Yesterday, Marriott, the 3rd largest international hotel chain in the world announced it had exposed the personal information of an estimated 500 million people. The information leaked by the company included names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, and more.
500 million is a ridiculous number of people, so let’s quickly put that in context. 500 million is roughly 6.5% of Earth’s population, 1.5 times the population of the United States, or enough people to fill Madison Square Garden 24,000 times. Marriott’s data breach is second only to Yahoo’s 2016 breach, which exposed the data of an estimated 3 billion users.
Mass scale data leaks seem to be the new normal. Between Marriott, Equifax, Yahoo, and others it’s safe to assume your data is easily accessible to anyone who wants it. Data leaks, such as this one, are one of the major reasons we founded Passbase in the first place.
The reason data breaches are so harmful is that the more information someone knows about you, the easier it is to impersonate you and thus steal your identity. That’s why we at Passbase aim to help companies neutralize this threat from two different angles:
- Harm Reduction: Reduce the harm someone can cause using your stolen personal data
- Prevention: Reduce the amount of personal information companies store about you
(1) Harm Reduction
Reduce the harm someone can cause using your stolen personal data
To understand how we can reduce harm, first we need to understand how leaked data can be used to cause damage. The type of data leaked by Marriott can be used to impersonate you online and cause major social and financial damage: opening credit cards, taking out loans, accessing sensitive or damaging personal information, and so on. The more information a hacker knows about you, the more successfully they can outsmart the existing identity verification methods.
You may not be familiar with the identity verification industry, but you are definitely familiar with many of its methods. The goal of the industry is to put checks in place to ensure you are who you say you are AND ensure you are a real person. Most companies employ a mix of the following strategies to do this:
- Knowledge-Based Authentication: Ask you something only you should know (E.g. Mother’s Maiden Name)
- Database Verification: Check to make sure the information you provided matches a verified database (E.g. Credit Bureau)
- Two-Factor Authentication: Check to make sure you have access to something else only you should have access to (E.g. Phone Number, Email Account)
- Online Identity Verification: Check your biometric signature and ensure it matches a government ID or other database (E.g. FaceID)
As more and more data breaches occur, Knowledge-Based Authentication (KBA) and Database Verification become less and less effective. It’s quite simple. As more data about you is made public, whether via social media or data breach, the probability that someone can impersonate you goes up. Database verification has become increasingly challenging since so much of our personal data is now public. Equifax, one of the databases used to check data against, was even breached. The future of these methods does not, in my opinion, look bright.
Two-factor authentication (2FA) is another mechanism used to protect existing accounts against hackers. Companies such as Duo, Okta, and Auth0 have built huge businesses around helping other companies secure their users’ accounts. 2FA, however, is ineffective against fraudulent account creation. This is because the second factor used to authenticate the user is collected at sign up. For example, a four-digit code is sent via text message to the phone number you entered at sign up, so it only proves the account creator controls that number, not that they are who they claim to be.
So this leaves Online Identity Verification, the primary method used by Passbase, to help companies protect their platform from fake and fraudulent accounts. This method is the digital equivalent of showing a bouncer your ID to enter a bar or showing a TSA agent your passport to board a flight. Using machine learning, we check to ensure your ID is real, and that you match the picture on the ID. This method is not a silver bullet BUT it does help companies prevent bad actors from creating fake accounts with leaked information.
In a world where most of our personal information is becoming public, our goal is to give companies the tools they need to easily integrate online identity verification. This will help keep your digital identity secure even as these mass scale data breaches continue to occur.
(2) Prevention
Reduce the amount of personal information companies store about you
To understand how to prevent data breaches, first we have to understand why these massive databases of personal information exist in the first place. So why do companies collect all this information about you?
Companies collect data about you for three primary reasons:
- To improve your product experience by increasing personalization
- To improve targeted marketing
- To verify your identity
We can debate the merits of giving your data away for the sake of an improved product experience or marketing. This is the deal we have made with most of today’s technology titans. Google, Facebook, and Amazon all know a huge amount of information about us, but they also use this information to build great personalized product experiences. This type of data collection is up for debate… but not in this article.
Today, I want to focus on the second, more boring, type of data that companies collect about us: the information collected to verify your identity. This data is far less useful to companies and, yet, is far more damaging to consumers if allowed to leak. I don’t care very much if Facebook leaks my favorite football team; you can’t do much damage with that information. However, when Equifax leaks my social security number or Marriott leaks my passport number, we are in much more dangerous territory.
That’s why we are developing a cryptographic method to ensure (1) the information you provide to a company has been previously checked against an ID and (2) that you are the true owner of the information being provided. This concept allows for what we call zero-knowledge authentication, where you can give a company a small amount of information (E.g. First Name, Last Name) along with evidence that your information has been previously checked (E.g. a cryptographically secured token). This structure will allow businesses to collect less personal information about you, while still being confident that you are who you say you are. This is where we believe the future of identity verification is heading.
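To make the two guarantees above concrete, here is an added illustration of the general pattern (it is not Passbase’s method or code, and the design choices are mine): an issuer who has checked an ID signs a commitment to every attribute, the holder later reveals only a chosen subset together with the salts needed to reopen those commitments, and the relying party checks the issuer’s signature, the opened commitments, and a fresh-nonce signature from the holder’s key. It assumes Ed25519 signatures, SHA-256 salted hash commitments, and the Issue/Present/Verify names, which are all my own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Credential is what the issuer returns after the ID check. It commits to every
// attribute (one salted hash each) but contains none of the values themselves.
type Credential struct {
	Leaves    [][]byte          // salted attribute hashes, in sorted attribute-name order
	HolderPub ed25519.PublicKey // key the credential is bound to
	Sig       []byte            // issuer signature over root(Leaves) || HolderPub
}

// Disclosed is one attribute the holder chooses to reveal, with the salt that reopens its leaf.
type Disclosed struct {
	Name, Value string
	Salt        []byte
}

// Presentation is what the relying party receives: a few attributes, the credential,
// and a signature over the relying party's nonce proving control of HolderPub.
type Presentation struct {
	Cred      Credential
	Disclosed []Disclosed
	NonceSig  []byte
}

// leaf = SHA-256(salt || name || 0x00 || value); the salt stops guessing of undisclosed values.
func leaf(name, value string, salt []byte) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" hash differently
	h.Write([]byte(value))
	return h.Sum(nil)
}

// root hashes all leaves in order; the issuer signs this single value.
func root(leaves [][]byte) []byte {
	h := sha256.New()
	for _, l := range leaves {
		h.Write(l)
	}
	return h.Sum(nil)
}

// Issue runs on the issuer side after the document check. It returns the credential
// and the per-attribute salts, which only the holder keeps.
func Issue(issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, attrs map[string]string) (Credential, map[string][]byte) {
	names := make([]string, 0, len(attrs))
	for n := range attrs {
		names = append(names, n)
	}
	sort.Strings(names)
	salts := make(map[string][]byte, len(attrs))
	leaves := make([][]byte, len(names))
	for i, n := range names {
		salt := make([]byte, 16)
		rand.Read(salt)
		salts[n] = salt
		leaves[i] = leaf(n, attrs[n], salt)
	}
	msg := append(root(leaves), holderPub...)
	return Credential{Leaves: leaves, HolderPub: holderPub, Sig: ed25519.Sign(issuerPriv, msg)}, salts
}

// Present runs on the holder side: reveal only the named attributes and sign the nonce.
func Present(cred Credential, holderPriv ed25519.PrivateKey, attrs map[string]string, salts map[string][]byte, reveal []string, nonce []byte) Presentation {
	p := Presentation{Cred: cred, NonceSig: ed25519.Sign(holderPriv, nonce)}
	for _, n := range reveal {
		p.Disclosed = append(p.Disclosed, Disclosed{Name: n, Value: attrs[n], Salt: salts[n]})
	}
	return p
}

// Verify runs on the relying party side; it never learns undisclosed attributes.
func Verify(issuerPub ed25519.PublicKey, p Presentation, nonce []byte) bool {
	msg := append(root(p.Cred.Leaves), p.Cred.HolderPub...)
	if !ed25519.Verify(issuerPub, msg, p.Cred.Sig) { // (1) attributes were checked by the issuer
		return false
	}
	if !ed25519.Verify(p.Cred.HolderPub, nonce, p.NonceSig) { // (2) presenter owns the bound key
		return false
	}
	for _, d := range p.Disclosed { // each revealed value must reopen one committed leaf
		want := leaf(d.Name, d.Value, d.Salt)
		found := false
		for _, l := range p.Cred.Leaves {
			if bytes.Equal(l, want) {
				found = true
				break
			}
		}
		if !found {
			return false
		}
	}
	return true
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample attributes; the passport number is never sent to the relying party.
	attrs := map[string]string{"first_name": "Ada", "last_name": "Lovelace", "passport_number": "X0000000"}
	cred, salts := Issue(issuerPriv, holderPub, attrs)
	nonce := []byte("relying-party-nonce-1")
	p := Present(cred, holderPriv, attrs, salts, []string{"first_name", "last_name"}, nonce)
	fmt.Println("presentation valid:", Verify(issuerPub, p, nonce))
}
```

The relying party stores only the two disclosed fields and the credential, so a breach of its database does not expose the passport number, yet it still has issuer-signed evidence that an ID check took place and that the presenter controls the key the credential was issued to. A production design would add expiry, revocation, and a binding of the nonce to the relying party’s identity; those are omitted here for clarity.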
With new regulations such as PSD2 requiring more companies to implement strong user identification, we believe companies must rethink how they are collecting and storing this personal information so that, together, we can prevent more breaches like Marriott, Yahoo, and Equifax.
We at Passbase help companies painlessly verify their users’ identities using AI-driven facial recognition and document scanning, all available through a simple-to-integrate SDK.
Visit our website and check out our demo of how we can help to prevent fraud, data breaches, and fake accounts.
Passbase (www.passbase.com) is building the first self-sovereign identity platform backed by verified government documents, linked social media accounts, and biometric signatures. This allows people to securely & privately share their login credentials and verified government documents with the companies that need them.