Simple Security Questions

• By Steven Titch
• May 09, 2008

It is a conundrum that enterprises and organizations that need to protect their customers’ secure information often must access that secure information to authenticate the identity of a customer. In other words, to prevent a breach, they must risk a breach.

The use of customer service representatives, on whom banks, brokerages, credit card issuers and phone companies commonly depend to assist customer phone queries, presents two security vulnerabilities.

First, the very nature of the job means they are often the first point of contact for identity thieves attempting to use a stolen driver’s license, social security number or credit card to set up a fraudulent account. How does an institution validate the identity of a new customer with whom it has no prior relationship?

Conversely, who verifies the verifiers? In most cases, when a legitimate customer calls an enterprise with an issue related to sensitive personal information, the customer service representative must access that very information to ensure authentication. For example, a credit card customer calling to dispute a charge would be required to provide account name, number and perhaps a social security number or “password” like a mother’s maiden name. So, in the end, the rep has access to key personal identifiers as well as the customer’s account details.

The ease with which credit accounts can be created and changed, legitimately or not, is one reason identity theft is the fastest growing crime in the U.S. That makes any personal information as good as cash to an unscrupulous rep. Institutions may make an effort at background checks, but the unfortunate truth is that thoroughness must be balanced against cost. Rep positions, particularly in phone banks, are often low-pay, high-turnover jobs.

Enter RSA Identity Verification, a hosted application that performs authentication checks by cross-tabulating data from billions of public records and producing a series of questions that require answers that an identity thief is unlikely to know.At the same time, at the customer rep side, the system provides no context for the questions.

The rep merely enters the responses without knowing whether they are correct or not. At no point does the rep access personal information like social security numbers or account numbers to perform the identity authentication.

“When you’re establishing a relationship you have nothing,” says Bryan Knauss, senior product manager-identity verification solutions at RSA, Bedford, Mass.. “At the same time, when you want to verify ID on an existing customer involving a lost password or other credential, you can resolve it in an efficient way.”

Success At BNY Mellon

BNY Mellon Shareowner Services, Jersey City, N.J., a division of Bank of New York Mellon, has been down this road.

In its first attempt to strengthen ID authentication, BNY Mellon replaced the use of client social security numbers with a unique “Investor ID” it assigned to every customer. BNY Mellon customers had to visit the bank’s Web site, input their Investor ID and create a PIN. The PINcreation process initiated a mailing of a one-time user authentication code. The user then returned to the Web site to enter the authentication code and complete the activation of online account access.

A secure process, to be sure, but it proved inconvenient for customers who wanted immediate access to their online accounts. As a result of what was a three- to seven-day delay in waiting to receive an authentication code via mail, call center volumes spiked as clients repeatedly sought the status of their authentication code. To improve customer satisfaction, BNY Mellon adopted the RSA Identity Verification solution as a new method for customer identity authentication.

The bank declined to comment on the RSA solution. Through documentation on its Web site, RSA provided information on BNY Mellon’s experience. Other users include three of the top six wireless phone companies, Knauss says.

How It Works

The RSA Identity Verification solution, which can be used by a customer rep or incorporated as a Web-based application usable with any browser, presents the querying individual with a series of questions culled from an instantaneous scan of billions of public records held in databases owned by aggregators with which RSA has contracted.

The identity verification system will prompt the user to enter his or her name (or, if it’s a call, the customer rep will enter it on the user’s behalf). An RSA server will then run a query on the name through these databases.

In the process, the system may also cross-reference the name of the user with those of other individuals and companies that public records associate with the user. Based on the data retrieved, the RSA server will then generate the questions.These questions might ask if the user recognizes an old home address or phone number. They may present the first name of a spouse or sibling and ask to specify that person’s birthday. They generally are multiple choice, with “None of the Above” among the options. Whether the inquiry is made on the Web or through a customer service rep, the system simply indicates whether the customer’s identity is authenticated or not.

Because questions are generated on the spot, are presented in almost no context and their answers are not easily found by searching the Internet, the odds are slim that someone other than the genuine user could guess correctly. In addition, the system has the ability to dynamically adapt the difficulty level of questions based on certain high-risk events or business rules and adjust for inconsistencies in public data. Perhaps the only disquieting aspect for consumers who have an opportunity to use the system is that such a wealth of information exists about them and can be brought together so easily.

Knauss emphasizes, however, that the information sources are all from the public record -- birth certificates, marriage licenses, real estate transactions, phone directories and such -- that are available through an undisclosed number of data aggregators.“We don’t use credit file information,” he adds, or any other data held by private sources.