Another data breach; another record fine
As another financial services provider is fined for not adequately protecting customer data, how can we expect the industry to make any significant inroads in the battle to protect customers against identity theft when they cannot even get the basics of secure data storage right?
As the fight against financial crime heats up in a bid to keep pace with increasingly sophisticated forms of attack, solution providers are trying to up the ante with increasingly sophisticated and varied means of combating the theft of personal information. Yet very few of these newfangled technologies actually appear to make it into real-world application: most of us are still using passwords to access our bank accounts and other financial and personal details, and basic encryption of confidential customer data at rest or in transit is still not being widely applied.
Some solution providers tout one-time passwords, which expire after a certain period, as being an antidote for password theft. That would certainly solve the issue of people having to remember their passwords or using the same password to access multiple sites, which makes those passwords more susceptible to being copied or stolen.
Experian, which enables people to check their credit reports, has just launched an identity verification tool for businesses that provides electronic verification and security by asking customers a range of randomly generated questions that only the genuine customer should know the answer to. The questions draw on Experian's vast database of current and historical data to provide a number of relevant and understandable questions for the applicant or customer to answer.
Experian believes that the detailed and robust level of questioning that its Identity IQ solution provides will give businesses added confidence that they are dealing with genuine customers. But the question is how customers are likely to respond to these questions. Will they be able to answer them easily, and should their personal information be used in such a way?
Once an individual is authenticated, they can set their own security questions for use in the next interaction. But while this may be a useful tool, it is undermined by the fact that corporate databases containing confidential customer data are not being adequately secured. One only has to look at the record £2.3 million fine that the Financial Services Authority recently imposed on Zurich Insurance following the loss of 46,000 customers' personal details, including identity details and, in some cases, bank account and credit card information, details about insured assets and security arrangements.
Until the industry gets the basics right (encrypting data or storing it on secure devices that are not easily removable), the latest whizz-bang technologies to combat identity theft and fraud are going to have only a limited impact. It's like giving fraudsters the combination to the safe and then acting surprised when they decide to open it.
Date Posted: 25th August 2010