Identity theft is all too common these days, but a shocking new report from the Federal Trade Commission highlights just how bad the situation’s become. Identity theft isn’t just the top complaint in America — which it’s been for the past 13 years — complaints “surged by 32%” in 2012, bringing the total estimated number of victims to 12.6 million. Even worse, the so-called “low-hanging fruit” of identity fraud, filing tax returns to wrangle free money from Uncle Sam using someone else’s name and Social Security number, have become the identity theft du jour, with that and wage-related fraud accounting for 43% of all such complaints.
That’s why it makes sense for financial and government sectors to explore high-tech ways to counter the problem, even if it means making consumers a little uncomfortable in the process.
[Related Article: Can You Really Get Your Credit Score for Free?]
Most recently, the state of New Jersey launched a photo-matching program called Operation Facial Scrub, which aims to keep fraudsters from obtaining a second driver’s license using another resident’s identity. So far, the facial recognition program seems to be working — it’s “yielded 38 criminal prosecutions and more than 600 potential cases,” according to a CBS report. It remains to be seen whether other states will adopt the technology, though New Jersey reportedly shared it with 20 other states.
“I think some of these things will definitely be beneficial,” says Raul Vargas, team leader of fraud operations for Identity Theft 911.
But there’s more to the security puzzle than just facial recognition. “Security is all about layers of protection,” says Robert Siciliano, a security expert with McAfee. “Whether it’s two or three-factor authentication, that’s what we need to take it to the next level. Right now, we don’t have that. The system is flawed.”
Galvanizing Your ID Online
One such two-step authentication comes from the FIDO (Fast IDentity Online) Alliance, which was formed in July 2012. Though its platform has yet to be widely adopted, it signals the future of crime-fighting tech. FIDO, which combines hardware, software and Internet services, offers users two types of screening for users: an identification token that’s presented each time a user logs in to his or her account, and an authentication token that asks the user to perform an action, such as flashing a password or PIN, or swiping their finger. But that’s not all the FIDO system does to protect against fraud. It also includes a browser plug-in that connects to the actual system being used, a validation cache to ensure that tokens aren’t being “spoofed,” plus a FIDO Repository to store and validate information about new tokens. In this way, FIDO rolls several security measures into one, making it harder to get past red tape with merely a user login and password, or even a fingerprint.
Combining a password with a physical token is something Chester Wisniewski, senior security advisor at Sophos, approves of. “It’s not that passwords are impossible to use correctly, but most people aren’t. We really have to get toward this two-factor solution,” he says.
Unlike facial recognition technology, such as the Kansas startup EyeVerify, which scans users’ retinas, FIDO isn’t relying on an unchangeable aspect of your body, such as your iris or fingerprint, which can be stolen, compromised and used. “If someone steals that digital description of my fingerprint or retina, suddenly you’re able to authenticate as me and I have no way to ever change it,” he says.
Still, Siciliano is quick to point out that the biometrics have fewer “false positives,” or risks for mistakes, than two-step authentication. A biometric takes a dynamic snapshot — for example, an iris scan showing how your pupils dilate, focus and view surrounding objects — rather than a static one wherein there’s no movement. However, “we’re still a good decade away from seeing biometrics used by the masses in everyday transactions,” he says.
Less Convenient, More Secure?
And let’s not forget that “combining [a token] with something in your head is a lot easier,” Wisniewski says. The less extreme the tech is, the more consumers are likely to use it.
“Several bank executives have told me our customers would quit using our bank because they don’t want the inconvenience” of having to remember more than one thing, or having their body scanned, Wisniewski chimes in. “Even Facebook doesn’t turn on their two-step authentication because they don’t want to risk losing users.”
What’s more, “the technology behind biometrics and in which biometrics are used has not been standardized through companies or major banks,” Sicliliano says, nor has it become standard at government agencies. For biometrics at least, ‘the pain of fraud hasn’t yet eclipsed the benefits of the security,” and it may be three or five years until we begin to see this technology being used.
Take the IRS, which is dealing with massive amounts of tax fraud this year. “There’s a big move to update the system,” Siciliano explained, “but the IRS is only a few years into this as we speak,” though they’ve known about the problem for almost five years. “It’s usually situations like that, like the worst kind of scenario, that can facilitate a change in the system.”
For now, at least, it looks like consumers will just have to go the old-fashioned route: shredding sensitive papers and keeping strong passwords to themselves, and of course, checking their credit report regularly.
More from Credit.com