The Trust Paradox Part 2: Biometrics, Regulation & Outpacing Fraud
August 14, 2025
As financial transactions become increasingly digital, the demand for seamless user experiences often clashes with the need for robust security measures. In part two of this episode on the trust paradox in payments security, we’re continuing our conversation with Entrust experts Simon Horswell and Andy Cease on the role of biometric ID verification, the evolving regulatory landscape, and how banks can get ahead of fraudsters.
In part two of the Entrust Cybersecurity Institute podcast on the trust paradox in payment security, host Ken Kadet chatted with Entrust experts Simon Horswell and Andy Cease as they continue the conversation and discuss the role of biometric ID verification, the evolving regulatory landscape, and how banks can get ahead of fraudsters.
Ken Kadet: So, let's jump back into this. Let’s talk about the reason we need security. A recent industry report that I was reading found that one in five ID verification attempts were actually fraudulent. Our own identity fraud report last year found that a deepfake attempt occurs every five minutes. What are some of the new threats that we are facing, and how much should we worry about?
Simon Horswell: I think you'd be very foolish not to be as aware as possible and at least be concerned. It means you need to be putting a lot more thought into your identity verification process at the beginning. Your KYC process has to be robust. What we're talking about here with deepfakes, with identity verification, this is the cutting edge of confirming that someone is who they say they are.
And this is someone proving who they are. It's the most robust way that you can verify yourself currently, although that may change in the very near future. But this is the best it is. And even still, you're seeing fraudsters who are going to adopt these rules and make the best of it. And that's why we're seeing deepfakes. This is relatively new technology; it's certainly become a lot more accessible and easy to use to your average layperson. It doesn't require a whole research suite and hours and hours of learning. That's already been done. People can now just pick up models that are ready to go. Other people are putting together tools for attempting to attack this type of process because this is where the money is.
Fraud goes where the money is. Fraud doesn't just sit where it's comfortable. It learns to adapt. I always think of it, I described it before as being like water. It will always find a way. It will always look for the weakest point. You have to make sure that you're watertight. And if there is a little leak, then that's where the fraud is going to seep through. It's just going to look for the lowest and easiest point to get in, which is why you have to have a well-rounded approach. I mean, we've seen deepfakes, right? I'm personally involved in the identity fraud report that we put out every year. 2023 was the year that we saw deepfakes spiking. And it's now a stable part of what we do. But that was the year where it broke, for identity verification at least. But what we've seen happen subsequently is this new idea of rather than doing a deepfake, is taking someone's actual photograph and going back to the very early forms of deepfake, to automate that selfie.
And they’re taking that and now make it do what KYC demands, which is some kind of liveness challenge or movement challenge. Or the very latest form of video generation and getting an entirely new person generated that's doing this movement. So we’re seeing forces that are adopting and experimenting with this new technology to see how it fares against these kind of pillars that have been put in place in terms of identity verification.
So you have to be very aware of it and to make sure that you're defending yourself as well as you can against this. And let's not forget, we're not just talking about the onboarding process. We've already seen stories and they go back again, a couple of years of people already, they're finding that they're being scammed into giving away personal information, giving away bank details by people that are either doing deepfake in a video or audio call to elicit details out of people over the phone, or getting them to make payments because “someone's in trouble.” So it's the same scams, but being perpetrated with these new tools that make them more convincing to people. And it's getting harder and harder as an individual. So you have to be very aware of where this technology is going, because if you're not aware, then it's easier for you to be caught out.
Andy Cease: And yes, wholeheartedly agree, Simon. And I think that's where having robust upfront KYC really protects not only the institution but the consumer. Also, keep in mind that as that consumer is moving through the world of payments, while education is great, we know that that can't be the end-all be-all, is relying on that human being to know what the latest threats are in the legacy payment ecosystem. For example, like the skimming where a bad actor would install a mock facade on a point-of-sale system at a gas station or ATM. And that could extract all the necessary information off that magstripe. As we move towards a world that is increasingly tokenized, increasingly front-ended by biometric IDV, once you've established that biometric IDV in many instances, you can do subsequent IDV, but you're actually making that process easier because you can store the government document in some cases. And so you're able to establish this iron-clad KYC using a government document that's been validated, a human that's been proven; who is who they say they are.
