Expanding Financial Access Means Expanding Security – How ‘Tokenization’ Could Be the Key
“Who are you?” may well be the world’s most frequently asked question. Whether it’s on a website or in front of a bank counter, everyone wants us to prove that we are who we say we are. Whilst citizens in developed countries often take identity for granted, in emerging markets governments are investing in building identity infrastructure that can be deployed to open bank accounts, order goods and services, file tax returns, receive government subsidies and more. Secure national identity is foundational to delivering the benefits of a program and democratizing access to the digital economy, where the bulk of transactions involve online interactions between remote entities.
For example, Aadhaar, India’s National Identification Program that now covers 99 percent of the adult population, is an open identity verification system that a range of applications can access. Likewise, in Nigeria, the National ID Program links customers’ biometrics-enabled bank verification numbers with their national identity cards and can be used for a range of payments, including ATMs and money transfers.
With the exponential growth in identity-dependent digital transactions, safeguarding identity credentials and preventing unauthorized access becomes exceedingly important to secure public trust. Identity theft is the primary mechanism for account takeovers, a severely damaging experience for the victim, especially when their identity is linked to financial instruments. In fact, compromised biometric data presents even greater difficulty as it is unique and, once lost, cannot be re-issued or reclaimed like traditional identification such as a PIN. It’s relatively easy to change a bank account or get a new credit card number, but issuance of a new national identity number, particularly for a poor person, is incredibly difficult.
Many identity issuers have adopted a multi-layered security model to secure a citizen’s identity. Current measures to safeguard identity include anything from basic access controls to advanced encryption techniques and use of hardware security modules for key management, backed by stringent risk monitoring, management and governance frameworks.
Typically, an identity exchange takes place among three parties:
- the individual,
- the issuer, which is usually an organization like a government agency, and
- the relying party, a bank or a telephone company conducting know-your-customer checks on the individual.
The growth in the number of relying parties means individual identity information is scattered across different databases, devices, platforms and networks, creating potential points of infiltration and interception, and opening the door for data breaches.
The challenges are compounded by varying levels of security and enforcement, and it requires only a single slip at one of the companies holding the data for information to be compromised.
Across enterprises, common security-related vulnerabilities include:
- Centralized Data Storage: The national identity data resides in a central database where other customer credentials are housed, providing easy access to sensitive information assets.
- Weak Access Controls: Lax and inadequate access controls, leaving data susceptible to unauthorized access.
- Security Misconfigurations: These misconfigurations can expose companies to data breaches.
- Broken Authentication: Inability to protect user credentials using hashing or encryption, exposing accounts to attacks.
Several incidents have come to the fore. For instance, Equifax, one of three main companies that monitor people’s credit in the U.S., was compromised by hackers, exposing the data of 143 million people, including people’s social security numbers. In November 2017, 200 government sites in India exposed Aadhaar numbers, including names and addresses of citizens, stoking worries that private information is vulnerable to hackers. In yet another incident, in October 2017, approximately 30 million identity numbers and other personal and financial information of South African citizens were hacked and leaked on the internet.
Tokenization in Action
Given the growing number of breaches and sophistication of attack vectors, existing fraud prevention measures need to be enhanced. In response to concerns from consumers, issuers are formulating regulations that require businesses to take appropriate care when handling personal data. The Unique Identification Authority of India, for example, has recently mandated all organizations to store Aadhaar numbers with a reference key to facilitate the broad adoption of consistent data security measures.
Tokenization is an emerging processing and authentication method. Substitution techniques like tokenization isolate data in a virtual vault, providing an additional layer of defense against data breaches. The concept is not new, having been successfully deployed by Apple Pay and Samsung Pay for mobile commerce transactions, and it can be extended to national identities. The ID vault can be hosted off-premise to mitigate costs for enterprises.
Tokenization de-identifies sensitive information, replacing sensitive identifying information with substituted credentials that appear as a random string of characters. So, if someone weasels into the enterprise’s system, all they see are randomly generated tokens. Further, any fraud attempt, or specific data breach, impacts a specific token (or domain), meaning re-issue is only required for that specific token (or domain). There is no impact on the underlying identity credentials resident at different service provider locations, mitigating the risk of fraud. In addition to end-to-end security, tokenization reduces compliance overheads, bringing the impact of a data breach within acceptable risk tolerance levels.
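A minimal sketch of the vault model described above, added here as an illustration and not taken from any issuer's or vendor's code. The `IdentityVault` class, the `bank.example` and `telco.example` domains and the all-zero identity number are assumptions made for the example; it shows each relying party holding its own random token and a breach at one party forcing re-issue for that domain only.

```python
import secrets


class IdentityVault:
    """In-memory stand-in for an ID vault (hypothetical; a real vault
    encrypts its store and sits behind strict access control)."""

    def __init__(self):
        self._by_token = {}   # token -> (domain, identity number)
        self._by_owner = {}   # (domain, identity number) -> token

    def tokenize(self, domain, id_number):
        """Return this domain's token for the identity, minting one if needed."""
        key = (domain, id_number)
        if key not in self._by_owner:
            token = secrets.token_urlsafe(16)  # random, not derived from the ID
            self._by_owner[key] = token
            self._by_token[token] = key
        return self._by_owner[key]

    def detokenize(self, domain, token):
        """Resolve a token, but only for the domain it was issued to."""
        entry = self._by_token.get(token)
        if entry is None or entry[0] != domain:
            raise PermissionError("unknown token or wrong domain")
        return entry[1]

    def reissue_domain(self, domain):
        """After a breach at one relying party, rotate only its tokens.
        Returns a mapping of old token -> new token."""
        rotated = {}
        for (dom, id_number), old in list(self._by_owner.items()):
            if dom != domain:
                continue
            del self._by_token[old]
            del self._by_owner[(dom, id_number)]
            rotated[old] = self.tokenize(dom, id_number)
        return rotated


def demo():
    vault = IdentityVault()
    nid = "000000000000"  # constructed placeholder, not a real identity number
    bank = vault.tokenize("bank.example", nid)
    telco = vault.tokenize("telco.example", nid)
    rotated = vault.reissue_domain("bank.example")  # breach at the bank only
    return vault, nid, bank, telco, rotated
```

The relying parties' databases hold only the tokens; the identity number never leaves the vault, and the telco's token keeps working after the bank's tokens are rotated.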
Transforming data using tokenization, however, presents challenges in the context of national identity numbers. Unlike credit cards’ Primary Account Numbers (PANs), national identity numbers do not follow a standard global format. For instance, unlike the first six digits of the PAN, which indicate the bank identification number (BIN) globally, the first 11 digits of the Aadhaar number are random numbers and the last digit is a checksum. A South African citizen’s identification number is a 13-digit number containing only numeric characters, and no whitespace, punctuation or alpha characters. The Nigerian National Identity Number consists of 11 non-intelligible numbers, randomly chosen and assigned to an individual upon enrollment.
If digital identity tokens are used as a payment instrument in the future, the underlying technology must be able to scale to support new use cases encompassing data in transit.
Outsourced tokenization systems, such as FSS Token Vault – created by my company – are designed to give companies access to sensitive data when they need it, without storing that data at rest. The solution supports preserving personally identifiable information, enabling companies to efficiently address objectives for securing and anonymizing sensitive assets.
Governments, companies and consumers have taken major steps toward financial technology access for many underserved people. But these efforts must be met with an equally intense focus on security, or risk the progress that fintech promises.