Learn a Better Way to Prevent Fraud and Deliver Seamless Customer Interactions
Knowledge-based authentication is a hassle for customers. Thinking of questions that other people probably don’t know the answers to, and that a customer is likely to remember, can be challenging and stressful. Customers worry they’ll forget their answers and get locked out of vital accounts, just as they’re going online or calling a customer service center to perform an important, time-sensitive transaction.
Moreover, KBA is often ineffective as a security measure. People close to an account-holder often know a wide assortment of their personal information – pet’s name, elementary schools, mother’s maiden name. This leaves the system vulnerable to fraud by family members, erstwhile friends and associates.
Personal information is also often widely available to strangers on social media, or on shady websites that compile it for no-questions-asked purposes. There are also massive caches of highly sensitive personal data – social security numbers, credit card numbers, passwords, and even answers to “secret questions” – illicitly circulating as a result of data breaches at companies like Equifax and Yahoo that have affected literally billions of people.
Call centers a target for cyber criminals
When personal data isn’t available by other means, con artists have become skilled at coaxing it out of call center representatives. An identity thief might try building on information assembled online to pose as a harried customer who just needs a little help getting access to urgently needed funds. Enterprising swindlers have been known to employ elaborate ruses, like playing audio recordings of dogs barking and babies crying in the background. The object is to exploit the human element and the phone agent’s principal mission: being friendly and helpful to customers, and resolving calls as quickly as possible.
Stronger knowledge-based elements might include confidential account information, such as the size of a credit line that only the lender and the customer are supposed to know. This sort of information is also vulnerable to breaches and social engineering, however. And if a scammer learns that a key to access is, say, the amount of the last deposit, she could make a deposit into the target account before probing further. When rebuffed, criminals often try again, refining their approach over multiple attempts.
Indeed, a legitimate customer might fumble while trying to remember personal details, provide confidential information and pass through security barriers, whereas a criminal reading off a painstakingly assembled dossier would not.
Once a criminal compromises an account, the scale of the damage can be devastating. The fraudster might monitor the account for a period, surveilling the timing of large deposits and waiting to strike at the optimal moment.
KBA is still widely used by financial institutions
Despite these shortcomings, KBA remains entrenched as a major security measure in the financial services industry. A survey of bank, credit union and non-bank executives shows that it is the third-most prevalent identity solution across the industry – more than 40% of respondents say they use it.
Further, many lenders do not appear conscious of its flaws and weaknesses. Survey respondents also rate KBA as the third-strongest security measure, just after multifactor authentication and biometrics. Just 1% of executives at non-bank lenders rank KBA among the weakest anti-fraud tools.
Using identity data to thwart thieves
To mount an effective defense against account takeover and account origination fraud, lenders need broad, continuously refreshed and interconnected intelligence on offline and digital identities – including data that can’t be spoofed or stolen.
Is a mobile device’s reputation suspect because its phone number has recently been ported? Does data on the phone’s activity, usage and location match up with the offline data being given or on file – name, address and other personally identifying information? Do the browsing history, IP address and device fingerprint align?
Many lenders lack the capacity to answer questions like these. For example, just 22% of executives express high confidence that their current fraud prevention routines give them visibility into the device linked to an identity and the reputation of the device. Just 19% are highly confident their anti-fraud system can connect customers’ online identity to authoritative offline identity information.
With a multi-layered approach that enables such insights, lenders can make a precise determination of how confident they should be that a person is who they say they are and that a particular transaction is safe. Lenders can let legitimate customers through without hassle and friction, while shutting out criminals.