Editor’s note: A version of this piece first appeared on Chris Skinner’s blog, The Finanser.
Last week, Equifax disclosed a data breach that may have compromised personal data of up to 143 million U.S. consumers. The compromised data includes customers’ Social Security numbers, names, addresses, dates of birth, driver’s license numbers and other sensitive info. In other words, all the information you need to open new accounts and access existing accounts were compromised in the breach.
As we have known for a long time now, it is no longer good enough to use customer’s personal information for account access. Scores of companies from Ashley Madison to JPMorgan Chase to the Federal Reserve have had data breaches.
It’s no wonder the system is no longer working. We’ve been using this identity system for almost two decades. True, some banks have added two-factor authentication to ID customers. However, many institutions still rely on personal information for when someone, say, calls a call center to access an account — a requirement that is just annoying. Yes, I may need to know my mother’s maiden name, first pet’s name and favorite rock band when I ring my bank. But when the agent inevitably says “we just need to ask a few more questions before we access your account,” my heart sinks. In particular, questions like “name a regular monthly payment set up on your account and the amount paid” or “name the last three transactions where your card was last used and for how much” leaves me irritated, as I’m sure they do for everyone else.
Is there a solution to the broken system that is annoying at best and too easily hacked at worst? Of course. In fact, there are two options.
The first solution is biometrics technology — voice, eyes and other biometrics can easily be used by banks to authenticate their customers via their smartphones. Why banks aren’t incorporating these authentication methods into their onboarding and access mechanisms defies belief. Sure, banks would need modern core systems to use such newer authentication techniques, which is a big ask. But it sure beats relying on name, address, date of birth and all the information the hackers stole from Equifax to authenticate someone.
Nonetheless, I’m not a huge fan of biometrics if I’m being honest. If it is data, and biometric solutions are, the “solution” can still be compromised and replicated and mimicked. That’s why I am far more a fan of the second solution: a self-sovereign identity scheme, which is explained really well by Rhodri Davies, a program leader at the Charities Aid Foundation, in a blog. Davies writes:
“The basic idea behind self-sovereign identity is that rather than have our information held by third parties (often without us even knowing what that information is) and used to guarantee our identity and make decisions that affect us; we could turn the entire model on its head and give each individual control over their own digital identity.”
He then goes on to detail how people can record ID information on blockchain technology to rethink the identity model as an immutable record of transactions that is public — an idea I really like as it flips the ownership, verification and authentication process from third parties (trusted and untrusted) to me. In this model, I own my identity and I allow access to a persona of my identity on demand.
I have blogged about such concepts before and even wrote a long blog entry more than a year ago about digital identity ledger-based systems. Nevertheless, I am not advocating that blockchain solves everything, as illustrated by this proof of concept summary paper from Rabobank. However, the distributed ledger technology does get us along the way in solving identity issues.
All in all, it is pretty frustrating that time is passing by so fast and the industry is not moving to keep up with the needs for improved online authentication. Hopefully the banking industry will eventually catch up.
The Jackson, Mississippi, company will use proceeds from the sale of its Fisher Brown Bottrell Insurance unit to restructure its investment portfolio, moving $1.6 billion of low-yield securities off the balance sheet.
The store-branded card issuer is raising annual percentage rates and adding fees for paper statements to compensate for lost revenue. The Consumer Financial Protection Bureau's new regulation is scheduled to take effect on May 14.
At the banks' annual meetings, shareholders at both companies struck down proposals that would have split the board chair and CEO roles. Two other proposals also failed to win shareholder support, one concerning energy financing and another on pay gap analysis.
Congressional Review Act resolutions are ramping up ahead of the 2024 election cycle. Experts say that, although none are likely to become law, the resolutions are still powerful messaging and political tools.
The ABA is testing an information-exchange network to allow banks to share their fraud data with each other. Companies including Baselayer are also building solutions.
Republicans on the House and Senate Small Business committees are accusing the SBA of being irresponsible in granting Funding Circle permission to participate in its flagship loan-guarantee program.