identity theft hackers financial crime
intrigue and the Internet of Things
sounds exciting doesn’t it what is but
maybe not for the reasons that you’re
thinking right now you see I’ve been a
victim of data breaches and identity
theft and while it has been pretty
exciting I have to say it’s been for all
the wrong reasons about a year ago my
personal information was stolen from a
company that I do business with in fact
more than one and what started out as a
hassle having to get new credit cards
set up new bill pay change my recurring
payments quickly got worse as the
realization set in that the criminals
had much more information about me first
a new account was opened with a bank
that I don’t do business with I know
this because i received a welcome
package in the mail about this new
account clearly the criminals were still
learning how to do their business so in
a situation like this happens I took all
of the right steps that you should take
when that happens I called the company
and I told them the account had been
open fraudulently and I closed it I
place fraud flags on all three credit
bureaus I filed a police report I filed
a complaint with the FTC I changed all
my account names and passwords on my
accounts because I didn’t know what
other information the criminals had on
me and even taking all of those steps
not long after they were back and this
time they were able to gain access to
one of my financial accounts and commit
financial fraud and the story continues
but let’s look at some data on the
subject in 2015 data loss org reported
that over 700 million records of
information had been compromised just
the year earlier the FBI reported that
over 500 million records of information
had been compromised that’s a nearly
fifty percent increase in one year
alone now let me put that number in
perspective if we assume there are about
250 million adults in the United States
today then that means that five records
of data have been compromised for every
adult in this venue tonight welcome to
my club now when the data that’s
compromised as a user ID and password
things get a little more challenging
data loss reported that thirty-eight
percent of the time and all that data
that was compromised the data that was
compromised was a user ID and password
houston we have a problem that’s
especially true because a survey done by
CSI d showed that 61 percent of
respondents admitted to reusing their
user ID and password across multiple
websites they’re using the same security
credentials everywhere they do business
now I’m normally a fan of reduce reuse
and recycle but in the case of passwords
I have to say don’t do that identity
theft is even more impactful the
criminals are out to get the keys to our
identity our social security number once
they have our social security number and
other personal information they’re able
to commit financial fraud open accounts
ruin our credit and more in 2014 17
million consumers were victims of
financial fraud just like me it turns
out what kind of fraud do they come in
well they sell the data to others that
want to commit financial fraud so one
piece of the business which is really
big is getting the data and the other
piece of the business is selling the
data to the folks that want to commit
financial fraud here’s a terrifying
example in 338,000 cases last year the
IRS reported that individuals had their
entire tax record compromised from the
IRS service get transcript they probably
see where this is going but back to my
story so on a cold spring day in
Minnesota
ie a couple of weeks ago I got a call
from my tax preparer telling me that my
tax returns had been rejected by the IRS
because someone had already filed tax
returns on my account great so now I’m
also a victim of tax fraud he went on to
explain that this is actually pretty
common and that they have a process in
place to deal with it and that I
shouldn’t worry not worry are you
kidding me it’s 2016 and we rely on the
internet almost exclusively to shop find
a cool restaurant socialize with our
friends get concert tickets submit our
papers for review and yet it’s 2016 and
we still rely on the same security
technology that was around when the
internet was invented predominantly the
user ID and the password there has to be
a better way our digital footprints are
about to get a lot bigger with the
Internet of Things or smart devices what
do I mean by that well imagine a smart
refrigerator that is able to keep track
of your supplies and reorder them and
have them delivered when you run low or
maybe the fitness tracker that you might
be wearing tonight keeping track of your
steps and counting your calories
consumed or a smart energy meter that’s
helping you manage your energy
consumption more effectively these all
fall under the umbrella of Internet of
Things or smart devices and they’re
expected to grow exponentially under the
current model all of these things have
some element of our personal information
in them why does your thermostat need to
know your name and address so that’s a
real issue and as the threat increases
as the number of places that our data is
stored and so this is a real problem
that needs to be solved as a chief
innovation officer I have the privilege
of leading a team of visionaries that
imagine what might be they think about
the art of the possible they study
emerging to
technologies and trends and they imagine
how we might simplify our customers
lives in building products and services
data privacy and security are critically
important for a bank so that should make
a lot of sense right so when we think
about this we’re trying to think about
how could we help solve this problem in
