Posts tagged FinTech
New Horizons in Technology Leadership

I recently took the reins as Chief Technology Officer at Fiserv, the world's leading payments and financial technology provider. In this new role I am drawing on over 20 years of experience in cybersecurity, IT and FinTech to navigate today’s rapidly transforming business technology landscape and chart the best course for tomorrow.

I will continue to share my insights and analysis on this blog, addressing critical developments in cybersecurity and data protection while also expanding coverage to include the broader issues and challenges that CTOs and other business technology leaders face today.

To begin this new chapter in the conversation, here are a few important points this industry will be focusing on moving forward.

Security Remains Paramount - A CTO must look at the big picture and develop an overarching technology vision and strategy, and integrating security at every level is an essential part of that. Financial services are a prime target for cybercrime, and, as our technological systems grow increasingly complex, failure to maintain comprehensive protections can result in the accrual of significant “cybersecurity debt.” Safeguards must extend from incorporating the latest innovations, such as confidential computing, to maintaining physical security and understanding the role of employees in protecting valuable assets.

The Cloud Is Key - Regulatory compliance and security concerns have slowed traditional financial institutions’ adoption of cloud computing, but innovative cloud technology is becoming an increasingly valuable and vital tool in FinTech. It’s important to avoid a “Frankencloud” model—last year’s SolarWinds cyber attack showed how catastrophic that can be—but a strategic hybrid cloud approach can unify networks, minimize cybersecurity debt, supercharge efficiency, and allow for unprecedented flexibility and future transformation.

AI and Other Innovations - Coupled with the speed and flexibility of the cloud, artificial intelligence, machine learning and other forms of automation are unlocking a host of new possibilities in FinTech. With traditional know your customer (KYC) verification technology quickly becoming antiquated, advanced AI such as biometric scanning is a valuable new tool for preventing identity fraud in digital finance. Contact Center as a Service (CCaaS) is also catching on by using the cloud to connect a scalable remote agent workforce, automation to streamline workflows, and AI-powered virtual assistants to personalize and enhance both the agent and customer experience. Other advanced tools are helping utilities bolster their defenses against increasingly frequent attacks on critical infrastructure.

Much more lies ahead, from the next-generation SCION Internet architecture, which will provide more stability than the current outdated Border Gateway Protocol (BGP), to debates about the ethics of algorithms and how to bridge the broadband divide. I look forward to discussing these and other critical technology issues here in the future.

Peter Cavicchia | FinTech, CTO, Cloud
A Look Ahead: #FinTech Cybersecurity Safety in 2020

Left to right: Noah Kroloff, Amy Hess, Peter Cavicchia & Bryan Cunningham

How we can all make our companies, our cities and our nation safer is top of mind everywhere. Each year at the annual Summit on Security presented by Fiserv at the #9/11 Memorial & Museum, experts and national leaders come together to discuss the critical need for organizational resilience and vision in the face of heightened security threats.

This year, I spoke as part of the panel Keeping Ahead of the Threat, which examined key threat areas in the quickly evolving cybersecurity landscape, as well as the security infrastructure surrounding those areas.

The panel was moderated by Bryan Cunningham, the Executive Director at UC Irvine’s Cyber Security Policy and Research Institute (CPRI). I was joined by fellow panelists Amy Hess, the Executive Assistant Director of the FBI’s Criminal, Cyber, Response and Services Branch, and Noah Kroloff, the Principal and Co-Founder of Global Security and Innovative Strategies.

Cybersecurity strategic planning in FinTech is complex, involving issues such as rapidly changing data use regulation, consumer consent, and the ever-present threat of supply-chain, state-sponsored and other forms of attack. The areas of largest risk range from account data and personally identifiable info to high-speed trading models.

In addition to preparing for external malicious threats, you also need to prepare for internal mistakes and errors in judgement. Nonetheless, consumers want the option of open banking. That is the future of financial services, and the industry must make the transition. As we addressed in Keeping Ahead of the Threat, this will require streamlined integration approaches as well as highly effective data-centric security measures.

The Future of Facial Recognition

Facial recognition has a central position at the high-tension intersection of privacy debates, security requirements and consumer demands for increasing convenience. Digital identities are critical to companies competing to offer their services quickly while demanding less input from customers. Facial recognition is in many ways the best tool for verifying identity. It is considered the best biometric, and is ultimately convenient. In fact, it can require no action by the consumer, unless identity confirmation fails.

Since the release of the iPhone X (and its groundbreaking facial recognition capability), many consumers have come to understand the allure of, and accept, facial recognition. And it is gaining greater adoption in all areas of e-commerce—especially in the security-conscious financial industry. It has already been accepted as a valid identification method by Europe’s banks. JetBlue has started using it instead of boarding passes. And it is rapidly becoming big business: Allied Market Research predicts that the global face recognition technology market will generate sales of $9.6 billion in 2022.

Synthetic Identity Fraud

Synthetic identity fraud, in which an identity is created instead of stolen, has been around in some form for a long time. Estimates are that it produced over $6 billion in losses in 2016 alone. But as the security community has been able to successfully address other forms of cybercrime and fraud, synthetic identity fraud has become much more popular.

