of the multitudes of companies that hold your data, and your information is compromised. For Equifax, this may have been as simple as not installing a security update. However, the bottom line is that static information by itself was never a fit for the digital world, where information is easily shareable and readily accessible through normal or nefarious means.
There is another fundamental problem with identity databases. They store our identity information in ways that can be utilized for identity fraud when they are compromised. Most identity databases have an unfortunate dual purpose; they are used for identity verification, but mostly, and by far more lucrative, they are used for marketing.
Marketing applications require these databases to store lots of searchable user data. The more data they store, the more valuable they are in the marketing world. However, identity verification doesn’t need to store users’ data in a way that can be reused. Cryptographic technologies provide several mechanisms to match and compare data without the need for storing the actual identity data.
The digital world can be rough on the old way of doing things, and it demands stronger solutions than the old static credit bureaus can provide. Digital identities are a stronger and more relevant solution for our ever-growing digital world.