5 Ways to Modernize Customer Onboarding and Defeat Account Takeover

In this vlog, 1Kosmos CMO, Michael Cichon, is joined by 1Kosmos Chief Strategy Officer, Mike Engle, to discuss how to deliver the privacy, security and convenience people have come to expect online.

Michael Cichon:
Oh, hello everybody. This is Michael Cichon, Chief Marketing Officer at 1Kosmos. I’ve invited Mike Engle, our Chief Strategy Officer, Co-founder here today to talk a bit about customer authentication and onboarding. Slightly different than what we see on the workforce side, but sometimes the two get conflated as if the users are one and the same. Mike, can you talk a little bit about the differences on the customer side versus, for example, passwordless authentication for the workforce?

Mike Engle:
Yeah, there’s really one big difference. You can, for the most part, make your employees do something in order to keep your company safe. For example, you have to connect to your remote systems and log into your workstation. You can just give them all the tools and say, “If you don’t use these tools, you’re not coming to work.” But with customers, it’s much different. Customers have choice. They can go to bank one, bank two, or whatever site it is, and so you have to treat them very nice and almost entice them to do the right thing.

Michael Cichon:
So on the customer side, there’s a little bit stronger of a business need to balance the convenience, the user experience with this need to manage fraud and keep fraud in a small box.

Mike Engle:
Right. On the employee side, there’s very little acceptable risk. For example, it’s not okay if 10 people log into my infrastructure that aren’t who they say they are. Just not okay, not one. On the customer side, a lot of organizations have an acceptable level of fraud, and the reason they do that is because there’s this dial between how much friction you put in versus how much fraud you allow. You could turn the friction up all the way and make them authenticate every five seconds or do all kinds of things, and then you’ll have no fraud, but you won’t have any customers either. So that’s where there’s a little yin and yang going on there.

Michael Cichon:
Right. I totally get it. So the very first touchpoint that a customer has with a digital business, it’s the onboarding process, or arguably one of the first. So what are you seeing out in the field as far as organizations addressing or modernizing their new account origination process?

Mike Engle:
Yeah, I’ll put them into two buckets. One is in either highly secure or highly regulated environments. So that’s banking where you have anti-terrorism laws, know your customer type rules that have to be followed. Then there’s just general e-commerce websites. So you’re going to sign up for a new shopping account. They do not have a requirement to really prove who you are. They just want to transact business, collect money, and really hope that it’s the right person and get paid. And so for the KYC, right, say banking, crypto or government resources, healthcare, where you really need to know who it is, that’s where you introduce some of the modern mechanisms where you can prove that this is the person remotely doing things like document verification, identity verification, et cetera.

Michael Cichon:
So how do you do this and still deliver an avant brand experience? I mean, as a marketing person, certainly you want to be regarded as a contemporary brand, not one that’s out of step with the times. So talk about the brand experience. How do you do this? You combat things like synthetic identity. I realize some businesses aren’t required to deal with that, but who wants to do business with a fake person or a fake identity? So how do you modernize the brand experience and still manage the impersonation issues?

Mike Engle:
Well, it’s using modern tools. So the way that we’ve opened accounts for 10, 20, 30 years really is type your data in, ask some questions maybe, and then try to verify it either now or later. The data that’s been used there has all been stolen, leaked on the dark web, et cetera. That’s your credit file data. What’s the first car you purchased or did you ever own property at this address? Unfortunately, that’s still the standard here in the US for most financial institutions, but they’re all trying to figure out how to use modern tools. And those modern tools are scanning your driver’s license or tapping into an existing identity that’s trusted. This driver’s license is pretty trusted. Can there be fakes? Of course. But the bar becomes much higher when you’re inspecting something that has some real provenance.

Michael Cichon:
Okay. All right. So my driver’s license goes in my wallet and online you’re collecting this information and some businesses are providing now digital wallets, correct?

Mike Engle:
They are, yes. We’re seeing the war of the wallets right now starting to slosh around. That’s right.

Michael Cichon:
So what makes a good digital wallet from a bad digital wallet, if there is such a thing?