And then going forward, if you want to reissue a card at an ATM, for instance, you could play back, we want to do a liveness detection without necessarily pulling out that original government ID. The reauthentication use case – so we can see how Simon said this biometric IDV is the latest innovation. In some ways, I see it as like the final frontier.
But I think it's safe to say that if you're moving towards biometric IDV, you're moving towards the source material, if you will, which is the person you're trying to validate. All payments are is value being passed from one identity to another. So it's all about the identity. And I think sometimes we worry so much about the security of the payment when in fact we have to worry a bit more about the security of that identity in the first place.
Ken Kadet: Is there a regulatory aspect that we need to think about? Right now, it seems like the most robust regulations are in the card industry, with standards like PCI and then on the other side with data protection laws in Europe. Where do you think the regulatory regime is headed?
Andy Cease: That's a good question. So in this conversation, right, we've covered a few different realms of regulation. There's KYC; we've spanned from the first instant that you're trying to assert an identity and prove an identity, out to that person is using it to make transactions, using it to generate new identities in some cases. That is to say, there's also the consumer-facing regulation. So, what protects me as a consumer going about my day and my relationship with my bank and merchants and the card networks. And then there's also regulations that, for instance, we here at Entrust and nearly every bank and processor have to abide by when we're operating cloud networks, for instance, the as-a-service solution.
Simon Horswell: It’s also about how you’re protecting someone's data, how you're storing that data, how long you're holding it for, what access they have to it, what your deletion policy is. And there's regulations for almost every step of the way. There's compliance that you have to meet. They're different from one region to another. But there's also a core to it. Recently, I've been working a lot on the latest regulations that are coming out in Europe. And I kind of see this as the stepping stone. You see quite a lot with compliance regulations. One region will set something up, another region will be monitoring it closely, and then their regulations will kind of take some of those core ideas and maybe expand on it a bit or tweak it a little bit for the region and what is more palatable in that region. But with eIDAS and the version two that’s coming out is all about establishing an identity with an idea that once you've established that identity, that onboarding process is key because you're then going to create a portable identity or a digital identity, so that someone now has something that's pre-verified, that they can bring as their token to everywhere; that already establishes that identity.
And then if I'm coming to buy liquor from you, for example, or alcohol as we call it in the UK, all you need to confirm is that I am of legal age. You don't need to have my name and address, which is what's on your identity document. You don't need to have my date of birth. The only thing you actually need to know is, am I legally allowed to buy alcohol? That's it.
And that's kind of the idea with this portable identity is that the consumer actually controls their identity rather than putting all of it out there every time they're asked for it. They're just giving across the credentials that are relevant for that particular transaction or moment or interrogation. But that's why the eIDAS regulations are so strict, so that you get this right at the beginning. But it's standardizing it across all of the European Member States. Everyone's going to have this much higher level of proving identity and it's got different levels depending on what the requirement is.
The enhanced burden of proof is so much higher. Biometrics is definitely in there, but with liveness checks, document checks are in there, but you've got to verify a specific number of security features, which means that the document has to be up to scratch by definition, right? So, it's setting a much higher standard. So you've got a far greater amount of trust in that process. And this is where I've really got behind this latest compliance piece. And what I see is likely to happen is once that's adopted in Europe, you'll probably see the States bringing in similar kind of regulations, similar kind of compliance laws. You'll see APAC start to follow as well. It's going to be a bit of a sort of domino effect, but no one wants to have the worst compliance laws in the world, right? So there's a reason why certain things are put in place. And when you read through these documents, you can see the scenarios that they're trying to block and they're trying to preempt. And then you can see the kind of preemptive measures they're building in so that it isn't just right, this is the snapshot of where it is today. They're trying to be future-thinking so that when technology shifts, you aren't completely blind to it and end up with masses of loss or huge amounts of fraud because something came from left field. They're trying to keep all the checks in place so that you can spot it as it emerges and still deal with it.
