Identity Startup Builds Trust Network to Devalue Stolen Data

An identity protection startup called Civic wants to tackle data breaches by giving consumers control over who uses their information.

The Palo Alto, Calif., company, which launched the beta version of its app Tuesday, notifies users when their Social Security number is being used by one of its partners and allows them to report fraud before a new account is opened or approve and deny transactions. Users will also receive push notifications from credit bureau TransUnion with any updates to their credit reports.

The goal is to get to the point where a Social Security number — originally designed to track Social Security benefits rather than as an all-purpose identifier — is used for credit approval only when consumers (or their parents, if they're under 18) permit it, Vinny Lingham, co-founder and chief executive, said in an interview.

Two years out, Civic wants to have more partner organizations than any credit bureau, and Lingham says the market for identification information is much larger than the one for credit bureau information.

"With the recent spate of data breaches, most consumers have had their identifying information like Social Security number stolen and it's currently sitting on the dark Web waiting for someone to purchase and use it," Lingham said, adding that this puts banks at risk from a compliance perspective as well as a credit perspective. Following anti-money-laundering and know-your-customer guidelines "ensures that the name on the account is in good standing. It doesn't prove that the person who is opening the account is in fact that person. With the recent introduction of EMV, fraudsters are moving online now – and new account fraud has more than doubled this past year."

Application fraud (when someone opens an account using fake or stolen documents in another person's name) is one of the most harmful types of fraud and represents 20% of the $10.9 billion that U.S. card issuers lose each year to fraud, according to LexisNexis Risk Solutions. Javelin says there are 13.1 million fraud victims in the U.S. and there was a 113% increase in new account fraud in 2015.

Civic is effectively a trust framework that sends push notifications or emails to consumers in real time when their Social Security number is used. The firm says it verifies the institution to the consumer and vice versa through a two-way authentication process, which "allows [members] to approve or decline the usage of their details and will prevent unauthorized accounts from being opened up," Lingham said. Even if a user neither confirms nor denies identity, that person is made aware of who is using his or her information, he added.

"Companies need to recognize not all identity information is created equal," he said, making an example of blemishes on credit reports of minors who carry them into adulthood. "You can't trust that information. … Identification is fundamentally based on trust. It's all relative, the only thing not relative is your DNA."

Civic consumer clients receive a $1 million lifetime identity theft protection policy when they sign up as well as access to identity theft consultants via a 24/7 hotline to guide them through document replacement, email compromise, employment ID theft, financial ID theft and tax ID theft situations, among others.

The startup says it will never charge consumers for the product, but organizations that join the network will pay "a small fee."

Because Civic identifies itself as a data privacy company, it is naturally consumer driven – and the privacy of users' data is paramount, Lingham said. Civic users can choose to store personal information on their devices but Civic itself doesn't hold any of that information. It uses a blockchain to hold "the minimum amount of information" it needs, like a username and password.

"It's hard to hack a blockchain," Lingham said. "If you lose your phone we can replace information using multisig technology," which allows users to request cryptographic signatures by more than one user to validate a transaction on the premise that bad or malicious actors would have to breach multiple machines to transact on one user's behalf. The blockchain-based architecture will be invisible in the user experience, to businesses and consumers. Civic plans to reveal more on its blockchain-based features in the fourth quarter.

Lingham is a co-founder and former CEO of the mobile gift card wallet Gyft, where he gained insight on consumer fraud trends, he said.

"One of the biggest problems that Gyft encountered was dealing with payment fraud – it's one of the highest categories of online fraud," he said. "My observations from dealing with this problem at scale is that card not present is not the problem. The real problem is PNP [person not present]. The internet needs a reliable way to remotely confirm identity."

First Data purchased Gyft in 2014.

Civic raised a $2.75 million seed funding round in February, led by early stage fintech investment fund Social Leverage. It is now in the process of signing partners from industries that would use a Social Security number as a form of identification, like background check companies or banks. Background check startups GoodHire and Onfido have joined the network.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER