“It is not a bad idea to type “data breach” into Google News once a day to see who the latest victim has been.”
That’s the foremost piece of advice to suspected victims of credit card fraud found in a recent Forbes article. So extensive is the vulnerability of our data that the best we can do for victims is to shrug, suggest they sit tight and hope for the best. That’s little help to the now reported 700,000 Brits who had 15 million data records stolen in the Equifax breach earlier this year, or the 57 million Uber accounts we now know were hacked last year.
But with the launch of Yoti, we have a proactive solution to the problem. Because despite what the pundits say, the Pandora’s Box of personal data can be sealed again.
Yoti fixes what is otherwise a depressingly difficult problem to solve: it helps users reclaim control, no matter who has their personal data. With our most personal information attached to verified digital identities, and businesses relying solely on accepting verified digital identity details, we make our data useless if it falls into the wrong hands.
I can explain. John Doe is one of the sorry 143 million who had their personal information stolen in the Equifax hack. John cannot protect himself from identity theft by changing his date of birth. And changing his name and moving home is an inconvenience to say the least.
Any devious hacker could pay a few pence to buy John’s data and use it to create an account with a username and password login. Receiving the data, the website will verify it against an identity provider, like Equifax or Experian, resulting in a match. And with that, John’s identity is, unbeknown to him, ripe for exploiting and there is nothing he can do about it.
Until now, that is. With Yoti, John Doe can take control of his data by downloading the free Yoti app and creating his own digital identity. He verifies his personal information with a government photo ID, like a passport or driving licence, that is matched to both a selfie and live video. This one-off live video requires John to record himself saying three randomly generated words to be sure it’s the real John Doe and not a video, photo or mask of John Doe. Everyone who wants to set up a Yoti has to do this.
Yoti uses leading facial recognition software as well as human checks by a trained team, carried out in a secure ‘cleanroom’, to ensure the selfie and video match the photo ID, and that the document is authentic.
John is now set up with a verified digital identity only he can control. This is because the unique private encryption keys that are needed to gain access to his identity details are placed on his phone. No one else can access his identity details without his phone, his PIN code and his biometrics — even Yoti can’t.
Any business can easily integrate with Yoti to receive verified data. Given the logic and popularity of the solution, it will become increasingly unacceptable for businesses to accept self-asserted attributes entered into a web form in the half-hearted hope that it is the right person entering the details, and not an identity fraudster.
Any hacker with John’s data will, in years to come, find it increasingly difficult to exploit that data because they cannot transfer the details through John’s digital identity on his phone.
Businesses relying solely on checking data against traditional, or even new, identity provider databases will not gain the assurance they need that the person submitting personal data is the rightful owner of it. The hacker will hit more and more dead ends. The data our hacker bought in the breach becomes increasingly useless and John sleeps more comfortably again.
This isn’t a utopian vision for data security some 10 or 20 years away. It’s here now.
People are voting with their fingers in the app stores. To date, more than 160,000 people from around the world (over 100,000 in the UK) have downloaded Yoti. Consumers can download the free app and create a Yoti in a matter of minutes. Once set up, proving their age or verifying their identity details takes just seconds.
Businesses Yoti is already working with include Worldpay, NSPCC, Axa Healthcare, NHS Ipswich Hospital, Jagermeister, Deltic (the UK’s largest nightclub chain), Reed and Freeads. Businesses can integrate with Yoti in 10 minutes using one of our Plugins (WordPress, Joomla and Drupal), or Yoti Pages with no technical resource required. For larger businesses, integration via one of our seven SDKs takes just 2 to 3 hours.
In time, more and more regulators will get tougher on businesses that overly rely on increasingly ineffective, unverified identity checks instead of digital identities like Yoti’s. With that, regulators will monitor whether fraud rates plummet where quality digital identities are used and remain unacceptably high elsewhere, where form filling is still in place.
With GDPR nearly upon us, businesses must start to take responsibility and financial liability for losing customers’ data through poor security. When the story broke that Uber had covered up a massive 57 million account data breach, it attempted to assure customers and employees that it did not believe any fraudulent activity was occurring on its platform. Which of course is not reassuring at all. It’s on other platforms that the fraud will be committed.
I know it’s hard to believe, but all is not lost. There is a silver lining to these data hacks. Our data belongs to us, and now it’s time to take it back.