The Non-Intuitive World Of Authentication And Social Media

A cyberthief walks into a bank branch, fully prepared to impersonate his intended high-net-worth victim. Not only is he equipped with fake IDs in the victim’s name, lots of personal information courtesy of social and search engine research, but the thief has even taken the precaution of breaking into his victim’s social accounts and replacing his thief-like face for the victim’s on the victim’s own social sites. If anyone tries to check on the Facebook or LinkedIn site of the victim, the thief’s face would be confirmed.

The banker in this case sits beneath a tiny video camera, one that is aimed at the seat where customers sit and specifically the facial area of those customers. Controls of the banker-facing screen allow the image to be precisely aimed for customers of varying heights. And while the banker is pitching her safe-deposit boxes and other bank services, software does a quick check on the thief’s face. Sure enough, it matches the social media images—but the software notes that those images were all recently changed. The software’s database maintains a record of the last 10 images of everyone it can find—and that history of images foiled our thief’s efforts.

That is the scenario—based on systems in trial with various financial institutions today—spun by a security company called Socure. Their interesting approach is to leverage the vast data of social media—if I say “big data,” please punch me—but to use it authentication in non-traditional ways.

Consider facial recognition and image confirmation in general. In an online application, instead of using a desktop or mobile’s live facial image capture and trying to compare it with Web images of that person, the software does the opposite. It searches for an exact match for that image, on the premise that most thieves will use stock art images and photos they found somewhere on the site. It’s like visiting someone’s LinkedIn site and doing a right-click on that image to use Google Images to search for any instances of that image out there.

Another twist is trying to leverage social-media and geolocation. Scenario: Someone is trying to make a purchase in Argentina, but the software sees that they updated some social sites from New York ten minutes ago. Does that necessitate a fraud alert? The truth is that it depends on which social media site had just been updated.

Why? For a lot of business people, a Twitter or LinkedIn account could be populated by an assistant or colleague. Hence, a geographic difference there would be less of a concern than say Instagram, which is much less likely to be updated by anyone other than the actual user.

And social media is also, well, social. Bogus information or images are likely to generate baffled or suspicious comments from someone’s followers, friends or connections. That’s something else that the Socure software looks for.

“The basis of verifying a customer hasn’t changed much over the years,” said Ken Allen, Socure’s senior VP and the former VP/head of payments at Western Union and senior VP/fraud and debit operations at Capital One. “Banks are slowly starting to evolve on this.”

What is the biggest fraud problem with payments players and banks today? “We need to break apart customer authentication and credit worthiness,” Allen said.

It’s a non-trivial point. The time-honored financial institution focus on credit worthiness is giving identity thieves the distraction they need, one where customer identification/authentication is treated as a footnote. By separating the two important functions, it allows financial players to fight fraudsters much more effectively. (No surprise: Socure solely deals with identification/authentication and offers no credit worthiness services. Plenty of other folk do that.)

It’s frightening that, as Allen pointed out, many of the oldest fraud tactics still work today. This includes criminals using social security numbers associated with minors—so that no one is likely to notice until the victim turns 18—and deceased people. That is because Social Security requires next to zero meaningful authentication before it issues a number, meaning there is little to be verified against later.

It’s not clear how effective social media fueled authentication will prove to be, but for now, it’s better than what most financial institutions are doing.