The whole point of fraud prevention is to stop the bad guys. What if a tool used to do this resulted in stolen personal data?
Privacy is a huge concern for both businesses and customers. In light of the recent discussion sparked by Apple, everyone seems to be talking about the security of mobile devices. This leads to the question, how does preventing fraud affect privacy?
By nature, preventing fraud involves collecting data. Based on the tool, different types of data may be collected and stored to inform fraud prevention. What type of data is collected is extremely important. If this data involves personally identifiable information (PII), it’s possible a security breach could compromise your customers’ information.
Personally identifiable information is anything that can be used to identify an individual. This information can either be used on its own to do this or with other information to figure out who a person is.
Even if they don’t have the exact name of a person, hackers can often find more information to connect the dots. For example, a hacker that knows a username might be able to access an account that is always logged in and find personal information about a user. Many account users have weak, easy to guess passwords, which makes a hacker’s task of connecting the dots a lot easier.
Here are examples of personally identifiable information that are commonly used to verify users and give insight for fraud prevention:
- Static biometrics like face, fingerprints, handwriting
- IP address
- Login name
- Credit card numbers
- Name, address, telephone number
- Birth date
In many ways, the internet has made personally identifiable information a lot easier to come across. For example, if you have an uncommon name, a quick Google Search can often bring up your address, telephone number, social media handles, and more. In the information age, breaching security measures to steal someone’s identity is a lot easier than it used to be.
When thinking of adding a new fraud prevention tool, ask yourself whether it stores personally identifiable information. The answer to this question will help you decide if the tool is worth using.
Here are some considerations concerning fraud prevention tools and personally identifiable information:
How easily can customers recover from stolen PII?
In addition to thinking about what personal information is stored by a certain fraud fighting technique, think about how customers will respond to having that information stolen.
Can a customer easily change that information to hide themselves from hackers? This varies depending on the fraud prevention tool used. Passwords, for example, can easily be changed to make hacked accounts private again.
Other authentication measures like fingerprints can’t be replaced. Biometrics involve something you are, and measures of who you are can be difficult or impossible to change. Once this personally identifiable information is out there, it can’t become private again.
These types of static biometrics are becoming increasingly common (think of Apple TouchID) as users demand a simplified digital experience. As they become more common, the risks associated with personally identifiable information must be considered.
If you think it’s impossible to steal fingerprints, think again. Early in 2015, the Office of Personnel Management was hacked and the fingerprints of 5.6 million United States government employees were stolen. For these people, an extremely personal piece of them they can’t change will be public forever.
How is PII stored?
If personally identifiable information collected by a fraud prevention tool is stored in a centrally located place, beware. This creates a wider target for hackers. One breach and thousands, even millions, of people’s information is lost. This was the case in the Office of Personnel Management attack.
Tools that store personally identifiable information locally on a user’s phone are also susceptible to breaches, but they might not have as large of a consequence in the course of one security breach.
Also, some data like static biometrics aren’t stored as the actual biometric. They are stored as a mathematical version that is unable to be traced back to the user. Knowing how data used to identify fraud prevention is stored is an important thing to check.
Consequences of Stolen PII
The consequences of fraud (lost customer trust, lost employee morale) are, interestingly, also consequences of stolen personally identifiable information like fingerprints. The consequences may, in fact, be larger.
If a customer’s information is stolen, it becomes a public relations nightmare. Fraud can also affect customer trust, but a person (or many people) having their identity stolen is likely to hit home harder, resulting in loss of customer loyalty. This mark on a company’s image can affect sales for years.
In addition, the company collecting the personally identifiable information may be liable for reparations to the users who suffered from the data breach.
Instead of avoiding fraud prevention altogether, choose fraud prevention methods that don’t involve personally identifiable information.
One example is behavioral biometrics. Behavioral biometrics does not store personally identifiable information. Rather, it stores behavioral data that cannot be used to identify the name of an individual. While an individual can be identified by a fingerprint, they can’t be identified by the combination of a swipe pattern on a mobile device, finger pressure on the screen, etc.
The multiple data points collected through this method are too complex and diverse for hackers to trace, especially because these biometrics aren’t something that can easily be found through other sources. Moreover, the profile in this method forms a statistical representation of the user's behavior rather than an exact biometric template that can be easily matched to a specific person. This makes behavioral biometrics perfect for businesses concerned about the security of their customers. Safe customers means happy customers!