Some banking companies are beefing up their online authentication with a technique commonly used to verify the identity of new customers: querying customers with data pulled from public databases.
Banks have long asked customers to provide answers to challenge questions, which people can later use to authenticate themselves. However, some customers are later unable to give correct answers to the challenge questions they created.
The use of multiple-choice questions based on database information aims to eliminate two common problems: people’s inability to remember the exact format of the answer — for example, whether they spelled out a word or used its abbreviation — and their tendency to forget that they have changed their answer to a subjective question, such as their favorite movie.
“There are some challenges with secret questions in terms of the setup, and in terms of how customer-friendly they might be,” said Robert Shenk, the senior vice president for retail strategy and customer experience at E-Trade Financial Corp.
E-Trade currently uses transaction monitoring security software from RSA Security Inc., and Mr. Shenk said it plans in the near future to begin using RSA’s multiple-choice database challenge question software in online authentication for certain high-risk transactions. E-Trade has not yet determined which transactions will trigger the questions, but Mr. Shenk said wire transfers are one type that would be a good fit for the questions.
The public database questions do not need to be set up by customers. The method more commonly used today features fill-in-the-blank-style queries that customers must answer when they enroll in an online banking system.
E-Trade, of New York, evaluated both and opted to use the multiple-choice approach, which it calls out-of-wallet questions. Mr. Shenk said these are “the simpler ones, because they also involve a minimum of customer setup.” E-Trade plans eventually to also use fill-in-the-blank questions, which it calls secret questions.
RSA, of Bedford, Mass., announced last week that it would offer software from Verid Inc. that asks just such out-of-wallet questions. Verid, of Fort Lauderdale, Fla., calls its product knowledge-based authentication. (The memory technology company EMC Corp. acquired RSA this month.)
Amir Orad, the vice president of marketing for RSA’s consumer solutions division, said that several customers told his company that they were interested in the out-of-wallet question approach, and he said that the approach would become more popular. Some banks “over time, will replace challenge questions with knowledge-based authentication, the Verid technology,” he said.
Mr. Orad said he could envision a bank using both types of questions; for example, a customer who cannot answer a secret question might be asked out-of-wallet questions. Today, if a customer fails to correctly answer secret questions, the problem “falls back into the customer service area,” which means a conversation with a customer service representative.
Mr. Shenk said that multiple-choice questions are easier for people to answer correctly than secret questions, but are still difficult for criminals to guess. “No system will be 100% fraud-proof,” he said. Though it is “mathematically true” that a criminal could guess the answers, “multiple out-of-wallet questions can be answered rapidly by the legitimate customer, but will probably present a mathematical conundrum to the fraudster.”
Daniel Buttafogo, the senior director of risk management for Barclays PLC’s Barclaycard US, said Barclaycard (formerly Juniper Bank of Wilmington, Del.) has used Verid’s service for 18 months to offer instant credit approvals online. Barclaycard does not use Verid to authenticate existing customers, but has signed up with RSA to use RSA’s Adaptive Authentication product for that purpose. It may also use Verid for phone authentication.
Verid’s service “is actually very effective,” Mr. Buttafogo said, even when a criminal is personally close to a customer. Barclaycard US uses the Verid service as a last step for customers who want immediate use of the credit they have applied for online.
Kevin Watson, Verid’s chairman and chief executive, said his service is “not only easier for the consumer” than secret questions, “but actually is more secure.”
Verid does not use data from credit bureaus, favoring utility and driving records that are less prone to tampering by identity thieves. Even in those cases, it ignores blatant errors, he said. “The artificial intelligence that we’ve built into the system” is programmed to look at all the data, “not just each discrete answer.”
Avivah Litan, a vice president and research director at Gartner Inc., a market research company in Stamford, Conn., said both types of challenge questions have become very common.
Her August survey of 5,000 online consumers found that challenge questions were the second-most common authentication method, after standard simple usernames and passwords. The username-password system was used by 90.6% of respondents, and a username-password-question system by 7.2%.
Using questions based on public information “would be great if it was low-cost,” but the service can run close to $2 per transaction, Ms. Litan said.
“There’s a definite need for this type of technology,” she said, because the data it uses adds security. “This data’s much harder for thieves to get at” than financial data, because thieves have less experience targeting utility and driving records than they do credit bureau information, she said.
But “as this data starts to get more used,” crooks will go after it, Ms. Litan said.











