As consumers increasingly transact over mobile phones and social networks, banks, payment networks and policy experts are rethinking the nature of consumers' digital identities.
What were once good identifiers are quickly becoming obsolete as device ID and other, newer methods take hold. Social network connections, for instance, have the potential to give banks insight into who their depositors do business with and become a piece of digital ID.
"Digital identity is very broad, it is passwords for Facebook, LinkedIn, and Twitter, as well as anonymous identities, and fingerprinting or even cookies on the Internet," says Molly Crawford, the policy director at the Future of Privacy Forum, a think tank and advocacy group.
The question she asks is: "How can we link these across multiple devices to benefit consumers?"
A panel at the Visa Security Summit in D.C. Wednesday highlighted the web of attributes banks and payment networks use for data mining and understanding customers.
(Full disclosure: I moderated that panel.)
Crawford, as well as experts from Visa, the University of Texas at Austin, The Open Identity Exchange and Bank of America, participated.
"People and businesses have a lot of identity attributes and these identities are connected, they become 'identity assets,'" says Dr. Suzanne Barber, the AT&T Endowed Professor in Engineering and director of the Center for Identity at The University of Texas at Austin. "It's a good news, bad news thing.
"The bad news is those connections are used by fraudsters."
Of course, cyber criminals are innovating just as fast as, if not faster than, the security technology banks use. Security — at least in the way we think of it now — is a reactive science.
And the concept of identifying your customer is nothing new. It's as old as KYC — the process banks throw their customers through before account openings.
Somewhat recently, in 2011, the FFIEC presented guidelines on what was then a predominantly consumer-oriented way of identifying customer history and behavior, says Jason Malo, CEB Towergroup research director, who did not take part in the panel.
"These are still framed as ways to authenticate a user," he says in an email. "They are still based on a cumulative measure of identity rather than recognizing explicitly that defining attributes such as account numbers and even Social Security numbers also have identities of their own."
Meanwhile, banks and payment networks are already thinking past the regulators.
"Visa has long viewed identity as a 16-digit account number, and we build profiles around it. What is a normal behavior for this account number? We have been building risk models for years around account numbers," says Mark Nelsen, Visa's head of risk and authentication products. "It is a limited view of identity, and we are expanding that to devices, [asking]: What has this device been used for?"
He adds that at the heart of Visa's efforts are its issuers.
"We are creating digital identities to benefit banks," says Nelsen. "Static passwords need to be replaced. We are working on EMV chip cards, one-time passwords and app-based security technology."
So far, however, no one is adequately protecting customers, says Donna Turner, Bank of America's senior vice president of policy and control in charge of fraud and claims.
"Consumers expect a highly technical platform, and we're not keeping pace," she says. "Our customer base is changing."
She says that data at flight is data at risk and it takes accountability, responsibility, and liability to keep it safe.
"There is a delicate balancing act on how we share information," says Turner. "Banks know there is a brand risk and a financial risk."
PaymentsSource reporter David Heun contributed to this report.