Synthetic identity fraud is unusual in that it requires both a long-term view and long-term expenditures—often for years—before the identity can be exploited. But the crime is also very difficult to detect. In fact, it is impossible to know how many “busted out” identities still exist, inactive and tagged with an abysmal credit rating.

The crime begins with a social security number. It is often a child’s, but criminals can also simply make up a number. The rest of the identity will consist of a mix of stolen and made-up PII (personally identifiable information) and a “home” address controlled by the criminal.

The SSN should have no credit history attached to it. The criminal sets about building one. The simplest way to do this is to apply for—and get rejected by—credit cards. This will establish a credit history. Eventually they will get a card with a very low limit. Then they diligently work to improve the credit rating and increase card limits. Some pay credit repair agencies and for-profit “credit piggybackers” to hasten that process.

Eventually, perhaps after years, the criminal will “bust out” the identity, running all the cards up to their limit and walking away from the identity.

A developed synthetic identity can also be assumed by a real person, for instance an undocumented immigrant or even someone who wants a better credit score.

Any company that doesn’t employ in-person verification at some point is vulnerable to this type of fraud. One reason it is difficult to detect is that there is no way (yet) for companies to verify SSNs with the government. Another is that SSNs have been randomized since 2011 and are no longer correlated to date or place of birth, so security programs lost those critical verification factors.

For consumers, once the issue shows up on your credit report it is too late. But you may want to freeze your children’s credit (if that is allowed in your state). Companies have the larger challenge, but a sophisticated verification system that looks at depth and consistency of PII will help.

Formjacking, a New Security Threat Facing Consumers

Formjacking is an increasingly popular tool in the ever-escalating war for your data. It is the digital equivalent of card skimming: Where a skimming device captures your card data when you swipe it at a gas pump or ATM, formjacking code captures it the moment you submit an order entry form on an infected website.

As a consumer there is nothing you can do to prevent it (short of making all your purchases offline). It is not your device that is infected with the code, it is the website. Even well-established, well-regarded online retailers are vulnerable, if cybercriminals are able to infect less-protected third-party software down their supply chain.

Symantec reports almost 4 million formjacking attack attempts in 2018, with an average of about 4,800 sites successfully infected monthly. The cyber security community can protect against these attacks, but as always systematic and comprehensive vigilance is the key.

As a consumer you won’t know you’ve been formjacked until your data is used. So, this is another good reason to monitor your financial statements and credit reports carefully. You should institute a credit freeze the moment you suspect a problem—and strongly consider doing it now.

A Challenging Cyber Security Talent Market

If you are responsible for an organization’s cybersecurity, challenges are part of your daily life. Building a talented and cohesive team is among them.

The demand for cyber professionals far surpasses the supply of those who have training or experience in the field. A study by ISACA’s Cybersecurity Nexus (CSX) reports barely 50 percent of organizations can count on receiving at least five applications for each cybersecurity opening.

In such a competitive market the talent will be choosing you as much as you are choosing them.

You need to be proactive and creative in your talent search. Include relevant technical schools and professional organizations in your pipeline. Take pains to show you welcome diverse talent such as women and minorities into your department—data show both are underrepresented and underpaid in this industry.

Finally, cybersecurity talent should have analytic skills, attention to detail, and in the best case communication skills that allow them to collaborate effectively across every area of your company. Those are the traits to look for in junior hires. The techniques of cybersecurity can be taught. New hires should have a passion for cybersecurity, but a background in mathematics, analytics, problem solving, and investigations can be just as promising as one in programming.

So think expansively. Core skills can be more important than certifications. Creating a supportive environment where employees continually learn new skills from other seasoned pros in the group (in addition to formal training) helps guard against another hazard of this competitive market—talent poaching by your industry peers.

Data Centric Security: Shifting Cyber Defense to the Core

Firewalls and infrastructure-level cybersecurity tools have proven themselves unequal to contemporary cybercriminals—and to the demands of contemporary business. Data breaches occur at an alarming rate, and the traditional castle-and-moat tools won’t be enough to protect the sensitive data in your organization. Your adversaries will try to penetrate your infrastructure so they can gather and monetize your sensitive data. By shifting to a data-centric cyber defense you focus on what is important: identifying that sensitive data and surrounding it with rings of defense.

The central mandate in the data-centric approach is to maintain control over your sensitive data at all times. That involves an extensive process: first, identify where all of that data is and which system processes, applications and functions use it; second, classify it by determining whether it involves business-sensitive data, intellectual property, account-level data, or customer info. By using the correct level of encryption and data protection tools for each type of information you create the first line of defense against the adversary.

Just as important is restricting access by using the proper authentication and access control tools and procedures as well as by monitoring access to these files. This simplifies tracking the movement of those assets, and real-time monitoring will readily identify suspicious behavior and unauthorized use.

A good data-centric approach will provide the core foundation for integrating additional layers of cyber defense, including network monitoring, endpoint, DLP, vulnerability identification and remediation, behavioral tools, and privileged access monitoring.
