Secure, Frictionless Digital Services During COVID-19 and Beyond
Digitally, there is also an increase in fraud and identity theft, which makes it more difficult to reliably verify that online visitors are who they...
Secure, Frictionless Digital Services During COVID-19
<strong>The Covid-19 pandemic and subsequent economic recession is increasing the demand for federal, state and local government services, often online, like never before.</strong>
At the same time, government agencies must contend with increasing cybersecurity threats. New expectations of customer service are driving agencies to revise their approaches to digital identity management as more people transact and interact with government services online.
Digitally, there is also an increase in fraud and identity theft, which makes it more difficult to reliably verify that online visitors are who they claim to be. To provide constituents with frictionless access to critical services while preventing fraud, it’s critical for government portals to have a global view of their citizens and customers so they can assure identity.
How can you confidently verify that the person on the other end of the line is who they claim to be?
This ebook will discuss a critical missing piece in many digital government strategies: global digital identity assurance – and how LexisNexis® Risk Solutions can help agencies defend against cybercriminals while protecting the experience of legitimate and trusted users.
What is digital identity assurance?
Digital identity assurance is a way of verifying that a citizen’s claimed identity really matches with their digital footprint online.
Before allowing access to an account or green lighting any high-risk transaction, government agencies must authenticate the citizen’s identity and assess the overall risk of the transaction.
You need fast, automated, digital authentication to differentiate a trusted citizen from a cybercriminal, beginning with account origination to every visit and transaction that follows.
From a high-level perspective, digital identity verification is using analytical models to match digital intelligence that’s gathered during that online event with known digital identities and threat intelligence. For example, these analytical models might look to see if a citizen is:
• Gaining access using the same device they’ve used before
• Located in the typical places where they normally access government services
• Employing similar typing patterns that they usually do
• Using a direct connection or is it going through an unusual route to get to the site
The models also look for any signs of compromise around the device that may have put it at risk.
What are the most common threats to government digital services?
Government agencies may find themselves wondering if fraudsters will ever really get into their systems. The answer is yes they will, if proper securities against risks aren’t in place. We should be thinking about the kinds of cyber threats that are going to come to us – and what methods they use.
The biggest threat is that fraudsters are using stolen identity data to register for services or to take over existing accounts because they got access to a citizen’s credentials.
Synthetic identities are another threat, whereby identities are pieced together from real identities – they can pass certain verification tests but ultimately they’re creating a fictitious person that can be used.
And, there are sites being used to test stolen credentials to see if those credentials are valid. This is typically done through automated bot attacks, as well as complex multi-channel attacks – they may just be doing a single attack on your site or it might be a sign of a larger network attack.
How real is the threat for government services?
Isn’t it more lucrative for bad actors to be looking at e-commerce and online banking? Let’s take a look at how these threat vectors are coming at government agencies.
Historically, e-commerce, along with banks, were the biggest targets for fraud. Above is an example of a fraud network from the H2 2019 Cybercrime Report where we analyzed the events in our global network and looked to see where the fraud was occurring.
The different colors in the network reflect different industries: dark blue is banks or financial institutions, light blue is e-commerce, and green is media, such as streaming media or telecommunications. Note the countries as well – what we’re seeing is that these fraud networks are cross-industry, cross-geography and ultimately they’re looking for where they can get financial gain.
Here is an e-commerce example that’s parallel to government services:
Airline loyalty programs – For many years, people collected air miles and you couldn’t do much with them aside from buying a ticket or maybe an upgrade. You have to be a brave fraudster to take over an airline account, book a ticket, and then try to get on the airplane. But we’ve seen changes to air mileage programs in the last few years – they can be monetized in a variety of ways now, such as using miles to buy expensive cosmetics free or a large new TV. Suddenly, we have a real problem with fraud in airline loyalty programs.
With government services, it’s very similar. Most government services interactions were physically face-to-face, but we’ve seen a shift into the digital space, which has accelerated since the COVID-19 pandemic.
Fraudsters are absolutely aware of this and see an opportunity because ultimately there’s money to be made from defrauding those services.
Aren’t multiple user codes, difficult passwords for our accounts, one-time passwords sent by short messaging services (SMS) or email for verification, enough to keep us protected?
