• United States




What happens when half the nation’s information gets stolen?

Apr 04, 20185 mins
Data and Information SecurityData BreachHacking

The Equifax data breach exposed personal account data for nearly half of all adult Americans. Now that it’s in the hands of criminals, we need to reconsider traditional approaches to financial identity verification.

CSO slideshow - Insider Security Breaches - Weak link breaks among a larger chain in a network
Credit: Adventtr / Ivanastar / Getty Images

Let’s face it. The credit bureau data used by financial services organizations for identity verification and risk assessments is also in the hands of fraudsters. It’s been stolen. So how do we protect businesses and consumers against the effects of fraud that leverages compromised personally identifiable information (PII)?

From a financial standpoint, stolen PII is generally used one of two ways: to access an existing online account or to open a new account online. Accessing an existing account is generally more difficult even if the victim’s username and password has been compromised. This is primarily due to the layered protections most financial institutions have in place. For example, biometric authentication technologies are being used in place of older technologies like device intelligence and rules-based anomaly detection, which are becoming less effective. 

Stolen data and new account fraud

For cybercriminals, the most expedient use of stolen PII is for opening new accounts online. Since the organization being targeted has never done business with the victim being spoofed, these attacks pose several unique challenges.

First, the personal information requested in most online applications is exactly the same as what credit bureaus then use to validate the application. Recently, Equifax reported that another 2.4 million Americans were impacted by that enormous data breach, bringing the total number of affected American businesses and consumers to 145.5 million. Meanwhile, according to the Privacy Rights Clearinghouse, more than 4,500 data breaches have been made public since 2005, with more than 816 million individual records breached. This doesn’t include the breaches that have not been reported.

Second, a large swath of the millennial, generation Z, and recent immigrant populations do not have sufficient financial and credit history to be verified, leading to erroneous denials. For example, millennials own 22% fewer credit cards than Gen Xers did at the same age (21-34), according to a TransUnion survey. In addition, a Fed survey found that 18- to 24-year-olds prefer to pay cash more than other age groups. Meanwhile, if they do have a credit card, millennials prefer prepaid or debit cards, according to TD Bank. New account applications using stolen, but known, PII are more likely to slip past fraud filters than “thin file” applicants, even if they are qualified.

Third, advanced authentication technologies, while highly accurate, do not work for new clients whose identity has not been verified by the company. It’s a chicken and egg problem. To protect a new account using biometrics, the applicant’s identity must first be verified. If stolen PII is used (and accepted) to open a new account online, then advanced authentication tools only serve to provide another layer of validation for fraudulent accounts. 

Credit bureau data in is the crosshairs

As mentioned earlier, most businesses rely on the three largest credit bureaus – TransUnion, Experian and Equifax – for verifying online identities. This complicates matters, since most of the information housed by these companies has already been compromised in innumerable data breaches over the past few years. In fact, virtually every type of business, government agency, or educational institution has been affected. Since many breaches have gone unreported or even undetected, the problem is much greater than the estimates.

While we want to believe that the personal information contained in the credit bureaus’ databases is safe and secure, much of it is openly available in online black markets.

The government has taken notice. Proposed government legislation is in the works to make companies accountable if they expose consumers’ data to hackers. The bills are focusing on what happens after the data is stolen, not prevention. Nevertheless, it’s a step in the right direction.

Digital footprints harder to spoof

What has become apparent, however, is the approach of using centralized, static – and largely compromised – credit bureau data for identity verification has outlived its useful life.

A more dynamic approach, based on a wider range of data including online, offline and social sources that are difficult to steal and replicate, is needed such as email, phone number, IP address, etc., provided by the applicant.

The technology to do this is available. In fact, many financial services organizations are using artificial intelligence and machine learning techniques to detect fraud after an account is opened. These same techniques can be applied to mine a wider set of data sources than static credit bureau databases, to verify an applicant’s identity when they apply to open a new account.

Supplementing traditional information sources with digital footprint data provides more accurate and reliable digital identity verification. Reducing our reliance on “Stolen PII” can not only reduce account opening fraud, but also boost acceptance rates for so-called “thin file” applicants with little or no credit history, like millennials.

Bringing identity verification into the digital age is long overdue. It’s good for corporate profitability, good for consumers and ultimately, good for the economy.


George Tubin is Vice President at the identity verification and fraud prevention company, Socure, and he is a recognized expert in online and mobile banking and payments security and cyber-fraud prevention. He was previously a senior research director with the leading financial services research firm CEB TowerGroup (acquired by Gartner, Inc.) where he delivered thought leadership and insights to leading financial services institutions, technology providers, and consultancies on business strategies, technologies, and market trends in retail, Internet and mobile banking, and fraud management.

George has held several positions at BayBank, BankBoston, and Fleet (now Bank of America), including director of e-commerce planning and development and vice president of planning and analysis for the consumer and small business banking divisions. He has also been a senior security strategist for financial services at IBM Trusteer and ThreatMetrix.

George has appeared in print, radio and televised media, including The Wall Street Journal, Newsweek, CIO Magazine, American Banker, CNN Money Online, Bank Systems and Technology, USA Today, NPR Nightly Business Report, and Associate Press Television News syndication. In addition, George has been a chair and featured speaker at dozens of major industry conferences and webcasts, and has authored dozens of research notes and articles for numerous media outlets.

George received an MBA from Babson College and holds a Bachelor of Science degree in industrial engineering and operations research from the University of Massachusetts, Amherst.

The opinions expressed in this blog are those of George Tubin and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.