Andy Cease: And that is especially critical because we're not only talking about with eIDAS and this type of portable identity. It’s not just payments, which we'll call for this conversation it’s your identity expression. It's a financial expression of your identity, but you also have a healthcare expression of your identity that you take to the hospital. You have an educational identity that you express, you have an identity as a citizen that you express when you go to vote or pay a tax. What Simon's describing is it's not just payments. We're talking about the full expression of your identity across these domains. It has to be done right.
Ken Kadet: So, how far away are we from that kind of world?
Simon Horswell: Discussions have been happening for a while. There's a few things that still need to get ironed out. I think the principles of it are starting to really shape up. You've got digital wallets already and that's kind of like the first step of the idea. But you've got digital wallets that are owned by private companies. But then you've got government organizations that are trying to set up national ones or federal ones. Like in Europe, they're trying to do like a European identity wallet. And it's a direct response of trying to ensure that maybe private industry doesn't have too much control over this, that it doesn't become too privatized, that there is actually some state protection in there as well. I think we're still ironing out some of the details, but I can see it happening within the next five years.
Ken Kadet: Well, maybe just some last thoughts. Say if there was a consumers movement and they demanded more secure payments, more privacy, better protection for PII, etc., what should they be looking for from their financial institutions for that? Andy, why don't you go first?
Andy Cease: I think when we look out across what have been some of the recent trends that we've seen come up in the banking and financial services space, especially those that have been driven by the younger set of consumers, we see things like Buy Now, Pay Later.
We see things like crypto. Things that are new and continue to be adopted by some of the bigger banks and financial services providers. And so I think it really comes down to that agility, that ability to not only continue to provide an extremely safe demand deposit experience for your consumer, but also attract them with a variety of options that today really no single provider can offer because it's challenging to assess an identity and provide the right level of risk to that individual based on non-traditional assets, right? Be that on the financing side, something like Bitcoin, or on the payment side, something like a Buy Now, Pay Later. And so I certainly don't know how this will all play out, but I will expect that five years from now, we're going to see a payments ecosystem that is more secure than it's ever been. It's more private than it's ever been. I mean, Simon described a beautiful world where you can go in somewhere and assert an identity through your mobile phone, it gives a green thumbs up or a thumbs down. And the world of handing over your driver license that has your height, weight, home address, whatever else is on it, right? Those days are gone. And so we're moving in this world that's extremely dynamic, but just because it's dynamic doesn't mean it can't continue to get safer, continue to get easier, but also continue to be more accessible to more people, which really at the end of the day is the name of the game. The more people who have a secure, trusted identity that they can leverage to go do financial things and citizen things and healthcare things and academic things is a good thing for the world. It's probably a good thing for GDP.
Simon Horswell: I think Andy sort of hits on a really solid point there. For me, I don't think I've ever seen a time where identity has been as prominent in conversations, where it's become so much a part of what everybody is talking about. You know, I've been in this industry around identity for about 25 years and it's so rare that I would come and have a conversation with someone that would be related to what I'm doing. But now it seems most articles you see are around this idea of identity and protecting your identity and keeping your credentials safe. So it is so important that it's become such a central part of what we're doing, because it's such a key thing to who we are and how we're going to move forward. As Andy says, it's establishing those things, it's going to become more secure because there's much more awareness around the dangers that we've got at the moment, the threats that are emerging, the threats that already exist. So as fast as they're moving, you are now seeing, and certainly in the last two years, I've seen a real kind of acceleration in the way that people are approaching this problem. And they're really starting to think about how this is happening, really starting to monitor where the emerging threats are coming from, and taking it very seriously.
And I think you have to have a secure setup from the beginning to try and identify who someone is. As things move forward, that is going to change. How that looks is going to change, what we're going to be asked to provide is probably going to change, and when we have to do it maybe.