Blog article
See all stories »

Facebook isn't the problem - Identity is the problem

At an event in Indianapolis two weeks ago a banker in the audience ardently challenged me over the transparency of social networks and the subsequent risk of identity theft. There are a lot of identity theft specialists who will warn you of the risks of exposing your identity on social networks and the possibility of compromising your personal information. This is becoming a common bandwagon, that of the risk of exposure via social media – the big bad Internet is the real problem! How do we solve it? How do we educate our audience so they stop giving their personal information away?

The problem with this approach is that it is simply getting easier, not more difficult, to find out personal information about individuals and use this to create a bank account or similar based on their identity. The efforts of banks to ensure I am really me, are also getting more than a little ludicrous and frustrating. Recently I endeavored to open an account in the US with a global bank that I have a relationship with in two other countries. As part of the process of the KYC identity checking, I was asked to provide 3 months worth of bank statements from the account I held with the same bank in Hong Kong, along with proof of a permanent residential address. It turns out in the end that in order to satisfy the KYC criteria of the bank it was easier to get my father in Australia to open a utility account in my name, so that it would appear I had a permanent offshore address, even though I have not lived in Australia since 1999. I was forced to game the process because it was the only way my identity was acceptable from a policy perspective based on my passport.

Our notion of Identity, as embedded and enforced through KYC rules and bank policy, and our attempts to protect that fragile identity through firewalling personal details is laughable in today’s environment. The era of the identity based on a data profile is clearly at an end.

Complaining about transparency and social networks is counter productive

Phenomenon like social media and networks, increased transparency and visibility of your personal details and phishing attacks are not going away. The reality is that thinking that you can rein in social media so that it reduces the incidences of identity theft, is a fool’s errand. Educating customers on the perils of sharing their personal information is a loosing battle. There are two reasons for this:

  1. The amount of information we’re required to share online for registering at sites, etc and for service providers, means the risk of exposure through security flaws grows exponentially, and
  2. Y-Gen and Digital Natives, are increasingly choosing a much more transparent approach to their personal profile because they are comfortable with an increased level of exposure through social media, etc

The thought that I will stop registering for services and such online, or that one day soon digital natives will wake up and realize what a terrible mistake they’ve made by exposing their lives online through Facebook, Twitter, and Google+ - is simply naïve.

Too many logins

How many passwords do you have to remember? It has long be recognized by security experts around the world, that by nature of the way our memory works and the load of having to remember so many login details, that customers increasingly choose the same passwords and IDs for multiple properties. The problem is when you have ask me to remember more and more passwords, that this actually makes systems less secure over time.

The weakest link is actually the individual and our flawed memory.  If I use the same password at multiple sites, the risk of one system intrusion being responsible for the compromise of a range of websites increases.

We need better identity

The fact is, the systems we use today to verify someone’s identity are massively flawed based on growing exposure and increasing transparency of personal information. Data Privacy laws in various jurisdictions are a nice idea, but when the main risk of exposure is the customer themselves sharing information through a ‘phished’ website or at a site with weak security infrastructure, privacy is no longer a legal solution.

One of the banks I use recently called me to verify some transactions that had taken place on my debit card. Although they called me, I was required to verify my details with them to prove who I was – all the information they asked me was pretty easy to source (address, ID number, etc). The ironic thing was, that when I asked to verify who they were, they were incredulous – “But, we’re your bank!”. I could have been giving my details over the phone to an identity thief for all I knew. In the end they gave me a number to call back - although that could have easily been mimicked as well.

The solution – a better identity

The only way to change this is to create a digital identity construct that is far more secure than being based on data that could be readily stolen, phished, compromised or willingly given by accident. We need to create an identity based on characteristics that are much more difficult to compromise. The only current technology that would seem to provide that security is biometrics.

Banks as an industry and government themselves are in a unique position to provide this layer of trusted identity management. They already have strong security platforms, broad availability, strong data management policies, and the ability to capture the biometric data points.

In reality though, the likelihood is that someone like Facebook or Google would be more likely to create a common identity platform because they understand that customer behavior means you can’t prop-up an outdated, outmoded KYC and identity model. It’s just one more reason why banks in the future are unlikely to own the customer.


Comments: (3)

John Dring
John Dring - Intel Network Services - Swindon 22 August, 2011, 11:27Be the first to give this comment the thumbs up 0 likes


Another great Blog - I like this one because I bet most readers have had to do the exact same things - play the 'system', duplicate passwords, one-way trust conversations, deciding how much data to share online etc. 

There was a 'perfectly good' concept of digital identity based on Public Key Infrastructure, but the implementations of it proved fragile.  Biometric meets with much scepticism although many of us use retina scans, fingerprints, hands, veins, even voice routinely to identify ourselves.

Banks seem to prefer the gadget ridden OTP approach, forcing customers to fiddle with tech to set up new payees or do anything important. Payments Providers 3D secure VbV and SecureCode checks are painful and seem insecure to me, designed only to offload liability to the customer, while adding another attack point for fraudsters in the process.

Someone, probably online, will create an acceptable digital passport which becomes acceptable across disparate services.  Not sure it will be FB, but Google might yet succeed.  Banks are too insular.


Brett King
Brett King - Moven - New York 22 August, 2011, 13:40Be the first to give this comment the thumbs up 0 likes


Agree. The path to a solution for this probably lies in a data organization or a new start-up that works to bridge the gap.

It needs someone like Google though with the power to bring disparate parties together. Banks are too insular and the players like Visa, Mastercard, SWIFT that might be able to provide a platform of some sort will be too concerned with owning it that it would never get widespread acceptance...


Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 23 August, 2011, 18:54Be the first to give this comment the thumbs up 0 likes

Recently, even I had the chance to reverse the table on a bank when they called me to reconfirm my credit card reward redemption order. After years of answering stupid ID verification questions whenever I've called them, it was great fun this time to flatly refuse to answer any of their questions to me and instead make them answer a few of mine to prove their ID to me! 

Brett King

Brett King

CEO & Founder


Member since

14 Apr 2010


New York

Blog posts




More from Brett

This post is from a series of posts in the group:

Online Banking

This community is for discussion of developments in the e-banking world, including mobile banking. This can include all the functional, business, technical, marketing, web site design, security and other related topics of Internet Banking segment, including public websites of the banks and financial institutions across the globe.

See all