Comic Con Controversy Highlights Digital ID Opportunity for Banks
Holy oversharing, Batman! This October, the organizers of New York Comic Con will likely know the secret identities behind the masks — and a lot more about the thousands of attendees.
To discourage ticket scalping, event organizer ReedPOP required fans to authenticate themselves online before ticket sales began. Would-be buyers were asked to put down a number of credentials — including phone numbers, addresses, and credit card information — in what was dubbed the "fan verification process."
Prospective attendees were also asked why they were attending and what their favorite features of the annual convention were. Sharing the information, however, was no guarantee they'd score a ticket, and buying tickets in person in a local comic store was no longer an option.
The process rubbed many fans the wrong way, not least of all for privacy reasons. After all, Comic Con hosts a variety of vendors — many of which might be very interested in collecting verification submissions for marketing purposes. "This just comes across as consumer data digging to me, even if they say it won't be passed to outside companies," groused one online commenter.
Though it concerns a whimsical event, the Comic Con controversy captures the serious challenges of protecting identity in the digital age. It is an issue banks and fintech firms are exploring as they look at how to build trust and weed out bad actors while safeguarding privacy for legitimate users.
Most people don't understand online identities, operating constantly under an "illusion of control," said Mary Hodder, a technology consultant in the Bay Area. Even legitimate actors will attempt to protect themselves by providing incorrect information, she said. However, all most companies really need to profile a user is a name, birthday and ZIP code, Hodder said.
In her estimation, scalpers would have little trouble getting past the convention's fan verification process. (Indeed, immediately after they went on sale, tickets were listed on eBay and StubHub, according to fans who complained online and to American Banker reporters.)
Using an outside vetting service would be a better way to verify identity, said Hodder, who is a board member of the Identity Ecosystem Steering Group, a body that sets standards for identity management practices and allows companies to benchmark their compliance. (Bank of America, Citigroup and U.S. Bank are members.)
But banks are in a distinct position to take on this role, given that they already are required to know a lot about their customers before opening accounts, she said.
"Banks verify," Hodder said. "We already have a strong identity relationship with banks. Banks have brands they want to defend — if they leverage their brand and the desire to defend it and the desire to defend customers, I think they could have a fantastic business."
If banks could focus on the bigger picture, and not get swept up in the "solid money attached to marketing," they would recognize the profit potential in identity management, she added. The problem is, such a business line is still in the conceptual stages, Hodder said.
U.S. Bank, based in Minneapolis, is one of a handful of banks that are investigating such an opportunity.
"We've got this interesting problem to solve and at the same time, are thinking through our role as financial institutions and as the provider on the security side of things," Dominic Venturo, the bank's chief innovation officer, said during a June presentation at American Banker's Digital Banking 2016 conference.
He gave the example of Voder, a fictional Netflix-like streaming service that asks its users for a lot of personal information, in part so it doesn't violate regional copyright restrictions or allow children to view inappropriate materials. Why not authenticate through their banks, Venturo suggested; they could attest that someone is over 18 and located in a certain part of the world without giving their name or address.
The $438.5 billion-asset U.S. Bank could build its own identity service, but solving the problem is not something one bank can do on its own, Venturo said, calling for the industry to collaborate. (Other banks that are taking a serious look at identity management as a service include BBVA Compass and USAA.)
It should be noted that scalping is a real problem. On Sunday, Sen. Chuck Schumer, standing alongside "Hamilton" creator Lin-Manuel Miranda, called on his fellow lawmakers to support legislation to crack down on scalpers, specifically those who use computer programs to game the system.
Banks would need to be careful if they were to assume the role of identity providers.
Steve Ehrlich, lead analyst for emerging technologies at the advisory firm Spitzberg Partners, agreed that identity management is something banks could handle efficiently. But it would only work with certain regulations, he said. Banks would have to be transparent about what they collect, and what they use it for, Ehrlich said.
The system would be more equitable than the status quo if banks offered to compensate consumers for using their information, he said. "People don't realize how valuable their data is," Ehrlich said, but "they understand their data is worth something. You have to give something to get something."
James Varga, founder and chief executive of miiCard, an online identity verification service based in Edinburgh, Scotland, said that simply asking for someone's phone number, address and credit card information is a weak authentication measure.
"It may help in little ways, but it's easy to find this information and hard to verify that it's you that this information belongs to," he said by email.
Varga agreed that banks have a valuable role to play in solving the identity problem, in part because "the bank knows you really well — it's already done that full identity check when you opened your bank account." His company's model piggybacks off that work done by banks. Customers verify themselves to miiCard by sharing their online banking credentials, then use miiCard to log into other sites, much like they'd connect via Facebook or Twitter.
The pitch is that the consumer then doesn't have to share personal information with anyone other than the bank and miiCard.
"Let individuals prove their real identities without having to remove the masks," Varga said. "Put individuals in control of their personal information and just ask for only what they need."
Campbell Loeber is an editorial intern at American Banker.