Simple Security Questions

It is a conundrum that enterprises and organizations that need to protect their customers’ secure information often must access that secure information to authenticate the identity of a customer. In other words, to prevent a breach, they must risk a breach.

The use of customer service representatives, on whom banks, brokerages, credit card issuers and phone companies commonly depend to assist customer phone queries, presents two security vulnerabilities.

First, the very nature of the job means they are often the first point of contact for identity thieves attempting to use a stolen driver’s license, social security number or credit card to set up a fraudulent account. How does an institution validate the identity of a new customer with whom it has no prior relationship?

Conversely, who verifies the verifiers? In most cases, when a legitimate customer calls an enterprise with an issue related to sensitive personal information, the customer service representative must access that very information to ensure authentication. For example, a credit card customer calling to dispute a charge would be required to provide account name, number and perhaps a social security number or “password” like a mother’s maiden name. So, in the end, the rep has access to key personal identifiers as well as the customer’s account details.

The ease with which credit accounts can be created and changed, legitimately or not, is one reason identity theft is the fastest growing crime in the U.S. That makes any personal information as good as cash to an unscrupulous rep. Institutions may make an effort at background checks, but the unfortunate truth is that thoroughness must be balanced against cost. Rep positions, particularly in phone banks, are often low-pay, high-turnover jobs.

Enter RSA Identity Verification, a hosted application that performs authentication checks by cross-tabulating data from billions of public records and producing a series of questions that require answers that an identity thief is unlikely to know.At the same time, at the customer rep side, the system provides no context for the questions.

The rep merely enters the responses without knowing whether they are correct or not. At no point does the rep access personal information like social security numbers or account numbers to perform the identity authentication.

“When you’re establishing a relationship you have nothing,” says Bryan Knauss, senior product manager-identity verification solutions at RSA, Bedford, Mass.. “At the same time, when you want to verify ID on an existing customer involving a lost password or other credential, you can resolve it in an efficient way.”

Success At BNY Mellon

BNY Mellon Shareowner Services, Jersey City, N.J., a division of Bank of New York Mellon, has been down this road.

In its first attempt to strengthen ID authentication, BNY Mellon replaced the use of client social security numbers with a unique “Investor ID” it assigned to every customer. BNY Mellon customers had to visit the bank’s Web site, input their Investor ID and create a PIN. The PINcreation process initiated a mailing of a one-time user authentication code. The user then returned to the Web site to enter the authentication code and complete the activation of online account access.

A secure process, to be sure, but it proved inconvenient for customers who wanted immediate access to their online accounts. As a result of what was a three- to seven-day delay in waiting to receive an authentication code via mail, call center volumes spiked as clients repeatedly sought the status of their authentication code. To improve customer satisfaction, BNY Mellon adopted the RSA Identity Verification solution as a new method for customer identity authentication.

The bank declined to comment on the RSA solution. Through documentation on its Web site, RSA provided information on BNY Mellon’s experience. Other users include three of the top six wireless phone companies, Knauss says.

How It Works

The RSA Identity Verification solution, which can be used by a customer rep or incorporated as a Web-based application usable with any browser, presents the querying individual with a series of questions culled from an instantaneous scan of billions of public records held in databases owned by aggregators with which RSA has contracted.

The identity verification system will prompt the user to enter his or her name (or, if it’s a call, the customer rep will enter it on the user’s behalf). An RSA server will then run a query on the name through these databases.

In the process, the system may also cross-reference the name of the user with those of other individuals and companies that public records associate with the user. Based on the data retrieved, the RSA server will then generate the questions.These questions might ask if the user recognizes an old home address or phone number. They may present the first name of a spouse or sibling and ask to specify that person’s birthday. They generally are multiple choice, with “None of the Above” among the options. Whether the inquiry is made on the Web or through a customer service rep, the system simply indicates whether the customer’s identity is authenticated or not.

Because questions are generated on the spot, are presented in almost no context and their answers are not easily found by searching the Internet, the odds are slim that someone other than the genuine user could guess correctly. In addition, the system has the ability to dynamically adapt the difficulty level of questions based on certain high-risk events or business rules and adjust for inconsistencies in public data. Perhaps the only disquieting aspect for consumers who have an opportunity to use the system is that such a wealth of information exists about them and can be brought together so easily.

Knauss emphasizes, however, that the information sources are all from the public record -- birth certificates, marriage licenses, real estate transactions, phone directories and such -- that are available through an undisclosed number of data aggregators.“We don’t use credit file information,” he adds, or any other data held by private sources.

Featured

  • First, Do No Harm: Responsibly Applying Artificial Intelligence

    It was 2022 when early LLMs (Large Language Models) brought the term “AI” into mainstream public consciousness and since then, we’ve seen security corporations and integrators attempt to develop their solutions and sales pitches around the biggest tech boom of the 21st century. However, not all “artificial intelligence” is equally suitable for security applications, and it’s essential for end users to remain vigilant in understanding how their solutions are utilizing AI. Read Now

  • Improve Incident Response With Intelligent Cloud Video Surveillance

    Video surveillance is a vital part of business security, helping institutions protect against everyday threats for increased employee, customer, and student safety. However, many outdated surveillance solutions lack the ability to offer immediate insights into critical incidents. This slows down investigations and limits how effectively teams can respond to situations, creating greater risks for the organization. Read Now

  • Security Today Announces 2025 CyberSecured Award Winners

    Security Today is pleased to announce the 2025 CyberSecured Awards winners. Sixteen companies are being recognized this year for their network products and other cybersecurity initiatives that secure our world today. Read Now

  • Empowering and Securing a Mobile Workforce

    What happens when technology lets you work anywhere – but exposes you to security threats everywhere? This is the reality of modern work. No longer tethered to desks, work happens everywhere – in the office, from home, on the road, and in countless locations in between. Read Now

  • TSA Introduces New $45 Fee Option for Travelers Without REAL ID Starting February 1

    The Transportation Security Administration (TSA) announced today that it will refer all passengers who do not present an acceptable form of ID and still want to fly an option to pay a $45 fee to use a modernized alternative identity verification system, TSA Confirm.ID, to establish identity at security checkpoints beginning on February 1, 2026. Read Now

Most   Popular

New Products

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles.