Verifying identity in customer-not-present situations

How can a Web-based business verify the identity of a person with whom it has no prior relationship? This simple SaaS solution from IDology challenges a person to answer personal questions whose answers are unlikely to be known by others. The result is a high level of confidence that the person using the Web application is precisely who he says he is.

We've all seen the classic cartoon of the dog using a computer, with the caption that says, "On the Internet, no one knows you're a dog." It's funny, but true.

When you have any sort of Web-based business, you really don't know who is on the other end of the network. For many interactive Web applications, it's critical to verify the true identity of the consumer. Just ask Sarah Palin, whose Yahoo! account was hacked, presumably by someone usurping the politician's credentials to log in. Clearly this is identity theft as well as invasion of privacy. Even though Palin is a public figure, she is entitled to her online privacy.

There are several business drivers behind the need to know the precise identity of someone coming into a Web application. It's important to know who you are dealing with in an effort to prevent data breaches. For example, you wouldn't want sensitive customer information to be viewed by someone who doesn't work for your company. If you operate an e-commerce site and accept electronic payments, you want to know that the credit card data really does belong to the person buying your goods. Payment processing companies must meet strict Know Your Customer (KYC) regulations. Some Web sites need to verify the age of consumers; the Children's Online Privacy Protection Act (COPPA) forbids the collection of private information from children under the age of 13.

One of the most common identity verification processes in use today depends on you having a prior relationship with the customer. When a person creates an account, he establishes some "shared secrets" that are used as challenge questions the next time he logs in, or when he forgets his password. The "secrets" are often pieces of information that really aren't secrets at all, such as a mother's maiden name, a high school attended, or the city the person was born in. If these were the types of challenge questions that had to be answered to get into Palin's e-mail account, anyone could have looked up the correct answers by reading her biography.

What if you need to verify the identity of a customer with whom you have no prior relationship? Let's say an online lending company is accepting an application from first-time customer John Doe. The company would need to establish that the loan taken out in Doe's name is not really going to an underground crime syndicate instead. In this case, shared secrets wouldn't help verify Doe's true identity.

This is where solutions from IDology come in. IDology has a range of products that help you determine precisely who you are dealing with:

* ExpectID is the base-level product. It locates a valid ID based on the person's name and address only, or you can also incorporate his date of birth or the last 4 digits of his Social Security number.

* ExpectID IQ verifies someone is who he claims to be through a series of dynamically generated multiple choice questions. There's no need to have any prior relationship with the person to verify his identity.

* ExpectID Age confirms that someone is age 18 or older. This function supports COPPA guidelines and rules of the Credit Card Association.

* ExpectID GeoTrace verifies that someone is where he says he is by correlating the IP address with the ID.

All of the ExpectID products search public data records to get information on the person and use analytics to return a result. ExpectID works in less than a second and the consumer isn't even aware the verification is happening.  

The best way to explain how the technology works is through an example. Let's say I am going to order a new PC over the Internet. I go to my shopping site, which happens to have ExpectID IQ integrated into the shopping cart. I enter my name, address and credit card information. Without ExpectID IQ, a shopping application will simply verify that a credit card is valid and not that the person presenting the credit card number is the authentic owner of the card. With ExpectID IQ, the card is associated with me, Linda Musthaler, and I am challenged with some personal questions that someone other than Linda would have a hard time answering in the time allotted. Example multiple choice questions might be: What car have you owned? Which of these people do you know? Where have you lived?

The real Linda could answer those questions correctly in a few seconds. Someone who has stolen my credit card probably couldn't come up with the correct answers without doing some research. The questions are random and are based on personal information about Linda in public data records that are not necessarily accessible to the public.

ExpectID is a software-as-a-service solution that is flexible and configurable by your own internal administrator. There is a portal that allows you to run one-off verifications as well as administer how the solution is configured; for example, how many and what type of questions to ask. You can integrate the solution with a next-level identity management system if desired.

Don McNelley, chief risk officer at the mobile payments processor Obopay in California, says ExpectID IQ is one of the arrows in his identity management quiver. "IDology's product is one application in a vast suite of tools that we apply to get a good understanding of the people who are registering for our service. We use it to help reduce a financial risk as well as to meet our obligations to prevent money laundering," McNelley says. Like any payments processor, Obopay has to adhere to strict KYC regulations, and so being able to absolutely identify a person is mission-critical for Obopay. "We like IDology's solution for its functionality, configurability and services," McNelley says.

WikiLoan is another IDology customer. WikiLoan offers peer-to-peer lending in which two private parties that typically know each other agree to establish a loan without using the services of a bank. One person lends to another, and WikiLoan acts as the middleman to provide a credit score and the loan documentation and to set up automatic payments. WikiLoan verifies the parties to the loan to ensure that a thief is not clearing out someone else's bank account to give a "loan" to an accomplice. Company president and CFO Ted Defeudis says ExpectID allows WikiLoan to do a thorough verification of the people involved within seconds instead of what used to be days.

While both of these examples are in the financial industry, ExpectID is really a horizontal solution that fits any industry that needs to know who they are dealing with before any relationship is ever established.

Poor Fido. So much for no one knowing he's a dog.
