Beyond Mom's Maiden Name

Challenge questions, the prompts many companies use to authenticate customers' identity online, are themselves giving rise to a new generation of customer service challenge.

The questions, the classic example of which is the request for a mother's maiden name, have evolved over time, in part because widespread use has diluted the security value of the most common ones.

The other challenge: dealing with the frustrated customer who finds online access to an account blocked when unable to answer the security query.

Sam Tuohey, the chief technology officer and VP-technology and e-commerce for Stanford FCU of Palo Alto, Calif., said its systems sometimes ask people for the last four digits of their home or cell phone number, and some customers were concerned they would be barred from their accounts because their phone numbers have changed.

Stanford Federal uses authentication software that RSA Security Inc. acquired when it purchased PassMark Security Inc. of Menlo Park, Calif.

The software evaluates customers' computers when they log in, to verify they are using a recognized system. If they are not, they must authenticate themselves by answering challenge questions.

When people couldn't answer the questions, their first response was to call the CU, but the staff could not help, because the software did not let them update the answers on file, Tuohey said, noting that PassMark changed the software at the CU's request to allow it.

Amir Orad, VP-marketing with RSA's consumer solutions division (which includes the PassMark product), said the Bedford, Mass., vendor works with companies to develop questions that customers can use, and that great care must go into the process.

Name Your Sweetheart?

One rule RSA developed is to avoid questions for which the answer may change. For example, asking the name of a "childhood sweetheart" is not a good idea, Orad said.

"Some customers will change their mind in a few months." Tuohey said that in many cases, the problem is that the answer can change over time, as his boss learned the hard way.

John R. Davis, Stanford Federal's chief executive, was once trying to log in to an account he shared with his wife. Davis "knew her password, but he didn't know her challenge phrase," Tuohey recalled.

"The question was 'What is your favorite movie?' and he thought it was 'Casablanca.' It turned out he was dead wrong," and couldn't log in to the account.

"It was 'Breaking Away.'" Though Davis knew his wife was a longtime fan of the Humphrey Bogart film, she had seen the bicycle-racing one not long before she was asked to provide a challenge question for the CU's authentication software, and "Breaking Away" had replaced "Casablanca," temporarily, as her favorite.

Stanford also encourages members to select answers that do not match the questions, he said. "For instance, you can pick 'What are the last four digits of my cell phone number?' as the question but type your father's first name as the answer."

Doing so could improve security but would also make it more likely that the customer would forget the answer, Tuohey said.

Customers have three chances to answer. The credit union has received few complaints from people who could not answer their questions, and Tuohey said he couldn't say whether those people were locked out of their accounts because of an incorrect answer.

Orad said that another complication is that many effective questions are off limits, because "some customers don't feel comfortable answering certain challenge questions." The most secure questions are also the most personal, he said.

RSA's software once included a question asking customers for their Social Security number, but today many customers refuse to provide this, fearing identity theft.

Another issue is that "you don't want to ask the same question everyone's asking," Orad said; asking for a mother's maiden name is now so common it has lost its effectiveness.

Victor Smilgys, AVP of e-commerce at Technology CU in San Jose, said that financial companies should "stay away from questions with answers that may be limited to only a few popular choices." For example, if the system asks for someone's favorite sport, "many people would answer 'baseball' or 'football.'"

Technology CU began using PassMark's software in November, and Smilgys said that PassMark helped it craft its challenge questions. The version the credit union is using also permits people to change their own questions and answers within an online banking session. The CU has programmed the software to recognize some common abbreviations for street names, but not all of them, and it recommends that people avoid all abbreviations.

One feature Smilgys would like to see is permitting customers to write their own challenge questions; he has discussed the idea with the vendor. "That way, it's unique to them," he said.

RSA owns not only the PassMark product but also those developed by Cyota Inc., a New York company RSA bought in December.

Orad said that today between 0.25% and 0.5% of its authentication products' users cannot answer the challenge question presented to them. The failure rate was 1.1% to 2.3% when the products were introduced.

Timing Is Everything

When RSA bought PassMark, it learned that the timing of the questions can be critical. The PassMark product presents the challenge when people log in, when customers expect to undergo authentication and are more willing to read the instructions carefully, Orad said.

Cyota's software asks questions when people try to initiate risky transactions, after they have logged in to the website. Orad said people can be impatient and are less focused on authentication once they have moved past that process, and asking challenge questions later in an online banking session can be off-putting.

In those cases, the questions must be as succinct as possible, or people might get them wrong, he said.

George Tubin, senior analyst at TowerGroup Inc. of Needham, Mass., said banks should pay attention to the technology they use to evaluate the answers.

A system designed to use "fuzzy logic" is better at interpreting human answers than systems that accept only a single answer.

For example, some questions ask people the name of their high school. "If you went to St. Mary's, how you spell the word 'Saint' could be any one of six different ways," he said.
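The abbreviation handling Technology CU describes and the "six ways to spell Saint" problem Tubin raises both come down to canonicalizing the answer before comparing it. The example below is added here and is not code from PassMark, RSA or either credit union; the variant table is a constructed assumption, and the three-attempt lockout mirrors the "three chances" the article mentions. Answers are stored only as salted slow hashes, so the normalized text never sits in the database.

```python
import hashlib
import hmac
import os
import re

# Constructed variant table (an assumption for this example, not the vendor's
# real ruleset): every spelling variant collapses to one canonical token.
VARIANTS = {
    "saint": "st", "ste": "st", "st": "st",
    "street": "st", "avenue": "ave", "av": "ave", "road": "rd",
    "boulevard": "blvd", "drive": "dr", "lane": "ln",
}
MAX_ATTEMPTS = 3  # the article's "three chances"


def normalize(answer: str) -> str:
    """Canonicalize a free-text answer: case, punctuation, apostrophes and
    known abbreviation variants all collapse to one form."""
    words = re.findall(r"[a-z0-9]+", answer.lower().replace("'", ""))
    return " ".join(VARIANTS.get(w, w) for w in words)


class ChallengeAnswer:
    """Stored form of one enrolled answer plus its failed-attempt counter."""

    def __init__(self, answer: str):
        self.salt = os.urandom(16)
        self.digest = self._hash(answer, self.salt)
        self.failures = 0

    @staticmethod
    def _hash(answer: str, salt: bytes) -> bytes:
        # Slow salted hash of the normalized text, so a leaked table does
        # not directly expose the answers.
        return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(),
                                   salt, 50_000)

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_ATTEMPTS

    def check(self, attempt: str) -> bool:
        """Return True on a match. Once locked, every attempt is refused,
        even a correct one, until a separate recovery path resets it."""
        if self.locked:
            return False
        if hmac.compare_digest(self._hash(attempt, self.salt), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        return False
```

The normalization is deliberately narrow: it accepts spelling variants of the same answer, not a different answer, so "Casablanca" still fails against an enrolled "Breaking Away".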

However, Avivah Litan, vice president and research director at the Stamford, Conn., market research company Gartner Inc., said that challenge questions may not provide enough security. Simplifying questions is another way of saying "they had to dumb down the questions," and "if they're easy for the customer, they're easy for the fraudster."
