10 Aug 2022
Identity theft is one of the most common and largest scale crimes in the unfortunately consistent and growing threat of global online crime.
At the heart of the threat, in almost everyone one of these hacks, is the breach of privacy and theft of personal data – data which can then be used to commit further crimes.
“Cybercrime on a massive, organised scale is unfortunately now part of our lives and it must be tackled on multiple fronts. Secure, efficient and trusted Digital IDs are a key weapon. But critically, we must also be able to trust those who are providing and managing the Digital IDs …”
That’s why one of the most important challenges facing society - and particularly digital financial services and commerce - is identity security. A stolen identity can be used against the individual and against a financial institution or merchant.
For those old enough, there was a time when the internet promised complete anonymity – a New Yorker cartoon captured the times perfectly with a dog on the keyboard and the caption “on the internet, nobody knows you’re a dog”.
Today, not only does almost anyone know you’re a dog but they know what kind of dog, where you live, what dogfood you like, what you like to bark at and even that, secretly, you’re quite fond of cats.
Moreover, criminals will try and hack your personal dog details and sell them on the dark web where someone else – not necessarily another dog – will try to use them for illicit purposes such as stealing your NFTs (non-fungible token) of bones.
That means one of the great challenges for the digital world is identity security.
I’ve had my own identity stolen and used to set up fake bank and telco accounts. According to the investigation, the necessary details – name, address, mobile phone number, licence number – were obtained from the breach of systems at a car rental firm.
A former colleague had a similar experience after providing personal details to a real estate agent.
The challenge is how do we balance the genuine need for firms like these and many others to know you are who you say you are while you remain comfortable those very specific details are secure and can’t be used for nefarious purposes?
A secure system of digital identification is a logical answer. You can provide your Digital ID to a company, a financial institution, a government agency without the tedium and security risk of providing evidence such as photos, passport or licence numbers or other details.
Banks, because they are heavily regulated and trusted (even if they are not always liked) are very well positioned to play a role in the provision and custody of these identities. And trust is even more essential in a digital world.
“The banking system exists on a web of trust. Indeed, the etymology of the word ‘credit’ stems from the Middle French term for belief or trust,” says Pablo Hernández de Cos, Chair of the Basel Committee on Banking Supervision and Governor of the Bank of Spain, in a speech “Trust, digitalisation and banking: from my word is my bond to my code is my bond?”
“Trust outranks virtually every other factor – including price and service quality – when it comes to consumers' choice of banks.”
Consultancy McKinsey & Co sees opportunity as well as risk management: “(our) research indicates that organisations that are best positioned to build digital trust are also more likely than others to see annual growth rates of at least 10 per cent on their top and bottom lines. However, only a small contingent of companies surveyed are set to deliver.”
Banks however don’t have a monopoly in this new world. De Cos went on: “You may have noticed that I have been referring to ‘banking’ and not ‘banks’. What matters when it comes to securing trust in banking is not so much the specific entities involved, but rather the extent to which entities that provide banking services are subject to relevant regulatory and supervisory requirements.”
Identity security is fundamental.
A BIS research paper on cyber risk in central banking noted “the new digital perimeter that must be protected has shifted to identity – the cornerstone of modern security controls in the cloud – and the primary control enforcement on users, devices and data.”
To de Cos’s point this is about banking and not banks per se. As new competitors such as big techs, fintechs, neo-banks and non-banks enter the market and the provision of banking services becomes more fragmented, the importance of secure – and efficient – identity management becomes more and more important.
Inevitably, all financial services are going to outsource more of what they do as they seek to expand their ecosystems, partnering with fintechs, using the cloud, joint venturing with other organisations. “Banking as a service” – BaaS – is already entrenched in the financial system.
That brings its own risks.
“The growth of the fintech industry, of banking-as-a-service (BaaS), and of big tech forays into payments and lending is changing banking, and its risk profile, in profound ways,” argues Michael Hsu, the US Acting Comptroller of the Currency in a paper “Safeguarding Trust in Banking: An Update”.
“How do banks and their third parties view and treat customers in bank-fintech arrangements - when do customers go from being the client to becoming the product and how are consumer protections maintained? How resilient are banking services to stress at fintechs? What happens when fintechs fail?
“The ‘de-integration’ of banking services that is taking place now has its roots in technology, data, and operations and is affecting all banks, not just the large, money centre banks. My strong sense is that this process, if left to its own devices, is likely to accelerate and expand until there is a severe problem or even a crisis.”
Like so many elements of our new digital world, the attractions are immediate but the risks – and costs – only become obvious after things fail and we have the mass hacking of personal details or failures like those in the cryptocurrency world.
Trusted Digital IDs are not the complete answer but they are certainly a vital step forward.
And they are an opportunity.
According to digital intelligence service CB Insights, in a report on Web3, “while a fully decentralised, third version of the internet may still be a distant vision, there are a number of use cases that are gaining traction” - and digital identity provision is one.
CB Insights acknowledges a major challenge for Web3 is “how to verify and track user identity. This is where a decentralised identifier (DID) comes into play.”
This particular version of a Digital ID, a “DID is a string of numbers and letters that underlie apps called ‘identity wallets’. These wallets contain verified credentials and other data that a user generates on the blockchain. The identity wallet grants its owner access to applications.”
DIDs allow users to create a decentralised identity, encrypting digital identity attributes and decentralising the storage of identification documents, like ID cards and passports.
“This is particularly useful for secure identity verification for Know Your Customer requirements (required by banking regulators),” according to the firm.
Cybercrime on a massive, organised scale is unfortunately now part of our lives and it must be tackled on multiple fronts. Secure, efficient and trusted Digital IDs are a key weapon. But critically, we must also be able to trust those who are providing and managing the Digital IDs …
Andrew Cornell is Managing Editor of bluenotes
The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
10 Aug 2022
24 Aug 2022