This blog post has been coauthored with Karen Lewison
In recent posts we have been concerned with online credit card fraud and how to fight it using cardholder authentication. In this post we are concerned with another kind of financial fraud, known as application fraud or new account fraud. Both kinds of fraud have been rising after the introduction of chip cards, for reasons mentioned by Elizabeth Lasher in her article The Surge of Application Fraud:
“Due to the high volume of data breaches, Social Security numbers, mailing addresses, passwords, health history, even the name of our first pet is all for sale on the Dark Web. When you combine this phenomenon with the economic pressure applied on fraudsters to find a new cash cow after chip and signature plugged a gap in card-present fraud in the US, there is a perfect storm.”
The term “application fraud” refers to the creation of a financial account, such as a bank account or a mortgage account, with the intention to commit fraud. Application fraud can be first-party fraud, where the account is opened under the fraudster’s own identity, or third-party fraud, where the fraudster uses a stolen identity. Here we are primarily concerned with the latter.
Third-party fraud in online applications
Third-party application fraud is greatly facilitated by the trend to allow new customers to create accounts online.
In the old days, the only way for a customer to open a bank account was to go to a branch and present a physical credential such as a driver’s license or passport, and paper documents such as, in the US, W2 forms, tax returns, pay stubs and bank statements. Similar documentation had to be provided in person to the lender when applying for a mortgage. This provided reasonably strong assurance as to the identity of the applicant. The process of verifying the physical credential and documentation is sometimes called “identity proofing”.
Today accounts are often opened online, relying on knowledge-based authentication (KBA) to identify the applicant, in combination with AI software that uses machine learning for fraud detection. But as the answers to KBA questions are often available on the dark web, such identification is unreliable. That’s a problem.
Selfie and photo ID is not the solution
Some identification service providers try to solve this problem using a physical credential such as a driver’s license or a passport for remote identification. They require the applicant to upload a selfie and a picture of the credential and they use a face recognition algorithm to compare the selfie to the photo of the applicant in the credential. But this identification method is insecure. The combination of the selfie and the picture of a driver’s license can be phished and used to impersonate the applicant, just like a password can be phished and used to log in as a web site user, credit card data can be phished and used for card-not-present fraud, and, before chip cards, data in the magnetic strip of a card could be skimmed and used to clone the card.
If the bad practice of asking for a selfie and a picture of a driver’s license for a variety of purposes proliferates, it will not take long before images of driver’s licenses and corresponding selfies become available for purchase on the dark web, if they are not available already.
Some identification service providers ask for a video instead of a selfie, for “liveness detection”. If liveness detection is understood as just meaning that the face of the applicant is seen moving in the video, this is also insecure because the video is just as phishable as the selfie. Unphishability requires full-fledged presentation attack detection: the video must be taken in real time and uploaded as a visual or audio-visual stream where the applicant is seen performing actions in response to prompts; and the entropy of the set of actions that the applicant may be asked to perform must be high, just like the entropy of a password must be high, so that the probability that those actions are the same as those in a video purchased on the dark web is negligible.
Using a financial credential to apply online for a financial account
We propose to solve the problem by using a digital financial credential for remote identification instead of a physical general-purpose credential. The financial credential would be issued to a financial customer upon successful in-person proofing, and would then allow the customer to open financial accounts online without having to go through the in-person proofing again. This would combine the security of in-person proofing with the convenience of online account creation.
An ordinary cryptographic credential, consisting of a private key and an X.509 public key certificate, could be used as the financial credential. Modern web and mobile technology would allow the financial credential to be stored in an ordinary web browser, where it would be controlled by a JavaScript service worker and protected by the same origin policy of the Web, or in a native app provided by the credential issuer. A cryptographic credential is unphishable because the private key never leaves the computing device where the credential is kept, and would thus provide strong security.
But we propose a solution that provides even stronger security, together with privacy protection and convenience for the customer.
As the financial credential we propose to use a novel kind of cryptographic credential called a rich credential. A rich credential also contains a private key and a public key certificate, but the public key certificate is a rich certificate instead of an ordinary X.509 certificate.
An ordinary certificate contains a public key, attributes that identify and provide information about the subject of the certificate, metadata such as a validity period, and a digital signature computed by the issuer on the contents of the certificate other than the signature itself. A rich certificate provides stronger security because it also contains verification data that supports multifactor authentication.
A rich certificate supports authentication with the golden combination of factors consisting of something that the subject has (the device containing the private key), something that the subject knows (a password or PIN), and something that the subject “is” (a person having a biometric trait). If a password factor is used, the password is verified against data included in the certificate, rather than against data such as a salted cryptographic hash previously registered with the verifier (the verifier being the financial institution where the new account is being opened in the case at hand). If a biometric factor is used, a biometric sample is submitted to the verifier with presentation attack detection, and also verified against data in the credential. In the financial credential that we are proposing the biometric factor would be face recognition supported by the inclusion of a facial image in the rich certificate, and presentation attack detection could be performed by conducting a video interview of the applicant using an AI-powered robot, with human backup.
Protecting the applicant’s privacy
Besides containing data that supports multifactor authentication, a rich certificate differs from an ordinary certificate in that the signature is computed on selected data that includes an omission-tolerant checksum on the attributes and verification data instead of the attributes and verification data themselves. This makes it possible to omit attributes and/or verification data when the certificate is presented without invalidating the signature.
When a customer applies for a financial account, using a rich credential as the financial credential for applicant identification will allow the financial institution to only see the attributes of the applicant required for opening the particular account that the customer is applying for, thus fulfilling the privacy principle of data minimization. It will also allow the applicant to only disclose the data needed to verify the authentication factors required by the financial institution. In particular, the applicant will be able to omit the facial image when presenting the rich certificate if the financial institution does not require face recognition.
When the financial institution does require face recognition, using a rich credential as the financial credential protects the applicant’s privacy by the fact that the face recognition is performed against a facial image contained in the credential rather than in a database of facial images. Not storing the facial image in a database eliminates the risk of exposing it to a database breach, which is the main privacy concern raised by the use of face recognition.
Modulating the risk/convenience tradeoff
Besides privacy, the use of the omission-tolerant checksum provides convenience for the applicant by making it possible to adapt the amount of effort required to prove his or her identity to the level of risk associated with the account to be created. For a low-risk account, the financial institution may only require the proof-of-possession factor, which can be presented automatically without any effort by the applicant. For a higher risk account it may require the applicant to supply the password. For a very high risk account, it may further require face recognition with presentation attack detection.
The level of risk to be used in adjusting the risk/convenience tradeoff need not be determined exclusively by the kind of account being applied for and by account parameters such as a credit limit. It may be evaluated by risk assessment and fraud detection software using all knowledge about the application gathered by the financial institution.
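The following is an added, simplified illustration of the three ideas above (signature over a checksum of commitments rather than over the attributes themselves, selective omission of attributes and verification data, and a verifier policy that demands more factors as account risk rises). It is not the authors’ rich-credential construction or Pomcor code: a per-field salted SHA-256 commitment and a hash over the sorted commitments stand in for the omission-tolerant checksum, an HMAC under a constructed issuer key stands in for the issuer’s digital signature, a boolean stands in for the private-key proof of possession, and byte equality stands in for face matching; all names and sample values are constructed.

```python
# Added illustration (not the authors' rich-credential construction): the
# issuer signs a checksum over per-field commitments, so the holder can omit
# fields without invalidating the signature, and the verifier asks for only
# the factors its risk policy requires. All stand-ins are labelled below.
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

ISSUER_KEY = b"constructed-financial-ca-key"  # stand-in for an asymmetric signing key


def commit(name: str, value: bytes, salt: bytes) -> bytes:
    """Commitment to one field: H(name || salt || value). The salt keeps a
    low-entropy field (e.g. a date of birth) from being guessed from its hash."""
    return hashlib.sha256(name.encode() + b"\x00" + salt + b"\x00" + value).digest()


def checksum(commitments: Dict[str, bytes]) -> bytes:
    """Stand-in for the omission-tolerant checksum: hash of the sorted commitments."""
    h = hashlib.sha256()
    for name in sorted(commitments):
        h.update(name.encode() + b"\x00" + commitments[name])
    return h.digest()


def issue(attributes: Dict[str, bytes], password: str, face_image: bytes) -> dict:
    """Issuer (Financial CA) side. Password verification data is a salted hash
    carried inside the certificate; the facial image is a field like any other."""
    pw_salt = secrets.token_bytes(16)
    fields = dict(attributes)
    fields["pw_verifier"] = pw_salt + hashlib.sha256(pw_salt + password.encode()).digest()
    fields["face_image"] = face_image
    salts = {n: secrets.token_bytes(16) for n in fields}
    commitments = {n: commit(n, v, salts[n]) for n, v in fields.items()}
    signed = {"subject_key": "constructed-subject-public-key", "checksum": checksum(commitments).hex()}
    sig = hmac.new(ISSUER_KEY, json.dumps(signed, sort_keys=True).encode(), "sha256").hexdigest()
    return {"signed": signed, "signature": sig, "fields": fields, "salts": salts, "commitments": commitments}


def present(cert: dict, disclose: set) -> dict:
    """Holder side: reveal only the chosen fields (value + salt); everything else
    travels as an opaque commitment so the checksum can still be recomputed."""
    return {
        "signed": cert["signed"],
        "signature": cert["signature"],
        "disclosed": {n: (cert["fields"][n], cert["salts"][n]) for n in disclose},
        "commitments": {n: c for n, c in cert["commitments"].items() if n not in disclose},
    }


def required_factors(risk: str) -> set:
    """Verifier policy mirroring the post's risk/convenience tradeoff."""
    return {"low": {"possession"},
            "medium": {"possession", "password"},
            "high": {"possession", "password", "face"}}[risk]


def verify(presentation: dict, risk: str, password: Optional[str] = None,
           live_face: Optional[bytes] = None, proof_of_possession: bool = True) -> Tuple[bool, str]:
    """Verifier (financial institution) side. Returns (accepted, reason)."""
    # 1. Issuer signature over the signed part (HMAC stands in for a signature).
    msg = json.dumps(presentation["signed"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(ISSUER_KEY, msg, "sha256").hexdigest(), presentation["signature"]):
        return False, "bad issuer signature"
    # 2. Recompute the checksum from disclosed fields plus undisclosed commitments;
    #    any altered or substituted field breaks the match.
    comms = dict(presentation["commitments"])
    for n, (v, s) in presentation["disclosed"].items():
        comms[n] = commit(n, v, s)
    if checksum(comms).hex() != presentation["signed"]["checksum"]:
        return False, "checksum mismatch (field altered or substituted)"
    # 3. Only the factors the risk level demands; data for others may be omitted.
    need = required_factors(risk)
    if "possession" in need and not proof_of_possession:  # boolean stands in for key challenge
        return False, "missing proof of possession"
    if "password" in need:
        pv = presentation["disclosed"].get("pw_verifier")
        if pv is None or password is None:
            return False, "password verifier not disclosed or password not supplied"
        salt, digest = pv[0][:16], pv[0][16:]
        if not hmac.compare_digest(hashlib.sha256(salt + password.encode()).digest(), digest):
            return False, "wrong password"
    if "face" in need:
        img = presentation["disclosed"].get("face_image")
        if img is None or live_face is None:
            return False, "face image not disclosed or live sample missing"
        if img[0] != live_face:  # byte equality stands in for face matching with PAD
            return False, "face mismatch"
    return True, "ok"
```

For a low-risk account the holder discloses only the attributes the institution needs and the verifier never sees the password verifier or the facial image, which is the data-minimization point of the post; raising the risk level changes what the holder must disclose, not the certificate or its signature.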
Who will issue financial credentials?
Good question.
Cryptographers refer to an entity that issues public key certificates as a Certificate Authority (CA). So a company issuing the financial credentials that we are proposing would be a Financial CA. But that does not mean that it would have to be one of today’s existing commercial CAs. Issuing certificates requires specialized hardware, software and expertise, but all that can be readily acquired from a CA industry that is highly mature. On the other hand a Financial CA must be widely trusted by the financial industry, and that trust is not something that can be readily acquired.
A Financial CA must have fraud detection expertise, for two reasons. First, at credential-issuance time, the expertise is needed to avoid issuing a financial credential to a suspected fraudster. Second, although applicant identification is an effective defense against third-party application fraud, it does nothing against first-party application fraud. At account-creation time, a Financial CA must provide revocation-checking services and may also provide credential-verification products. It would make sense to package together those products and services with products and services for detection of first-party application fraud and evaluation of credit risk.
Therefore a good candidate to become a Financial CA would be a company that is widely trusted by the financial industry and has fraud detection products and services.
Cryptographers also have the concept of a Registration Authority (RA). A CA may outsource to an RA the task of in-person identity proofing, thus allowing the CA to issue a certificate without having to interact face-to-face with the subject of the certificate. This division of labor would be well suited to the case at hand, because a company may be a good candidate to become a Financial CA but not have the brick-and-mortar facilities required to perform in-person proofing. Such a company could outsource the in-person proofing to a network of Financial RAs.
In addition to performing in-person proofing, a Financial RA would obtain the facial image to be included in the rich certificate component of the financial credential. The Financial RA would transmit the image to the Financial CA and then delete it from its own image acquisition and computing equipment. Then the Financial CA would include the image in the rich certificate and delete it from its own computers. After issuance of the financial credential, the image would only exist in the rich certificate.
We now have another good question: who will be the Financial RAs?
It would make sense for banks with brick-and-mortar branches to perform the role of Financial RAs. They already perform in-person proofing for a new customer who visits a branch to open an account. A facial image could be obtained during the visit and provided to the Financial CA together with the results of the in-person proofing, thus allowing the new customer to obtain a financial credential in addition to opening the account. This would be a valuable benefit that the bank could advertise to attract new customers. Furthermore, the in-person proofing could be simplified or omitted for existing customers by relying on their ongoing relationship with the bank and earlier proofing for identification. This would make it easy for those customers to obtain a financial credential that could be used to apply for mortgages or open any kind of financial account online with security and convenience.