What is the name of your first pet?
How many times have you answered that question, or something like it? How many times have you been asked your mother's maiden name, the city you were born in, the name of your first elementary school, the name of your favorite teacher, the name of a sibling, or some other such question? These questions are the basis of Knowledge-Based Authentication (KBA), the current industry standard for verifying a customer's identity.
It seems like a reasonable way to verify who a person is, but in practice it has proven easy to compromise. Today, KBA is a good way to irritate your customers and still leave them as victims of fraud. This article goes over the problems with KBA verification and how you can fight back.
The first problem with KBA is that your customers might forget what they put down. This is especially true for questions whose answers can change over time.
For example, if a person puts down the name of their favorite pet, that answer can easily change over time. Pets have shorter lifespans than people, so over a long relationship a customer will replace pets, and they may well like the new one better. You want your customers to stay with you for a long time, so it is counter-productive to punish them for forgetting how they answered a security question ten years ago.
This problem is not uncommon, and the last thing you want is to further frustrate your customers with authentication failures like these.
The most damning flaw in KBA is that it depends on information that is often publicly available. We have all been told about the dangers of posting your social security number, but because the same handful of KBA questions is used everywhere, a Facebook selfie captioned "Chilling out with my favorite teacher", with you and the teacher tagged, can be just as dangerous.
To a skilled fraudster, these security questions are not asking whether they are who they claim to be. What they hear is "Have you read this customer's Facebook page?" You could advise your customers to avoid questions whose answers are publicly available, but that is not always practical, and most customers do not know how much of their history is already public.
While KBA is deeply flawed, verifying customer identity is essential to preventing fraud. Rather than relying on security questions and answers, consider the following alternatives:
The first is behavioral analysis, a pattern frequently employed by credit card issuers. It involves using the customer's own transaction and interaction history to establish a baseline of normal behavior, then looking for breaks from that baseline. Customers fall into habits, and a sudden departure from those habits (a purchase far larger than usual, a login from a new country or device, activity at an unusual hour) should raise a flag in your system. The model can be wrong, and a change in behavior may have an innocent explanation such as travel, so treat a flag as a reason to apply extra verification rather than as proof of fraud.
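The following is an added example of the baseline-and-deviation scoring described above; it is not code from the original article. It assumes events are dicts with an amount, an hour of day, a country and a device identifier, that the history is that one customer's own past events (a constructed sample below), and that the score thresholds for "allow", "step up" and "review" are illustrative values you would tune for your own population.

```python
"""Behavioral baseline scoring: flag events that break a customer's habits.

Added example for illustration. The history, event fields, point values and
thresholds are all assumptions, not the article's or any vendor's model.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed sample history for one customer: small card purchases in the US,
# from two known devices, during daytime hours.
SAMPLE_HISTORY = [
    {"amount": 42.00, "hour": 9,  "country": "US", "device": "d1"},
    {"amount": 58.50, "hour": 11, "country": "US", "device": "d1"},
    {"amount": 61.00, "hour": 12, "country": "US", "device": "d2"},
    {"amount": 47.25, "hour": 14, "country": "US", "device": "d1"},
    {"amount": 73.90, "hour": 16, "country": "US", "device": "d2"},
    {"amount": 55.00, "hour": 10, "country": "US", "device": "d1"},
    {"amount": 66.30, "hour": 13, "country": "US", "device": "d1"},
    {"amount": 49.80, "hour": 17, "country": "US", "device": "d2"},
]

# Constructed test events: one that fits the habit, one that breaks it everywhere.
NORMAL_EVENT = {"amount": 55.00, "hour": 12, "country": "US", "device": "d1"}
SUSPICIOUS_EVENT = {"amount": 2500.00, "hour": 3, "country": "RO", "device": "d9"}


@dataclass
class RiskScore:
    score: int
    reasons: list = field(default_factory=list)


def build_profile(history):
    """Summarise a customer's own history into a baseline of 'normal'."""
    amounts = [e["amount"] for e in history]
    return {
        "mean_amount": mean(amounts),
        # A flat history has zero spread; fall back to 1.0 so z-scores stay finite.
        "std_amount": pstdev(amounts) or 1.0,
        "countries": {e["country"] for e in history},
        "devices": {e["device"] for e in history},
        "hours": {e["hour"] for e in history},
    }


def score_event(profile, event, z_threshold=3.0):
    """Add points for each way the event departs from the baseline."""
    result = RiskScore(score=0)
    z = (event["amount"] - profile["mean_amount"]) / profile["std_amount"]
    if z > z_threshold:
        result.score += 40
        result.reasons.append(f"amount {event['amount']:.2f} is {z:.1f} sd above baseline")
    if event["country"] not in profile["countries"]:
        result.score += 30
        result.reasons.append(f"new country {event['country']}")
    if event["device"] not in profile["devices"]:
        result.score += 20
        result.reasons.append(f"new device {event['device']}")
    if event["hour"] not in profile["hours"]:
        result.score += 10
        result.reasons.append(f"unusual hour {event['hour']:02d}:00")
    return result


def decide(score):
    """Map a score to an action. A flag means 'verify harder', not 'fraud'."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step_up"   # e.g. send a one-time code to the phone on file
    return "review"        # hold for manual review


if __name__ == "__main__":
    profile = build_profile(SAMPLE_HISTORY)
    for label, event in (("normal", NORMAL_EVENT), ("suspicious", SUSPICIOUS_EVENT)):
        r = score_event(profile, event)
        print(label, r.score, decide(r.score), r.reasons)
```

The point values are additive so that several weak signals (new device plus odd hour) can add up to a step-up while a single one does not; the z-score threshold is the usual first cut for "far larger than normal" and should be checked against your own false-positive rate before it drives customer-facing friction.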
The second is phone verification. One thing everybody has and tends to guard jealously is their phone, and because customers keep their number when they change handsets or carriers, a phone number is a stable identifier to tie to an account. When somebody calls in from a number linked to the account, there is a good chance you are speaking to the right person. Use this only in combination with other checks, though: caller ID can be spoofed, and a number can be moved onto an attacker's SIM through a fraudulent port-out or SIM swap at the carrier, so the number alone is a signal, not proof.
The other benefit of this method is that, because text messaging is universal, when a customer calls in from a different phone you can send a one-time code to the number on file and ask them to read it back. To impersonate your customer, a fraudster then has to control that phone, either by stealing it or by taking over the number, which is a far higher bar than reading a Facebook page. Generate the code randomly, let it expire after a few minutes, allow only a handful of attempts, and invalidate it after one use.
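Here is an added example of the server side of that one-time-code flow, covering the checks the paragraph lists (random code, expiry, attempt limit, single use); it is not code from the original article. It assumes delivery is done by some SMS-sending function passed in by the caller (a recording stub is used below), that the pending-code store is in memory (a real deployment would keep the same fields in a database or cache), and that the phone number and clock values are constructed for the demonstration.

```python
"""One-time code sent to the phone number on file, with server-side handling.

Added example for illustration. The store, TTL, digit count and attempt limit
are assumptions chosen for the demo, not the article's or any vendor's values.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300     # code dies after five minutes
MAX_ATTEMPTS = 5           # then the code is thrown away and must be reissued


class OtpStore:
    """Issues and verifies short-lived one-time codes bound to a phone number."""

    def __init__(self, send_sms, now=time.time):
        self._send = send_sms      # callable(phone, text); injected so it can be stubbed
        self._now = now            # injected clock so expiry can be tested
        self._pending = {}         # phone -> {"salt", "digest", "expires", "attempts"}

    def issue(self, phone):
        # secrets, not random: the code must be unpredictable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Store only a salted hash so a leaked store does not leak live codes.
        self._pending[phone] = {
            "salt": salt,
            "digest": hashlib.sha256(salt + code.encode()).digest(),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send(phone, f"Your verification code is {code}")

    def verify(self, phone, submitted):
        rec = self._pending.get(phone)
        if rec is None:
            return "no_pending_code"
        if self._now() > rec["expires"]:
            del self._pending[phone]
            return "expired"
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[phone]        # burn the code; caller must reissue
            return "too_many_attempts"
        candidate = hashlib.sha256(rec["salt"] + submitted.encode()).digest()
        if hmac.compare_digest(candidate, rec["digest"]):   # constant-time compare
            del self._pending[phone]        # single use: a replayed code fails
            return "ok"
        return "wrong_code"


class FakeSms:
    """Stand-in for the SMS gateway: records what would have been sent."""

    def __init__(self):
        self.sent = []

    def __call__(self, phone, text):
        self.sent.append((phone, text))

    def last_code(self):
        return self.sent[-1][1].split()[-1]


def demo():
    """Drive the flow through wrong code, right code, replay, expiry and lockout."""
    sms = FakeSms()
    clock = [1_700_000_000.0]                       # constructed, controllable clock
    store = OtpStore(sms, now=lambda: clock[0])
    phone = "+15555550123"                           # constructed sample number
    results = {}

    store.issue(phone)
    code = sms.last_code()
    wrong = "000000" if code != "000000" else "000001"
    results["wrong"] = store.verify(phone, wrong)
    results["right"] = store.verify(phone, code)
    results["replay"] = store.verify(phone, code)    # already consumed

    store.issue(phone)
    clock[0] += CODE_TTL_SECONDS + 1                 # let the code expire
    results["expired"] = store.verify(phone, sms.last_code())

    store.issue(phone)
    for _ in range(MAX_ATTEMPTS):
        store.verify(phone, "badcode")
    results["locked"] = store.verify(phone, sms.last_code())  # correct, but too late
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:8s} -> {outcome}")
```

Two things the demo does not show but a deployment needs: rate-limit how often a code can be issued to one number (otherwise an attacker can use your service to flood the customer with texts), and send the code only to the number already on file, never to a number supplied on the same call that is asking to be verified.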
Adopting KBA as an industry standard was a good idea in theory. Few anticipated the rise of social media and the damage it would do to KBA. As times change, so must businesses, and moving away from KBA will go a long way towards verifying customer identity and protecting your business against fraud.