Rethinking ID to keep travelers' payments from getting stranded
Even the most honest customers can look risky if they frequently travel. Their movements can throw off traditional vetting techniques that authenticate transactions by looking at location as a risk factor.
"There are difficulties in recognizing good customers with little or no friction, and also ensuring the company is segmenting high risk or likely fraudulent accounts properly with more aggressive tactics," said Keir Breitenfeld, a senior business consultant for Experian. Much of the information that establishes trust or consistency to confirm ID for transactions is hard to migrate, he said. Social Security numbers, credit history and residential or work histories are movable from the U.S. to another country for an extended stay, but are not as easy to transfer as between states in the U.S., for example.
Certain sources of data are easier to transfer and widely used, such as email, Breitenfeld said. Experian just launched a collaboration with Emailage, a Chandler, Ariz.-based email risk company, to include email data security through Experian's CrossCore platform as part of authentication. This process is meant for companies that need to vet IDs for U.S. residents who spend extensive time outside of the U.S.
There are pieces of information that are associated with an email account that can help prove a person's identity, such as birth date, gender, location, employer and the date of establishment. There's also additional helpful information in domain and IP addresses, Breitenfeld said.
Many financial institutions use one-time passwords at part of their customer authentication strategy and for certain high-risk transactions, said Shirley Inscoe, a senior analyst at Aite Group. "While one-time passwords are most often delivered via SMS text, several executives I've spoken with say they allow consumers to choose how they prefer to receive the code; choices may include, text, voice or email."
Travelers often choose email because text delivery can be unreliable, particularly outside of the U.S., Inscoe said.
"We're looking at email and the devices that are used to access and open accounts, whether that's a payment or a loan or a savings account," Breitenfeld said.
The added element is a necessary response to the growth of breaches and to address the difficulties of authenticating someone overseas, Breitenfeld contends. "It's safe to assume that the vast majority of personal identification information has been part of at least one breach and is available for malicious use," he said.
While device fingerprinting has grown over the past couple of years as a factor of authentication for ID, email is yet another way to match someone's personal information with the actual person, Breitenfeld said.
"There is really no single source of data or piece of technology that can solve the problem entirely," he said.
Payment technology experts have considered making email part of the mobile payments security chain for some time. Google recently introduced email as a way to initiate P-to-P payments. Email is also used as an identifier for P-to-P apps such as the bank-led Zelle. Mobile ID is also gaining support as an alternative ID option.
"Email has become a practically universal service among consumers," said Al Pascual, a senior vice president and research director for Javelin Strategy & Research. "Relying on the established history and association of an email address with a particular identity should provide an added degree of assurance among populations where direct verification of identity elements or documents with government agencies is impractical, or where other sources of identity information are few and far between."