It gets tricky because we have to balance security and user experience. You can have username and password together combined with a secondary authentication step, which might be one-time password or knowledge-based authentication (KBA) questions, but as they’re put in place it’s not always the most streamlined experience for the citizen. At the same time, you’re trying to give them access to your services as easily as possible.
In addition, each of those authentication techniques in turn has a risk of compromise – who doesn’t use the same password maybe on one or two different sites? All you need is a breach somewhere that may not have to do with a government service, but fraudsters will test that username and password across any site they can think of using automated techniques, putting government agencies at risk.
The one-time password virus seems to affect the ability to effectively take over someone’s mobile phone number – redirecting where those one-time passwords are going is a known problem so that needs to be considered as well. And with KBA questions, fraudsters can sometimes answer those questions better than we can if they do their research ahead of time on social media.
It isn’t that these techniques aren’t effective, but the idea is to build some kind of layered approach and put risk assessment in place ahead of using these different authentication approaches.
What is a layered approach to identity assessment and how do citizens actually interact with it?
Most of us have experienced signing onto a site and the site offers to give us a password we will never remember, so we often take an easy way out and use existing passwords.
<strong>How would a layered approach help with this situation?</strong>
The first layer should be a risk assessment for digital identity. Imagine this as being an entry checkpoint as you begin to access your services. What is the risk right at the beginning? This is an invisible digital identity check, or the gathering of user interactions in digital environments without interrupting their activity.
That leads to the three layers – a multi-layered approach:
Physical identity assessment. Historically, identity verification meant validation of physical customer identity data. You verified a person’s physical documents. However, as more transaction channels have been adopted, physical documents alone aren’t enough. We know that physical identifiers could be compromised, or even synthetic.
To gain a more holistic view of the identity, risk and opportunity you must combine physical identity verification with digital identity proofing solutions. You need intelligence related to devices, locations, identities and past behaviors to accurately distinguish between trusted and fraudulent users.
Authentication. With this in mind, an authentication layer such as a username and password can help further validate. This approach is sufficient if we can see that the user is accessing with their usual device in their usual location, and that they get their username and password correct. However, if the risk assessment early on has highlighted some discrepancies or concerns, then extra layers of authentication can be added. This may include sending a one-time password or asking a series of knowledge-based authentication questions or out-of-wallet questions, which are not based solely on identity data, for example.
Investigation and review layer. The last layer is typically for a very small percentage of high-risk events that are placed in a “holding pattern” or on a temporary block while the person is validated in a different way. Or, they may be allowed entry but an alert is sent internally for someone to physically validate– especially if it’s an onboarding process when someone is registering for a new service, in order for a human to review, as well and not allow it to be fully automated.
One last point on this: LexisNexis Risk Solutions publishes a True Cost of Fraud Study every year where we look at the financial impact of fraud and how to prevent it. The two graphs above show the difference between using a single or limited layer for prevention approach versus a multi-layer approach using the layers we’ve described. It’s clear that if you’re using a multi-layered approach, you can not only reduce the number of successful fraud attempts, but you can also reduce the actual cost of any fraud that still actually gets through. It’s quite clearly defined across the different industries that we mentioned that having a layered approach can be financially valuable to agencies.
How does that digital identity assessment actually work?
When we talk about the layered approach, the entry point is the digital identity assessment. How is that different from our traditional thinking about identity management and how can we think about having a layered approach that’s still citizen-centric, so the citizen may not necessarily have to see or know that there’s a layered approach and it’s going on in the background?
The fundamental difference is that digitally, you’re able to gather digital intelligence in the background on the site that the citizen is navigating. That assessment can be done unobtrusively and can also be combined with physical identity data that’s being entered into the form, whether it’s a login page or an onboarding form. That’s a great user experience because we can be making the assessment before we decide to potentially step into the journey. It’s a rules-based policy, it’s a model where you know how to define the risks and could potentially be find-tuned accordingly based on certain levels and risk thresholds.
The key is that this is a pure “software as a service” approach that is also future-thinking, so as we see new threats emerging and different trends occurring, the models update the intelligence that you can gather digitally and continue to develop with new browser versions and new mobile app versions. And, it’s used across the customer base, so private sector organizations, such as banks and e-commerce sites, that were those early targeted organizations, are always looking to push the boundaries for risk prevention for their customers.
