As fraud grows more sophisticated, bad actors are constantly finding new ways to take advantage of legacy verification solutions. Companies need to adapt their risk and fraud strategy to meet this threat head-on and protect themselves, their reputation, and their customers from identity fraud.
A key part of any fraud prevention strategy is evaluating multiple signals during the identity verification process. With a diverse set of verification methods and a multi-layered approach, you will have much more data to determine when someone is attempting to use a fabricated, stolen, or synthetic identity. One of the most important methods to consider implementing in your business is validating user data against issuing databases.
What are issuing databases?
Issuing databases, also known as issuing data sources, are databases managed by organizations that offer critical services, such as government programs or driving privileges. These databases bind physical identities to these services with high assurance and are the most accurate as they are the original source of information.
The most common organizations that offer issuing databases are government entities like the Internal Revenue Service (IRS). Other organizations include those who issue public records, such as when somebody registers to vote or becomes involved in the court system. Utility and telephone companies are also considered issuing sources.
Issuing databases are different from authoritative databases. Authoritative sources also hold important personal information, but they don’t create or issue it. Instead, they simply pull information from issuing databases. Authoritative sources include credit bureaus (e.g., Experian, Equifax, and TransUnion), financial institutions, and other data aggregators.
How identities get corrupted despite issuing and authoritative databases
A significant part of identity verification relies on the information stored in issuing and authoritative databases. When organizations request an individual’s personal information and run it against a database, they’re relying on the accuracy of the database itself. But if there is even one flaw in the chain, bad actors will be able to find their way in, corrupting identities along the way.
So how is personal information corrupted in these databases in the first place?
One break in the chain can occur if organizations depend on utility companies as an issuing source. Depending on the security measures in place, a bad actor may be able to easily create a fake account record or spoof a bill or document that appears legitimate. These situations can make a fake identity appear real, so these databases are often less reliable.
As another example, banks and lenders are constantly checking personal information and making verification decisions. To enable faster conversions without worrying about system access or uptime, they might choose to use authoritative databases rather than issuing sources. Fraudsters can take advantage of this shortcut by leveraging synthetic fraud.
With synthetic fraud, bad actors combine pieces of real information into a new, fake identity. If they can manage to create a record of this “Frankenstein identity” in an authoritative database, it becomes much easier for them to access credit in the future.
As fraudsters find new ways to circumvent safeguards, it’s becoming more essential for organizations to implement a wide range of identity verification methods. Understanding identity assurance levels and using multiple issuing databases to verify identities are two ways your business can decrease the likelihood of fraud.
What are identity assurance levels?
The US government has implemented digital identity guidelines that any business can follow. Basically, the assurance level is the level of certainty that verification information can be trusted and matches the person’s “true” identity.
For organizations verifying identities online, the most relevant assurance level is IAL2. This level uses digital documents to support the real-world existence of an identity and verifies that the correct person is associated with it.
The IAL2 standard rates each type of supporting digital document on its reliability. Some documents offer stronger verification assurance than others due to factors such as the issuing source. For example, a passport is rated as “Superior,” a driver’s license can be “Strong” or “Fair,” and “Weak” documents are those where data is commonly leaked or easily spoofed, such as a Social Security card.
The IAL2 standard provides guidance around what documents are required to truly verify an identity. For example, one Strong or Superior document verified by an issuing database will meet the criteria. But two Strong documents or one Strong and two Fair documents matched against authoritative databases are needed to get the same level of verification assurance.
Issuing databases used for verification
Your organization can take advantage of several issuing databases to verify identities and reduce fraud. The best approach for your business will depend on your business model, your offerings, and the users you most often engage with.
Option #1: AAMVA (American Association of Motor Vehicle Administrators) verification
One option for verifying users against issuing databases is AAMVA. With this method, you can use the DMV database to verify driver’s license data and confirm that the name, birthdate, expiration date, and barcode are legitimate.
Benefits: AAMVA verification is extremely simple, convenient, and accurate — as a government entity, the DMV has the most up-to-date information about every driver’s license issued. This makes AAMVA a handy source of truth that gives you the ability to verify that the information is real and actually exists inside an objective, issuing database. And as driver’s licenses are one of the most common verification tools, verifying that license information is legitimate is often an effective way to catch fake identities.
Caveats: There are several states where AAMVA verification is not available, so organizations operating in these locations must use another method. Plus, this type of verification is not foolproof: it only tells you the information on the license is real. It unfortunately cannot tell you if it’s an illegitimate license overlaid with correct data, or a real license that was stolen and is being used by a bad actor.
Sample use case: AAMVA can be a great way to provide a bit of extra assurance for risky individuals. For example, if your system detects a risk signal or red flag while an account is being created (such as multiple accounts being created from the same location or device), you can use AAMVA to double check and confirm the information they're providing matches a real person.
Option #2: eCBSV (Electronic Consent Based Social Security Number) verification
eCBSV can help you confirm if the full name and birthdate provided matches an SSN in the official database. It also confirms the person associated with the number is alive.
Benefits: eCBSV verification is especially helpful at detecting synthetic identities. As synthetic IDs frequently use stolen SSNs, SSN verification is a quick and effective way to ensure the person actually exists.
It can also help you expand your coverage and offer your product or service to more people, as eCBSV extends beyond US citizens and is ideal for verifying those with thin or no credit history. If someone is new to the country or does not have a detailed financial past, eCBSV can quickly verify that they are a real person. This makes verification easier for those often excluded from traditional KYC processes.
Caveats: Currently, eCBSV is only available to financial institutions, not all organizations. It also requires explicit customer consent.
Sample use case: eCBSV is ideal for verifying those with thin or no credit history. For example, if you’re a neobank serving historically underbanked populations, you can use eCBSV to fight fraud and verify that someone who does not have a detailed financial past (but does have an SSN) is a real person.
Option #3: TIN (Taxpayer Identification Number) verification
With TIN verification, you can confirm that a name and a TIN exist as a pair in IRS records, which means you can be fairly confident that a user is a real person.
Benefits: This method is helpful in identifying both businesses and synthetic identities, especially those based on fake names. TIN also provides coverage for immigrants, foreigners, and other individuals without SSNs. These groups have been historically excluded from services that require online verification since they don’t always have the needed documents to verify who they are — TIN makes the internet more inclusive for them.
Caveats: TIN is a simple verification system with limited verifiable elements. It only looks at name and Taxpayer ID; items such as address or birthdate are not included. For this reason, it may be less reliable than other methods.
Sample use case: TIN is best reserved for verifying businesses or individuals who aren’t covered by other verification methods. For example, you could use TIN verification for someone without an SSN rather than exclude them from your service altogether.
Decrease fraud through issuing databases with Persona
There’s no silver bullet to identity verification. Businesses must use multiple strategies in tandem with each other to maximize their chances of catching bad actors and reduce the risk of fraud.
By understanding how to use issuing database verifications, their limitations, and the scenarios where they’re most helpful, you’ll be well on your way to reducing fraud and protecting your organization.
If you’re having trouble implementing verification in your business, Persona can help. Issuing database verifications are just some of the many verification options we offer, and our identity infrastructure is fully customizable to meet your and your customers’ needs.