My name is Priya Sarathy. I started volunteering with WiD 7 months ago. I have been connected with the financial services industry for 10+ years. Identity and Fraud has been a key theme I have worked on as a data scientist, industry consultant, and more recently as a data product leader at a fintech. After listening to WiD's interview with Rola Turk, I learnt more about Identity Access Management (IAM).
Oftentimes, ID & Fraud terms can be confusing. In this short write-up I wanted to share my perspective on IAM, which is a role born from securing access to data containing enterprise information, vs. Identity Authentication, which is a service provided to external customers. Both are susceptible to fraud!
Identity Authentication vs. Identity Access Management (IAM)
From birth to death, an individual becomes linked to many pieces of personal information, and this data defines that individual's identity. From the moment you are born, your name is linked to your parents, your date of birth, and the location where you were born through a birth certificate! The information in the document authenticates you as the person entering school, getting immunization shots, entering college, registering your marriage, or joining your first job. At each step, you create additional documents that are linked to you: your health care profile, your education profile, and your job profile. With the growth in online digital transactions, we are also creating our ‘digital profile’. The digital profile is created through your participation in social media platforms (Meta, Instagram, Snapchat, Reddit, etc.) and through online interactions such as searches, product or service purchases, and accessing your banking or mortgage accounts online. Your touchpoints, behavioral patterns, and channels (your IP, device ID, email, etc.) can be extracted to identify you in the digital space.
Why is this important to think about?
A significant part of our identity resides in our smartphones: the device ID, the credit card information in our wallet, pictures with your face, IM, mail/email, etc. Sometimes this smartphone makes you most vulnerable. Several years ago, a fraudster stole my son’s iPhone at a bar. It hit us a day later when we saw that someone had opened an Apple Card account on his mobile wallet and charged $60K to the account. How was the account authenticated? How did Apple issue a new account without speaking to my son? The phone was unlocked! This gave the fraudster a chance to commit the crime easily, probably using the OTP code sent to his device to authenticate the request. Had there been more rigorous identity authentication, such activities may not have happened.
Identity authentication uses one or more facts associated with you to verify your digital identity.
This happens when you log in to an account, whether for online banking, retail purchases, or signing up for a service. Multi-factor authentication (MFA) is one way to address the challenge. With digital crimes like my son’s, both the companies using online platforms and you as a user need to review authentication processes. Think about the smart chip embedded in your driver’s license, your credit card, or your passport. A document and device are corroborated with an in-person image; this is used by TSA officials at the airport. Other features are now being used to improve digital authentication, as shown in the image below.
Identity access management (IAM) is concerned with the access within an enterprise to secure data, processes, and applications.
Consider what happens when you swipe your credit card. Your transaction is linked to a name, an account number (a checking account number, say), an address, your SSN or other national ID, and your date of birth. If this information were to get into the hands of someone else, they would be able to assume your identity! The financial burden of identity theft can be significant if it is not discovered. The control and management of employee and customer information is the responsibility of the company storing it. If the company is open to fraud vulnerabilities, these can cascade into fraudulent activities outside the company. Other vulnerabilities like security patch updates and virus infiltration can create channels for fraudsters to access enterprise systems.
Why do enterprises care about IAM?
Enterprise risk and security frameworks oversee these processes to ensure that data or information is not leaked, hacked, or mishandled by internal or external resources. The stiff penalties imposed by regulatory agencies and the reputational damage that follows an incident can be detrimental to the business. With access to aggregated consumer profiles, the scale of fraud that can be perpetrated is far greater than in a single 1-to-1 fraud event. Identity access management safeguards customers like us from potential identity theft. IAM sets up the peripheral and internal protection against access to such data.
Read more about digital identity in the World Bank’s report, Digital Identity: Towards Shared Principles for Public and Private Sector Cooperation.
Inclusion in Identity and IAM is essential. Read more about Women in Identity’s research here:
Human Impact of ID Exclusion Report
Literature Review – A Summary of the latest ID Inclusion research
Women in Identity Research is funded by our generous sponsors. If you are interested in being involved in sponsorship, please email: info@womeninidentity.org
WiD’s Canadian Ambassador, Rola Turk, is leading the charge in IAM at the Royal Bank of Canada.
Written by Priya Sarathy