Editor’s note: A version of this piece first appeared on Chris Skinner’s blog, The Finanser.
Last week, Equifax disclosed a data breach that may have compromised personal data of up to 143 million U.S. consumers. The compromised data includes customers’ Social Security numbers, names, addresses, dates of birth, driver’s license numbers and other sensitive info. In other words, all the information you need to open new accounts and access existing accounts was compromised in the breach.
As we have known for a long time now, it is no longer good enough to use customers’ personal information for account access. Scores of companies from Ashley Madison to JPMorgan Chase to the Federal Reserve have had data breaches.
It’s no wonder the system is no longer working. We’ve been using this identity system for almost two decades. True, some banks have added two-factor authentication to ID customers. However, many institutions still rely on personal information when someone, say, calls a call center to access an account — a requirement that is just annoying. Yes, I may need to know my mother’s maiden name, first pet’s name and favorite rock band when I ring my bank. But when the agent inevitably says “we just need to ask a few more questions before we access your account,” my heart sinks. In particular, questions like “name a regular monthly payment set up on your account and the amount paid” or “name the last three transactions where your card was last used and for how much” leave me irritated, as I’m sure they do everyone else.
Is there a solution to the broken system that is annoying at best and too easily hacked at worst? Of course. In fact, there are two options.
The first solution is biometrics technology — voice, eyes and other biometrics can easily be used by banks to authenticate their customers via their smartphones. Why banks aren’t incorporating these authentication methods into their onboarding and access mechanisms defies belief. Sure, banks would need modern core systems to use such newer authentication techniques, which is a big ask. But it sure beats relying on name, address, date of birth and all the information the hackers stole from Equifax to authenticate someone.
Nonetheless, I’m not a huge fan of biometrics if I’m being honest. If it is data, and biometric solutions are, the “solution” can still be compromised and replicated and mimicked. That’s why I am far more a fan of the second solution: a self-sovereign identity scheme, which is explained really well by Rhodri Davies, a program leader at the Charities Aid Foundation, in a blog. Davies writes:
“The basic idea behind self-sovereign identity is that rather than have our information held by third parties (often without us even knowing what that information is) and used to guarantee our identity and make decisions that affect us; we could turn the entire model on its head and give each individual control over their own digital identity.”
He then goes on to detail how people can record ID information on blockchain technology to rethink the identity model as an immutable record of transactions that is public — an idea I really like as it flips the ownership, verification and authentication process from third parties (trusted and untrusted) to me. In this model, I own my identity and I allow access to a persona of my identity on demand.
I have blogged about such concepts before and even wrote a long blog entry more than a year ago about digital identity ledger-based systems. Nevertheless, I am not advocating that blockchain solves everything, as illustrated by this proof of concept summary paper from Rabobank. However, the distributed ledger technology does get us along the way in solving identity issues.
All in all, it is pretty frustrating that time is passing by so fast and the industry is not moving to keep up with the needs for improved online authentication. Hopefully the banking industry will eventually catch up.