Simple Security Questions

It is a conundrum that enterprises and organizations that need to protect their customers’ secure information often must access that secure information to authenticate the identity of a customer. In other words, to prevent a breach, they must risk a breach.

The use of customer service representatives, on whom banks, brokerages, credit card issuers and phone companies commonly depend to assist customer phone queries, presents two security vulnerabilities.

First, the very nature of the job means they are often the first point of contact for identity thieves attempting to use a stolen driver’s license, social security number or credit card to set up a fraudulent account. How does an institution validate the identity of a new customer with whom it has no prior relationship?

Conversely, who verifies the verifiers? In most cases, when a legitimate customer calls an enterprise with an issue related to sensitive personal information, the customer service representative must access that very information to ensure authentication. For example, a credit card customer calling to dispute a charge would be required to provide account name, number and perhaps a social security number or “password” like a mother’s maiden name. So, in the end, the rep has access to key personal identifiers as well as the customer’s account details.

The ease with which credit accounts can be created and changed, legitimately or not, is one reason identity theft is the fastest growing crime in the U.S. That makes any personal information as good as cash to an unscrupulous rep. Institutions may make an effort at background checks, but the unfortunate truth is that thoroughness must be balanced against cost. Rep positions, particularly in phone banks, are often low-pay, high-turnover jobs.

Enter RSA Identity Verification, a hosted application that performs authentication checks by cross-tabulating data from billions of public records and producing a series of questions that require answers that an identity thief is unlikely to know.At the same time, at the customer rep side, the system provides no context for the questions.

The rep merely enters the responses without knowing whether they are correct or not. At no point does the rep access personal information like social security numbers or account numbers to perform the identity authentication.

“When you’re establishing a relationship you have nothing,” says Bryan Knauss, senior product manager-identity verification solutions at RSA, Bedford, Mass.. “At the same time, when you want to verify ID on an existing customer involving a lost password or other credential, you can resolve it in an efficient way.”

Success At BNY Mellon

BNY Mellon Shareowner Services, Jersey City, N.J., a division of Bank of New York Mellon, has been down this road.

In its first attempt to strengthen ID authentication, BNY Mellon replaced the use of client social security numbers with a unique “Investor ID” it assigned to every customer. BNY Mellon customers had to visit the bank’s Web site, input their Investor ID and create a PIN. The PINcreation process initiated a mailing of a one-time user authentication code. The user then returned to the Web site to enter the authentication code and complete the activation of online account access.

A secure process, to be sure, but it proved inconvenient for customers who wanted immediate access to their online accounts. As a result of what was a three- to seven-day delay in waiting to receive an authentication code via mail, call center volumes spiked as clients repeatedly sought the status of their authentication code. To improve customer satisfaction, BNY Mellon adopted the RSA Identity Verification solution as a new method for customer identity authentication.

The bank declined to comment on the RSA solution. Through documentation on its Web site, RSA provided information on BNY Mellon’s experience. Other users include three of the top six wireless phone companies, Knauss says.

How It Works

The RSA Identity Verification solution, which can be used by a customer rep or incorporated as a Web-based application usable with any browser, presents the querying individual with a series of questions culled from an instantaneous scan of billions of public records held in databases owned by aggregators with which RSA has contracted.

The identity verification system will prompt the user to enter his or her name (or, if it’s a call, the customer rep will enter it on the user’s behalf). An RSA server will then run a query on the name through these databases.

In the process, the system may also cross-reference the name of the user with those of other individuals and companies that public records associate with the user. Based on the data retrieved, the RSA server will then generate the questions.These questions might ask if the user recognizes an old home address or phone number. They may present the first name of a spouse or sibling and ask to specify that person’s birthday. They generally are multiple choice, with “None of the Above” among the options. Whether the inquiry is made on the Web or through a customer service rep, the system simply indicates whether the customer’s identity is authenticated or not.

Because questions are generated on the spot, are presented in almost no context and their answers are not easily found by searching the Internet, the odds are slim that someone other than the genuine user could guess correctly. In addition, the system has the ability to dynamically adapt the difficulty level of questions based on certain high-risk events or business rules and adjust for inconsistencies in public data. Perhaps the only disquieting aspect for consumers who have an opportunity to use the system is that such a wealth of information exists about them and can be brought together so easily.

Knauss emphasizes, however, that the information sources are all from the public record -- birth certificates, marriage licenses, real estate transactions, phone directories and such -- that are available through an undisclosed number of data aggregators.“We don’t use credit file information,” he adds, or any other data held by private sources.

Featured

  • Integration Imagination: The Future of Connected Operations

    Security teams that collaborate cross-functionally and apply imagination and creativity to envision and design their ideal integrated ecosystem will have the biggest upside to corporate security and operational benefits. Read Now

  • Smarter Access Starts with Flexibility

    Today’s workplaces are undergoing a rapid evolution, driven by hybrid work models, emerging smart technologies, and flexible work schedules. To keep pace with growing workplace demands, buildings are becoming more dynamic – capable of adapting to how people move, work, and interact in real-time. Read Now

  • Trends Keeping an Eye on Business Decisions

    Today, AI continues to transform the way data is used to make important business decisions. AI and the cloud together are redefining how video surveillance systems are being used to simulate human intelligence by combining data analysis, prediction, and process automation with minimal human intervention. Many organizations are upgrading their surveillance systems to reap the benefits of technologies like AI and cloud applications. Read Now

  • The Future is Happening Outside the Cloud

    For years, the cloud has captivated the physical security industry. And for good reason. Remote access, elastic scalability and simplified maintenance reshaped how we think about deploying and managing systems. But as the number of cameras grows and resolutions push from HD to 4K and beyond, the cloud’s limits are becoming unavoidable. Bandwidth bottlenecks. Latency lags. Rising storage costs. These are not abstract concerns. Read Now

  • Right-Wing Activist Charlie Kirk Dies After Utah Valley University Shooting

    Charlie Kirk, a popular conservative activist and founder of Turning Point USA, died Wednesday after being shot during an on-campus event at Utah Valley University in Orem, Utah Read Now

Most   Popular

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.