Simple Security Questions

It is a conundrum that enterprises and organizations that need to protect their customers’ secure information often must access that secure information to authenticate the identity of a customer. In other words, to prevent a breach, they must risk a breach.

The use of customer service representatives, on whom banks, brokerages, credit card issuers and phone companies commonly depend to assist customer phone queries, presents two security vulnerabilities.

First, the very nature of the job means they are often the first point of contact for identity thieves attempting to use a stolen driver’s license, social security number or credit card to set up a fraudulent account. How does an institution validate the identity of a new customer with whom it has no prior relationship?

Conversely, who verifies the verifiers? In most cases, when a legitimate customer calls an enterprise with an issue related to sensitive personal information, the customer service representative must access that very information to ensure authentication. For example, a credit card customer calling to dispute a charge would be required to provide account name, number and perhaps a social security number or “password” like a mother’s maiden name. So, in the end, the rep has access to key personal identifiers as well as the customer’s account details.

The ease with which credit accounts can be created and changed, legitimately or not, is one reason identity theft is the fastest growing crime in the U.S. That makes any personal information as good as cash to an unscrupulous rep. Institutions may make an effort at background checks, but the unfortunate truth is that thoroughness must be balanced against cost. Rep positions, particularly in phone banks, are often low-pay, high-turnover jobs.

Enter RSA Identity Verification, a hosted application that performs authentication checks by cross-tabulating data from billions of public records and producing a series of questions that require answers that an identity thief is unlikely to know.At the same time, at the customer rep side, the system provides no context for the questions.

The rep merely enters the responses without knowing whether they are correct or not. At no point does the rep access personal information like social security numbers or account numbers to perform the identity authentication.

“When you’re establishing a relationship you have nothing,” says Bryan Knauss, senior product manager-identity verification solutions at RSA, Bedford, Mass.. “At the same time, when you want to verify ID on an existing customer involving a lost password or other credential, you can resolve it in an efficient way.”

Success At BNY Mellon

BNY Mellon Shareowner Services, Jersey City, N.J., a division of Bank of New York Mellon, has been down this road.

In its first attempt to strengthen ID authentication, BNY Mellon replaced the use of client social security numbers with a unique “Investor ID” it assigned to every customer. BNY Mellon customers had to visit the bank’s Web site, input their Investor ID and create a PIN. The PINcreation process initiated a mailing of a one-time user authentication code. The user then returned to the Web site to enter the authentication code and complete the activation of online account access.

A secure process, to be sure, but it proved inconvenient for customers who wanted immediate access to their online accounts. As a result of what was a three- to seven-day delay in waiting to receive an authentication code via mail, call center volumes spiked as clients repeatedly sought the status of their authentication code. To improve customer satisfaction, BNY Mellon adopted the RSA Identity Verification solution as a new method for customer identity authentication.

The bank declined to comment on the RSA solution. Through documentation on its Web site, RSA provided information on BNY Mellon’s experience. Other users include three of the top six wireless phone companies, Knauss says.

How It Works

The RSA Identity Verification solution, which can be used by a customer rep or incorporated as a Web-based application usable with any browser, presents the querying individual with a series of questions culled from an instantaneous scan of billions of public records held in databases owned by aggregators with which RSA has contracted.

The identity verification system will prompt the user to enter his or her name (or, if it’s a call, the customer rep will enter it on the user’s behalf). An RSA server will then run a query on the name through these databases.

In the process, the system may also cross-reference the name of the user with those of other individuals and companies that public records associate with the user. Based on the data retrieved, the RSA server will then generate the questions.These questions might ask if the user recognizes an old home address or phone number. They may present the first name of a spouse or sibling and ask to specify that person’s birthday. They generally are multiple choice, with “None of the Above” among the options. Whether the inquiry is made on the Web or through a customer service rep, the system simply indicates whether the customer’s identity is authenticated or not.

Because questions are generated on the spot, are presented in almost no context and their answers are not easily found by searching the Internet, the odds are slim that someone other than the genuine user could guess correctly. In addition, the system has the ability to dynamically adapt the difficulty level of questions based on certain high-risk events or business rules and adjust for inconsistencies in public data. Perhaps the only disquieting aspect for consumers who have an opportunity to use the system is that such a wealth of information exists about them and can be brought together so easily.

Knauss emphasizes, however, that the information sources are all from the public record -- birth certificates, marriage licenses, real estate transactions, phone directories and such -- that are available through an undisclosed number of data aggregators.“We don’t use credit file information,” he adds, or any other data held by private sources.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3