Examples of Identity Fraud Prevention By Means of High Assurance Authentication
Let's first define "identity fraud" more precisely to include:
- Using stolen credit card numbers to make purchases.
- Using stolen checking account information to steal money from someone's account via ACH transactions.
- Breaking into someone else's online financial accounts using stolen passwords and other credentials.
- Making fraudulent online payments using someone else's payment account.
- Establishing new credit accounts under another person's identity.
- Accessing online government services to make changes to addresses, beneficiaries, or other personal information.
- Medical identity theft; i.e., obtaining medical services and having the charges falsely billed to someone else, or fraudulently accessing the electronic medical records of others.
This definition encompasses a range of identity-related crimes that can harm the victim in a number of ways. This harm includes privacy breaches when sensitive financial and medical information is obtained by an unauthorized person, money stolen from the victim's bank account, charges billed to the victim that were incurred by the thief, erroneous and detrimental information appearing on the victim's credit report, and erroneous medical information appearing in the victim's medical record.
High assurance authentication can help to prevent these crimes by:
- Enabling single-use / one-time credit card numbers. A token could be used for online credit card payments by acting as a delivery vehicle for single-use / one-time credit card numbers. Tokens would presumably be easier to use and less cumbersome than current methods of generating single-use numbers.
- Preventing an unauthorized person from making an online payment from a checking account. A token could be used for authentication to an online banking account. A long-lived token would be sufficient, since it should not be necessary to use a trusted third party to provide verified identity claims each time the account is accessed. If the same token that was initially created and "bound" to the account during enrollment is used for subsequent account access, unauthorized persons would be unable to access the account unless they were able to somehow access and use the token. The private key for authentication of the token would act as a "something you have" authentication factor in a multifactor authentication scheme.
- Preventing an unauthorized person from accessing an online financial account; i.e., account takeover. The same token used for online banking access would also protect against fraudulent payments from the user's checking account, if new payment options such as Secure Vault Payments are used. This is because authentication to online banking would be accepted as authorization to make payments from a checking account linked to online banking.
- Preventing an unauthorized person from making a payment using an online payment service. A token could also be used for authentication to an online payment service, if the payment service can initially bind the self-issued card to an authorized user of the account.
- Enabling a trusted third party to authenticate claims of identity. A token issued by a trusted party such as a bank or motor vehicle bureau, and that can serve to provide verified identity claims on the basis of identity attributes such as name, address, birthdate, Social Security Number, etc., could be used to verify the identity of someone seeking to establish a new credit account, or a new relationship, with a service provider.
- Enabling a consumer to easily authorize a credit reporting agency, or credit bureau, to release the consumer's credit information only in response to legitimate requests for credit. A token issued by a credit reporting agency (credit bureau) could allow a consumer to authenticate to the credit bureau and authorize release of his/her credit file to a credit grantor.
- Preventing an unauthorized person from accessing electronic medical records. A token could be used as an electronic version of a medical insurance card, or other form of identification used for medical purposes. Such an Information Card might be used for online access to medical records.
Note that the kinds of authentication required to prevent
these different forms of identity fraud do not necessarily involve
authentication of a person's identity. In fact,
authentication of a claimed identity is really needed only when a new
account (or relationship) is being established, and it is important to
know the true identity of the person opening the account.
Once the account is established, authentication for subsequent
access to the account requires only verification that the person
seeking access is the same person who initially enrolled, or is otherwise authorized to do so. By analogy, consider the
ATM card. Possession of the card, and knowledge of the associated
PIN, doesn't serve to authenticate the holder's identity. It only
authenticates the holder's authority to access the account and withdraw
money.
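
The token binding described in the checking-account item and the ATM-card analogy above, shown as an added example (not code from the original page): a Node.js sketch in which a service binds a token's public key to an account at enrollment and afterwards accepts only a fresh challenge signed by that same token, without checking any identity attribute. The Ed25519 key type, the `AccountService` class, the function names, and the account id are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Token side: the private key stays inside the token ("something you have").
function createToken() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    publicKey: publicKey.export({ type: 'spki', format: 'pem' }),
    sign: (challenge) => crypto.sign(null, challenge, privateKey),
  };
}

// Service side (hypothetical): stores only the public key bound at enrollment.
class AccountService {
  constructor() {
    this.boundKeys = new Map(); // accountId -> PEM public key
    this.pending = new Map();   // accountId -> outstanding challenge
  }
  // Enrollment: any identity proofing happens here, once.
  enroll(accountId, tokenPublicKeyPem) {
    if (this.boundKeys.has(accountId)) throw new Error('account already bound');
    this.boundKeys.set(accountId, tokenPublicKeyPem);
  }
  // Subsequent access, step 1: issue a fresh random challenge.
  issueChallenge(accountId) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(accountId, challenge);
    return challenge;
  }
  // Step 2: accept only the bound token's signature over that challenge.
  verifyResponse(accountId, signature) {
    const challenge = this.pending.get(accountId);
    const pem = this.boundKeys.get(accountId);
    this.pending.delete(accountId); // each challenge is single-use
    if (!challenge || !pem) return false;
    return crypto.verify(null, challenge, pem, signature);
  }
}

// Constructed scenario: enrolled token, a different token, a replayed signature.
function demo() {
  const svc = new AccountService();
  const token = createToken();
  const other = createToken();
  svc.enroll('acct-1001', token.publicKey); // constructed account id
  const sigOk = token.sign(svc.issueChallenge('acct-1001'));
  const enrolledToken = svc.verifyResponse('acct-1001', sigOk);
  const otherToken = svc.verifyResponse('acct-1001', other.sign(svc.issueChallenge('acct-1001')));
  svc.issueChallenge('acct-1001'); // new challenge; the old signature no longer matches
  return { enrolledToken, otherToken, replay: svc.verifyResponse('acct-1001', sigOk) };
}
```

The service never learns who the holder is; it learns only that the holder controls the key that was bound when the account was enrolled.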