Black Friday is being dubbed as 'Black Fraud-ay' for good reason. While the government focuses on consumer awareness-raising, SMF fraud lead Richard Hyde explores the need to consider digital ID - a useful extra weapon in the anti-fraud armoury.
Black Friday provides more opportunities for fraudsters
Last week, Richard Horne, the CEO of the National Cyber Security Centre (NCSC), drew attention to the imminent arrival of Black Friday.
As well as a chance for consumers to buy lots of cheap products, it is also a lucrative opportunity for fraudsters. Prominent e-commerce moments in the year such as Black Friday and Cyber Monday drive upticks in internet activity and encourage the spending of money. This contributes to the risk that individuals may fall victim to fraud, which is as high as around 1 in 20 people each year.
Re-energising “Stop, think, fraud!”
The NCSC pronouncement accompanied a new phase in the government’s “Stop, think, fraud!” campaign. The focus was urging consumers on Black Friday to be cautious about where they are shopping. Fake websites are a particular favourite of fraudsters. The NCSC also recommended that consumers take steps such as turning-on double factor authentication where they can, to help protect them from identify fraud risks.
All very sensible advice! But this approach, like all efforts at public education, may make a marginal difference at best. Few campaigns are sufficiently sustained and impactful that they engender long-term behaviour change at the population level. The typical inefficacy of such campaigns, along with the broader issues of information overload for consumers and the complexities of consumer behaviour mean that awareness-raising cannot realistically be the primary focus of an effective response to fraud.
Neither are individual businesses – who are somewhat trapped in a collective action problem, as the incentives they face do not sufficiently strongly point them towards adopting the optimal suite of anti-fraud security measures. Consequently, government needs to step in, to ensure that all the key entities in what is called the “fraud chain” are “doing their bit” to maximise security across the system.
Digital ID could be a useful extra weapon in the anti-fraud armoury
Despite the potential of a new framework of duties and penalties on the companies that make up the “fraud chain” to make a substantial difference to fraud levels, it will not be a panacea, especially when new technologies such as AI support the rapid expansion of threats such as synthetic identities alongside accelerating the already industrial-scale identity theft that takes place. Therefore additional ways of bolstering the security of e-commerce or other online activities may need to be considered by policymakers.
It is in this context that the current government’s plan to bring forward the Digital Information and Smart Data Bill is important. From what we know of it, a key aim is to facilitate the private development of digital ID services. Digital ID is seen by many as being able to play a prominent role in denying fraudsters easy access to personal information. However, there is a non-negligible risk that the market-led approach sees consumers end-up with a disjointed and confusing marketplace of digital ID products, with little awareness of and trust in what is offered. In-turn, this could result in a market which ultimately fails to deliver the additional anti-fraud protection at scale that many hope digital ID will generate. Indeed, it is not currently obvious:
- How much consumer appetite there is for such a development.
- How people think and feel about digital ID services in the context of the wider fraud risks that pervade online activity.
- Whether the British people would prefer digital ID to be driven by private enterprise or a government scheme.
- To what extent digital ID will create new opportunities for fraudsters.
Will digital ID fall foul of the “fraud chain’s” collective action problem?
After the Digital Information and Smart Data Bill is passed, there is a real risk that digital ID becomes another element in the wider collective action failure that plagues the “fraud chain” and holds back an effective response to fraud from the private sector. Therefore, in anticipation of this risk materialising, the government may want to start and think in a more wide ranging way about digital ID, including gauging public opinion more thoroughly on peoples’ understanding of it and its potential uses.
Many other countries such as Estonia, Finland and Singapore operate relatively successful government run or government overseen, schemes. South Korea is currently introducing its own system, too. If the UK approach does fall short of making a difference to fraud these other countries may offer useful lessons about how to implement an effective system of digital ID. On the other hand, the market-led method might deliver the uptick in security against fraud that many hope it will. In which case the lessons from other countries where digital ID is more directly driven by government will be less important. However, to know, implementation will need to be rigorously evaluated with performance benchmarked against the experiences of those leading countries listed above.
For now, the current situation is one of considerable uncertainty as to whether the UK’s approach will work. While we wait for this question to be answered, more consumers will continue to be victims of fraud on Black Friday and Cyber Monday and indeed on most other days.