the digital era how could we create a
digital identity and help manage digital
identities for our customers and for
others let me explain what I mean it’s
pretty unusual for someone to ask you
for this to open a social media account
you may not know this but financial
institutions by law have to verify the
identity of people that do business with
us so we have to make sure that the
person is who they purport to be and
there are regulations and laws in place
that that ensure that but you don’t need
to have one of those to open a social
media account yet how do you know that
the person you’re interacting with on
social media is actually who you think
they are you don’t and I’m not
necessarily going to solve that problem
tonight but the solution I’m proposing
in the framework could solve that
problem into the future now let me offer
a couple of suggestions and catch you up
a little bit on what’s happening in the
industry more broadly first of all
you’re probably familiar with the advent
of mobile payments and I’ve heard about
or maybe using Apple pay Samsung pay
Android pay and the like what you may
not know is that the payment credentials
that are stored on that mobile device
are actually what we call tokenized so
the account number that’s on that device
is different than the number that’s on
the plastic that might be in your wallet
or in your purse it’s also bound to the
mobile device which means that when it’s
used for a transaction if it came from
anything other than the mobile device we
know that it’s fraud the risk of theft
has been greatly reduced as a result
there’s some other important work
happening in the digital identity space
under a white house initiative called
the national strategies for trusted
identities in cyberspace or n stick it’s
quite a mouthful
under that initiative the government and
enterprise are collaborating to try to
solve this problem and develop digital
identity ecosystems and both of these
are important steps in the right
direction but they won’t completely
solve the identity problem and the
reason is because it isn’t clear who can
create a digital identity and and vouch
for you and me say that we are who we
say they are and so what I’m proposing
is that financial institutions because
of their obligations and knowing their
customers are uniquely positioned to be
able to do something like that in a
digital ecosystem but you actually have
to have an entire ecosystem so what do I
mean you need a system that has broad
reach and is widely accessible across a
number of platforms and services we need
to leverage existing technologies and
expertise if we hope to do this anytime
soon we need to enable support for
anonymous ensued 0 anonymous use what do
I mean if you wanted to participate in
social media or comment on a news
article or discuss things in a chat
forum you shouldn’t have to put your
personal information at risk in order to
do so if it isn’t legally required but
yet at the same time the companies that
provide those services need to be able
to comply with federal laws like child
data protection laws so they might need
to be able to verify your age but they
may not need to know your name and
birthday we also need transparency of
data collection I mentioned the Internet
of Things and our data being everywhere
our data is everywhere and you probably
don’t even know it so we need to
understand before data is collected that
it’s being collected and why a system
such as this needs to be robust highly
secure have backup and recovery oh and
while we’re at it it needs to be
cost-effective to now how might a system
like this work let’s use a made-up
company name voter voter is a hot new
video streaming service that has the
latest and greatest
10th faster than everybody else and so
you want to sign up under the current
model you’d go to voter and you would
register and you would provide your name
and your address and your birthdate your
phone number and your credit card and
your expiration date your security code
and more and then you would trust voter
to keep that information safe it’s
worked out pretty well for me so far
under the future model you would go to
voter and you would use your digital
identity key that’s been securely stored
for example on your mobile device you
would authenticate the voter via your
bank and all voter would know is one a
bank has vouched for you about verified
your identity to that you’re over 18
years of old but not of age but not your
birth date the region of the world
you’re coming from so they can comply
with licensing and copyright laws and a
tokenized version of your payment
credentials only for good for use on the
voter site so you can see in this
example none of the data is useful to
the criminals the risk of theft has been
virtually eliminated now let’s talk
about the IRS example in the case of the
IRS they already have your data they
just need to be able to decide whether
or not you’re the one that should get
access to it and so similarly you could
use a solution like that only for the
verification step in order to be able to
solution like this is not science
fiction in fact our friends to the north
and Canada have been using a solution
like this to grant access to their tax
information by authenticating to the
financial institutions in Canada a
secure digital future is in our site but
we can’t do it alone it requires broad
collaboration with federal and state
government financial institutions
throughout the US education business
community and more I hope that someday
identity theft is a thing of the past
and we can sleep a little bit better
knowing that our information is secure I
know I sure will thank you you