Mike Engle:
Yeah, no, the standards are, they’re out there, but there’s just so many people adopting either parts of the standard or there’s a couple different standards out there. So there’s services that will tie wallets together. For example, something called WalletConnect, and you have different security models and you need to also be able to address, but what if I don’t have a phone or an app? So we’ve handled all of these edge cases, and that’s really important is that you have the breadth of tools at your disposal to prove who somebody is, right? The big word now is inclusion for banking, for identity verification and all these things. So how do you include the most people into this program? And then flexibility. So again, I don’t have an app or some other thing that you provide alternate mechanisms and that’s maturing really quickly.

Michael Cichon:
Okay. All right. So we talked about combating identity fraud on the front end, but you also have identity impersonation after the account’s created with account takeover. Those attacks are rampant on consumers these days. So are there some wallets that are better at combating ATO than others?

Mike Engle:
Not really. The wallets aren’t really involved in this much yet here in the US. In some other countries, there’s either government sponsored or maybe bank sponsored wallets, Singapore, South Korea, a couple in the Nordic regions, where the wallet really is trusted. And you can reach out remotely and say, “Let me see your credential.” Can you do your biometrics? And it’s very trusted. So in the meantime, we can leverage a couple things. For example, a friend of mine got a call with a Zelle scam yesterday, and it’s amazing what they’re doing. So they will send you a Zelle message. So your phone number, Michael, I can find that right now. I can send you a Zelle message that says $2,500 requested, and then I call you pretending to be the bank, right? Pretty convincing. All I need you to do is go in there, press 1, 2, 3, and you’re sending me money.

It’s kind of the ole switch-a-roo trick. So how could you mitigate that? Well, imagine if I had to look into a camera and verify who I am before I try to perpetrate this fraud. There’s no way that I’m giving my face to the bank, but that would stop it dead in its tracks. So these are some of the tools. Or maybe ask me to verify my identity by scanning my Pennsylvania driver’s license, right? There’s ways that you can up the level of trust inside of the network and even between multiple parties.

Michael Cichon:
Okay. All right. Well, when you start to take, again, this information, this personal information, we’re all familiar with the GDPR rules or the right to be forgotten rules. It would seem to me that as you acquire this information about customers, you have to start seeing after privacy and control. Using the physical wallet as a metaphor, my wallet’s certainly private. It’s under my control to the best of my ability. How is this managed online?

Mike Engle:
Very much the same way. So think about your wallet being in your possession. The way we do that digitally is with cryptography. So what I do is I will give you your own encryption key and think about that as your digital wallet. As long as you have that key and nobody else does, you’re in control of the assets inside of that wallet, your driver’s license data, your biometrics, et cetera. So modern cryptography, public, private, key pair technology is really the enabler here and what is going to allow us to interact. It’s what’s behind decentralized finance as well, like Web3 type stuff.

Michael Cichon:
Okay, great. Well, listen, I think that’s about all the time we set aside for this morning. We do have the webinar coming up, folks seeing this before the webinar. It’s on February 23rd at 1:00 PM Eastern Time, 10:00 AM Pacific time. It’s called The Five Ways to Modernize Customer Onboarding and Defeat Account Takeover. After that February 23rd, that webinar will be on demand available on our website. So Mike, thanks very much for your time today. Appreciate your sharing your expertise.

Mike Engle:
My pleasure. Talk soon.

The post 5 Ways to Modernize Customer Onboarding and Defeat Account Takeover appeared first on 1Kosmos.

*** This is a Security Bloggers Network syndicated blog from Identity & Authentication Blog authored by Mike Engle. Read the original post at: https://www.1kosmos.com/authentication/5-ways-to-modernize-customer-onboarding-and-defeat-account-takeover/

Mike Engle

Mike Engle, Chief Strategy Officer for 1Kosmos is a proven information technology executive, company builder and entrepreneur, as well as an expert in information security, business development and product design/development. He was previously head of information security at Lehman Brothers and co-founder of Bastille Networks.