Fido exposed through identity verification: “Please provide name, DOB birth and species”

Linda Musthaler
By | May 02, 2012

Posted in: Network Security Trends

There’s a classic cartoon depicting a dog using a computer, with a caption that says, “On the Internet, no one knows you’re a dog.” It’s funny, but true. When you have any sort of web-based business, you really don’t know who is on the other end of the transaction.

Most online businesses address the identity verification issue by requesting or requiring a person to register on the website to establish baseline identity information. But what if a business needs to verify the identity of a customer with whom it has no prior relationship? The website registration process often collects the barest information, such as a person’s name and email address. How can the business owner gain confidence that the data provided is legitimate? Here are two non-intrusive approaches to web authentication that are growing in popularity.

Technology called “identity verification” provides an automatic way of comparing information provided by a person – for example, name, address, date of birth — against information found in thousands of trusted public data sources. Let’s say John Doe registers for a web service and gives an address and DOB. An identity verification application can check the data the person provided against various databases to see if there really is a John Doe born on the birth date and living at the address that was given. If yes, then we know that a real John Doe exists — although it’s possible the person who just registered with this identity might have usurped the information from the real John Doe.

A more advanced form of the verification technology is called “knowledge-based authentication” or KBA. This process uses a series of multiple-choice challenge questions based on someone’s personal history to determine that person is who they claim to be. The questions are non-intrusive and dynamic, and they are unlikely to be answered promptly and properly by someone who is faking the identity.

For example, our John Doe might be asked, “Which of these cars have you owned? A Chrysler Concorde…A Ford Taurus…A Dodge 600…A Chevrolet Camaro?”  John has just a few seconds to respond with the correct answer. The KBA application might ask a total of three or four questions. In theory, only a person with intimate knowledge of John Doe’s life would know all the answers.

While neither method provides absolute identity verification, each helps a business make more informed choices about how further interactions or transactions with that person should be handled. What’s more, the process takes place in-line with account registration or check-out and it’s non-intrusive to the consumer. Even though the KBA challenge questions are about the person, they are on the public record and aren’t so intimate as to feel creepy.

Having a level of confidence about a person’s identity is important for numerous reasons. Businesses that operate an eCommerce site and accept payment by credit card want to know that the credit account really does belong to the person buying the goods. Financial institutions and payment processing companies must meet strict Know Your Customer (KYC) regulations to prevent money laundering. Businesses such as online dating sites want to screen out inappropriate prospects — convicted felons, teens, etc. And, some websites need to verify the age of consumers: the Children’s Online Privacy Protection Act (COPPA) forbids the collection of private information from children under the age of 13.

Use cases for identity verification

The best way to explain how the technology works is through a couple of hypothetical and real use cases.

Let’s say I want to open a new email account on one of the free email services such as Gmail. Instead of opening the account with my own name, I provide a fictitious name so that I can hide my true identity in the messaging system. To establish an account, the system asks for my first name, last name and date of birth. When I type in the deliberately misleading information, an identity verification application can determine that the data given does not exist in known public databases. The messaging system can reject my request for an account on the grounds that I not have provided valid information and have violated the application’s terms of use.

A couple of teenage boys want to view content on a sexually graphic website. To register for the service, they make up a name and birth date to appear older than they are. Using identity verification, the website can determine that the person at the keyboard is not someone to do business with.

Now for real implementations…

The mobile payments processor Obopay uses a solution from IDology as part of a vast suite of tools that helps the company understand more about the people who are registering for its service. Obopay uses identity verification to help reduce financial risk as well as to meet its obligations to prevent money laundering. Like any payments processor, Obopay has to adhere to strict KYC regulations, so being able to absolutely identify a person is mission-critical.

WikiLoan offers peer-to-peer lending in which two private parties that typically know each other agree to establish a loan without using the services of a bank. One person lends to another, and WikiLoan acts as the middleman to provide a credit score, loan documentation and to set up automatic payments. WikiLoan verifies the parties to the loan to ensure that a thief is not clearing out someone else’s bank account to give a “loan” to an accomplice. The company is able to do a sufficient verification of the people involved within seconds instead of what used to be days.

While used most often in the financial industry, identity verification is really a horizontal solution that fits any industry that needs to know who they are dealing with, even before any business relationship is established. Situations where identity verification can be useful include:


  • Password resets

  • Call center transactions

  • Access to age-restricted content or purchases

  • Social network memberships

  • Claims processing

  • Account changes and updates




  •  
  •  
  •  


A range of identity verification products

here are numerous identity verification solutions that compare entered data to that which is found in data bases. Among the vendors in this category are:


  • Electronic Verification Systems

  • Equifax

  • Experian

  • IDology

  • LexisNexis

  • RSA

  •  

Now, getting back to our dog on the Internet…

With identity verification, someone might just discover that Fido is a dog before he ever gets to create his online dating profile. Poor Fido.

You May Also Be Interested In: