Open Identity Exchange - 378
[Diagram: Working Group - Legal Considerations. Ecosystem participants: Relying Party, Broker, ID Provider. Fraud control areas: Fraud Controls, Internal Risk Management, Information Sharing, Evidence Fraud.]
Fraud controls

Touchpoint columns: Registration, Logon, Account Update, Helpdesk (listed twice in the original table). Channel columns: Webchat, Phone, Face to face, Video chat, Text, Email. The Y marks for each control are kept as they appear; their assignment to individual touchpoint and channel columns is not recoverable from the extracted layout.

| Category | Control | Description | Y marks |
|---|---|---|---|
| Known Fraud | (category) | Checks to establish any known links to fraud pre/post registration or in the new evidence being provided. Should include a check on whether the individual has been a victim of fraud. | y y y y y y; Y Y |
| Known Fraud | Cross sector data sharing scheme (e.g. Cifas NFD) | Participating organisations submit fraud cases to a central database, which is then searchable by participating organisations at point of need, flagging where names, addresses, contact details, financial details etc. have been involved in fraudulent conduct previously. | Y |
| Known Fraud | Supplier specific sharing schemes | Data sharing offered by suppliers of fraud control software, allowing sharing of relevant data items across other users of the software, e.g. Iovation device identifiers. | Y |
| Known Fraud | Internal screening | Checking supplied data against data already held by the organisation marked as fraudulent, e.g. local Hunter/SIRA. | Y; Y Y |
| Known Fraud | E-Mail | E-mail linked to known fraud, suspicious domains. | Y Y |
| Known Fraud | Account Takeover | Compromised credentials associated with known fraud. | Y Y |
| Known Fraud | Evidence Verification | Evidence presented/being updated is known to be associated with known fraud, synthetic identity or compromised identity. | Y Y |
| Device Risk | (category) | Can the device be linked to other registrations, or to known fraud/suspicious device characteristics? | Y Y |
| Device Risk | Malware/session risk check | Check device for malware and session/connection risk, e.g. Trusteer or Retrust. | Y Y; ? Y Y |
| Anomaly Detection | (category) | Are there discrepancies in key information or location (inc. liveness test of biometric image capture)? | Y Y (partially); y (update/step-up) Y Y |
| Anomaly Detection | SIM Swap | Verification that the number/device has not been compromised. | Y |
| Anomaly Detection | Inconsistency screening | Checking supplied data against data already held by the organisation from previous applications/accounts, e.g. local Hunter/SIRA. | Y; Y; Y |
| Anomaly Detection | Call acoustics check | Checking that the call acoustics match the situation provided by the caller/phone/location, e.g. Pindrop. | Y Y |
| Anomaly Detection | Liveness check | Check that the image provided is live/not a stock image; check that the voice is live. | Y Y |
| Anomaly Detection | CRA/Electoral roll check | Validating address history/financial conduct provided against data held at CRAs/on the electoral roll. | Y Y |
| Anomaly Detection | Synthetic Identity | A number of different elements of the ID not fitting together correctly will indicate a synthetic ID. | |
| Velocity Detection | (category) | Velocity thresholds need to be set. Consideration needs to be given to multiple users legitimately sharing one device. | Y |
| Velocity Detection | Credential Stuffing | Number and velocity of attempts. | Y |
| Velocity Detection | Device frequency | Flag multiple connections from the same device in a short space of time. | |
| Velocity Detection | Data attribute frequency | Check repeated rapid presentation of the same data attribute, e.g. IP, mobile, email address. | |
| Velocity Detection | Fraud Networks | Creation and scoring of networks of potentially fraudulent IDs or attempts to create IDs. | |
| Evidence Verification | (category) | Verification of (the change to) account/user evidence. Is the new evidence linked to any other transactions or known fraud? | Y Y |
| Evidence Verification | Liveness | Indicator(s) that physical presentation is "live" and not a static copy or forgery. | Y |
| Evidence Verification | Document inspection | Physical examination of document, either by human or scanner. | Y; Y |
| Evidence Verification | Check with issuing body | Check documents against details held at the issuing body. | Y |
| Evidence Verification | Check evidence against chip | Read chip to match data on documents against those held on the chip. | Y |
| Evidence Verification | Algorithm validation | Ensure the algorithm correlates to data on the document. | Y |
| Evidence Verification | Failure (repeated) of Evidence Checks | User fails an evidence check that they should pass. This could be indicative of a fraud attempt, especially repeated failure. Mitigating action is required. | |
| Behavioural discrepancies and Risks | (category) | Behaviour of individual not 'realistic' or linked to other registrations/known fraud. | Y Y Y |
| Behavioural discrepancies and Risks | Data Entry Inconsistency | e.g. data entry characteristics (typed / copy-paste / speed / tapping / how device is held). | Y Y |
| Behavioural discrepancies and Risks | Behavioural biometric check | Validate device interaction against known behaviour. | Y; Y Y Y Y |
| Behavioural discrepancies and Risks | Physical behaviour risk indicators | Voice stress/tone, nervousness/confusion/agitation. | Y |
| Risk indicators | (category) | Checking of external data sets to highlight any areas of increased fraud risk – e.g. mortality, redirection, email address age etc. | Y Y Y |
| Risk indicators | Compromised Credentials | Use of common or compromised credentials. | Y Y Y |
| Risk indicators | Gone Away check | Check if the individual is a known 'Gone Away' at the address. | Y Y |
| Risk indicators | Mail redirection/keepsafe check | Check mail is not being held back from the given address. | Y Y |
| Risk indicators | Phone contract age check | Check recency of contract inception. | Y Y |
| Risk indicators | Email age check | Check recency of email address creation. | Y Y |
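The Velocity Detection controls in the table above (velocity thresholds, credential stuffing, device frequency, data attribute frequency) all reduce to the same mechanism: a sliding window of recent events keyed on one attribute, with an alert when the count in the window exceeds a threshold. The Python below is an added example written for this page; it is not code from the Open Identity Exchange or its working group, and the event fields, rule names, thresholds and the sample event stream are all constructed assumptions. It also shows one way to honour the shared-device consideration: the device rule counts distinct accounts over a long window with a threshold set above a typical household, so a family tablet used by four people does not fire while the same number of failed logons against many accounts from one IP does.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One touchpoint interaction (hypothetical schema, constructed for this example)."""
    ts: float          # seconds since an arbitrary epoch; events are fed in time order
    touchpoint: str    # "registration", "logon" or "account_update"
    outcome: str       # "success" or "failure"
    device_id: str
    ip: str
    email: str
    account: str


@dataclass(frozen=True)
class Rule:
    name: str
    key: str                          # Event attribute the window is keyed on
    window_s: int                     # sliding window length in seconds
    threshold: int                    # alert when the count exceeds this
    distinct_accounts: bool = False   # count distinct accounts instead of raw events
    touchpoint: Optional[str] = None  # only events at this touchpoint feed the rule
    outcome: Optional[str] = None     # only events with this outcome feed the rule


class VelocityDetector:
    """Sliding-window velocity counter: one window per (rule, key value)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self._windows: Dict[str, Dict[str, Deque[Tuple[float, str]]]] = {
            r.name: defaultdict(deque) for r in rules
        }

    def observe(self, ev: Event) -> List[Tuple[str, str, int]]:
        """Feed one event; return (rule name, key value, count) for every rule it trips."""
        alerts = []
        for r in self.rules:
            if r.touchpoint is not None and ev.touchpoint != r.touchpoint:
                continue
            if r.outcome is not None and ev.outcome != r.outcome:
                continue
            key = getattr(ev, r.key)
            window = self._windows[r.name][key]
            window.append((ev.ts, ev.account))
            while window and ev.ts - window[0][0] > r.window_s:
                window.popleft()  # evict entries that have aged out of the window
            if r.distinct_accounts:
                count = len({acct for _, acct in window})
            else:
                count = len(window)
            if count > r.threshold:
                alerts.append((r.name, key, count))
        return alerts


# Illustrative thresholds (assumptions, to be tuned per touchpoint and channel).
RULES = [
    Rule("credential_stuffing", key="ip", window_s=300, threshold=10,
         touchpoint="logon", outcome="failure"),
    Rule("device_many_accounts", key="device_id", window_s=86400, threshold=4,
         distinct_accounts=True, touchpoint="logon"),
    Rule("device_registration_burst", key="device_id", window_s=3600, threshold=2,
         touchpoint="registration"),
    Rule("email_reuse", key="email", window_s=600, threshold=1,
         touchpoint="registration"),
]


def build_sample_events() -> List[Event]:
    """Constructed event stream: one legitimate shared device, one stuffing burst, one e-mail reuse."""
    evs = []
    # A: a family tablet, four household members logging on over one day (legitimate sharing).
    for hour, acct in [(0, "alice"), (2, "bob"), (5, "carol"), (9, "dan"), (11, "alice")]:
        evs.append(Event(hour * 3600, "logon", "success", "dev-family",
                         "198.51.100.10", f"{acct}@example.com", acct))
    # B: twelve failed logons against twelve different accounts from one IP within 60 s.
    base = 12 * 3600
    for i in range(12):
        evs.append(Event(base + 5 * i, "logon", "failure", f"dev-bot-{i}",
                         "203.0.113.7", "", f"user{i:02d}"))
    # C: the same e-mail address presented on three registrations within two minutes.
    base = 13 * 3600
    for i in range(3):
        evs.append(Event(base + 50 * i, "registration", "success", f"dev-reg-{i}",
                         f"192.0.2.{i + 1}", "dup@example.com", f"new{i}"))
    return evs


def detect(events: List[Event], rules: List[Rule]) -> List[Tuple[str, str, int]]:
    det = VelocityDetector(rules)
    alerts: List[Tuple[str, str, int]] = []
    for ev in events:
        alerts.extend(det.observe(ev))
    return alerts


def run_demo() -> List[Tuple[str, str, int]]:
    return detect(build_sample_events(), RULES)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Replaying the constructed stream yields two `credential_stuffing` alerts (counts 11 and 12 from 203.0.113.7) and two `email_reuse` alerts; the family tablet never appears because its distinct-account count stays at four. The distinct-account count is the design point: a raw event count on device_id would flag the household on a busy day, while a count of unrelated accounts in a long window separates a shared device from a device cycling through credentials.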
[Diagram: layers labelled Technical, Syntactic, Semantic, Organisational, Legal, Governance.]
User Principles

Consumer Principles

CONVENIENCE
• An ID I set up can be used in lots of different places - I don't need different IDs to access different kinds of services, unless I choose to do so.
• I need to know where I can and cannot use my ID.
• I need to understand why I am sometimes asked for further verification of my ID.

CONTROL
• It's my ID and data.
• I need to agree who my data is shared with and what is shared.
• I can see a record of this, and request for it to be returned and removed if I want.
• I can change my data at any time and can choose who is informed of that change.
• My data will only be used in ways I have agreed to.

CHOICE
• I can choose who manages my ID for me and change this at any time.
• I can have more than one ID.
• My IDs are free.

CONFIDENCE
• I need to know my ID and data is safe from ID fraud and those who might use it illegitimately.
• If something goes wrong, I need to know I will be OK, and the problem will be resolved.
Consumer Principles
What do eco-system participants do to support?

| Principle | Principle Element | Relying Party | TrustMark (on behalf of Scheme / Framework) | Broker | IdP | Evidence Verifier |
|---|---|---|---|---|---|---|
| CONVENIENCE | An ID I set up can be used in lots of different places - I don't need different IDs to access different kinds of services, unless I choose to do so. | RP shows the TrustMark so users know they accept their ID. | Shows the user where they can use their ID. | Lists all the RPs contracted to it to the consumer. | Shows the user that the ID has the Trustmark – explains what this means. | Shows the user that the evidence verifier is operating within the Trustmark – explains what this means. |
| CONVENIENCE | I need to know where I can and cannot use my ID. | Shows the user which ID Assurance(s) it accepts. | | Needs to show a list of sectors and RPs the ID can be used with? | Needs to show a list of sectors and RPs the ID can be used with? | |
| CONVENIENCE | I need to understand why I am sometimes asked for further verification of my ID. | | | | Needs to explain this to the user when step up occurs. | |
| CHOICE | I can choose who manages my ID for me and change this at any time. | RP should show which IdPs are preferred / accepted for new registration when a user wants to change. | Lists the different ID providers. | Shows who the alternative ID providers are. Allows users to transfer data (attributes?) from one IdP to another, subject to ID Proofing. | Supports ID change to new IdP. Includes transfer of some ID Info Package data, but not transfer of ID in whole. (This is a nice-to-have in a more mature market.) | |
| CHOICE | I can have more than one ID. | | Explains that users can have more than one ID. | | User should be able to close their ID at any time. | |
| CHOICE | My IDs are free. | | Explains that IDs are free. | | Re-iterates IDs are free. | |
Consumer Principles
What do eco-system participants do to support?

| Principle | Principle Element | Relying Party | TrustMark (on behalf of Scheme / Framework) | Broker | IdP | Evidence Verifier |
|---|---|---|---|---|---|---|
| CONTROL | It's my ID and data. | Explains that a user's PII belongs to them, but the ID Evidence assets are not theirs. | Explains that a user's PII belongs to them, but the ID Evidence assets are not theirs. | Explains that a user's PII belongs to them, but the ID Evidence assets are not theirs. | Explains that a user's PII belongs to them, but the ID Evidence assets are not theirs. | |
| CONTROL | I need to agree who my data is shared with. | RP audit trail required. RP could have time-limited use of data (per the open banking 90-day rule) – user needs to be informed. | Explains. | Audit trail of who IdPs share ID data with, but not the detail. | Gathers and records consents to share with RPs and Evidence Verifiers. | Records consent. |
| CONTROL | I can see a record of this, and request for it to be returned and removed if I want. | Removes consumer data on request, informing the user of the consequences of doing so. | Explains. | Brokers data removal from RPs. | Shows historic RP consents and allows the user to request removal? IdP sends a request to the RP to remove data? OR IdP presents the user a link to the RP site where the RP tells the user how to delete their account. | Shows historic IdP consents and allows the user to request removal. |
| CONTROL | I can change my data at any time and choose who is informed of that change. | RP must subscribe to accept changes of data and update their records. | Explains. | Sends alerts to RPs. | Allows the user to change data and choose who to alert, from the list of RPs who subscribe to this service. | Verifies changed data. |
| CONTROL | My data will only be used in ways that I have agreed to. | Prohibited from selling data. | Explains. | Enforces. | Gathers permission if relevant. | Records consent. |
Consumer Principles
What do eco-system participants do to support?

| Principle | Principle Element | Relying Party | TrustMark (on behalf of Scheme / Framework) | Broker | IdP | Evidence Verifier |
|---|---|---|---|---|---|---|
| CONFIDENCE | I need to know my ID and data is safe from ID fraud and those who might use it illegitimately. | Implements fraud controls? | Explains. Should any fraud monitoring be done at the Trustmark level? | Implements fraud controls. | Implements fraud controls. | Implements fraud controls. |
| CONFIDENCE | If something goes wrong, I need to know I will be OK, and the problem will be resolved. | Explains. Points to help and redress service. Other obligations? | Explains. Points to help and redress service. Points to ultimate redress and complaint service at Scheme / Framework level. | Provides help and redress services. | Provides help and redress services. | Provides help and redress services. |
Other levels of support