Verifying identity in customer-not-present situations

The CIO-level business angle on the latest tech

We've all seen the classic cartoon of the dog using a computer, with the caption that says, "On the Internet, no one knows you're a dog." It's funny, but true.

When you have any sort of Web-based business, you really don't know who is on the other end of the network. For many interactive Web applications, it's critical to verify the true identity of the consumer. Just ask Sarah Palin, whose Yahoo! account was hacked, presumably by someone usurping the politician's credentials to log in. Clearly this is identity theft as well as invasion of privacy. Even though Palin is a public figure, she is entitled to her online privacy.

There are several business drivers behind the need to know the precise identity of someone coming into a Web application. It's important to know who you are dealing with in an effort to prevent data breaches. For example, you wouldn't want sensitive customer information to be viewed by someone who doesn't work for your company. If you operate an e-commerce site and accept electronic payments, you want to know that the credit card data really does belong to the person buying your goods. Payment processing companies must meet strict Know Your Customer (KYC) regulations. Some Web sites need to verify the age of consumers; the Children's Online Privacy Protection Act (COPPA) forbids the collection of private information from children under the age of 13.

Data breach costs top $200 per customer record

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

We've all seen the classic cartoon of the dog using a computer, with the caption that says, "On the Internet, no one knows you're a dog." It's funny, but true.

When you have any sort of Web-based business, you really don't know who is on the other end of the network. For many interactive Web applications, it's critical to verify the true identity of the consumer. Just ask Sarah Palin, whose Yahoo! account was hacked, presumably by someone usurping the politician's credentials to log in. Clearly this is identity theft as well as invasion of privacy. Even though Palin is a public figure, she is entitled to her online privacy.

There are several business drivers behind the need to know the precise identity of someone coming into a Web application. It's important to know who you are dealing with in an effort to prevent data breaches. For example, you wouldn't want sensitive customer information to be viewed by someone who doesn't work for your company. If you operate an e-commerce site and accept electronic payments, you want to know that the credit card data really does belong to the person buying your goods. Payment processing companies must meet strict Know Your Customer (KYC) regulations. Some Web sites need to verify the age of consumers; the Children's Online Privacy Protection Act (COPPA) forbids the collection of private information from children under the age of 13.

Data breach costs top $200 per customer record

One of the most common identity verification processes in use today depends on you having a prior relationship with the customer. When a person creates an account, he establishes some "shared secrets" that are used as challenge questions the next time he logs in, or when he forgets his password. The "secrets" are often pieces of information that really aren't secrets at all, such as a mother's maiden name, a high school attended, or the city the person was born in. If these were the types of challenge questions that had to be answered to get into Palin's e-mail account, anyone could have looked up the correct answers by reading her biography.

What if you need to verify the identity of a customer with whom you have no prior relationship? Let's say an online lending company is accepting an application from first time customer John Doe. The company would need to establish that the loan taken out in Doe's name is not really going to an underground crime syndicate instead. In this case, shared secrets wouldn't help verify Doe's true identity.

This is where solutions from IDology come in. IDology has a range of products that help you determine precisely who you are dealing with:

* ExpectID is the base level product that locates a valid ID based on the person's name and address only, or you can incorporate his date of birth or last 4 digits of the Social Security number.

* ExpectID IQ verifies someone is who he claims to be through a series of dynamically generated multiple choice questions. There's no need to have any prior relationship with the person to verify his identity

Linda Musthaler is a principal analyst with Essential Solutions Corporation.