We all know that there is a strong connection between identity and fraud but getting a real picture of the identity-related fraud problem is not always easy.
Identity-related fraud can be thought of as ’any type of fraud that is enabled by a false representation of identity’. In a payment transaction, this could mean that either the payer’s or the payee’s identity is compromised in some manner. There are many techniques fraudsters may use, including:
Impersonation – by using someone else’s identity information.
Account takeover – by gaining access to someone’s account credentials.
Money mules – by using other people to act on their behalf.
Synthetic identity – by exploiting information from real people to create fictitious identities.
Identity-related fraud concerns people and organisations. Either can be falsely represented. The identity-related fraud landscape is complex and constantly evolving, as fraudsters find ingenious new ways to get around whatever controls are in place.
Getting a true picture of the shape and size of identity-related fraud is hard. Firstly, there is no single taxonomy for categorising fraud. And so, for example, when you compare the various fraud reports published by governments, industry bodies, and vendors, it can be difficult to know if you are comparing like with like.
Secondly, not all fraud gets reported. In some cases, fraud may go undetected for a period of time. In others, the victims of fraud may not wish for it to become known.
Thirdly, not all identity-related fraud is reported as such. In the UK, for example, identity theft is not a crime, and so, only the resultant crime will be reported. Last and most definitely not least, there is comparatively little information on the perpetrators of identity-related fraud.
However, available information suggests it is a big problem. In 2022, the FTC processed over 1.1 million identity theft reports in the US equating to billions of dollars in losses. And this only includes the incidents reported to the FTC, so the actual size may be far higher.
In November 2022, the UK House of Lords published a detailed report on the state of fraud in the UK, and many of its findings undoubtedly apply, in equal measure, in other countries too. The report noted that the shift to digital, accelerated by the COVID-19 pandemic, has created large opportunities for fraudsters who are able to undertake their activities from anywhere in the world, acting with relative impunity. The scale and pace of change have made it difficult for authorities and the criminal justice system to keep pace, with funding often inadequate or applied in the wrong places. Many of the areas of fraud growth that it cites are identity related.
Sometimes, the incentives to fix the problem are not well aligned. The UK-based TSB bank, recently reported that 80% of authorised push payment fraud affecting its customers originates on platforms operated by Meta. In cases like this, regulatory intervention may be needed. The question will then be whether controls can be designed that are effective and economic, whilst not undermining whatever privacy exists on those platforms.
The answer to most of these issues is to come up with robust digital identities that are designed for the digital world, and which provide assurance about both the payer and the payee. Unfortunately, this is far from reality.
Great progress has been made in document scanning and selfie-checking solutions, which are now in wide use for onboarding. These solutions are a definite improvement on some of the earlier methods of identity verification, but they introduce friction and only work for individuals, as opposed to organisations. This means that, in many cases, they can only provide assurance about either the payer or the payee.
Open Banking goes a step further as PISPs are regulated, and so, users can have greater assurance about where the payment is going.
What we really need are strong digital forms of identity evidence – such as cryptographic verifiable credentials – that can be issued to payers and payees, allowing them to easily present verifiable information to each other. Implemented well, these are both hard to counterfeit and hard to steal. They also rely on well-understood cryptographic key management processes to keep ahead of the fraudsters – processes which the card payments industry has been following for a decade or more.
Those credentials would not necessarily be assertions of identity but, instead, would provide strong, authoritative evidence that could be relied upon. For example, a bank could issue a credential asserting that the holder of the private key, to which the credential relates, has a bank account with a certain name.
Banks often view digital identity as a potential profit centre, but there is a lot to be gained by preventing spiralling fraud costs. This requires an overall increase in trust in the digital world, which banks can help with by giving customers (whether individual or business customers) credentials to digitally prove they are indeed legitimate bank customers. These credentials, potentially combined with others, would allow bank customers to form trusted verifiable digital relationships in the digital world, which is the foundation for a trusted digital economy.
Instead of having to pay for a verified account on a platform, people could simply present their bank-issued credentials. That would save the platform money and benefit the bank by reducing identity-related fraud.
This editorial is part of The Paypers' Fraud Prevention in Ecommerce Report 2023-2024, the ultimate source of knowledge that delves into the world of fraud prevention, revealing the most effective security methods for companies to stay one step away from bad actors and secure their businesses.
Steve is the CEO at Consult Hyperion. He has extensive experience advising payment schemes, banks, governments, and vendors around the world on digital identity strategy and implementation, fraud prevention, AML, and privacy. Steve has worked on several groundbreaking digital identity programmes – both public and private sector-led. He is very active in the industry as a speaker and contributing to standards and trust framework development.
Consult Hyperion is an independent strategic and technical consultancy, based in the UK and the US, specialising in secure electronic transactions. With over 30 years’ of experience, we help organisations around the world exploit new technologies to secure electronic payments and identity transaction services. We offer advisory services, technical consultancy, software development, and testing using a practical approach and expert knowledge of relevant technologies.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now