Richard Tsai, Head of Markets, Product Marketing, Global Fraud Solutions
01/19/2023
Blog
The entire TransUnion TruValidate team is thrilled to have been named as a Leader in The Forrester Wave™: Identity Verification Solutions, Q4 2022. We believe we were recognized for delivering value to our clients with real solutions to real problems, which is incredibly gratifying. Beyond the value of an independent vendor evaluation, it’s helpful to point out what we learned about Identity Verification (IDV) from the rest of the Forrester report.
The reality is that our identity is not private — chances are that some or all our personal identity has already been stolen. The unrelenting pace of data breaches resulted in 165 million individuals impacted by data compromises from January to the end of September 2022, according to Sontiq, a TransUnion Company.
“With the rise of identity theft across all industries, digital IDV is becoming more central to the customer digital journey. Firms should only issue login credentials to legitimate users after the successful completion of an IDV process,” according to the Forrester report.
As a fraud professional, one’s default perspective should assume all identity data is compromised: living somewhere on the dark web where criminals can access it and will attempt to use it. Taking steps towards ensuring that consumer information is not being used to open fraudulent accounts, nor that parts of consumer identities are used to create synthetic identities to bypass fraud controls, is all of our responsibility.
The critical issue is determining how to keep our fraud controls from becoming overly intrusive or burdensome on the customers we’re trying to serve. This is especially true for organizations whose prospective customers require an application to access services. Online applications are the gateway fraudsters use to leverage stolen identities to open new accounts and perpetrate fraud:
Bank accounts
Credit cards or other loans
Store cards
Mobile phone accounts
Government benefits (e.g., unemployment benefits)
The great challenge with online applications is that the applicant is basically anonymous at the start of the process. Identity proofing, the process of verifying the identity of a person, involves collecting and verifying information about a person's identity to establish they are who they claim to be. But because the interaction is happening digitally, the device and the user session becomes the proxy to the applicant. The device should be assessed for fraud risk without causing unnecessary friction to the applicant, such as delaying their auto-approval, or waiting for more information to complete a data append, both of which can feel burdensome for the user.
According to the Forrester report, customers looking for IDV methods should search for these key IDV capabilities:
“Provide phone-number-based verification for low-friction, implicit IDV.”
“Allow for email-address-based verification that is inexpensive and unobtrusive.”
“Detect known fraudsters and nonhuman activity with behavioral biometrics.”
Device proofing assesses the risk of the identity operating the device by evaluating information about a device in order to establish that it is has not been used to commit fraud in the past, and that it is in the hands of the authorized user, and that it is being used in a way commiserate with typical consumer behavior (as opposed to fraudster behavior). Device proofing leverages a multi-prong approach to risk assessment:
Device fingerprinting
Device-to-identity linkages
User-behavior analysis
Device fingerprinting (or device reputation tracking) plays a prominent role in assessing risk online, applying historical activity and consortium data to determine whether a device has been linked to fraud in the past. The reputation of known devices helps organizations assess risk. But there’s a danger in relying exclusively on device reputation: fraudsters often cycle through real or emulated devices to thwart the tracking of previously seen devices. Unknown devices may present a question mark to a device fingerprinting solution, leading to an increase in fraud risk, false positives and unnecessary friction. Without additional risk signals, there’s no way to determine whether the users behind new devices deserve a warm welcome or additional scrutiny.
Device-to-identity linkages are the linking of online and offline consumer data with data inherent to the device; this provides additional signals to help determine whether a device is in the hands of the individual who owns it, and these hundreds of signals and their interrelationships provide the clear intelligence needed to help distinguish legitimate consumers from potentially risky parties. The more positive signals connecting a device to the person behind the device — including email address, phone number, carrier reputation, whether the phone has recently been ported and IP-based behavioral attributes — the more confidently organizations can decrease manual reviews and unnecessary friction, reduce false positives and mitigate fraud.
User behavior analysis focuses on the way that users physically interact with their devices and engage with organizations’ online properties. This further distinguishes genuine consumers from the typical activity of fraud rings. For example, legitimate users enter personal information into an account application with minimal hesitation or correction, while bad actors attempting to impersonate consumers may pause to look up required information or edit answers. The discrepancy in behavior serves as a multiplier, calling greater attention to risk signals that may not otherwise command the scrutiny of a fraud prevention program.
Device proofing is the amalgamation of these complementary identity verification techniques, layering insights about device reputation, device-to-identity linkages and user behavior into a decisioning rubric that helps identify good consumers while reducing false positives, undue escalation friction and manual reviews. Low-risk devices and behavior receive expedited customer experience, while higher-risk devices and behaviors encounter additional verification steps. By leveraging a wide range of identity signals in the background and assessing the connections between these signals, organizations can more confidently secure trust across channels, while delivering improved customer experiences.
To receive even more insights on the IDV landscape and Forrester’s criteria and methodology in their latest Identity Verification Wave, attend our upcoming webinar featuring Andras Cser, Forrester vice president and principal analyst and the lead author of the Wave. You can also click here to receive a complimentary copy of the Forrester Wave™.
Register for our webinar, Navigating Identity Verification Solutions.
Learn more about TransUnion’s TruValidate Device Proofing, and how it has made a difference for TransUnion customer Poshmark.