Solving CEO Fraud with 3 New Identity Solutions

Heather Vescent
In Present Tense
4 min read, Oct 29, 2019


How could fraudsters convince the CEO and CFO of the Dutch company Pathé to transfer almost 20M Euros to them? It wasn’t rocket science — the criminals used known cyberattack methods: spearphishing, social engineering, and fraudulent documentation to make their case. We were conducting research for a DHS Cybersecurity award on digital identity market gaps in the banking sector when a subject matter expert told me this story.

CEO fraud is also known as Business Email Compromise (BEC). According to a September 10, 2019 PSA by the FBI, it is worth $26 billion to criminals, and reported losses have increased 100% over the past 14 months. The Pathé story is one of the largest publicly reported cases — most of these losses go unreported. No one wants to admit they’ve been conned.

Cybercrime has a direct GDP cost of $275 billion according to a RAND report, and it’s not going down anytime soon. Attack vectors are increasing — the Wall Street Journal reported an unusual case where criminals used AI technology to impersonate a CEO’s voice and convince a subsidiary company to transfer $243k to the criminals’ bank accounts.

This is a complex problem and companies, banks, and governments must work together to solve it.

Take our CEO Fraud survey.

A Complex Problem

A company is its own legal entity, but it authorizes individuals to take action on its behalf. These authorized individuals can conduct financial transactions at a bank. Many corporations have subsidiaries that operate in different countries — it’s easier for a local subsidiary to follow local laws and regulations, which often differ from those of the parent company’s home jurisdiction. To make things more complex, these subsidiaries may have bank accounts and business relationships with companies in multiple national jurisdictions and transfer funds across borders — for the subsidiary’s own activities and, in some cases, on the direction of the parent company.

Banks have well-designed processes to verify the identity of authorized individuals in order to comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations, but this verification is costly and has limits.

Three Solutions

Our research identified three potential solutions for using blockchain, verified credentials, and decentralized identifiers to decrease risk and compliance costs, while increasing trust in legal identity.

  1. Establish an international consensus for organizational KYC identity standards, a kind of G8 of KYC. Companies could use decentralized identifiers (DIDs) to obtain a digital endpoint for their verified data. The data associated with a DID can be self-asserted by a company and/or verified by a government or legal entity (for example, an EIN or VAT tax code).
  2. Develop a verifiable-credentials-based ledger system for corporate ownership and shareholder tracking. If shareholding is reported to a shared ledger, it becomes visible who owns a company and what percentage they hold. This would speed up KYC checks, decrease costs, and increase transparency.
  3. Corporations could use verifiable credentials, issued by the corporate entity to authorized individuals, that contain the rights those individuals have been delegated. These credentials are presented to the respective institutions (such as a bank), which then authorize the individual to take actions. Since these credentials are digitally native, they can be updated in real time, at least in principle.

These ideas become more powerful when companies, governments and businesses work together to create a “Business Web of Trust.”

Legal entities have numerous kinds of identity information, starting with the initial business or tax ID code (EIN in the US or VAT in the EU). With this initial identification, businesses can obtain additional identifiers, such as bank accounts, a CAGE code, or a D.U.N.S. number. Corporations may have their own internal identification systems to manage vendors and suppliers. And businesses may transact with many subsidiaries, especially in the supply chain and logistics sector.

Verifiable credentials, decentralized identifiers (DIDs) and distributed ledgers make it possible to issue and exchange digitally native credentials. Companies can self-issue corporate data, collect and share verified data, and keep the information up to date.

Today each business must verify corporate identification information separately, which takes time and financial and human resources. For example, a corporation may have several bank accounts, and each bank must verify the KYC and authorization data individually, so three banks may end up verifying the same set of data from a single company. With a business web of trust, a company opening a new bank account at Bank C could present its verified credentials from Bank A, Bank B, the US Government, and the Secretary of State. Bank C would still need to run its own checks, but the process would be faster and less costly.
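To make the delegation credential of solution 3 and the issuer-trust idea of the business web of trust concrete, here is an added example (not code from the original article or from any of the projects it mentions). The DIDs, keys, rights and amounts are constructed; an HMAC keyed with a per-issuer secret stands in for the issuer's public-key signature so that the example runs on the Python standard library alone, and `trusted_issuers` models which issuers a given bank accepts.

```python
import hashlib
import hmac
import json

# Constructed issuer keys for hypothetical DIDs. An HMAC with a per-issuer secret stands
# in for the issuer's public-key signature so the example runs on the standard library.
ISSUER_KEYS = {
    "did:example:acme-corp": b"acme-corp-signing-key",
    "did:example:bank-a": b"bank-a-signing-key",
}
# Revocation registry the issuer updates in real time (e.g. when an officer leaves).
REVOKED = set()

def sign(cred):
    """Sign every field except the proof itself, serialized in canonical order."""
    body = json.dumps({k: v for k, v in cred.items() if k != "proof"}, sort_keys=True)
    return hmac.new(ISSUER_KEYS[cred["issuer"]], body.encode(), hashlib.sha256).hexdigest()

def issue(issuer, subject, rights, max_amount, expires, cred_id):
    """The corporate entity delegates named rights, with a limit, to one individual."""
    cred = {"id": cred_id, "issuer": issuer, "subject": subject, "rights": sorted(rights),
            "max_amount": max_amount, "expires": expires}
    cred["proof"] = sign(cred)
    return cred

def verify(cred, trusted_issuers, now):
    """Bank-side checks: accepted issuer, intact signature, not revoked, not expired."""
    if cred["issuer"] not in trusted_issuers or cred["issuer"] not in ISSUER_KEYS:
        return False, "untrusted issuer"
    if not hmac.compare_digest(sign(cred), cred["proof"]):
        return False, "bad signature"
    if cred["id"] in REVOKED:
        return False, "revoked"
    if now > cred["expires"]:
        return False, "expired"
    return True, "ok"

def authorize_transfer(cred, presenter, amount, trusted_issuers, now):
    """Approve a wire only when the presenter holds a valid credential for that right."""
    ok, reason = verify(cred, trusted_issuers, now)
    if not ok:
        return False, reason
    if cred["subject"] != presenter:
        return False, "presenter is not the credential subject"
    if "wire_transfer" not in cred["rights"]:
        return False, "wire_transfer right not delegated"
    if amount > cred["max_amount"]:
        return False, "amount exceeds delegated limit"
    return True, "authorized"
```

A request that arrives by e-mail or phone in the CEO's name carries no credential at all, so it fails at the first check; a stolen credential presented by someone else fails the subject check, and one that has been revoked since issuance fails immediately because the registry is consulted at transfer time.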

As we conduct more of our critical business activities online, our identity systems must evolve to enable real-time trusted business relationships. Verifiable credentials, decentralized identifiers, and distributed ledgers are new technologies that have the potential to reduce costs while increasing the security of business identity.

Heather Vescent is President of The Purple Tornado, a strategic intelligence company tracking the future.