This solution that’s continually being fine-tuned against the latest attack trends can also help government agencies.
We’ve mentioned this is a “software as a service,” so it’s not anything that has to get implemented on the user end and there is some integration involved. We’ve also talked about how it helps from a fraud, waste and abuse perspective.
What are some of the other benefits that agencies can receive with that mindset of digital identity assessment?
The critical step is that you’re able to do that risk assessment before moving fully into the onboarding or authentication process, so right at the beginning you can decide if there a threat — and if there is, you can choose to intervene and do some extra validation. You can layer on top of what you already have in place so your existing digital and physical identity verification and authentication tools don’t have to be taken away.
You can just layer on top and use those layers in a more dynamic process. It also allows the opportunity to gain that single view of the citizen from a digital identity point of view, which could be very useful if you’re offering multiple government services. Ultimately, the goal is to prevent external threats and protect your customers, while reducing friction and improving the overall citizen experience.
As to the software as a service approach, it sounds like this is something that can be and should be implemented enterprise-wide. While individual agencies, for instance state or local governments, might bring it on, is this also something that would be an important approach across the enterprise?
Also, as we talk about digital identity assessment as well as the overall layered approach, what’s the potential for a false positive in terms of what the process would detect?
First, anywhere there is a digital interaction, either with systems or with employee access, the digital identity assessment can be layered.
As far as false positives, with a risk-based approach, it’s not black and white. You’re getting a risk score that’s between 100% risk and 0% risk — so, for example, if the risk is above a certain threshold you may not refuse access, but you’ll put them through an extra challenge question or some other authentication technique that enables you to verify that they are who they say they are.
A risk-based approach is completely different from a traditional authentication approach where you either do or don’t get in – here, you have the ability to effectively define how the customer journey works and determine those thresholds in the model that will enable you to decide how you want to work with the false positives. There are always false positives in every system and you look to use layering in the most effective way to enhance the customer experience, while still keeping the majority of the fraud and cyber threats out.
Let’s talk about behavioral biometrics. This solution looks at the behavioral side to track how someone normally uses their device and then uses that as an identifier.
Where do you see behavioral biometrics coming into play and how are they part of digital identity assurance?
With pure biometrics, you’re looking at fingerprints, or facial or voice recognition — which of course impacts the customer journey. Users have to put their fingerprints on their device’s sensor or look at the screen, which can be strong authenticators in the same way as a username and password are, except people can’t steal your thumb or your face!
So biometrics are very effective for authenticating that the person is who they say they are, but they can be quite intrusive into users’ system journey.
Behavioral biometrics, on the other hand, is an extension of traditional digital intelligence because it’s an extra layer where you can transparently gather certain patterns associated with how users type or hold a device. With all the sensors in a modern mobile phone, why not use them as part of your digital intelligence analysis, from a risk point of view?
Behavioral biometrics help with validating that it’s the same user who may be using a new device or doing something slightly different. For example, if the signature and the way they interact with their device matches the signature that we’ve seen before, this is another indicator that it really is the digital identity that we’ve known before associated with you.
When talking about biometrics and behavioral indicators, are there concerns in terms of citizen privacy?
The way our digital identity verification solution works is that the digital identities are tokenized, so they’re anonymous. What that means is that in our global digital identity network, we have digital identities that we can match to validate whether this the same digital identity that is now actually accessing the account — but we don’t need to know who that digital identity is or who they’re linked to that’s outside of what our solution does.
Our solution is purely saying that for this login right now, this application online, can we confirm that the digital intelligence we’re gathering matches a digital identity that we’ve seen in the network? And, have either the government or other organizations assigned trust to that digital identity, or highlighted that there’s potential risk associated with digital identity — all without knowing who that digital identity actually is.
To wrap it up...
These days, the demand for online federal, state and local government services is at an all time high. This also means that agencies must contend with ever increasing cybersecurity threats.
LexisNexis® Risk Solutions provides government agencies with a precise risk perspective that enables them to better identify and isolate fraud without impacting trusted customers. Our solutions leverage the power of more than 83 billion data records augmented by digital identity coverage of the LexisNexis® Digital Identity Network® combined with machine learning, Artificial Intelligence (AI) and technology automation.
Click here to learn more about how our suite of solutions can help government agencies optimize data quality and security without compromising the citizen's online experience.