Congress Hears Ideas for Battling ID Theft
Experts Call for Rethinking Identity Management in Financial Services Sector
As cybercriminals adopt new methods to steal and manipulate victims' identities, the U.S. financial services industry needs to rethink how to protect customers' information using emerging technologies, such as artificial intelligence, security experts testified at a recent U.S. House committee hearing.
The U.S. House Financial Services Committee held the hearing Thursday to learn more about how adopting new technologies can help fight ID theft - and how threat actors are already using these same technologies to further expand their crimes.
Security experts told the committee that financial services companies, as well as government agencies, need to adopt AI to counter new threats to identity such as "deep fakes," which use advanced imaging technology and machine learning to convincingly superimpose video images, and "synthetic identities," where cybercriminals use stolen information to attempt to mimic a person to carry out identity-related fraud.
"Artificial intelligence is only enhancing cybercriminals' arsenal. AI can be used more quickly to find vulnerabilities in a bank's software and used to impersonate someone's voice or face in a phishing scam," says Rep. Bill Foster, D-Ill., who chaired the hearing.
Financial institutions face increasingly sophisticated cyberthreats.
For instance, in March, a cybercriminal used AI technology to mimic the voice of the CEO to demand a fraudulent transfer of $243,000.
In his opening remarks, Foster noted that identity forms a crucial component of the digital economy in the U.S., and that in 2018, almost $15 billion was stolen from American consumers through identity-related fraud.
To better understand the role technology can play in fighting financial fraud, committee members heard from Anne Washington, an assistant professor of data policy at New York University's Steinhardt School; Valerie Abend, managing director of Accenture Security; Jeremy Grant, coordinator of the Better Identity Coalition; Amy Walraven, president and founder of Turnkey Risk Solutions; and Andre Boysen, chief identity officer of SecureKey Technologies.
Revamping Authentication Systems
The experts told the committee that financial services companies as well as government agencies need to move beyond longstanding authentication systems and deploy AI-based verification processes instead.
"Identifying yourself through passwords, login details and security questions is no longer working," Abend of Accenture told the committee. "Hackers are using new capabilities to commit their attacks in ways we haven't thought of yet. That's why we need AI to thwart them at the speed of cyberattack as they occur."
Grant of the Better Identity Coalition testified that relying on Social Security numbers to identify citizens who are seeking government services creates security issues. He suggested federal agencies should build advanced systems to verify identity.
"For instance, the FIDO [Alliance] and World Wide Web Consortium have developed standards for ... authentication steps that can be embedded in operating systems and browsers to enhance security and privacy," Grant testified. "The government can thus play a larger role by adopting the standards."
Government should work with industry to deliver next-generation, remote identity proofing tools to help ensure that Social Security numbers, driver's license numbers and passport numbers are protected, he added.
A recent report from the U.S. Government Accountability Office discouraged federal agencies from relying too heavily on outdated authentication methods (see: GAO: After Equifax Breach, KBA No Longer Effective).
"The challenges here are what I call the 'identity gap,' where all of these systems are still stuck in the paper world," Grant says.
Effectiveness of State Laws
The security experts who testified also addressed the effectiveness and appropriateness of state privacy laws, such as the California Consumer Privacy Act, which will give consumers new rights regarding the collection of their personal information when it goes into effect on Jan. 1, 2020.
"Under CCPA, a consumer can go to a ... company that has information that is used for security and fraud prevention and ask for that information to be deleted," Grant testified. "So, the concern here is, even if 2 percent of the consumers ... ask them to turn off the security analytics tools, which could prevent attacks like credential-stuffing attacks, then it is going to put people, business and consumers at risk."
Some of those who testified urged Congress to consider passing a federal data privacy law to help protect against ID theft, rather than relying on various state laws.
Over 50 CEOs from U.S. businesses recently signed a letter urging Congress to pass a comprehensive consumer data privacy law that establishes a national privacy framework and strengthens protections for consumers. Signers included Amazon CEO Jeff Bezos, Bank of America CEO Brian Moynihan and Dell Founder Michael Dell.
"Now is the time for Congress to act and ensure that consumers are not faced with confusion about their rights and protections based on a patchwork of inconsistent state laws," the letter states.